diff --git "a/data/processed/backup/llm_generated_synthetic_v2.jsonl" "b/data/processed/backup/llm_generated_synthetic_v2.jsonl" new file mode 100644--- /dev/null +++ "b/data/processed/backup/llm_generated_synthetic_v2.jsonl" 
@@ -0,0 +1,2000 @@ +{"text": "FireEye published a threat intelligence report linking Velvet Tempest to a new campaign exploiting CVE-2021-10425 in Apache Struts. The attackers deployed DarkSide via LaZagne, establishing C2 communication with 10.191.82.139 and mail-backup.xyz. A secondary payload was downloaded from hxxps://data-cache.net/assets/js/payload.js. The malware binary (MD5: 072e927f30f4a43cd273aa080f56e196) was dropped to C:\\ProgramData\\dropper.ps1. Phishing emails were sent from noreply@account-update.xyz targeting enterprise users. A backup C2 server was identified at 192.165.250.5.", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: Velvet Tempest": [[55, 69]], "CVE_ID: CVE-2021-10425": [[99, 113]], "SYSTEM: Apache Struts": [[117, 130]], "MALWARE: DarkSide": [[155, 163]], "TOOL: LaZagne": [[168, 175]], "IP_ADDRESS: 10.191.82.139": [[212, 225]], "DOMAIN: mail-backup.xyz": [[230, 245]], "URL: hxxps://data-cache.net/assets/js/payload.js": [[287, 330]], "HASH: 072e927f30f4a43cd273aa080f56e196": [[357, 389]], "FILEPATH: C:\\ProgramData\\dropper.ps1": [[406, 432]], "EMAIL: noreply@account-update.xyz": [[465, 491]], "IP_ADDRESS: 192.165.250.5": [[557, 570]]}, "info": {"id": "synth_v2_00001", "source": "synthetic_v2"}} +{"text": "Google TAG published a threat intelligence report linking Star Blizzard to a new campaign exploiting CVE-2023-33283 in Juniper SRX. The attackers deployed Amadey via Certutil, establishing C2 communication with 55.102.159.103 and api-storage.com. A secondary payload was downloaded from hxxps://cache-data.com/assets/js/payload.js. The malware binary (SHA1: b34e8181a11e04ad27121e7ca00ec86ed1c796c6) was dropped to C:\\Users\\admin\\AppData\\Local\\Temp\\helper.sh. Phishing emails were sent from info@phishing-domain.com targeting enterprise users. 
A backup C2 server was identified at 113.231.61.64.", "spans": {"ORGANIZATION: Google TAG": [[0, 10]], "THREAT_ACTOR: Star Blizzard": [[58, 71]], "CVE_ID: CVE-2023-33283": [[101, 115]], "SYSTEM: Juniper SRX": [[119, 130]], "MALWARE: Amadey": [[155, 161]], "TOOL: Certutil": [[166, 174]], "IP_ADDRESS: 55.102.159.103": [[211, 225]], "DOMAIN: api-storage.com": [[230, 245]], "URL: hxxps://cache-data.com/assets/js/payload.js": [[287, 330]], "HASH: b34e8181a11e04ad27121e7ca00ec86ed1c796c6": [[358, 398]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\helper.sh": [[415, 458]], "EMAIL: info@phishing-domain.com": [[491, 515]], "IP_ADDRESS: 113.231.61.64": [[581, 594]]}, "info": {"id": "synth_v2_00002", "source": "synthetic_v2"}} +{"text": "NSA published a threat intelligence report linking Salt Typhoon to a new campaign exploiting CVE-2023-16619 in Active Directory. The attackers deployed NjRAT via Impacket, establishing C2 communication with 55.67.242.63 and gateway-mail.site. A secondary payload was downloaded from hxxps://relaycdn.top/login. The malware binary (MD5: 67e8d86f5cedfc3d30443604f6492700) was dropped to /opt/app/bin/taskhost.exe. Phishing emails were sent from helpdesk@login-portal.tech targeting enterprise users. 
A backup C2 server was identified at 207.208.97.25.", "spans": {"ORGANIZATION: NSA": [[0, 3]], "THREAT_ACTOR: Salt Typhoon": [[51, 63]], "CVE_ID: CVE-2023-16619": [[93, 107]], "SYSTEM: Active Directory": [[111, 127]], "MALWARE: NjRAT": [[152, 157]], "TOOL: Impacket": [[162, 170]], "IP_ADDRESS: 55.67.242.63": [[207, 219]], "DOMAIN: gateway-mail.site": [[224, 241]], "URL: hxxps://relaycdn.top/login": [[283, 309]], "HASH: 67e8d86f5cedfc3d30443604f6492700": [[336, 368]], "FILEPATH: /opt/app/bin/taskhost.exe": [[385, 410]], "EMAIL: helpdesk@login-portal.tech": [[443, 469]], "IP_ADDRESS: 207.208.97.25": [[535, 548]]}, "info": {"id": "synth_v2_00003", "source": "synthetic_v2"}} +{"text": "Microsoft MSRC published a threat intelligence report linking Sandworm to a new campaign exploiting CVE-2025-24373 in Fortinet FortiGate. The attackers deployed WarmCookie via Brute Ratel, establishing C2 communication with 119.127.38.114 and secure-gateway.online. A secondary payload was downloaded from hxxps://cloudportal.dev/download/update.exe. The malware binary (MD5: ffeac3158b4933091e77ae339b587f2d) was dropped to C:\\Windows\\Temp\\lsass.dmp. Phishing emails were sent from hr@credential-check.site targeting enterprise users. 
A backup C2 server was identified at 10.7.47.238.", "spans": {"ORGANIZATION: Microsoft MSRC": [[0, 14]], "THREAT_ACTOR: Sandworm": [[62, 70]], "CVE_ID: CVE-2025-24373": [[100, 114]], "SYSTEM: Fortinet FortiGate": [[118, 136]], "MALWARE: WarmCookie": [[161, 171]], "TOOL: Brute Ratel": [[176, 187]], "IP_ADDRESS: 119.127.38.114": [[224, 238]], "DOMAIN: secure-gateway.online": [[243, 264]], "URL: hxxps://cloudportal.dev/download/update.exe": [[306, 349]], "HASH: ffeac3158b4933091e77ae339b587f2d": [[376, 408]], "FILEPATH: C:\\Windows\\Temp\\lsass.dmp": [[425, 450]], "EMAIL: hr@credential-check.site": [[483, 507]], "IP_ADDRESS: 10.7.47.238": [[573, 584]]}, "info": {"id": "synth_v2_00004", "source": "synthetic_v2"}} +{"text": "Volexity published a threat intelligence report linking TA505 to a new campaign exploiting CVE-2026-44676 in Citrix NetScaler. The attackers deployed XLoader via WinPEAS, establishing C2 communication with 172.111.29.149 and nodenode.org. A secondary payload was downloaded from hxxp://node-api.live/api/v2/auth. The malware binary (SHA1: 097e31987e1382d795ec15b2a2f758cf402ed1d6) was dropped to C:\\ProgramData\\helper.sh. Phishing emails were sent from service@secure-verify.net targeting enterprise users. 
A backup C2 server was identified at 192.160.29.13.", "spans": {"ORGANIZATION: Volexity": [[0, 8]], "THREAT_ACTOR: TA505": [[56, 61]], "CVE_ID: CVE-2026-44676": [[91, 105]], "SYSTEM: Citrix NetScaler": [[109, 125]], "MALWARE: XLoader": [[150, 157]], "TOOL: WinPEAS": [[162, 169]], "IP_ADDRESS: 172.111.29.149": [[206, 220]], "DOMAIN: nodenode.org": [[225, 237]], "URL: hxxp://node-api.live/api/v2/auth": [[279, 311]], "HASH: 097e31987e1382d795ec15b2a2f758cf402ed1d6": [[339, 379]], "FILEPATH: C:\\ProgramData\\helper.sh": [[396, 420]], "EMAIL: service@secure-verify.net": [[453, 478]], "IP_ADDRESS: 192.160.29.13": [[544, 557]]}, "info": {"id": "synth_v2_00005", "source": "synthetic_v2"}} +{"text": "Europol published a threat intelligence report linking Silk Typhoon to a new campaign exploiting CVE-2020-37651 in Progress Telerik. The attackers deployed DanaBot via PsExec, establishing C2 communication with 172.161.133.53 and relaystorage.dev. A secondary payload was downloaded from hxxps://update-relay.cc/api/v2/auth. The malware binary (SHA1: de6f0d7cdb38cc9940992b684cf5416222fee2e5) was dropped to /tmp/loader.exe. Phishing emails were sent from hr@account-update.xyz targeting enterprise users. 
A backup C2 server was identified at 62.135.202.34.", "spans": {"ORGANIZATION: Europol": [[0, 7]], "THREAT_ACTOR: Silk Typhoon": [[55, 67]], "CVE_ID: CVE-2020-37651": [[97, 111]], "SYSTEM: Progress Telerik": [[115, 131]], "MALWARE: DanaBot": [[156, 163]], "TOOL: PsExec": [[168, 174]], "IP_ADDRESS: 172.161.133.53": [[211, 225]], "DOMAIN: relaystorage.dev": [[230, 246]], "URL: hxxps://update-relay.cc/api/v2/auth": [[288, 323]], "HASH: de6f0d7cdb38cc9940992b684cf5416222fee2e5": [[351, 391]], "FILEPATH: /tmp/loader.exe": [[408, 423]], "EMAIL: hr@account-update.xyz": [[456, 477]], "IP_ADDRESS: 62.135.202.34": [[543, 556]]}, "info": {"id": "synth_v2_00006", "source": "synthetic_v2"}} +{"text": "Recorded Future published a threat intelligence report linking Diamond Sleet to a new campaign exploiting CVE-2023-28217 in Ivanti Connect Secure. The attackers deployed AgentTesla via Mythic, establishing C2 communication with 41.224.154.157 and sync-auth.dev. A secondary payload was downloaded from https://edge-login.info/collect. The malware binary (SHA256: 78f706009e82940aadb53106035b179b28fe918c2b1d8580ca768e3e8da9e64d) was dropped to /opt/app/bin/runtime.dll. Phishing emails were sent from hr@urgent-notice.online targeting enterprise users. 
A backup C2 server was identified at 192.153.53.241.", "spans": {"ORGANIZATION: Recorded Future": [[0, 15]], "THREAT_ACTOR: Diamond Sleet": [[63, 76]], "CVE_ID: CVE-2023-28217": [[106, 120]], "SYSTEM: Ivanti Connect Secure": [[124, 145]], "MALWARE: AgentTesla": [[170, 180]], "TOOL: Mythic": [[185, 191]], "IP_ADDRESS: 41.224.154.157": [[228, 242]], "DOMAIN: sync-auth.dev": [[247, 260]], "URL: https://edge-login.info/collect": [[302, 333]], "HASH: 78f706009e82940aadb53106035b179b28fe918c2b1d8580ca768e3e8da9e64d": [[363, 427]], "FILEPATH: /opt/app/bin/runtime.dll": [[444, 468]], "EMAIL: hr@urgent-notice.online": [[501, 524]], "IP_ADDRESS: 192.153.53.241": [[590, 604]]}, "info": {"id": "synth_v2_00007", "source": "synthetic_v2"}} +{"text": "FireEye published a threat intelligence report linking Ember Bear to a new campaign exploiting CVE-2020-16140 in Ubuntu 22.04. The attackers deployed SmokeLoader via Mythic, establishing C2 communication with 213.141.22.1 and edgegateway.io. A secondary payload was downloaded from hxxp://auth-api.dev/panel/index.html. The malware binary (SHA256: 709bde24267b4f2c6a906dedc700471e605b721fd34b62e5770ee0f5d239962c) was dropped to /etc/cron.d/shell.php. Phishing emails were sent from confirm@account-update.xyz targeting enterprise users. 
A backup C2 server was identified at 198.66.134.42.", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: Ember Bear": [[55, 65]], "CVE_ID: CVE-2020-16140": [[95, 109]], "SYSTEM: Ubuntu 22.04": [[113, 125]], "MALWARE: SmokeLoader": [[150, 161]], "TOOL: Mythic": [[166, 172]], "IP_ADDRESS: 213.141.22.1": [[209, 221]], "DOMAIN: edgegateway.io": [[226, 240]], "URL: hxxp://auth-api.dev/panel/index.html": [[282, 318]], "HASH: 709bde24267b4f2c6a906dedc700471e605b721fd34b62e5770ee0f5d239962c": [[348, 412]], "FILEPATH: /etc/cron.d/shell.php": [[429, 450]], "EMAIL: confirm@account-update.xyz": [[483, 509]], "IP_ADDRESS: 198.66.134.42": [[575, 588]]}, "info": {"id": "synth_v2_00008", "source": "synthetic_v2"}} +{"text": "Trend Micro published a threat intelligence report linking Storm-0558 to a new campaign exploiting CVE-2024-42717 in Windows 11. The attackers deployed BlackCat via BloodHound, establishing C2 communication with 54.127.52.91 and secure-gateway.com. A secondary payload was downloaded from hxxp://storage-gateway.link/portal/verify. The malware binary (SHA256: 04ab15485b8e4707d5448fbe13e3a035d5c4cd23dfdd3b043f49fcfbe6d239ea) was dropped to C:\\Users\\Public\\Documents\\lsass.dmp. Phishing emails were sent from support@credential-check.site targeting enterprise users. 
A backup C2 server was identified at 159.79.121.222.", "spans": {"ORGANIZATION: Trend Micro": [[0, 11]], "THREAT_ACTOR: Storm-0558": [[59, 69]], "CVE_ID: CVE-2024-42717": [[99, 113]], "SYSTEM: Windows 11": [[117, 127]], "MALWARE: BlackCat": [[152, 160]], "TOOL: BloodHound": [[165, 175]], "IP_ADDRESS: 54.127.52.91": [[212, 224]], "DOMAIN: secure-gateway.com": [[229, 247]], "URL: hxxp://storage-gateway.link/portal/verify": [[289, 330]], "HASH: 04ab15485b8e4707d5448fbe13e3a035d5c4cd23dfdd3b043f49fcfbe6d239ea": [[360, 424]], "FILEPATH: C:\\Users\\Public\\Documents\\lsass.dmp": [[441, 476]], "EMAIL: support@credential-check.site": [[509, 538]], "IP_ADDRESS: 159.79.121.222": [[604, 618]]}, "info": {"id": "synth_v2_00009", "source": "synthetic_v2"}} +{"text": "FireEye published a threat intelligence report linking FIN7 to a new campaign exploiting CVE-2025-37666 in Ivanti Connect Secure. The attackers deployed Hive via Covenant, establishing C2 communication with 211.116.114.7 and sync-mail.top. A secondary payload was downloaded from hxxps://edgestorage.com/portal/verify. The malware binary (SHA256: 12bdce9f7068d00f0154ac1d7844f06cf75bd67eff8b37a779d8e1b6bf6b22c0) was dropped to /usr/local/bin/update.dll. Phishing emails were sent from alert@document-share.link targeting enterprise users. 
A backup C2 server was identified at 172.168.142.222.", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: FIN7": [[55, 59]], "CVE_ID: CVE-2025-37666": [[89, 103]], "SYSTEM: Ivanti Connect Secure": [[107, 128]], "MALWARE: Hive": [[153, 157]], "TOOL: Covenant": [[162, 170]], "IP_ADDRESS: 211.116.114.7": [[207, 220]], "DOMAIN: sync-mail.top": [[225, 238]], "URL: hxxps://edgestorage.com/portal/verify": [[280, 317]], "HASH: 12bdce9f7068d00f0154ac1d7844f06cf75bd67eff8b37a779d8e1b6bf6b22c0": [[347, 411]], "FILEPATH: /usr/local/bin/update.dll": [[428, 453]], "EMAIL: alert@document-share.link": [[486, 511]], "IP_ADDRESS: 172.168.142.222": [[577, 592]]}, "info": {"id": "synth_v2_00010", "source": "synthetic_v2"}} +{"text": "Rapid7 published a threat intelligence report linking Storm-0558 to a new campaign exploiting CVE-2024-24392 in SonicWall SMA. The attackers deployed AgentTesla via LinPEAS, establishing C2 communication with 172.97.130.12 and storage-static.tech. A secondary payload was downloaded from http://backup-node.info/secure/token. The malware binary (MD5: fc9d70d467461bd29c401f0744c09eea) was dropped to /home/user/.config/dropper.ps1. Phishing emails were sent from noreply@login-portal.tech targeting enterprise users. 
A backup C2 server was identified at 1.100.186.111.", "spans": {"ORGANIZATION: Rapid7": [[0, 6]], "THREAT_ACTOR: Storm-0558": [[54, 64]], "CVE_ID: CVE-2024-24392": [[94, 108]], "SYSTEM: SonicWall SMA": [[112, 125]], "MALWARE: AgentTesla": [[150, 160]], "TOOL: LinPEAS": [[165, 172]], "IP_ADDRESS: 172.97.130.12": [[209, 222]], "DOMAIN: storage-static.tech": [[227, 246]], "URL: http://backup-node.info/secure/token": [[288, 324]], "HASH: fc9d70d467461bd29c401f0744c09eea": [[351, 383]], "FILEPATH: /home/user/.config/dropper.ps1": [[400, 430]], "EMAIL: noreply@login-portal.tech": [[463, 488]], "IP_ADDRESS: 1.100.186.111": [[554, 567]]}, "info": {"id": "synth_v2_00011", "source": "synthetic_v2"}} +{"text": "Volexity published a threat intelligence report linking Storm-0558 to a new campaign exploiting CVE-2022-40108 in Progress Telerik. The attackers deployed Raccoon Stealer via PowerView, establishing C2 communication with 104.0.155.74 and cloudnode.online. A secondary payload was downloaded from https://api-backup.io/api/v2/auth. The malware binary (SHA256: 0f3152206ba37427e826981e007d59fb99b6ce1f1fa856ff8f363905b527f1e3) was dropped to /home/user/.config/helper.sh. Phishing emails were sent from billing@account-update.xyz targeting enterprise users. 
A backup C2 server was identified at 172.164.238.114.", "spans": {"ORGANIZATION: Volexity": [[0, 8]], "THREAT_ACTOR: Storm-0558": [[56, 66]], "CVE_ID: CVE-2022-40108": [[96, 110]], "SYSTEM: Progress Telerik": [[114, 130]], "MALWARE: Raccoon Stealer": [[155, 170]], "TOOL: PowerView": [[175, 184]], "IP_ADDRESS: 104.0.155.74": [[221, 233]], "DOMAIN: cloudnode.online": [[238, 254]], "URL: https://api-backup.io/api/v2/auth": [[296, 329]], "HASH: 0f3152206ba37427e826981e007d59fb99b6ce1f1fa856ff8f363905b527f1e3": [[359, 423]], "FILEPATH: /home/user/.config/helper.sh": [[440, 468]], "EMAIL: billing@account-update.xyz": [[501, 527]], "IP_ADDRESS: 172.164.238.114": [[593, 608]]}, "info": {"id": "synth_v2_00012", "source": "synthetic_v2"}} +{"text": "FBI published a threat intelligence report linking APT28 to a new campaign exploiting CVE-2020-11739 in Zyxel USG. The attackers deployed Cobalt Strike via PsExec, establishing C2 communication with 162.99.196.127 and gateway-data.org. A secondary payload was downloaded from hxxps://cdnedge.xyz/gate.php. The malware binary (SHA256: ba4a5d089e1f12fa709b2ca4abec7fece16ba33979137fb58c532948202e61a4) was dropped to C:\\Windows\\Tasks\\loader.exe. Phishing emails were sent from confirm@document-share.link targeting enterprise users. 
A backup C2 server was identified at 63.75.2.229.", "spans": {"ORGANIZATION: FBI": [[0, 3]], "THREAT_ACTOR: APT28": [[51, 56]], "CVE_ID: CVE-2020-11739": [[86, 100]], "SYSTEM: Zyxel USG": [[104, 113]], "MALWARE: Cobalt Strike": [[138, 151]], "TOOL: PsExec": [[156, 162]], "IP_ADDRESS: 162.99.196.127": [[199, 213]], "DOMAIN: gateway-data.org": [[218, 234]], "URL: hxxps://cdnedge.xyz/gate.php": [[276, 304]], "HASH: ba4a5d089e1f12fa709b2ca4abec7fece16ba33979137fb58c532948202e61a4": [[334, 398]], "FILEPATH: C:\\Windows\\Tasks\\loader.exe": [[415, 442]], "EMAIL: confirm@document-share.link": [[475, 502]], "IP_ADDRESS: 63.75.2.229": [[568, 579]]}, "info": {"id": "synth_v2_00013", "source": "synthetic_v2"}} +{"text": "Tenable published a threat intelligence report linking Scattered Spider to a new campaign exploiting CVE-2026-45190 in SonicWall SMA. The attackers deployed PlugX via ADFind, establishing C2 communication with 41.243.230.67 and sync-relay.net. A secondary payload was downloaded from https://datasync.tech/panel/index.html. The malware binary (SHA256: 64144df97cc804765c2329cefd9f47ba8ed4f649137c013af151d4ff23244efa) was dropped to C:\\Windows\\System32\\payload.bin. Phishing emails were sent from helpdesk@identity-verify.cc targeting enterprise users. 
A backup C2 server was identified at 192.141.248.161.", "spans": {"ORGANIZATION: Tenable": [[0, 7]], "THREAT_ACTOR: Scattered Spider": [[55, 71]], "CVE_ID: CVE-2026-45190": [[101, 115]], "SYSTEM: SonicWall SMA": [[119, 132]], "MALWARE: PlugX": [[157, 162]], "TOOL: ADFind": [[167, 173]], "IP_ADDRESS: 41.243.230.67": [[210, 223]], "DOMAIN: sync-relay.net": [[228, 242]], "URL: https://datasync.tech/panel/index.html": [[284, 322]], "HASH: 64144df97cc804765c2329cefd9f47ba8ed4f649137c013af151d4ff23244efa": [[352, 416]], "FILEPATH: C:\\Windows\\System32\\payload.bin": [[433, 464]], "EMAIL: helpdesk@identity-verify.cc": [[497, 524]], "IP_ADDRESS: 192.141.248.161": [[590, 605]]}, "info": {"id": "synth_v2_00014", "source": "synthetic_v2"}} +{"text": "Cisco Talos published a threat intelligence report linking Forest Blizzard to a new campaign exploiting CVE-2020-43118 in SonicWall SMA. The attackers deployed LockBit via WinPEAS, establishing C2 communication with 85.238.212.16 and proxyupdate.tech. A secondary payload was downloaded from hxxp://portalgateway.io/gate.php. The malware binary (SHA256: afea57b982068d7c4a8b7e5e297ebfca902d6f7b692d0c41db858d3f3409a19d) was dropped to /usr/local/bin/ntds.dit. Phishing emails were sent from verify@phishing-domain.com targeting enterprise users. 
A backup C2 server was identified at 172.199.10.220.", "spans": {"ORGANIZATION: Cisco Talos": [[0, 11]], "THREAT_ACTOR: Forest Blizzard": [[59, 74]], "CVE_ID: CVE-2020-43118": [[104, 118]], "SYSTEM: SonicWall SMA": [[122, 135]], "MALWARE: LockBit": [[160, 167]], "TOOL: WinPEAS": [[172, 179]], "IP_ADDRESS: 85.238.212.16": [[216, 229]], "DOMAIN: proxyupdate.tech": [[234, 250]], "URL: hxxp://portalgateway.io/gate.php": [[292, 324]], "HASH: afea57b982068d7c4a8b7e5e297ebfca902d6f7b692d0c41db858d3f3409a19d": [[354, 418]], "FILEPATH: /usr/local/bin/ntds.dit": [[435, 458]], "EMAIL: verify@phishing-domain.com": [[491, 517]], "IP_ADDRESS: 172.199.10.220": [[583, 597]]}, "info": {"id": "synth_v2_00015", "source": "synthetic_v2"}} +{"text": "Zscaler ThreatLabz published a threat intelligence report linking Volt Typhoon to a new campaign exploiting CVE-2025-48311 in Fortinet FortiGate. The attackers deployed NjRAT via PowerView, establishing C2 communication with 33.13.201.152 and securecdn.info. A secondary payload was downloaded from https://storagecloud.online/secure/token. The malware binary (MD5: 40a194b4d4cb5d64805d497691b575e3) was dropped to /usr/local/bin/ntds.dit. Phishing emails were sent from hr@secure-verify.net targeting enterprise users. 
A backup C2 server was identified at 10.219.69.222.", "spans": {"ORGANIZATION: Zscaler ThreatLabz": [[0, 18]], "THREAT_ACTOR: Volt Typhoon": [[66, 78]], "CVE_ID: CVE-2025-48311": [[108, 122]], "SYSTEM: Fortinet FortiGate": [[126, 144]], "MALWARE: NjRAT": [[169, 174]], "TOOL: PowerView": [[179, 188]], "IP_ADDRESS: 33.13.201.152": [[225, 238]], "DOMAIN: securecdn.info": [[243, 257]], "URL: https://storagecloud.online/secure/token": [[299, 339]], "HASH: 40a194b4d4cb5d64805d497691b575e3": [[366, 398]], "FILEPATH: /usr/local/bin/ntds.dit": [[415, 438]], "EMAIL: hr@secure-verify.net": [[471, 491]], "IP_ADDRESS: 10.219.69.222": [[557, 570]]}, "info": {"id": "synth_v2_00016", "source": "synthetic_v2"}} +{"text": "NCSC published a threat intelligence report linking Ember Bear to a new campaign exploiting CVE-2020-16140 in Ivanti Connect Secure. The attackers deployed TrickBot via LinPEAS, establishing C2 communication with 192.35.20.194 and data-login.online. A secondary payload was downloaded from https://cache-cloud.online/secure/token. The malware binary (SHA256: 458812376a4f0e55d81c4c22075794c054ee8cdefb8735f9616cb3fe83360e7e) was dropped to C:\\Users\\Public\\Documents\\config.dat. Phishing emails were sent from finance@secure-verify.net targeting enterprise users. 
A backup C2 server was identified at 10.102.10.160.", "spans": {"ORGANIZATION: NCSC": [[0, 4]], "THREAT_ACTOR: Ember Bear": [[52, 62]], "CVE_ID: CVE-2020-16140": [[92, 106]], "SYSTEM: Ivanti Connect Secure": [[110, 131]], "MALWARE: TrickBot": [[156, 164]], "TOOL: LinPEAS": [[169, 176]], "IP_ADDRESS: 192.35.20.194": [[213, 226]], "DOMAIN: data-login.online": [[231, 248]], "URL: https://cache-cloud.online/secure/token": [[290, 329]], "HASH: 458812376a4f0e55d81c4c22075794c054ee8cdefb8735f9616cb3fe83360e7e": [[359, 423]], "FILEPATH: C:\\Users\\Public\\Documents\\config.dat": [[440, 476]], "EMAIL: finance@secure-verify.net": [[509, 534]], "IP_ADDRESS: 10.102.10.160": [[600, 613]]}, "info": {"id": "synth_v2_00017", "source": "synthetic_v2"}} +{"text": "Trend Micro published a threat intelligence report linking OilRig to a new campaign exploiting CVE-2024-19363 in Cisco ASA. The attackers deployed TrickBot via Merlin, establishing C2 communication with 10.124.52.179 and mailapi.io. A secondary payload was downloaded from http://updategateway.live/api/v2/auth. The malware binary (MD5: 07249a544d17e701e0372ed140c27327) was dropped to /etc/cron.d/sam.hive. Phishing emails were sent from noreply@identity-verify.cc targeting enterprise users. 
A backup C2 server was identified at 218.61.21.89.", "spans": {"ORGANIZATION: Trend Micro": [[0, 11]], "THREAT_ACTOR: OilRig": [[59, 65]], "CVE_ID: CVE-2024-19363": [[95, 109]], "SYSTEM: Cisco ASA": [[113, 122]], "MALWARE: TrickBot": [[147, 155]], "TOOL: Merlin": [[160, 166]], "IP_ADDRESS: 10.124.52.179": [[203, 216]], "DOMAIN: mailapi.io": [[221, 231]], "URL: http://updategateway.live/api/v2/auth": [[273, 310]], "HASH: 07249a544d17e701e0372ed140c27327": [[337, 369]], "FILEPATH: /etc/cron.d/sam.hive": [[386, 406]], "EMAIL: noreply@identity-verify.cc": [[439, 465]], "IP_ADDRESS: 218.61.21.89": [[531, 543]]}, "info": {"id": "synth_v2_00018", "source": "synthetic_v2"}} +{"text": "Kaspersky GReAT published a threat intelligence report linking Turla to a new campaign exploiting CVE-2026-10212 in F5 BIG-IP. The attackers deployed PikaBot via Sharphound, establishing C2 communication with 112.137.165.219 and cachestatic.top. A secondary payload was downloaded from https://storageupdate.online/download/update.exe. The malware binary (MD5: 1d433880090a3801a2875e8b715e211c) was dropped to /tmp/csrss.exe. Phishing emails were sent from hr@auth-check.org targeting enterprise users. 
A backup C2 server was identified at 10.142.230.63.", "spans": {"ORGANIZATION: Kaspersky GReAT": [[0, 15]], "THREAT_ACTOR: Turla": [[63, 68]], "CVE_ID: CVE-2026-10212": [[98, 112]], "SYSTEM: F5 BIG-IP": [[116, 125]], "MALWARE: PikaBot": [[150, 157]], "TOOL: Sharphound": [[162, 172]], "IP_ADDRESS: 112.137.165.219": [[209, 224]], "DOMAIN: cachestatic.top": [[229, 244]], "URL: https://storageupdate.online/download/update.exe": [[286, 334]], "HASH: 1d433880090a3801a2875e8b715e211c": [[361, 393]], "FILEPATH: /tmp/csrss.exe": [[410, 424]], "EMAIL: hr@auth-check.org": [[457, 474]], "IP_ADDRESS: 10.142.230.63": [[540, 553]]}, "info": {"id": "synth_v2_00019", "source": "synthetic_v2"}} +{"text": "Symantec published a threat intelligence report linking FIN11 to a new campaign exploiting CVE-2023-14679 in Barracuda ESG. The attackers deployed StealC via WinPEAS, establishing C2 communication with 192.97.43.62 and relayupdate.net. A secondary payload was downloaded from hxxp://dataportal.club/portal/verify. The malware binary (SHA1: 946aa4be322a2a0fcc75a9ec5e797ee889203712) was dropped to /etc/cron.d/beacon.dll. Phishing emails were sent from confirm@urgent-notice.online targeting enterprise users. 
A backup C2 server was identified at 126.123.243.166.", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "THREAT_ACTOR: FIN11": [[56, 61]], "CVE_ID: CVE-2023-14679": [[91, 105]], "SYSTEM: Barracuda ESG": [[109, 122]], "MALWARE: StealC": [[147, 153]], "TOOL: WinPEAS": [[158, 165]], "IP_ADDRESS: 192.97.43.62": [[202, 214]], "DOMAIN: relayupdate.net": [[219, 234]], "URL: hxxp://dataportal.club/portal/verify": [[276, 312]], "HASH: 946aa4be322a2a0fcc75a9ec5e797ee889203712": [[340, 380]], "FILEPATH: /etc/cron.d/beacon.dll": [[397, 419]], "EMAIL: confirm@urgent-notice.online": [[452, 480]], "IP_ADDRESS: 126.123.243.166": [[546, 561]]}, "info": {"id": "synth_v2_00020", "source": "synthetic_v2"}} +{"text": "NCSC published a threat intelligence report linking BlackTech to a new campaign exploiting CVE-2024-12103 in Ivanti Connect Secure. The attackers deployed XLoader via LinPEAS, establishing C2 communication with 70.156.128.60 and cloud-cloud.club. A secondary payload was downloaded from https://synccache.link/api/v2/auth. The malware binary (SHA256: 67caef98ddb53a6394003b9b5273c766b52b7115ae2762605738a5a816226d5b) was dropped to /home/user/.config/helper.sh. Phishing emails were sent from it@account-update.xyz targeting enterprise users. 
A backup C2 server was identified at 192.98.161.31.", "spans": {"ORGANIZATION: NCSC": [[0, 4]], "THREAT_ACTOR: BlackTech": [[52, 61]], "CVE_ID: CVE-2024-12103": [[91, 105]], "SYSTEM: Ivanti Connect Secure": [[109, 130]], "MALWARE: XLoader": [[155, 162]], "TOOL: LinPEAS": [[167, 174]], "IP_ADDRESS: 70.156.128.60": [[211, 224]], "DOMAIN: cloud-cloud.club": [[229, 245]], "URL: https://synccache.link/api/v2/auth": [[287, 321]], "HASH: 67caef98ddb53a6394003b9b5273c766b52b7115ae2762605738a5a816226d5b": [[351, 415]], "FILEPATH: /home/user/.config/helper.sh": [[432, 460]], "EMAIL: it@account-update.xyz": [[493, 514]], "IP_ADDRESS: 192.98.161.31": [[580, 593]]}, "info": {"id": "synth_v2_00021", "source": "synthetic_v2"}} +{"text": "NCSC published a threat intelligence report linking TA505 to a new campaign exploiting CVE-2021-20189 in Active Directory. The attackers deployed Emotet via WinPEAS, establishing C2 communication with 10.149.64.164 and relaystorage.org. A secondary payload was downloaded from hxxps://sync-proxy.net/callback. The malware binary (MD5: 6c38110a7d5123176a220608c94e0e1b) was dropped to C:\\ProgramData\\shell.php. Phishing emails were sent from support@account-update.xyz targeting enterprise users. 
A backup C2 server was identified at 27.6.145.121.", "spans": {"ORGANIZATION: NCSC": [[0, 4]], "THREAT_ACTOR: TA505": [[52, 57]], "CVE_ID: CVE-2021-20189": [[87, 101]], "SYSTEM: Active Directory": [[105, 121]], "MALWARE: Emotet": [[146, 152]], "TOOL: WinPEAS": [[157, 164]], "IP_ADDRESS: 10.149.64.164": [[201, 214]], "DOMAIN: relaystorage.org": [[219, 235]], "URL: hxxps://sync-proxy.net/callback": [[277, 308]], "HASH: 6c38110a7d5123176a220608c94e0e1b": [[335, 367]], "FILEPATH: C:\\ProgramData\\shell.php": [[384, 408]], "EMAIL: support@account-update.xyz": [[441, 467]], "IP_ADDRESS: 27.6.145.121": [[533, 545]]}, "info": {"id": "synth_v2_00022", "source": "synthetic_v2"}} +{"text": "Recorded Future published a threat intelligence report linking Mustang Panda to a new campaign exploiting CVE-2023-39714 in VMware ESXi. The attackers deployed DanaBot via Burp Suite, establishing C2 communication with 156.115.194.116 and static-auth.link. A secondary payload was downloaded from hxxps://cloud-sync.top/download/update.exe. The malware binary (SHA256: 2883be8d86321b9b27d42d362b452e1a98b17bf5ea3bcfa97b33d795efe9658c) was dropped to C:\\Users\\admin\\Downloads\\dropper.ps1. Phishing emails were sent from info@account-update.xyz targeting enterprise users. 
A backup C2 server was identified at 77.219.156.146.", "spans": {"ORGANIZATION: Recorded Future": [[0, 15]], "THREAT_ACTOR: Mustang Panda": [[63, 76]], "CVE_ID: CVE-2023-39714": [[106, 120]], "SYSTEM: VMware ESXi": [[124, 135]], "MALWARE: DanaBot": [[160, 167]], "TOOL: Burp Suite": [[172, 182]], "IP_ADDRESS: 156.115.194.116": [[219, 234]], "DOMAIN: static-auth.link": [[239, 255]], "URL: hxxps://cloud-sync.top/download/update.exe": [[297, 339]], "HASH: 2883be8d86321b9b27d42d362b452e1a98b17bf5ea3bcfa97b33d795efe9658c": [[369, 433]], "FILEPATH: C:\\Users\\admin\\Downloads\\dropper.ps1": [[450, 486]], "EMAIL: info@account-update.xyz": [[519, 542]], "IP_ADDRESS: 77.219.156.146": [[608, 622]]}, "info": {"id": "synth_v2_00023", "source": "synthetic_v2"}} +{"text": "Secureworks published a threat intelligence report linking APT28 to a new campaign exploiting CVE-2026-35216 in Apache Struts. The attackers deployed FormBook via Brute Ratel, establishing C2 communication with 10.147.144.180 and gateway-auth.io. A secondary payload was downloaded from hxxp://login-sync.live/api/v2/auth. The malware binary (SHA256: 300930f2f5e1cf3605584c9d014ef23f4d6875a79a621d4837dbfbe073ed6be0) was dropped to C:\\Users\\admin\\Downloads\\agent.py. Phishing emails were sent from report@document-share.link targeting enterprise users. 
A backup C2 server was identified at 19.119.135.202.", "spans": {"ORGANIZATION: Secureworks": [[0, 11]], "THREAT_ACTOR: APT28": [[59, 64]], "CVE_ID: CVE-2026-35216": [[94, 108]], "SYSTEM: Apache Struts": [[112, 125]], "MALWARE: FormBook": [[150, 158]], "TOOL: Brute Ratel": [[163, 174]], "IP_ADDRESS: 10.147.144.180": [[211, 225]], "DOMAIN: gateway-auth.io": [[230, 245]], "URL: hxxp://login-sync.live/api/v2/auth": [[287, 321]], "HASH: 300930f2f5e1cf3605584c9d014ef23f4d6875a79a621d4837dbfbe073ed6be0": [[351, 415]], "FILEPATH: C:\\Users\\admin\\Downloads\\agent.py": [[432, 465]], "EMAIL: report@document-share.link": [[498, 524]], "IP_ADDRESS: 19.119.135.202": [[590, 604]]}, "info": {"id": "synth_v2_00024", "source": "synthetic_v2"}} +{"text": "Palo Alto Unit 42 published a threat intelligence report linking Diamond Sleet to a new campaign exploiting CVE-2025-14163 in Apache Struts. The attackers deployed Gootloader via Brute Ratel, establishing C2 communication with 70.252.224.21 and data-cache.cc. A secondary payload was downloaded from hxxp://sync-cache.com/gate.php. The malware binary (SHA1: af50cc3c8ecd78bfd49a7cda0ea0fa1a8fdae518) was dropped to C:\\Windows\\Tasks\\backdoor.elf. Phishing emails were sent from security@document-share.link targeting enterprise users. 
A backup C2 server was identified at 172.165.128.7.", "spans": {"ORGANIZATION: Palo Alto Unit 42": [[0, 17]], "THREAT_ACTOR: Diamond Sleet": [[65, 78]], "CVE_ID: CVE-2025-14163": [[108, 122]], "SYSTEM: Apache Struts": [[126, 139]], "MALWARE: Gootloader": [[164, 174]], "TOOL: Brute Ratel": [[179, 190]], "IP_ADDRESS: 70.252.224.21": [[227, 240]], "DOMAIN: data-cache.cc": [[245, 258]], "URL: hxxp://sync-cache.com/gate.php": [[300, 330]], "HASH: af50cc3c8ecd78bfd49a7cda0ea0fa1a8fdae518": [[358, 398]], "FILEPATH: C:\\Windows\\Tasks\\backdoor.elf": [[415, 444]], "EMAIL: security@document-share.link": [[477, 505]], "IP_ADDRESS: 172.165.128.7": [[571, 584]]}, "info": {"id": "synth_v2_00025", "source": "synthetic_v2"}} +{"text": "FBI published a threat intelligence report linking Storm-0558 to a new campaign exploiting CVE-2024-23826 in SonicWall SMA. The attackers deployed Qbot via Impacket, establishing C2 communication with 83.53.82.85 and edgecdn.online. A secondary payload was downloaded from hxxps://storage-sync.tech/callback. The malware binary (SHA1: bd979cdc21c161cbed9df94448ea0af15125fa99) was dropped to C:\\Windows\\Temp\\dropper.ps1. Phishing emails were sent from updates@identity-verify.cc targeting enterprise users. 
A backup C2 server was identified at 178.253.147.170.", "spans": {"ORGANIZATION: FBI": [[0, 3]], "THREAT_ACTOR: Storm-0558": [[51, 61]], "CVE_ID: CVE-2024-23826": [[91, 105]], "SYSTEM: SonicWall SMA": [[109, 122]], "MALWARE: Qbot": [[147, 151]], "TOOL: Impacket": [[156, 164]], "IP_ADDRESS: 83.53.82.85": [[201, 212]], "DOMAIN: edgecdn.online": [[217, 231]], "URL: hxxps://storage-sync.tech/callback": [[273, 307]], "HASH: bd979cdc21c161cbed9df94448ea0af15125fa99": [[335, 375]], "FILEPATH: C:\\Windows\\Temp\\dropper.ps1": [[392, 419]], "EMAIL: updates@identity-verify.cc": [[452, 478]], "IP_ADDRESS: 178.253.147.170": [[544, 559]]}, "info": {"id": "synth_v2_00026", "source": "synthetic_v2"}} +{"text": "SentinelOne published a threat intelligence report linking APT29 to a new campaign exploiting CVE-2026-10752 in Zyxel USG. The attackers deployed Hive via LaZagne, establishing C2 communication with 10.136.67.238 and secure-backup.io. A secondary payload was downloaded from hxxp://edge-gateway.net/api/v2/auth. The malware binary (MD5: 24872fa35bbae64fda9a336ad763c164) was dropped to C:\\Users\\Public\\Documents\\payload.bin. Phishing emails were sent from verify@mail-service.info targeting enterprise users. 
A backup C2 server was identified at 113.248.62.8.", "spans": {"ORGANIZATION: SentinelOne": [[0, 11]], "THREAT_ACTOR: APT29": [[59, 64]], "CVE_ID: CVE-2026-10752": [[94, 108]], "SYSTEM: Zyxel USG": [[112, 121]], "MALWARE: Hive": [[146, 150]], "TOOL: LaZagne": [[155, 162]], "IP_ADDRESS: 10.136.67.238": [[199, 212]], "DOMAIN: secure-backup.io": [[217, 233]], "URL: hxxp://edge-gateway.net/api/v2/auth": [[275, 310]], "HASH: 24872fa35bbae64fda9a336ad763c164": [[337, 369]], "FILEPATH: C:\\Users\\Public\\Documents\\payload.bin": [[386, 423]], "EMAIL: verify@mail-service.info": [[456, 480]], "IP_ADDRESS: 113.248.62.8": [[546, 558]]}, "info": {"id": "synth_v2_00027", "source": "synthetic_v2"}} +{"text": "Tenable published a threat intelligence report linking Charming Kitten to a new campaign exploiting CVE-2026-40674 in F5 BIG-IP. The attackers deployed SystemBC via Sliver, establishing C2 communication with 172.74.196.49 and updatebackup.club. A secondary payload was downloaded from http://cachecache.top/download/update.exe. The malware binary (MD5: 629ab31c8a4ecd3db1cd2e1b40baac66) was dropped to /dev/shm/csrss.exe. Phishing emails were sent from ceo@urgent-notice.online targeting enterprise users. 
A backup C2 server was identified at 10.141.212.88.", "spans": {"ORGANIZATION: Tenable": [[0, 7]], "THREAT_ACTOR: Charming Kitten": [[55, 70]], "CVE_ID: CVE-2026-40674": [[100, 114]], "SYSTEM: F5 BIG-IP": [[118, 127]], "MALWARE: SystemBC": [[152, 160]], "TOOL: Sliver": [[165, 171]], "IP_ADDRESS: 172.74.196.49": [[208, 221]], "DOMAIN: updatebackup.club": [[226, 243]], "URL: http://cachecache.top/download/update.exe": [[285, 326]], "HASH: 629ab31c8a4ecd3db1cd2e1b40baac66": [[353, 385]], "FILEPATH: /dev/shm/csrss.exe": [[402, 420]], "EMAIL: ceo@urgent-notice.online": [[453, 477]], "IP_ADDRESS: 10.141.212.88": [[543, 556]]}, "info": {"id": "synth_v2_00028", "source": "synthetic_v2"}} +{"text": "CISA published a threat intelligence report linking Velvet Tempest to a new campaign exploiting CVE-2024-13665 in Palo Alto PAN-OS. The attackers deployed WarmCookie via Ligolo, establishing C2 communication with 192.196.119.220 and portallogin.online. A secondary payload was downloaded from https://login-node.cc/api/v2/auth. The malware binary (MD5: 48a4e1f9efd8b539802ffa430648f24c) was dropped to C:\\Users\\Public\\Documents\\loader.exe. Phishing emails were sent from updates@phishing-domain.com targeting enterprise users. 
A backup C2 server was identified at 12.162.242.181.", "spans": {"ORGANIZATION: CISA": [[0, 4]], "THREAT_ACTOR: Velvet Tempest": [[52, 66]], "CVE_ID: CVE-2024-13665": [[96, 110]], "SYSTEM: Palo Alto PAN-OS": [[114, 130]], "MALWARE: WarmCookie": [[155, 165]], "TOOL: Ligolo": [[170, 176]], "IP_ADDRESS: 192.196.119.220": [[213, 228]], "DOMAIN: portallogin.online": [[233, 251]], "URL: https://login-node.cc/api/v2/auth": [[293, 326]], "HASH: 48a4e1f9efd8b539802ffa430648f24c": [[353, 385]], "FILEPATH: C:\\Users\\Public\\Documents\\loader.exe": [[402, 438]], "EMAIL: updates@phishing-domain.com": [[471, 498]], "IP_ADDRESS: 12.162.242.181": [[564, 578]]}, "info": {"id": "synth_v2_00029", "source": "synthetic_v2"}} +{"text": "Qualys published a threat intelligence report linking Aqua Blizzard to a new campaign exploiting CVE-2021-33526 in Ubuntu 22.04. The attackers deployed LockBit via Sliver, establishing C2 communication with 201.135.173.160 and storageproxy.live. A secondary payload was downloaded from https://static-api.xyz/wp-content/uploads/doc.php. The malware binary (SHA1: 87a689b8d0456a4b6bee0748c7c17355d6e9fa2a) was dropped to C:\\ProgramData\\ntds.dit. Phishing emails were sent from alert@secure-verify.net targeting enterprise users. 
A backup C2 server was identified at 167.41.168.219.", "spans": {"ORGANIZATION: Qualys": [[0, 6]], "THREAT_ACTOR: Aqua Blizzard": [[54, 67]], "CVE_ID: CVE-2021-33526": [[97, 111]], "SYSTEM: Ubuntu 22.04": [[115, 127]], "MALWARE: LockBit": [[152, 159]], "TOOL: Sliver": [[164, 170]], "IP_ADDRESS: 201.135.173.160": [[207, 222]], "DOMAIN: storageproxy.live": [[227, 244]], "URL: https://static-api.xyz/wp-content/uploads/doc.php": [[286, 335]], "HASH: 87a689b8d0456a4b6bee0748c7c17355d6e9fa2a": [[363, 403]], "FILEPATH: C:\\ProgramData\\ntds.dit": [[420, 443]], "EMAIL: alert@secure-verify.net": [[476, 499]], "IP_ADDRESS: 167.41.168.219": [[565, 579]]}, "info": {"id": "synth_v2_00030", "source": "synthetic_v2"}} +{"text": "Trend Micro published a threat intelligence report linking Midnight Blizzard to a new campaign exploiting CVE-2020-45741 in Windows 11. The attackers deployed REvil via WinPEAS, establishing C2 communication with 204.28.150.92 and cachesecure.org. A secondary payload was downloaded from http://api-static.live/collect. The malware binary (SHA1: 16a8f5ebcc4417461a507887cf21889595e394bc) was dropped to /var/tmp/beacon.dll. Phishing emails were sent from notification@account-update.xyz targeting enterprise users. 
A backup C2 server was identified at 111.74.125.136.", "spans": {"ORGANIZATION: Trend Micro": [[0, 11]], "THREAT_ACTOR: Midnight Blizzard": [[59, 76]], "CVE_ID: CVE-2020-45741": [[106, 120]], "SYSTEM: Windows 11": [[124, 134]], "MALWARE: REvil": [[159, 164]], "TOOL: WinPEAS": [[169, 176]], "IP_ADDRESS: 204.28.150.92": [[213, 226]], "DOMAIN: cachesecure.org": [[231, 246]], "URL: http://api-static.live/collect": [[288, 318]], "HASH: 16a8f5ebcc4417461a507887cf21889595e394bc": [[346, 386]], "FILEPATH: /var/tmp/beacon.dll": [[403, 422]], "EMAIL: notification@account-update.xyz": [[455, 486]], "IP_ADDRESS: 111.74.125.136": [[552, 566]]}, "info": {"id": "synth_v2_00031", "source": "synthetic_v2"}} +{"text": "Kaspersky GReAT published a threat intelligence report linking FIN7 to a new campaign exploiting CVE-2025-37666 in Active Directory. The attackers deployed ShadowPad via Sharphound, establishing C2 communication with 172.147.80.19 and relaybackup.xyz. A secondary payload was downloaded from http://proxyauth.xyz/collect. The malware binary (MD5: f7f47c40bf38472859b1116d05cfe79d) was dropped to /home/user/.config/agent.py. Phishing emails were sent from admin@identity-verify.cc targeting enterprise users. 
A backup C2 server was identified at 89.153.217.177.", "spans": {"ORGANIZATION: Kaspersky GReAT": [[0, 15]], "THREAT_ACTOR: FIN7": [[63, 67]], "CVE_ID: CVE-2025-37666": [[97, 111]], "SYSTEM: Active Directory": [[115, 131]], "MALWARE: ShadowPad": [[156, 165]], "TOOL: Sharphound": [[170, 180]], "IP_ADDRESS: 172.147.80.19": [[217, 230]], "DOMAIN: relaybackup.xyz": [[235, 250]], "URL: http://proxyauth.xyz/collect": [[292, 320]], "HASH: f7f47c40bf38472859b1116d05cfe79d": [[347, 379]], "FILEPATH: /home/user/.config/agent.py": [[396, 423]], "EMAIL: admin@identity-verify.cc": [[456, 480]], "IP_ADDRESS: 89.153.217.177": [[546, 560]]}, "info": {"id": "synth_v2_00032", "source": "synthetic_v2"}} +{"text": "Qualys published a threat intelligence report linking FIN11 to a new campaign exploiting CVE-2020-11952 in Progress Telerik. The attackers deployed Emotet via BITSAdmin, establishing C2 communication with 214.146.117.156 and auth-cdn.info. A secondary payload was downloaded from hxxp://cdncache.tech/api/v2/auth. The malware binary (MD5: 6b8f7766a7d75ec031daefa6b00a1e30) was dropped to /opt/app/bin/ntds.dit. Phishing emails were sent from security@login-portal.tech targeting enterprise users. 
A backup C2 server was identified at 57.97.128.174.", "spans": {"ORGANIZATION: Qualys": [[0, 6]], "THREAT_ACTOR: FIN11": [[54, 59]], "CVE_ID: CVE-2020-11952": [[89, 103]], "SYSTEM: Progress Telerik": [[107, 123]], "MALWARE: Emotet": [[148, 154]], "TOOL: BITSAdmin": [[159, 168]], "IP_ADDRESS: 214.146.117.156": [[205, 220]], "DOMAIN: auth-cdn.info": [[225, 238]], "URL: hxxp://cdncache.tech/api/v2/auth": [[280, 312]], "HASH: 6b8f7766a7d75ec031daefa6b00a1e30": [[339, 371]], "FILEPATH: /opt/app/bin/ntds.dit": [[388, 409]], "EMAIL: security@login-portal.tech": [[442, 468]], "IP_ADDRESS: 57.97.128.174": [[534, 547]]}, "info": {"id": "synth_v2_00033", "source": "synthetic_v2"}} +{"text": "SentinelOne published a threat intelligence report linking Mustang Panda to a new campaign exploiting CVE-2026-20365 in Juniper SRX. The attackers deployed WarmCookie via Mythic, establishing C2 communication with 213.84.131.234 and relay-api.org. A secondary payload was downloaded from hxxps://portal-edge.tech/callback. The malware binary (SHA256: c29bfbd8bb71588032a5f51b8bb533e8a2fe47ce8008c5af7113c96ff0a7dc1a) was dropped to /usr/local/bin/dropper.ps1. Phishing emails were sent from alert@credential-check.site targeting enterprise users. 
A backup C2 server was identified at 207.151.173.206.", "spans": {"ORGANIZATION: SentinelOne": [[0, 11]], "THREAT_ACTOR: Mustang Panda": [[59, 72]], "CVE_ID: CVE-2026-20365": [[102, 116]], "SYSTEM: Juniper SRX": [[120, 131]], "MALWARE: WarmCookie": [[156, 166]], "TOOL: Mythic": [[171, 177]], "IP_ADDRESS: 213.84.131.234": [[214, 228]], "DOMAIN: relay-api.org": [[233, 246]], "URL: hxxps://portal-edge.tech/callback": [[288, 321]], "HASH: c29bfbd8bb71588032a5f51b8bb533e8a2fe47ce8008c5af7113c96ff0a7dc1a": [[351, 415]], "FILEPATH: /usr/local/bin/dropper.ps1": [[432, 458]], "EMAIL: alert@credential-check.site": [[491, 518]], "IP_ADDRESS: 207.151.173.206": [[584, 599]]}, "info": {"id": "synth_v2_00034", "source": "synthetic_v2"}} +{"text": "Proofpoint published a threat intelligence report linking BlackTech to a new campaign exploiting CVE-2024-40071 in VMware ESXi. The attackers deployed SmokeLoader via BITSAdmin, establishing C2 communication with 172.12.167.235 and gatewayauth.org. A secondary payload was downloaded from hxxps://cdn-backup.online/api/v2/auth. The malware binary (SHA256: fd302276f8c9c65de3758b622678d38b0c206d1ecbe34b8faffd955d898639a0) was dropped to C:\\Windows\\System32\\lsass.dmp. Phishing emails were sent from updates@auth-check.org targeting enterprise users. 
A backup C2 server was identified at 192.32.237.233.", "spans": {"ORGANIZATION: Proofpoint": [[0, 10]], "THREAT_ACTOR: BlackTech": [[58, 67]], "CVE_ID: CVE-2024-40071": [[97, 111]], "SYSTEM: VMware ESXi": [[115, 126]], "MALWARE: SmokeLoader": [[151, 162]], "TOOL: BITSAdmin": [[167, 176]], "IP_ADDRESS: 172.12.167.235": [[213, 227]], "DOMAIN: gatewayauth.org": [[232, 247]], "URL: hxxps://cdn-backup.online/api/v2/auth": [[289, 326]], "HASH: fd302276f8c9c65de3758b622678d38b0c206d1ecbe34b8faffd955d898639a0": [[356, 420]], "FILEPATH: C:\\Windows\\System32\\lsass.dmp": [[437, 466]], "EMAIL: updates@auth-check.org": [[499, 521]], "IP_ADDRESS: 192.32.237.233": [[587, 601]]}, "info": {"id": "synth_v2_00035", "source": "synthetic_v2"}} +{"text": "Europol published a threat intelligence report linking Star Blizzard to a new campaign exploiting CVE-2021-33526 in SonicWall SMA. The attackers deployed WarmCookie via Sliver, establishing C2 communication with 172.208.143.9 and mail-auth.top. A secondary payload was downloaded from http://edgemail.com/portal/verify. The malware binary (SHA256: 5cc10c2390df87920c44d65742a54673ecab69df8629e4cda65b578a47f41260) was dropped to C:\\Users\\Public\\Documents\\sam.hive. Phishing emails were sent from info@login-portal.tech targeting enterprise users. 
A backup C2 server was identified at 56.227.227.244.", "spans": {"ORGANIZATION: Europol": [[0, 7]], "THREAT_ACTOR: Star Blizzard": [[55, 68]], "CVE_ID: CVE-2021-33526": [[98, 112]], "SYSTEM: SonicWall SMA": [[116, 129]], "MALWARE: WarmCookie": [[154, 164]], "TOOL: Sliver": [[169, 175]], "IP_ADDRESS: 172.208.143.9": [[212, 225]], "DOMAIN: mail-auth.top": [[230, 243]], "URL: http://edgemail.com/portal/verify": [[285, 318]], "HASH: 5cc10c2390df87920c44d65742a54673ecab69df8629e4cda65b578a47f41260": [[348, 412]], "FILEPATH: C:\\Users\\Public\\Documents\\sam.hive": [[429, 463]], "EMAIL: info@login-portal.tech": [[496, 518]], "IP_ADDRESS: 56.227.227.244": [[584, 598]]}, "info": {"id": "synth_v2_00036", "source": "synthetic_v2"}} +{"text": "Mandiant published a threat intelligence report linking UNC2452 to a new campaign exploiting CVE-2024-30673 in Microsoft Exchange. The attackers deployed StealC via Mimikatz, establishing C2 communication with 192.105.35.213 and static-update.info. A secondary payload was downloaded from hxxp://login-edge.info/api/v2/auth. The malware binary (SHA1: 0163a8c4098a2cc222f1acf6447b598a04e684ee) was dropped to C:\\Windows\\Temp\\payload.bin. Phishing emails were sent from admin@auth-check.org targeting enterprise users. 
A backup C2 server was identified at 192.110.119.85.", "spans": {"ORGANIZATION: Mandiant": [[0, 8]], "THREAT_ACTOR: UNC2452": [[56, 63]], "CVE_ID: CVE-2024-30673": [[93, 107]], "SYSTEM: Microsoft Exchange": [[111, 129]], "MALWARE: StealC": [[154, 160]], "TOOL: Mimikatz": [[165, 173]], "IP_ADDRESS: 192.105.35.213": [[210, 224]], "DOMAIN: static-update.info": [[229, 247]], "URL: hxxp://login-edge.info/api/v2/auth": [[289, 323]], "HASH: 0163a8c4098a2cc222f1acf6447b598a04e684ee": [[351, 391]], "FILEPATH: C:\\Windows\\Temp\\payload.bin": [[408, 435]], "EMAIL: admin@auth-check.org": [[468, 488]], "IP_ADDRESS: 192.110.119.85": [[554, 568]]}, "info": {"id": "synth_v2_00037", "source": "synthetic_v2"}} +{"text": "Sophos X-Ops published a threat intelligence report linking Granite Typhoon to a new campaign exploiting CVE-2020-24628 in Fortinet FortiGate. The attackers deployed BumbleBee via BITSAdmin, establishing C2 communication with 14.64.215.135 and nodecache.net. A secondary payload was downloaded from hxxps://nodedata.cc/assets/js/payload.js. The malware binary (SHA1: b79bc049f017072bf407f029402ef56f2dcf06f2) was dropped to /home/user/.config/sam.hive. Phishing emails were sent from admin@phishing-domain.com targeting enterprise users. 
A backup C2 server was identified at 192.32.243.115.", "spans": {"ORGANIZATION: Sophos X-Ops": [[0, 12]], "THREAT_ACTOR: Granite Typhoon": [[60, 75]], "CVE_ID: CVE-2020-24628": [[105, 119]], "SYSTEM: Fortinet FortiGate": [[123, 141]], "MALWARE: BumbleBee": [[166, 175]], "TOOL: BITSAdmin": [[180, 189]], "IP_ADDRESS: 14.64.215.135": [[226, 239]], "DOMAIN: nodecache.net": [[244, 257]], "URL: hxxps://nodedata.cc/assets/js/payload.js": [[299, 339]], "HASH: b79bc049f017072bf407f029402ef56f2dcf06f2": [[367, 407]], "FILEPATH: /home/user/.config/sam.hive": [[424, 451]], "EMAIL: admin@phishing-domain.com": [[484, 509]], "IP_ADDRESS: 192.32.243.115": [[575, 589]]}, "info": {"id": "synth_v2_00038", "source": "synthetic_v2"}} +{"text": "Zscaler ThreatLabz published a threat intelligence report linking Ember Bear to a new campaign exploiting CVE-2021-10425 in F5 BIG-IP. The attackers deployed Vidar via Sliver, establishing C2 communication with 19.41.164.156 and portalstatic.io. A secondary payload was downloaded from http://relaynode.cc/api/v2/auth. The malware binary (SHA1: a3c2a25cd751695ce81b16d01f567cc42b44e656) was dropped to C:\\Users\\Public\\Documents\\dropper.ps1. Phishing emails were sent from billing@identity-verify.cc targeting enterprise users. 
A backup C2 server was identified at 10.64.140.160.", "spans": {"ORGANIZATION: Zscaler ThreatLabz": [[0, 18]], "THREAT_ACTOR: Ember Bear": [[66, 76]], "CVE_ID: CVE-2021-10425": [[106, 120]], "SYSTEM: F5 BIG-IP": [[124, 133]], "MALWARE: Vidar": [[158, 163]], "TOOL: Sliver": [[168, 174]], "IP_ADDRESS: 19.41.164.156": [[211, 224]], "DOMAIN: portalstatic.io": [[229, 244]], "URL: http://relaynode.cc/api/v2/auth": [[286, 317]], "HASH: a3c2a25cd751695ce81b16d01f567cc42b44e656": [[345, 385]], "FILEPATH: C:\\Users\\Public\\Documents\\dropper.ps1": [[402, 439]], "EMAIL: billing@identity-verify.cc": [[472, 498]], "IP_ADDRESS: 10.64.140.160": [[564, 577]]}, "info": {"id": "synth_v2_00039", "source": "synthetic_v2"}} +{"text": "Sophos X-Ops published a threat intelligence report linking Midnight Blizzard to a new campaign exploiting CVE-2025-20484 in Cisco ASA. The attackers deployed Play via Sliver, establishing C2 communication with 187.48.160.110 and proxy-api.net. A secondary payload was downloaded from https://api-gateway.net/download/update.exe. The malware binary (SHA1: bd3a0e36ca5a56df8a3423b1e52a968066d2acbb) was dropped to C:\\Users\\admin\\AppData\\Local\\Temp\\shell.php. Phishing emails were sent from confirm@urgent-notice.online targeting enterprise users. 
A backup C2 server was identified at 171.130.191.245.", "spans": {"ORGANIZATION: Sophos X-Ops": [[0, 12]], "THREAT_ACTOR: Midnight Blizzard": [[60, 77]], "CVE_ID: CVE-2025-20484": [[107, 121]], "SYSTEM: Cisco ASA": [[125, 134]], "MALWARE: Play": [[159, 163]], "TOOL: Sliver": [[168, 174]], "IP_ADDRESS: 187.48.160.110": [[211, 225]], "DOMAIN: proxy-api.net": [[230, 243]], "URL: https://api-gateway.net/download/update.exe": [[285, 328]], "HASH: bd3a0e36ca5a56df8a3423b1e52a968066d2acbb": [[356, 396]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\shell.php": [[413, 456]], "EMAIL: confirm@urgent-notice.online": [[489, 517]], "IP_ADDRESS: 171.130.191.245": [[583, 598]]}, "info": {"id": "synth_v2_00040", "source": "synthetic_v2"}} +{"text": "SentinelOne published a threat intelligence report linking Scattered Spider to a new campaign exploiting CVE-2025-24373 in Windows 11. The attackers deployed Conti via Sliver, establishing C2 communication with 154.159.180.27 and mail-edge.tech. A secondary payload was downloaded from http://sync-cache.xyz/panel/index.html. The malware binary (SHA1: db37ecca584a882ac7b6a828318c6d2f85acc604) was dropped to C:\\Windows\\Temp\\implant.so. Phishing emails were sent from hr@phishing-domain.com targeting enterprise users. 
A backup C2 server was identified at 10.246.114.217.", "spans": {"ORGANIZATION: SentinelOne": [[0, 11]], "THREAT_ACTOR: Scattered Spider": [[59, 75]], "CVE_ID: CVE-2025-24373": [[105, 119]], "SYSTEM: Windows 11": [[123, 133]], "MALWARE: Conti": [[158, 163]], "TOOL: Sliver": [[168, 174]], "IP_ADDRESS: 154.159.180.27": [[211, 225]], "DOMAIN: mail-edge.tech": [[230, 244]], "URL: http://sync-cache.xyz/panel/index.html": [[286, 324]], "HASH: db37ecca584a882ac7b6a828318c6d2f85acc604": [[352, 392]], "FILEPATH: C:\\Windows\\Temp\\implant.so": [[409, 435]], "EMAIL: hr@phishing-domain.com": [[468, 490]], "IP_ADDRESS: 10.246.114.217": [[556, 570]]}, "info": {"id": "synth_v2_00041", "source": "synthetic_v2"}} +{"text": "Huntress published a threat intelligence report linking Turla to a new campaign exploiting CVE-2023-46500 in Atlassian Confluence. The attackers deployed SystemBC via WinPEAS, establishing C2 communication with 2.92.73.145 and portal-gateway.online. A secondary payload was downloaded from https://securemail.info/collect. The malware binary (SHA1: 0aba10e88b76f7033e20324f148cbb5de0b5b0b3) was dropped to C:\\ProgramData\\update.dll. Phishing emails were sent from noreply@account-update.xyz targeting enterprise users. 
A backup C2 server was identified at 18.72.15.24.", "spans": {"ORGANIZATION: Huntress": [[0, 8]], "THREAT_ACTOR: Turla": [[56, 61]], "CVE_ID: CVE-2023-46500": [[91, 105]], "SYSTEM: Atlassian Confluence": [[109, 129]], "MALWARE: SystemBC": [[154, 162]], "TOOL: WinPEAS": [[167, 174]], "IP_ADDRESS: 2.92.73.145": [[211, 222]], "DOMAIN: portal-gateway.online": [[227, 248]], "URL: https://securemail.info/collect": [[290, 321]], "HASH: 0aba10e88b76f7033e20324f148cbb5de0b5b0b3": [[349, 389]], "FILEPATH: C:\\ProgramData\\update.dll": [[406, 431]], "EMAIL: noreply@account-update.xyz": [[464, 490]], "IP_ADDRESS: 18.72.15.24": [[556, 567]]}, "info": {"id": "synth_v2_00042", "source": "synthetic_v2"}} +{"text": "Zscaler ThreatLabz published a threat intelligence report linking Velvet Tempest to a new campaign exploiting CVE-2021-23031 in Active Directory. The attackers deployed Meduza Stealer via BloodHound, establishing C2 communication with 170.217.248.156 and mail-gateway.net. A secondary payload was downloaded from https://cacheproxy.io/login. The malware binary (SHA256: 18556f832ed01824e644e9fecc512e14b64b65eaa760839f8aeed55662514f47) was dropped to C:\\Users\\admin\\Desktop\\implant.so. Phishing emails were sent from support@phishing-domain.com targeting enterprise users. 
A backup C2 server was identified at 107.139.110.194.", "spans": {"ORGANIZATION: Zscaler ThreatLabz": [[0, 18]], "THREAT_ACTOR: Velvet Tempest": [[66, 80]], "CVE_ID: CVE-2021-23031": [[110, 124]], "SYSTEM: Active Directory": [[128, 144]], "MALWARE: Meduza Stealer": [[169, 183]], "TOOL: BloodHound": [[188, 198]], "IP_ADDRESS: 170.217.248.156": [[235, 250]], "DOMAIN: mail-gateway.net": [[255, 271]], "URL: https://cacheproxy.io/login": [[313, 340]], "HASH: 18556f832ed01824e644e9fecc512e14b64b65eaa760839f8aeed55662514f47": [[370, 434]], "FILEPATH: C:\\Users\\admin\\Desktop\\implant.so": [[451, 484]], "EMAIL: support@phishing-domain.com": [[517, 544]], "IP_ADDRESS: 107.139.110.194": [[610, 625]]}, "info": {"id": "synth_v2_00043", "source": "synthetic_v2"}} +{"text": "Huntress published a threat intelligence report linking Sandworm to a new campaign exploiting CVE-2021-16698 in Active Directory. The attackers deployed AsyncRAT via SharpHound, establishing C2 communication with 84.61.3.128 and node-edge.live. A secondary payload was downloaded from hxxps://apiportal.live/callback. The malware binary (SHA256: e52049e70d904c93a0383485aed3a61be95a83ea80ac42dd939edeb1addd2f09) was dropped to C:\\Windows\\Tasks\\chrome_helper.exe. Phishing emails were sent from ceo@document-share.link targeting enterprise users. 
A backup C2 server was identified at 45.66.194.137.", "spans": {"ORGANIZATION: Huntress": [[0, 8]], "THREAT_ACTOR: Sandworm": [[56, 64]], "CVE_ID: CVE-2021-16698": [[94, 108]], "SYSTEM: Active Directory": [[112, 128]], "MALWARE: AsyncRAT": [[153, 161]], "TOOL: SharpHound": [[166, 176]], "IP_ADDRESS: 84.61.3.128": [[213, 224]], "DOMAIN: node-edge.live": [[229, 243]], "URL: hxxps://apiportal.live/callback": [[285, 316]], "HASH: e52049e70d904c93a0383485aed3a61be95a83ea80ac42dd939edeb1addd2f09": [[346, 410]], "FILEPATH: C:\\Windows\\Tasks\\chrome_helper.exe": [[427, 461]], "EMAIL: ceo@document-share.link": [[494, 517]], "IP_ADDRESS: 45.66.194.137": [[583, 596]]}, "info": {"id": "synth_v2_00044", "source": "synthetic_v2"}} +{"text": "Secureworks published a threat intelligence report linking Storm-0558 to a new campaign exploiting CVE-2025-36175 in Apache Struts. The attackers deployed DanaBot via Ligolo, establishing C2 communication with 172.10.166.44 and data-gateway.cc. A secondary payload was downloaded from https://nodeapi.site/assets/js/payload.js. The malware binary (MD5: c68321228867bd27aca9e7eea118a233) was dropped to /var/tmp/winlogon.exe. Phishing emails were sent from security@secure-verify.net targeting enterprise users. 
A backup C2 server was identified at 213.185.45.112.", "spans": {"ORGANIZATION: Secureworks": [[0, 11]], "THREAT_ACTOR: Storm-0558": [[59, 69]], "CVE_ID: CVE-2025-36175": [[99, 113]], "SYSTEM: Apache Struts": [[117, 130]], "MALWARE: DanaBot": [[155, 162]], "TOOL: Ligolo": [[167, 173]], "IP_ADDRESS: 172.10.166.44": [[210, 223]], "DOMAIN: data-gateway.cc": [[228, 243]], "URL: https://nodeapi.site/assets/js/payload.js": [[285, 326]], "HASH: c68321228867bd27aca9e7eea118a233": [[353, 385]], "FILEPATH: /var/tmp/winlogon.exe": [[402, 423]], "EMAIL: security@secure-verify.net": [[456, 482]], "IP_ADDRESS: 213.185.45.112": [[548, 562]]}, "info": {"id": "synth_v2_00045", "source": "synthetic_v2"}} +{"text": "NSA published a threat intelligence report linking Charming Kitten to a new campaign exploiting CVE-2022-46178 in Ivanti Connect Secure. The attackers deployed Conti via LaZagne, establishing C2 communication with 187.75.120.27 and api-secure.link. A secondary payload was downloaded from http://relaycache.link/admin/config. The malware binary (SHA1: 0d2987cad11d97c129220ae084d2375191512b5d) was dropped to /opt/app/bin/winlogon.exe. Phishing emails were sent from noreply@credential-check.site targeting enterprise users. 
A backup C2 server was identified at 172.101.88.155.", "spans": {"ORGANIZATION: NSA": [[0, 3]], "THREAT_ACTOR: Charming Kitten": [[51, 66]], "CVE_ID: CVE-2022-46178": [[96, 110]], "SYSTEM: Ivanti Connect Secure": [[114, 135]], "MALWARE: Conti": [[160, 165]], "TOOL: LaZagne": [[170, 177]], "IP_ADDRESS: 187.75.120.27": [[214, 227]], "DOMAIN: api-secure.link": [[232, 247]], "URL: http://relaycache.link/admin/config": [[289, 324]], "HASH: 0d2987cad11d97c129220ae084d2375191512b5d": [[352, 392]], "FILEPATH: /opt/app/bin/winlogon.exe": [[409, 434]], "EMAIL: noreply@credential-check.site": [[467, 496]], "IP_ADDRESS: 172.101.88.155": [[562, 576]]}, "info": {"id": "synth_v2_00046", "source": "synthetic_v2"}} +{"text": "Check Point Research published a threat intelligence report linking Lazarus Group to a new campaign exploiting CVE-2023-34867 in Active Directory. The attackers deployed Amadey via Brute Ratel, establishing C2 communication with 172.37.158.119 and apiapi.cc. A secondary payload was downloaded from hxxps://relaycache.io/gate.php. The malware binary (SHA1: 957b656ce624bbf47752b26f01607b0941e25f61) was dropped to /tmp/winlogon.exe. Phishing emails were sent from report@credential-check.site targeting enterprise users. 
A backup C2 server was identified at 10.29.188.213.", "spans": {"ORGANIZATION: Check Point Research": [[0, 20]], "THREAT_ACTOR: Lazarus Group": [[68, 81]], "CVE_ID: CVE-2023-34867": [[111, 125]], "SYSTEM: Active Directory": [[129, 145]], "MALWARE: Amadey": [[170, 176]], "TOOL: Brute Ratel": [[181, 192]], "IP_ADDRESS: 172.37.158.119": [[229, 243]], "DOMAIN: apiapi.cc": [[248, 257]], "URL: hxxps://relaycache.io/gate.php": [[299, 329]], "HASH: 957b656ce624bbf47752b26f01607b0941e25f61": [[357, 397]], "FILEPATH: /tmp/winlogon.exe": [[414, 431]], "EMAIL: report@credential-check.site": [[464, 492]], "IP_ADDRESS: 10.29.188.213": [[558, 571]]}, "info": {"id": "synth_v2_00047", "source": "synthetic_v2"}} +{"text": "CISA published a threat intelligence report linking Charming Kitten to a new campaign exploiting CVE-2021-28231 in Atlassian Confluence. The attackers deployed LockBit via BloodHound, establishing C2 communication with 192.88.20.64 and portalgateway.link. A secondary payload was downloaded from https://staticcdn.link/api/v2/auth. The malware binary (MD5: 5f0bb717bce47af9e4f74a0f03790bba) was dropped to C:\\Users\\Public\\Documents\\dropper.ps1. Phishing emails were sent from service@mail-service.info targeting enterprise users. 
A backup C2 server was identified at 113.81.186.96.", "spans": {"ORGANIZATION: CISA": [[0, 4]], "THREAT_ACTOR: Charming Kitten": [[52, 67]], "CVE_ID: CVE-2021-28231": [[97, 111]], "SYSTEM: Atlassian Confluence": [[115, 135]], "MALWARE: LockBit": [[160, 167]], "TOOL: BloodHound": [[172, 182]], "IP_ADDRESS: 192.88.20.64": [[219, 231]], "DOMAIN: portalgateway.link": [[236, 254]], "URL: https://staticcdn.link/api/v2/auth": [[296, 330]], "HASH: 5f0bb717bce47af9e4f74a0f03790bba": [[357, 389]], "FILEPATH: C:\\Users\\Public\\Documents\\dropper.ps1": [[406, 443]], "EMAIL: service@mail-service.info": [[476, 501]], "IP_ADDRESS: 113.81.186.96": [[567, 580]]}, "info": {"id": "synth_v2_00048", "source": "synthetic_v2"}} +{"text": "Microsoft MSRC published a threat intelligence report linking FIN11 to a new campaign exploiting CVE-2024-30673 in Ubuntu 22.04. The attackers deployed StealC via Havoc, establishing C2 communication with 172.158.200.34 and node-api.top. A secondary payload was downloaded from https://nodemail.com/portal/verify. The malware binary (SHA256: e7fbd709fb2f5bd82d8ab54e188e4276766747a82d44ccbced80a1d0fa9440d7) was dropped to /tmp/winlogon.exe. Phishing emails were sent from verify@login-portal.tech targeting enterprise users. 
A backup C2 server was identified at 172.192.168.209.", "spans": {"ORGANIZATION: Microsoft MSRC": [[0, 14]], "THREAT_ACTOR: FIN11": [[62, 67]], "CVE_ID: CVE-2024-30673": [[97, 111]], "SYSTEM: Ubuntu 22.04": [[115, 127]], "MALWARE: StealC": [[152, 158]], "TOOL: Havoc": [[163, 168]], "IP_ADDRESS: 172.158.200.34": [[205, 219]], "DOMAIN: node-api.top": [[224, 236]], "URL: https://nodemail.com/portal/verify": [[278, 312]], "HASH: e7fbd709fb2f5bd82d8ab54e188e4276766747a82d44ccbced80a1d0fa9440d7": [[342, 406]], "FILEPATH: /tmp/winlogon.exe": [[423, 440]], "EMAIL: verify@login-portal.tech": [[473, 497]], "IP_ADDRESS: 172.192.168.209": [[563, 578]]}, "info": {"id": "synth_v2_00049", "source": "synthetic_v2"}} +{"text": "Recorded Future published a threat intelligence report linking FIN7 to a new campaign exploiting CVE-2023-20708 in VMware ESXi. The attackers deployed BlackCat via CrackMapExec, establishing C2 communication with 192.172.67.153 and relay-cdn.site. A secondary payload was downloaded from https://datarelay.cc/assets/js/payload.js. The malware binary (MD5: 6590e446efc8c043e7dd1affed046d25) was dropped to /var/tmp/dropper.ps1. Phishing emails were sent from helpdesk@mail-service.info targeting enterprise users. 
A backup C2 server was identified at 40.83.92.213.", "spans": {"ORGANIZATION: Recorded Future": [[0, 15]], "THREAT_ACTOR: FIN7": [[63, 67]], "CVE_ID: CVE-2023-20708": [[97, 111]], "SYSTEM: VMware ESXi": [[115, 126]], "MALWARE: BlackCat": [[151, 159]], "TOOL: CrackMapExec": [[164, 176]], "IP_ADDRESS: 192.172.67.153": [[213, 227]], "DOMAIN: relay-cdn.site": [[232, 246]], "URL: https://datarelay.cc/assets/js/payload.js": [[288, 329]], "HASH: 6590e446efc8c043e7dd1affed046d25": [[356, 388]], "FILEPATH: /var/tmp/dropper.ps1": [[405, 425]], "EMAIL: helpdesk@mail-service.info": [[458, 484]], "IP_ADDRESS: 40.83.92.213": [[550, 562]]}, "info": {"id": "synth_v2_00050", "source": "synthetic_v2"}} +{"text": "Tenable published a threat intelligence report linking Granite Typhoon to a new campaign exploiting CVE-2022-46178 in Ivanti Connect Secure. The attackers deployed Amadey via Mythic, establishing C2 communication with 119.144.195.129 and cdnproxy.live. A secondary payload was downloaded from hxxps://edgeauth.club/portal/verify. The malware binary (SHA256: f653c60a13856448a24856743850847433aa9f27967ce36fe7b1adf58990c16a) was dropped to C:\\Users\\admin\\Downloads\\backdoor.elf. Phishing emails were sent from updates@urgent-notice.online targeting enterprise users. 
A backup C2 server was identified at 42.102.70.224.", "spans": {"ORGANIZATION: Tenable": [[0, 7]], "THREAT_ACTOR: Granite Typhoon": [[55, 70]], "CVE_ID: CVE-2022-46178": [[100, 114]], "SYSTEM: Ivanti Connect Secure": [[118, 139]], "MALWARE: Amadey": [[164, 170]], "TOOL: Mythic": [[175, 181]], "IP_ADDRESS: 119.144.195.129": [[218, 233]], "DOMAIN: cdnproxy.live": [[238, 251]], "URL: hxxps://edgeauth.club/portal/verify": [[293, 328]], "HASH: f653c60a13856448a24856743850847433aa9f27967ce36fe7b1adf58990c16a": [[358, 422]], "FILEPATH: C:\\Users\\admin\\Downloads\\backdoor.elf": [[439, 476]], "EMAIL: updates@urgent-notice.online": [[509, 537]], "IP_ADDRESS: 42.102.70.224": [[603, 616]]}, "info": {"id": "synth_v2_00051", "source": "synthetic_v2"}} +{"text": "FireEye published a threat intelligence report linking Mustang Panda to a new campaign exploiting CVE-2022-24935 in Zyxel USG. The attackers deployed XLoader via Impacket, establishing C2 communication with 7.212.27.102 and update-storage.dev. A secondary payload was downloaded from hxxps://storage-login.org/portal/verify. The malware binary (MD5: 6d33689a920b0efe4e191ed385b844d3) was dropped to C:\\Windows\\System32\\beacon.dll. Phishing emails were sent from updates@document-share.link targeting enterprise users. 
A backup C2 server was identified at 61.197.41.96.", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: Mustang Panda": [[55, 68]], "CVE_ID: CVE-2022-24935": [[98, 112]], "SYSTEM: Zyxel USG": [[116, 125]], "MALWARE: XLoader": [[150, 157]], "TOOL: Impacket": [[162, 170]], "IP_ADDRESS: 7.212.27.102": [[207, 219]], "DOMAIN: update-storage.dev": [[224, 242]], "URL: hxxps://storage-login.org/portal/verify": [[284, 323]], "HASH: 6d33689a920b0efe4e191ed385b844d3": [[350, 382]], "FILEPATH: C:\\Windows\\System32\\beacon.dll": [[399, 429]], "EMAIL: updates@document-share.link": [[462, 489]], "IP_ADDRESS: 61.197.41.96": [[555, 567]]}, "info": {"id": "synth_v2_00052", "source": "synthetic_v2"}} +{"text": "Kaspersky GReAT published a threat intelligence report linking APT28 to a new campaign exploiting CVE-2022-13003 in Citrix NetScaler. The attackers deployed Dridex via Mimikatz, establishing C2 communication with 29.147.121.78 and apiauth.live. A secondary payload was downloaded from hxxp://staticedge.com/assets/js/payload.js. The malware binary (SHA256: 5f223138b207696560bc4209b070dad9f68be5f8d45d3a9c29ef5305c0dc8899) was dropped to /home/user/.config/ntds.dit. Phishing emails were sent from admin@document-share.link targeting enterprise users. 
A backup C2 server was identified at 10.122.214.164.", "spans": {"ORGANIZATION: Kaspersky GReAT": [[0, 15]], "THREAT_ACTOR: APT28": [[63, 68]], "CVE_ID: CVE-2022-13003": [[98, 112]], "SYSTEM: Citrix NetScaler": [[116, 132]], "MALWARE: Dridex": [[157, 163]], "TOOL: Mimikatz": [[168, 176]], "IP_ADDRESS: 29.147.121.78": [[213, 226]], "DOMAIN: apiauth.live": [[231, 243]], "URL: hxxp://staticedge.com/assets/js/payload.js": [[285, 327]], "HASH: 5f223138b207696560bc4209b070dad9f68be5f8d45d3a9c29ef5305c0dc8899": [[357, 421]], "FILEPATH: /home/user/.config/ntds.dit": [[438, 465]], "EMAIL: admin@document-share.link": [[498, 523]], "IP_ADDRESS: 10.122.214.164": [[589, 603]]}, "info": {"id": "synth_v2_00053", "source": "synthetic_v2"}} +{"text": "Dragos published a threat intelligence report linking BlackTech to a new campaign exploiting CVE-2022-34807 in Ubuntu 22.04. The attackers deployed BumbleBee via BITSAdmin, establishing C2 communication with 18.10.199.224 and mail-api.tech. A secondary payload was downloaded from https://auth-cache.club/download/update.exe. The malware binary (SHA256: 6f0924ecbad635ed8376c8d6bd6f343bd6246f51099e1c8d33378563824cfe6b) was dropped to /etc/cron.d/dropper.ps1. Phishing emails were sent from ceo@account-update.xyz targeting enterprise users. 
A backup C2 server was identified at 12.198.191.65.", "spans": {"ORGANIZATION: Dragos": [[0, 6]], "THREAT_ACTOR: BlackTech": [[54, 63]], "CVE_ID: CVE-2022-34807": [[93, 107]], "SYSTEM: Ubuntu 22.04": [[111, 123]], "MALWARE: BumbleBee": [[148, 157]], "TOOL: BITSAdmin": [[162, 171]], "IP_ADDRESS: 18.10.199.224": [[208, 221]], "DOMAIN: mail-api.tech": [[226, 239]], "URL: https://auth-cache.club/download/update.exe": [[281, 324]], "HASH: 6f0924ecbad635ed8376c8d6bd6f343bd6246f51099e1c8d33378563824cfe6b": [[354, 418]], "FILEPATH: /etc/cron.d/dropper.ps1": [[435, 458]], "EMAIL: ceo@account-update.xyz": [[491, 513]], "IP_ADDRESS: 12.198.191.65": [[579, 592]]}, "info": {"id": "synth_v2_00054", "source": "synthetic_v2"}} +{"text": "FBI published a threat intelligence report linking Flax Typhoon to a new campaign exploiting CVE-2022-18180 in Citrix NetScaler. The attackers deployed ShadowPad via WinPEAS, establishing C2 communication with 192.234.18.76 and nodeportal.live. A secondary payload was downloaded from hxxp://synccdn.link/portal/verify. The malware binary (MD5: f69ce7fcf531d4413996b677ba814f16) was dropped to C:\\Users\\admin\\AppData\\Local\\Temp\\winlogon.exe. Phishing emails were sent from hr@secure-verify.net targeting enterprise users. 
A backup C2 server was identified at 10.102.21.81.", "spans": {"ORGANIZATION: FBI": [[0, 3]], "THREAT_ACTOR: Flax Typhoon": [[51, 63]], "CVE_ID: CVE-2022-18180": [[93, 107]], "SYSTEM: Citrix NetScaler": [[111, 127]], "MALWARE: ShadowPad": [[152, 161]], "TOOL: WinPEAS": [[166, 173]], "IP_ADDRESS: 192.234.18.76": [[210, 223]], "DOMAIN: nodeportal.live": [[228, 243]], "URL: hxxp://synccdn.link/portal/verify": [[285, 318]], "HASH: f69ce7fcf531d4413996b677ba814f16": [[345, 377]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\winlogon.exe": [[394, 440]], "EMAIL: hr@secure-verify.net": [[473, 493]], "IP_ADDRESS: 10.102.21.81": [[559, 571]]}, "info": {"id": "synth_v2_00055", "source": "synthetic_v2"}} +{"text": "Symantec published a threat intelligence report linking Granite Typhoon to a new campaign exploiting CVE-2025-27219 in Zyxel USG. The attackers deployed RedLine Stealer via Sliver, establishing C2 communication with 87.95.254.178 and apigateway.cc. A secondary payload was downloaded from hxxps://edge-backup.tech/api/v2/auth. The malware binary (MD5: b3a9bf6af5cc6adb1e1ad022ee072d0b) was dropped to /home/user/.config/agent.py. Phishing emails were sent from updates@document-share.link targeting enterprise users. 
A backup C2 server was identified at 95.136.42.187.", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "THREAT_ACTOR: Granite Typhoon": [[56, 71]], "CVE_ID: CVE-2025-27219": [[101, 115]], "SYSTEM: Zyxel USG": [[119, 128]], "MALWARE: RedLine Stealer": [[153, 168]], "TOOL: Sliver": [[173, 179]], "IP_ADDRESS: 87.95.254.178": [[216, 229]], "DOMAIN: apigateway.cc": [[234, 247]], "URL: hxxps://edge-backup.tech/api/v2/auth": [[289, 325]], "HASH: b3a9bf6af5cc6adb1e1ad022ee072d0b": [[352, 384]], "FILEPATH: /home/user/.config/agent.py": [[401, 428]], "EMAIL: updates@document-share.link": [[461, 488]], "IP_ADDRESS: 95.136.42.187": [[554, 567]]}, "info": {"id": "synth_v2_00056", "source": "synthetic_v2"}} +{"text": "Secureworks published a threat intelligence report linking Forest Blizzard to a new campaign exploiting CVE-2025-13087 in Ivanti Connect Secure. The attackers deployed XLoader via Rubeus, establishing C2 communication with 11.180.222.71 and update-login.live. A secondary payload was downloaded from hxxp://cdnlogin.net/admin/config. The malware binary (MD5: 36c29ca92702c0a63adde81a3578b8c9) was dropped to /etc/cron.d/lsass.dmp. Phishing emails were sent from notification@phishing-domain.com targeting enterprise users. 
A backup C2 server was identified at 10.207.186.132.", "spans": {"ORGANIZATION: Secureworks": [[0, 11]], "THREAT_ACTOR: Forest Blizzard": [[59, 74]], "CVE_ID: CVE-2025-13087": [[104, 118]], "SYSTEM: Ivanti Connect Secure": [[122, 143]], "MALWARE: XLoader": [[168, 175]], "TOOL: Rubeus": [[180, 186]], "IP_ADDRESS: 11.180.222.71": [[223, 236]], "DOMAIN: update-login.live": [[241, 258]], "URL: hxxp://cdnlogin.net/admin/config": [[300, 332]], "HASH: 36c29ca92702c0a63adde81a3578b8c9": [[359, 391]], "FILEPATH: /etc/cron.d/lsass.dmp": [[408, 429]], "EMAIL: notification@phishing-domain.com": [[462, 494]], "IP_ADDRESS: 10.207.186.132": [[560, 574]]}, "info": {"id": "synth_v2_00057", "source": "synthetic_v2"}} +{"text": "CISA published a threat intelligence report linking Gamaredon to a new campaign exploiting CVE-2024-35928 in Ivanti Connect Secure. The attackers deployed LockBit via PowerView, establishing C2 communication with 196.39.70.136 and update-secure.online. A secondary payload was downloaded from https://edgeauth.info/assets/js/payload.js. The malware binary (MD5: 5088c82ddcdb8143fe6bb994742fca7f) was dropped to /tmp/implant.so. Phishing emails were sent from finance@credential-check.site targeting enterprise users. 
A backup C2 server was identified at 102.160.142.64.", "spans": {"ORGANIZATION: CISA": [[0, 4]], "THREAT_ACTOR: Gamaredon": [[52, 61]], "CVE_ID: CVE-2024-35928": [[91, 105]], "SYSTEM: Ivanti Connect Secure": [[109, 130]], "MALWARE: LockBit": [[155, 162]], "TOOL: PowerView": [[167, 176]], "IP_ADDRESS: 196.39.70.136": [[213, 226]], "DOMAIN: update-secure.online": [[231, 251]], "URL: https://edgeauth.info/assets/js/payload.js": [[293, 335]], "HASH: 5088c82ddcdb8143fe6bb994742fca7f": [[362, 394]], "FILEPATH: /tmp/implant.so": [[411, 426]], "EMAIL: finance@credential-check.site": [[459, 488]], "IP_ADDRESS: 102.160.142.64": [[554, 568]]}, "info": {"id": "synth_v2_00058", "source": "synthetic_v2"}} +{"text": "Qualys published a threat intelligence report linking Sandworm to a new campaign exploiting CVE-2020-11739 in Zyxel USG. The attackers deployed Conti via CrackMapExec, establishing C2 communication with 192.227.44.208 and backupsecure.club. A secondary payload was downloaded from hxxps://mail-node.xyz/wp-content/uploads/doc.php. The malware binary (SHA256: ba84d2dc58dc073397c3dc31f4e82ef8cd1f69cbcc1bb1569f3a2dbd34bb2aa2) was dropped to /var/tmp/beacon.dll. Phishing emails were sent from admin@auth-check.org targeting enterprise users. 
A backup C2 server was identified at 171.177.33.141.", "spans": {"ORGANIZATION: Qualys": [[0, 6]], "THREAT_ACTOR: Sandworm": [[54, 62]], "CVE_ID: CVE-2020-11739": [[92, 106]], "SYSTEM: Zyxel USG": [[110, 119]], "MALWARE: Conti": [[144, 149]], "TOOL: CrackMapExec": [[154, 166]], "IP_ADDRESS: 192.227.44.208": [[203, 217]], "DOMAIN: backupsecure.club": [[222, 239]], "URL: hxxps://mail-node.xyz/wp-content/uploads/doc.php": [[281, 329]], "HASH: ba84d2dc58dc073397c3dc31f4e82ef8cd1f69cbcc1bb1569f3a2dbd34bb2aa2": [[359, 423]], "FILEPATH: /var/tmp/beacon.dll": [[440, 459]], "EMAIL: admin@auth-check.org": [[492, 512]], "IP_ADDRESS: 171.177.33.141": [[578, 592]]}, "info": {"id": "synth_v2_00059", "source": "synthetic_v2"}} +{"text": "CISA published a threat intelligence report linking MuddyWater to a new campaign exploiting CVE-2021-24110 in Progress Telerik. The attackers deployed DanaBot via Chisel, establishing C2 communication with 10.158.203.184 and login-storage.top. A secondary payload was downloaded from https://relay-relay.top/download/update.exe. The malware binary (SHA1: fb3f35dd59fc3d9b6dd785230e9839b752e78dd5) was dropped to C:\\Users\\admin\\Downloads\\payload.bin. Phishing emails were sent from contact@urgent-notice.online targeting enterprise users. 
A backup C2 server was identified at 135.210.209.211.", "spans": {"ORGANIZATION: CISA": [[0, 4]], "THREAT_ACTOR: MuddyWater": [[52, 62]], "CVE_ID: CVE-2021-24110": [[92, 106]], "SYSTEM: Progress Telerik": [[110, 126]], "MALWARE: DanaBot": [[151, 158]], "TOOL: Chisel": [[163, 169]], "IP_ADDRESS: 10.158.203.184": [[206, 220]], "DOMAIN: login-storage.top": [[225, 242]], "URL: https://relay-relay.top/download/update.exe": [[284, 327]], "HASH: fb3f35dd59fc3d9b6dd785230e9839b752e78dd5": [[355, 395]], "FILEPATH: C:\\Users\\admin\\Downloads\\payload.bin": [[412, 448]], "EMAIL: contact@urgent-notice.online": [[481, 509]], "IP_ADDRESS: 135.210.209.211": [[575, 590]]}, "info": {"id": "synth_v2_00060", "source": "synthetic_v2"}} +{"text": "Palo Alto Unit 42 published a threat intelligence report linking Diamond Sleet to a new campaign exploiting CVE-2026-17310 in Citrix NetScaler. The attackers deployed QakBot via Covenant, establishing C2 communication with 43.82.165.240 and edge-sync.org. A secondary payload was downloaded from hxxp://staticedge.net/collect. The malware binary (SHA1: 2303482ab61f96fb5e4ebbee91d6163f507305be) was dropped to C:\\Windows\\System32\\config.dat. Phishing emails were sent from report@document-share.link targeting enterprise users. 
A backup C2 server was identified at 172.145.40.65.", "spans": {"ORGANIZATION: Palo Alto Unit 42": [[0, 17]], "THREAT_ACTOR: Diamond Sleet": [[65, 78]], "CVE_ID: CVE-2026-17310": [[108, 122]], "SYSTEM: Citrix NetScaler": [[126, 142]], "MALWARE: QakBot": [[167, 173]], "TOOL: Covenant": [[178, 186]], "IP_ADDRESS: 43.82.165.240": [[223, 236]], "DOMAIN: edge-sync.org": [[241, 254]], "URL: hxxp://staticedge.net/collect": [[296, 325]], "HASH: 2303482ab61f96fb5e4ebbee91d6163f507305be": [[353, 393]], "FILEPATH: C:\\Windows\\System32\\config.dat": [[410, 440]], "EMAIL: report@document-share.link": [[473, 499]], "IP_ADDRESS: 172.145.40.65": [[565, 578]]}, "info": {"id": "synth_v2_00061", "source": "synthetic_v2"}} +{"text": "Tenable published a threat intelligence report linking Scattered Spider to a new campaign exploiting CVE-2020-45741 in Ubuntu 22.04. The attackers deployed DanaBot via BloodHound, establishing C2 communication with 192.135.107.197 and backupproxy.xyz. A secondary payload was downloaded from hxxps://backuprelay.net/download/update.exe. The malware binary (MD5: df3ab7db0037647b0a40311e4bbcb610) was dropped to C:\\Program Files\\Common Files\\beacon.dll. Phishing emails were sent from updates@login-portal.tech targeting enterprise users. 
A backup C2 server was identified at 159.15.254.228.", "spans": {"ORGANIZATION: Tenable": [[0, 7]], "THREAT_ACTOR: Scattered Spider": [[55, 71]], "CVE_ID: CVE-2020-45741": [[101, 115]], "SYSTEM: Ubuntu 22.04": [[119, 131]], "MALWARE: DanaBot": [[156, 163]], "TOOL: BloodHound": [[168, 178]], "IP_ADDRESS: 192.135.107.197": [[215, 230]], "DOMAIN: backupproxy.xyz": [[235, 250]], "URL: hxxps://backuprelay.net/download/update.exe": [[292, 335]], "HASH: df3ab7db0037647b0a40311e4bbcb610": [[362, 394]], "FILEPATH: C:\\Program Files\\Common Files\\beacon.dll": [[411, 451]], "EMAIL: updates@login-portal.tech": [[484, 509]], "IP_ADDRESS: 159.15.254.228": [[575, 589]]}, "info": {"id": "synth_v2_00062", "source": "synthetic_v2"}} +{"text": "Sophos X-Ops published a threat intelligence report linking Scattered Spider to a new campaign exploiting CVE-2024-31252 in Ivanti Connect Secure. The attackers deployed StealC via CrackMapExec, establishing C2 communication with 34.189.54.82 and login-auth.com. A secondary payload was downloaded from hxxp://portalstatic.site/download/update.exe. The malware binary (MD5: 7cba07f381cefcf75a1fba876742d0c8) was dropped to /opt/app/bin/runtime.dll. Phishing emails were sent from security@credential-check.site targeting enterprise users. 
A backup C2 server was identified at 172.62.136.116.", "spans": {"ORGANIZATION: Sophos X-Ops": [[0, 12]], "THREAT_ACTOR: Scattered Spider": [[60, 76]], "CVE_ID: CVE-2024-31252": [[106, 120]], "SYSTEM: Ivanti Connect Secure": [[124, 145]], "MALWARE: StealC": [[170, 176]], "TOOL: CrackMapExec": [[181, 193]], "IP_ADDRESS: 34.189.54.82": [[230, 242]], "DOMAIN: login-auth.com": [[247, 261]], "URL: hxxp://portalstatic.site/download/update.exe": [[303, 347]], "HASH: 7cba07f381cefcf75a1fba876742d0c8": [[374, 406]], "FILEPATH: /opt/app/bin/runtime.dll": [[423, 447]], "EMAIL: security@credential-check.site": [[480, 510]], "IP_ADDRESS: 172.62.136.116": [[576, 590]]}, "info": {"id": "synth_v2_00063", "source": "synthetic_v2"}} +{"text": "Symantec published a threat intelligence report linking Charming Kitten to a new campaign exploiting CVE-2023-27691 in F5 BIG-IP. The attackers deployed ShadowPad via PowerShell Empire, establishing C2 communication with 10.201.234.248 and proxystatic.dev. A secondary payload was downloaded from hxxps://backupedge.com/callback. The malware binary (SHA256: 281d2eea1dfcb7d5200f553e234a990b41cb457d05d65e45c66328ecfc904e31) was dropped to /usr/local/bin/csrss.exe. Phishing emails were sent from service@auth-check.org targeting enterprise users. 
A backup C2 server was identified at 10.180.24.13.", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "THREAT_ACTOR: Charming Kitten": [[56, 71]], "CVE_ID: CVE-2023-27691": [[101, 115]], "SYSTEM: F5 BIG-IP": [[119, 128]], "MALWARE: ShadowPad": [[153, 162]], "TOOL: PowerShell Empire": [[167, 184]], "IP_ADDRESS: 10.201.234.248": [[221, 235]], "DOMAIN: proxystatic.dev": [[240, 255]], "URL: hxxps://backupedge.com/callback": [[297, 328]], "HASH: 281d2eea1dfcb7d5200f553e234a990b41cb457d05d65e45c66328ecfc904e31": [[358, 422]], "FILEPATH: /usr/local/bin/csrss.exe": [[439, 463]], "EMAIL: service@auth-check.org": [[496, 518]], "IP_ADDRESS: 10.180.24.13": [[584, 596]]}, "info": {"id": "synth_v2_00064", "source": "synthetic_v2"}} +{"text": "Europol published a threat intelligence report linking APT29 to a new campaign exploiting CVE-2022-46178 in Ivanti Connect Secure. The attackers deployed Vidar via BloodHound, establishing C2 communication with 19.197.230.196 and portal-mail.link. A secondary payload was downloaded from hxxp://edgemail.link/wp-content/uploads/doc.php. The malware binary (SHA1: 61f9bddbe3c5b03ddc11f6585738989a34c2e53c) was dropped to C:\\Users\\admin\\Desktop\\loader.exe. Phishing emails were sent from support@phishing-domain.com targeting enterprise users. 
A backup C2 server was identified at 212.60.65.250.", "spans": {"ORGANIZATION: Europol": [[0, 7]], "THREAT_ACTOR: APT29": [[55, 60]], "CVE_ID: CVE-2022-46178": [[90, 104]], "SYSTEM: Ivanti Connect Secure": [[108, 129]], "MALWARE: Vidar": [[154, 159]], "TOOL: BloodHound": [[164, 174]], "IP_ADDRESS: 19.197.230.196": [[211, 225]], "DOMAIN: portal-mail.link": [[230, 246]], "URL: hxxp://edgemail.link/wp-content/uploads/doc.php": [[288, 335]], "HASH: 61f9bddbe3c5b03ddc11f6585738989a34c2e53c": [[363, 403]], "FILEPATH: C:\\Users\\admin\\Desktop\\loader.exe": [[420, 453]], "EMAIL: support@phishing-domain.com": [[486, 513]], "IP_ADDRESS: 212.60.65.250": [[579, 592]]}, "info": {"id": "synth_v2_00065", "source": "synthetic_v2"}} +{"text": "Sophos X-Ops published a threat intelligence report linking APT29 to a new campaign exploiting CVE-2026-35009 in Juniper SRX. The attackers deployed BlackCat via WinPEAS, establishing C2 communication with 39.71.167.239 and nodenode.io. A secondary payload was downloaded from hxxps://cachebackup.online/secure/token. The malware binary (MD5: ff480f115c2f9a8bfc917fd06825c91f) was dropped to C:\\Users\\Public\\Documents\\ntds.dit. Phishing emails were sent from notification@mail-service.info targeting enterprise users. 
A backup C2 server was identified at 42.201.153.152.", "spans": {"ORGANIZATION: Sophos X-Ops": [[0, 12]], "THREAT_ACTOR: APT29": [[60, 65]], "CVE_ID: CVE-2026-35009": [[95, 109]], "SYSTEM: Juniper SRX": [[113, 124]], "MALWARE: BlackCat": [[149, 157]], "TOOL: WinPEAS": [[162, 169]], "IP_ADDRESS: 39.71.167.239": [[206, 219]], "DOMAIN: nodenode.io": [[224, 235]], "URL: hxxps://cachebackup.online/secure/token": [[277, 316]], "HASH: ff480f115c2f9a8bfc917fd06825c91f": [[343, 375]], "FILEPATH: C:\\Users\\Public\\Documents\\ntds.dit": [[392, 426]], "EMAIL: notification@mail-service.info": [[459, 489]], "IP_ADDRESS: 42.201.153.152": [[555, 569]]}, "info": {"id": "synth_v2_00066", "source": "synthetic_v2"}} +{"text": "FBI published a threat intelligence report linking Granite Typhoon to a new campaign exploiting CVE-2023-33283 in MOVEit Transfer. The attackers deployed TrickBot via ADFind, establishing C2 communication with 192.26.245.44 and cloud-update.online. A secondary payload was downloaded from hxxp://gatewaylogin.site/callback. The malware binary (SHA1: 21acf9cca989c315cc10860dd3d9802687a3fc1d) was dropped to /dev/shm/update.dll. Phishing emails were sent from noreply@urgent-notice.online targeting enterprise users. 
A backup C2 server was identified at 38.124.16.147.", "spans": {"ORGANIZATION: FBI": [[0, 3]], "THREAT_ACTOR: Granite Typhoon": [[51, 66]], "CVE_ID: CVE-2023-33283": [[96, 110]], "SYSTEM: MOVEit Transfer": [[114, 129]], "MALWARE: TrickBot": [[154, 162]], "TOOL: ADFind": [[167, 173]], "IP_ADDRESS: 192.26.245.44": [[210, 223]], "DOMAIN: cloud-update.online": [[228, 247]], "URL: hxxp://gatewaylogin.site/callback": [[289, 322]], "HASH: 21acf9cca989c315cc10860dd3d9802687a3fc1d": [[350, 390]], "FILEPATH: /dev/shm/update.dll": [[407, 426]], "EMAIL: noreply@urgent-notice.online": [[459, 487]], "IP_ADDRESS: 38.124.16.147": [[553, 566]]}, "info": {"id": "synth_v2_00067", "source": "synthetic_v2"}} +{"text": "Zscaler ThreatLabz published a threat intelligence report linking Sandworm to a new campaign exploiting CVE-2026-49052 in Juniper SRX. The attackers deployed Latrodectus via Hashcat, establishing C2 communication with 81.88.235.234 and clouddata.info. A secondary payload was downloaded from https://databackup.link/assets/js/payload.js. The malware binary (SHA256: 8dad785439bfc3769c29b4a90854d0964b31066b00995bc49d5fa65d21f99766) was dropped to /dev/shm/winlogon.exe. Phishing emails were sent from verify@auth-check.org targeting enterprise users. 
A backup C2 server was identified at 140.181.135.157.", "spans": {"ORGANIZATION: Zscaler ThreatLabz": [[0, 18]], "THREAT_ACTOR: Sandworm": [[66, 74]], "CVE_ID: CVE-2026-49052": [[104, 118]], "SYSTEM: Juniper SRX": [[122, 133]], "MALWARE: Latrodectus": [[158, 169]], "TOOL: Hashcat": [[174, 181]], "IP_ADDRESS: 81.88.235.234": [[218, 231]], "DOMAIN: clouddata.info": [[236, 250]], "URL: https://databackup.link/assets/js/payload.js": [[292, 336]], "HASH: 8dad785439bfc3769c29b4a90854d0964b31066b00995bc49d5fa65d21f99766": [[366, 430]], "FILEPATH: /dev/shm/winlogon.exe": [[447, 468]], "EMAIL: verify@auth-check.org": [[501, 522]], "IP_ADDRESS: 140.181.135.157": [[588, 603]]}, "info": {"id": "synth_v2_00068", "source": "synthetic_v2"}} +{"text": "Palo Alto Unit 42 published a threat intelligence report linking MuddyWater to a new campaign exploiting CVE-2026-42806 in Cisco ASA. The attackers deployed SystemBC via Burp Suite, establishing C2 communication with 210.176.74.75 and syncproxy.xyz. A secondary payload was downloaded from https://edge-sync.dev/download/update.exe. The malware binary (SHA256: 93d36df26ea4082b4048d2fca8a9a2e9971fe52946eb5d0de4d7235e640aea53) was dropped to /var/tmp/helper.sh. Phishing emails were sent from support@urgent-notice.online targeting enterprise users. 
A backup C2 server was identified at 172.40.177.237.", "spans": {"ORGANIZATION: Palo Alto Unit 42": [[0, 17]], "THREAT_ACTOR: MuddyWater": [[65, 75]], "CVE_ID: CVE-2026-42806": [[105, 119]], "SYSTEM: Cisco ASA": [[123, 132]], "MALWARE: SystemBC": [[157, 165]], "TOOL: Burp Suite": [[170, 180]], "IP_ADDRESS: 210.176.74.75": [[217, 230]], "DOMAIN: syncproxy.xyz": [[235, 248]], "URL: https://edge-sync.dev/download/update.exe": [[290, 331]], "HASH: 93d36df26ea4082b4048d2fca8a9a2e9971fe52946eb5d0de4d7235e640aea53": [[361, 425]], "FILEPATH: /var/tmp/helper.sh": [[442, 460]], "EMAIL: support@urgent-notice.online": [[493, 521]], "IP_ADDRESS: 172.40.177.237": [[587, 601]]}, "info": {"id": "synth_v2_00069", "source": "synthetic_v2"}} +{"text": "Palo Alto Unit 42 published a threat intelligence report linking FIN7 to a new campaign exploiting CVE-2025-48242 in Atlassian Confluence. The attackers deployed Play via BloodHound, establishing C2 communication with 26.70.2.247 and backup-storage.info. A secondary payload was downloaded from hxxps://api-cache.xyz/download/update.exe. The malware binary (MD5: 9a3d4af642ab0ad2e206074bfb4c10c2) was dropped to C:\\Users\\admin\\Downloads\\update.dll. Phishing emails were sent from service@credential-check.site targeting enterprise users. 
A backup C2 server was identified at 172.243.244.167.", "spans": {"ORGANIZATION: Palo Alto Unit 42": [[0, 17]], "THREAT_ACTOR: FIN7": [[65, 69]], "CVE_ID: CVE-2025-48242": [[99, 113]], "SYSTEM: Atlassian Confluence": [[117, 137]], "MALWARE: Play": [[162, 166]], "TOOL: BloodHound": [[171, 181]], "IP_ADDRESS: 26.70.2.247": [[218, 229]], "DOMAIN: backup-storage.info": [[234, 253]], "URL: hxxps://api-cache.xyz/download/update.exe": [[295, 336]], "HASH: 9a3d4af642ab0ad2e206074bfb4c10c2": [[363, 395]], "FILEPATH: C:\\Users\\admin\\Downloads\\update.dll": [[412, 447]], "EMAIL: service@credential-check.site": [[480, 509]], "IP_ADDRESS: 172.243.244.167": [[575, 590]]}, "info": {"id": "synth_v2_00070", "source": "synthetic_v2"}} +{"text": "Mandiant published a threat intelligence report linking Turla to a new campaign exploiting CVE-2020-28024 in Apache Struts. The attackers deployed Gootloader via Mythic, establishing C2 communication with 172.145.232.254 and storage-secure.club. A secondary payload was downloaded from https://syncsecure.com/portal/verify. The malware binary (SHA1: 4fb4a8852e5b88fb796ace8988e90b9f96f89dc4) was dropped to /tmp/config.dat. Phishing emails were sent from report@identity-verify.cc targeting enterprise users. 
A backup C2 server was identified at 35.239.139.50.", "spans": {"ORGANIZATION: Mandiant": [[0, 8]], "THREAT_ACTOR: Turla": [[56, 61]], "CVE_ID: CVE-2020-28024": [[91, 105]], "SYSTEM: Apache Struts": [[109, 122]], "MALWARE: Gootloader": [[147, 157]], "TOOL: Mythic": [[162, 168]], "IP_ADDRESS: 172.145.232.254": [[205, 220]], "DOMAIN: storage-secure.club": [[225, 244]], "URL: https://syncsecure.com/portal/verify": [[286, 322]], "HASH: 4fb4a8852e5b88fb796ace8988e90b9f96f89dc4": [[350, 390]], "FILEPATH: /tmp/config.dat": [[407, 422]], "EMAIL: report@identity-verify.cc": [[455, 480]], "IP_ADDRESS: 35.239.139.50": [[546, 559]]}, "info": {"id": "synth_v2_00071", "source": "synthetic_v2"}} +{"text": "Sophos X-Ops published a threat intelligence report linking Flax Typhoon to a new campaign exploiting CVE-2021-37493 in Cisco ASA. The attackers deployed XLoader via LaZagne, establishing C2 communication with 10.71.244.83 and syncstorage.info. A secondary payload was downloaded from hxxp://sync-mail.club/login. The malware binary (SHA1: 399069f190452ace4efc3570ab38e184ff8375ac) was dropped to C:\\Users\\Public\\Documents\\sam.hive. Phishing emails were sent from finance@account-update.xyz targeting enterprise users. 
A backup C2 server was identified at 10.133.196.61.", "spans": {"ORGANIZATION: Sophos X-Ops": [[0, 12]], "THREAT_ACTOR: Flax Typhoon": [[60, 72]], "CVE_ID: CVE-2021-37493": [[102, 116]], "SYSTEM: Cisco ASA": [[120, 129]], "MALWARE: XLoader": [[154, 161]], "TOOL: LaZagne": [[166, 173]], "IP_ADDRESS: 10.71.244.83": [[210, 222]], "DOMAIN: syncstorage.info": [[227, 243]], "URL: hxxp://sync-mail.club/login": [[285, 312]], "HASH: 399069f190452ace4efc3570ab38e184ff8375ac": [[340, 380]], "FILEPATH: C:\\Users\\Public\\Documents\\sam.hive": [[397, 431]], "EMAIL: finance@account-update.xyz": [[464, 490]], "IP_ADDRESS: 10.133.196.61": [[556, 569]]}, "info": {"id": "synth_v2_00072", "source": "synthetic_v2"}} +{"text": "Symantec published a threat intelligence report linking Volt Typhoon to a new campaign exploiting CVE-2023-46500 in VMware ESXi. The attackers deployed BatLoader via Merlin, establishing C2 communication with 95.113.112.246 and gatewayedge.dev. A secondary payload was downloaded from hxxp://edgecloud.link/admin/config. The malware binary (SHA1: 0ebd7621d8fae53e65535e3bffaa23546edb1f0a) was dropped to C:\\ProgramData\\loader.exe. Phishing emails were sent from updates@urgent-notice.online targeting enterprise users. 
A backup C2 server was identified at 172.78.232.192.", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "THREAT_ACTOR: Volt Typhoon": [[56, 68]], "CVE_ID: CVE-2023-46500": [[98, 112]], "SYSTEM: VMware ESXi": [[116, 127]], "MALWARE: BatLoader": [[152, 161]], "TOOL: Merlin": [[166, 172]], "IP_ADDRESS: 95.113.112.246": [[209, 223]], "DOMAIN: gatewayedge.dev": [[228, 243]], "URL: hxxp://edgecloud.link/admin/config": [[285, 319]], "HASH: 0ebd7621d8fae53e65535e3bffaa23546edb1f0a": [[347, 387]], "FILEPATH: C:\\ProgramData\\loader.exe": [[404, 429]], "EMAIL: updates@urgent-notice.online": [[462, 490]], "IP_ADDRESS: 172.78.232.192": [[556, 570]]}, "info": {"id": "synth_v2_00073", "source": "synthetic_v2"}} +{"text": "FireEye published a threat intelligence report linking Forest Blizzard to a new campaign exploiting CVE-2021-20463 in Windows 11. The attackers deployed RedLine Stealer via Impacket, establishing C2 communication with 192.76.84.84 and cdnrelay.org. A secondary payload was downloaded from http://relaycache.com/admin/config. The malware binary (MD5: e9c03befdd70db8a0a04dd5d1f0097c9) was dropped to C:\\Windows\\Temp\\lsass.dmp. Phishing emails were sent from hr@phishing-domain.com targeting enterprise users. 
A backup C2 server was identified at 30.105.250.24.", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: Forest Blizzard": [[55, 70]], "CVE_ID: CVE-2021-20463": [[100, 114]], "SYSTEM: Windows 11": [[118, 128]], "MALWARE: RedLine Stealer": [[153, 168]], "TOOL: Impacket": [[173, 181]], "IP_ADDRESS: 192.76.84.84": [[218, 230]], "DOMAIN: cdnrelay.org": [[235, 247]], "URL: http://relaycache.com/admin/config": [[289, 323]], "HASH: e9c03befdd70db8a0a04dd5d1f0097c9": [[350, 382]], "FILEPATH: C:\\Windows\\Temp\\lsass.dmp": [[399, 424]], "EMAIL: hr@phishing-domain.com": [[457, 479]], "IP_ADDRESS: 30.105.250.24": [[545, 558]]}, "info": {"id": "synth_v2_00074", "source": "synthetic_v2"}} +{"text": "Recorded Future published a threat intelligence report linking Aqua Blizzard to a new campaign exploiting CVE-2020-12082 in SonicWall SMA. The attackers deployed Royal via BITSAdmin, establishing C2 communication with 180.32.30.240 and login-gateway.tech. A secondary payload was downloaded from hxxps://relayportal.site/admin/config. The malware binary (SHA1: 26686e9771ce132aa0f5c6f08149413040d4839c) was dropped to C:\\Windows\\System32\\csrss.exe. Phishing emails were sent from alert@account-update.xyz targeting enterprise users. 
A backup C2 server was identified at 172.16.146.105.", "spans": {"ORGANIZATION: Recorded Future": [[0, 15]], "THREAT_ACTOR: Aqua Blizzard": [[63, 76]], "CVE_ID: CVE-2020-12082": [[106, 120]], "SYSTEM: SonicWall SMA": [[124, 137]], "MALWARE: Royal": [[162, 167]], "TOOL: BITSAdmin": [[172, 181]], "IP_ADDRESS: 180.32.30.240": [[218, 231]], "DOMAIN: login-gateway.tech": [[236, 254]], "URL: hxxps://relayportal.site/admin/config": [[296, 333]], "HASH: 26686e9771ce132aa0f5c6f08149413040d4839c": [[361, 401]], "FILEPATH: C:\\Windows\\System32\\csrss.exe": [[418, 447]], "EMAIL: alert@account-update.xyz": [[480, 504]], "IP_ADDRESS: 172.16.146.105": [[570, 584]]}, "info": {"id": "synth_v2_00075", "source": "synthetic_v2"}} +{"text": "Microsoft MSRC published a threat intelligence report linking MuddyWater to a new campaign exploiting CVE-2022-28965 in Windows Server 2019. The attackers deployed Vidar via LaZagne, establishing C2 communication with 172.237.217.137 and loginsync.xyz. A secondary payload was downloaded from hxxps://cdn-gateway.cc/wp-content/uploads/doc.php. The malware binary (SHA256: ed647899d24535e5ef76fba648dfdc672b56d1e385dbc5f975dfba74b71b42e4) was dropped to C:\\ProgramData\\taskhost.exe. Phishing emails were sent from report@phishing-domain.com targeting enterprise users. 
A backup C2 server was identified at 211.117.126.118.", "spans": {"ORGANIZATION: Microsoft MSRC": [[0, 14]], "THREAT_ACTOR: MuddyWater": [[62, 72]], "CVE_ID: CVE-2022-28965": [[102, 116]], "SYSTEM: Windows Server 2019": [[120, 139]], "MALWARE: Vidar": [[164, 169]], "TOOL: LaZagne": [[174, 181]], "IP_ADDRESS: 172.237.217.137": [[218, 233]], "DOMAIN: loginsync.xyz": [[238, 251]], "URL: hxxps://cdn-gateway.cc/wp-content/uploads/doc.php": [[293, 342]], "HASH: ed647899d24535e5ef76fba648dfdc672b56d1e385dbc5f975dfba74b71b42e4": [[372, 436]], "FILEPATH: C:\\ProgramData\\taskhost.exe": [[453, 480]], "EMAIL: report@phishing-domain.com": [[513, 539]], "IP_ADDRESS: 211.117.126.118": [[605, 620]]}, "info": {"id": "synth_v2_00076", "source": "synthetic_v2"}} +{"text": "Secureworks published a threat intelligence report linking Midnight Blizzard to a new campaign exploiting CVE-2020-11952 in Microsoft Exchange. The attackers deployed StealC via PowerView, establishing C2 communication with 172.224.119.139 and cachestatic.link. A secondary payload was downloaded from hxxp://databackup.dev/admin/config. The malware binary (SHA1: 7533e32613b615bdd0b213ec24d865ccbea9cd86) was dropped to /var/tmp/ntds.dit. Phishing emails were sent from finance@mail-service.info targeting enterprise users. 
A backup C2 server was identified at 10.71.148.60.", "spans": {"ORGANIZATION: Secureworks": [[0, 11]], "THREAT_ACTOR: Midnight Blizzard": [[59, 76]], "CVE_ID: CVE-2020-11952": [[106, 120]], "SYSTEM: Microsoft Exchange": [[124, 142]], "MALWARE: StealC": [[167, 173]], "TOOL: PowerView": [[178, 187]], "IP_ADDRESS: 172.224.119.139": [[224, 239]], "DOMAIN: cachestatic.link": [[244, 260]], "URL: hxxp://databackup.dev/admin/config": [[302, 336]], "HASH: 7533e32613b615bdd0b213ec24d865ccbea9cd86": [[364, 404]], "FILEPATH: /var/tmp/ntds.dit": [[421, 438]], "EMAIL: finance@mail-service.info": [[471, 496]], "IP_ADDRESS: 10.71.148.60": [[562, 574]]}, "info": {"id": "synth_v2_00077", "source": "synthetic_v2"}} +{"text": "Symantec published a threat intelligence report linking APT29 to a new campaign exploiting CVE-2022-40108 in SonicWall SMA. The attackers deployed Latrodectus via BITSAdmin, establishing C2 communication with 13.176.195.202 and portalsecure.link. A secondary payload was downloaded from hxxp://datadata.info/gate.php. The malware binary (SHA256: 166d51ec8b6262b278b7a6e1347a8a4ec40242344b44da1cf87ab1c11d566a63) was dropped to C:\\Program Files\\Common Files\\ntds.dit. Phishing emails were sent from confirm@urgent-notice.online targeting enterprise users. 
A backup C2 server was identified at 179.213.209.39.", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "THREAT_ACTOR: APT29": [[56, 61]], "CVE_ID: CVE-2022-40108": [[91, 105]], "SYSTEM: SonicWall SMA": [[109, 122]], "MALWARE: Latrodectus": [[147, 158]], "TOOL: BITSAdmin": [[163, 172]], "IP_ADDRESS: 13.176.195.202": [[209, 223]], "DOMAIN: portalsecure.link": [[228, 245]], "URL: hxxp://datadata.info/gate.php": [[287, 316]], "HASH: 166d51ec8b6262b278b7a6e1347a8a4ec40242344b44da1cf87ab1c11d566a63": [[346, 410]], "FILEPATH: C:\\Program Files\\Common Files\\ntds.dit": [[427, 465]], "EMAIL: confirm@urgent-notice.online": [[498, 526]], "IP_ADDRESS: 179.213.209.39": [[592, 606]]}, "info": {"id": "synth_v2_00078", "source": "synthetic_v2"}} +{"text": "Kaspersky GReAT published a threat intelligence report linking Mustang Panda to a new campaign exploiting CVE-2022-47837 in Atlassian Confluence. The attackers deployed Raccoon Stealer via PsExec, establishing C2 communication with 172.189.47.138 and api-cloud.link. A secondary payload was downloaded from https://proxy-cloud.live/portal/verify. The malware binary (SHA256: 0de6b488edea39f67674e41d7e14c1c3d5d13e5a65f57598c129b30289aef0ff) was dropped to /tmp/runtime.dll. Phishing emails were sent from alert@credential-check.site targeting enterprise users. 
A backup C2 server was identified at 10.137.193.173.", "spans": {"ORGANIZATION: Kaspersky GReAT": [[0, 15]], "THREAT_ACTOR: Mustang Panda": [[63, 76]], "CVE_ID: CVE-2022-47837": [[106, 120]], "SYSTEM: Atlassian Confluence": [[124, 144]], "MALWARE: Raccoon Stealer": [[169, 184]], "TOOL: PsExec": [[189, 195]], "IP_ADDRESS: 172.189.47.138": [[232, 246]], "DOMAIN: api-cloud.link": [[251, 265]], "URL: https://proxy-cloud.live/portal/verify": [[307, 345]], "HASH: 0de6b488edea39f67674e41d7e14c1c3d5d13e5a65f57598c129b30289aef0ff": [[375, 439]], "FILEPATH: /tmp/runtime.dll": [[456, 472]], "EMAIL: alert@credential-check.site": [[505, 532]], "IP_ADDRESS: 10.137.193.173": [[598, 612]]}, "info": {"id": "synth_v2_00079", "source": "synthetic_v2"}} +{"text": "INTERPOL published a threat intelligence report linking Diamond Sleet to a new campaign exploiting CVE-2022-47837 in Cisco ASA. The attackers deployed BumbleBee via WinPEAS, establishing C2 communication with 192.164.144.98 and nodeproxy.online. A secondary payload was downloaded from hxxp://proxy-storage.dev/secure/token. The malware binary (MD5: 022c81682909faba6eec771009ea0cb5) was dropped to C:\\Program Files\\Common Files\\update.dll. Phishing emails were sent from notification@login-portal.tech targeting enterprise users. 
A backup C2 server was identified at 137.183.157.67.", "spans": {"ORGANIZATION: INTERPOL": [[0, 8]], "THREAT_ACTOR: Diamond Sleet": [[56, 69]], "CVE_ID: CVE-2022-47837": [[99, 113]], "SYSTEM: Cisco ASA": [[117, 126]], "MALWARE: BumbleBee": [[151, 160]], "TOOL: WinPEAS": [[165, 172]], "IP_ADDRESS: 192.164.144.98": [[209, 223]], "DOMAIN: nodeproxy.online": [[228, 244]], "URL: hxxp://proxy-storage.dev/secure/token": [[286, 323]], "HASH: 022c81682909faba6eec771009ea0cb5": [[350, 382]], "FILEPATH: C:\\Program Files\\Common Files\\update.dll": [[399, 439]], "EMAIL: notification@login-portal.tech": [[472, 502]], "IP_ADDRESS: 137.183.157.67": [[568, 582]]}, "info": {"id": "synth_v2_00080", "source": "synthetic_v2"}} +{"text": "Kaspersky GReAT published a threat intelligence report linking Aqua Blizzard to a new campaign exploiting CVE-2025-36175 in Apache Struts. The attackers deployed LockBit via Mimikatz, establishing C2 communication with 10.168.117.98 and proxyrelay.org. A secondary payload was downloaded from http://securelogin.club/download/update.exe. The malware binary (SHA1: 9b931494072a7afade8f83e7d41e126c44351020) was dropped to C:\\Users\\admin\\AppData\\Local\\Temp\\loader.exe. Phishing emails were sent from support@secure-verify.net targeting enterprise users. 
A backup C2 server was identified at 172.172.131.196.", "spans": {"ORGANIZATION: Kaspersky GReAT": [[0, 15]], "THREAT_ACTOR: Aqua Blizzard": [[63, 76]], "CVE_ID: CVE-2025-36175": [[106, 120]], "SYSTEM: Apache Struts": [[124, 137]], "MALWARE: LockBit": [[162, 169]], "TOOL: Mimikatz": [[174, 182]], "IP_ADDRESS: 10.168.117.98": [[219, 232]], "DOMAIN: proxyrelay.org": [[237, 251]], "URL: http://securelogin.club/download/update.exe": [[293, 336]], "HASH: 9b931494072a7afade8f83e7d41e126c44351020": [[364, 404]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\loader.exe": [[421, 465]], "EMAIL: support@secure-verify.net": [[498, 523]], "IP_ADDRESS: 172.172.131.196": [[589, 604]]}, "info": {"id": "synth_v2_00081", "source": "synthetic_v2"}} +{"text": "CrowdStrike published a threat intelligence report linking Flax Typhoon to a new campaign exploiting CVE-2025-48242 in Citrix NetScaler. The attackers deployed QakBot via Seatbelt, establishing C2 communication with 10.77.4.56 and updateupdate.io. A secondary payload was downloaded from https://updateupdate.io/panel/index.html. The malware binary (MD5: d6b598e7cd1e1a683589a5d3a21814e3) was dropped to C:\\Windows\\Temp\\loader.exe. Phishing emails were sent from contact@account-update.xyz targeting enterprise users. 
A backup C2 server was identified at 96.30.247.169.", "spans": {"ORGANIZATION: CrowdStrike": [[0, 11]], "THREAT_ACTOR: Flax Typhoon": [[59, 71]], "CVE_ID: CVE-2025-48242": [[101, 115]], "SYSTEM: Citrix NetScaler": [[119, 135]], "MALWARE: QakBot": [[160, 166]], "TOOL: Seatbelt": [[171, 179]], "IP_ADDRESS: 10.77.4.56": [[216, 226]], "DOMAIN: updateupdate.io": [[231, 246]], "URL: https://updateupdate.io/panel/index.html": [[288, 328]], "HASH: d6b598e7cd1e1a683589a5d3a21814e3": [[355, 387]], "FILEPATH: C:\\Windows\\Temp\\loader.exe": [[404, 430]], "EMAIL: contact@account-update.xyz": [[463, 489]], "IP_ADDRESS: 96.30.247.169": [[555, 568]]}, "info": {"id": "synth_v2_00082", "source": "synthetic_v2"}} +{"text": "Microsoft MSRC published a threat intelligence report linking Kimsuky to a new campaign exploiting CVE-2023-34911 in Palo Alto PAN-OS. The attackers deployed Ryuk via LaZagne, establishing C2 communication with 209.181.136.204 and data-backup.top. A secondary payload was downloaded from http://cdn-api.site/callback. The malware binary (SHA1: 8247cd21680ad26bf8e89a426617762360a7c176) was dropped to /dev/shm/update.dll. Phishing emails were sent from admin@account-update.xyz targeting enterprise users. 
A backup C2 server was identified at 21.191.207.118.", "spans": {"ORGANIZATION: Microsoft MSRC": [[0, 14]], "THREAT_ACTOR: Kimsuky": [[62, 69]], "CVE_ID: CVE-2023-34911": [[99, 113]], "SYSTEM: Palo Alto PAN-OS": [[117, 133]], "MALWARE: Ryuk": [[158, 162]], "TOOL: LaZagne": [[167, 174]], "IP_ADDRESS: 209.181.136.204": [[211, 226]], "DOMAIN: data-backup.top": [[231, 246]], "URL: http://cdn-api.site/callback": [[288, 316]], "HASH: 8247cd21680ad26bf8e89a426617762360a7c176": [[344, 384]], "FILEPATH: /dev/shm/update.dll": [[401, 420]], "EMAIL: admin@account-update.xyz": [[453, 477]], "IP_ADDRESS: 21.191.207.118": [[543, 557]]}, "info": {"id": "synth_v2_00083", "source": "synthetic_v2"}} +{"text": "Dragos published a threat intelligence report linking Lazarus Group to a new campaign exploiting CVE-2024-12103 in MOVEit Transfer. The attackers deployed Qbot via Havoc, establishing C2 communication with 192.21.117.55 and edgecache.top. A secondary payload was downloaded from hxxp://secure-storage.com/collect. The malware binary (SHA256: abe8839500d534b4859cccf6c800b548cf0a0a87a0f635f6ac5e462be8dc7b23) was dropped to C:\\Users\\admin\\Desktop\\chrome_helper.exe. Phishing emails were sent from finance@account-update.xyz targeting enterprise users. 
A backup C2 server was identified at 70.23.38.176.", "spans": {"ORGANIZATION: Dragos": [[0, 6]], "THREAT_ACTOR: Lazarus Group": [[54, 67]], "CVE_ID: CVE-2024-12103": [[97, 111]], "SYSTEM: MOVEit Transfer": [[115, 130]], "MALWARE: Qbot": [[155, 159]], "TOOL: Havoc": [[164, 169]], "IP_ADDRESS: 192.21.117.55": [[206, 219]], "DOMAIN: edgecache.top": [[224, 237]], "URL: hxxp://secure-storage.com/collect": [[279, 312]], "HASH: abe8839500d534b4859cccf6c800b548cf0a0a87a0f635f6ac5e462be8dc7b23": [[342, 406]], "FILEPATH: C:\\Users\\admin\\Desktop\\chrome_helper.exe": [[423, 463]], "EMAIL: finance@account-update.xyz": [[496, 522]], "IP_ADDRESS: 70.23.38.176": [[588, 600]]}, "info": {"id": "synth_v2_00084", "source": "synthetic_v2"}} +{"text": "Tenable published a threat intelligence report linking OilRig to a new campaign exploiting CVE-2024-26162 in Barracuda ESG. The attackers deployed BumbleBee via BITSAdmin, establishing C2 communication with 99.71.40.129 and storage-static.link. A secondary payload was downloaded from https://storageupdate.top/gate.php. The malware binary (MD5: 7e8f00640a9b88d468abf649a3c071f6) was dropped to /var/tmp/csrss.exe. Phishing emails were sent from confirm@identity-verify.cc targeting enterprise users. 
A backup C2 server was identified at 14.50.223.60.", "spans": {"ORGANIZATION: Tenable": [[0, 7]], "THREAT_ACTOR: OilRig": [[55, 61]], "CVE_ID: CVE-2024-26162": [[91, 105]], "SYSTEM: Barracuda ESG": [[109, 122]], "MALWARE: BumbleBee": [[147, 156]], "TOOL: BITSAdmin": [[161, 170]], "IP_ADDRESS: 99.71.40.129": [[207, 219]], "DOMAIN: storage-static.link": [[224, 243]], "URL: https://storageupdate.top/gate.php": [[285, 319]], "HASH: 7e8f00640a9b88d468abf649a3c071f6": [[346, 378]], "FILEPATH: /var/tmp/csrss.exe": [[395, 413]], "EMAIL: confirm@identity-verify.cc": [[446, 472]], "IP_ADDRESS: 14.50.223.60": [[538, 550]]}, "info": {"id": "synth_v2_00085", "source": "synthetic_v2"}} +{"text": "Europol published a threat intelligence report linking Storm-0558 to a new campaign exploiting CVE-2024-27359 in Ubuntu 22.04. The attackers deployed DarkSide via PowerView, establishing C2 communication with 205.126.37.22 and storagemail.net. A secondary payload was downloaded from https://update-backup.online/portal/verify. The malware binary (SHA256: f44c9a77a1c53074d213b81213fcf7083a0ee1995a18d13a8764729ce40e6b6b) was dropped to C:\\Windows\\System32\\chrome_helper.exe. Phishing emails were sent from security@identity-verify.cc targeting enterprise users. 
A backup C2 server was identified at 40.194.78.190.", "spans": {"ORGANIZATION: Europol": [[0, 7]], "THREAT_ACTOR: Storm-0558": [[55, 65]], "CVE_ID: CVE-2024-27359": [[95, 109]], "SYSTEM: Ubuntu 22.04": [[113, 125]], "MALWARE: DarkSide": [[150, 158]], "TOOL: PowerView": [[163, 172]], "IP_ADDRESS: 205.126.37.22": [[209, 222]], "DOMAIN: storagemail.net": [[227, 242]], "URL: https://update-backup.online/portal/verify": [[284, 326]], "HASH: f44c9a77a1c53074d213b81213fcf7083a0ee1995a18d13a8764729ce40e6b6b": [[356, 420]], "FILEPATH: C:\\Windows\\System32\\chrome_helper.exe": [[437, 474]], "EMAIL: security@identity-verify.cc": [[507, 534]], "IP_ADDRESS: 40.194.78.190": [[600, 613]]}, "info": {"id": "synth_v2_00086", "source": "synthetic_v2"}} +{"text": "NSA published a threat intelligence report linking Midnight Blizzard to a new campaign exploiting CVE-2025-38077 in VMware ESXi. The attackers deployed Latrodectus via Certutil, establishing C2 communication with 10.181.47.153 and portalapi.club. A secondary payload was downloaded from http://cache-node.org/download/update.exe. The malware binary (SHA256: 9860d3f70ca29420e9410e17509d3551e7650ee9d3e342d5c7041cf6160ada69) was dropped to /usr/local/bin/agent.py. Phishing emails were sent from hr@credential-check.site targeting enterprise users. 
A backup C2 server was identified at 222.197.6.75.", "spans": {"ORGANIZATION: NSA": [[0, 3]], "THREAT_ACTOR: Midnight Blizzard": [[51, 68]], "CVE_ID: CVE-2025-38077": [[98, 112]], "SYSTEM: VMware ESXi": [[116, 127]], "MALWARE: Latrodectus": [[152, 163]], "TOOL: Certutil": [[168, 176]], "IP_ADDRESS: 10.181.47.153": [[213, 226]], "DOMAIN: portalapi.club": [[231, 245]], "URL: http://cache-node.org/download/update.exe": [[287, 328]], "HASH: 9860d3f70ca29420e9410e17509d3551e7650ee9d3e342d5c7041cf6160ada69": [[358, 422]], "FILEPATH: /usr/local/bin/agent.py": [[439, 462]], "EMAIL: hr@credential-check.site": [[495, 519]], "IP_ADDRESS: 222.197.6.75": [[585, 597]]}, "info": {"id": "synth_v2_00087", "source": "synthetic_v2"}} +{"text": "Dragos published a threat intelligence report linking Mustang Panda to a new campaign exploiting CVE-2023-14679 in SonicWall SMA. The attackers deployed IcedID via Rubeus, establishing C2 communication with 124.39.184.65 and login-backup.com. A secondary payload was downloaded from https://storagestatic.site/gate.php. The malware binary (MD5: e57d614677d2d2e098a4eb8723fe17fe) was dropped to C:\\Program Files\\Common Files\\implant.so. Phishing emails were sent from noreply@mail-service.info targeting enterprise users. 
A backup C2 server was identified at 192.253.100.118.", "spans": {"ORGANIZATION: Dragos": [[0, 6]], "THREAT_ACTOR: Mustang Panda": [[54, 67]], "CVE_ID: CVE-2023-14679": [[97, 111]], "SYSTEM: SonicWall SMA": [[115, 128]], "MALWARE: IcedID": [[153, 159]], "TOOL: Rubeus": [[164, 170]], "IP_ADDRESS: 124.39.184.65": [[207, 220]], "DOMAIN: login-backup.com": [[225, 241]], "URL: https://storagestatic.site/gate.php": [[283, 318]], "HASH: e57d614677d2d2e098a4eb8723fe17fe": [[345, 377]], "FILEPATH: C:\\Program Files\\Common Files\\implant.so": [[394, 434]], "EMAIL: noreply@mail-service.info": [[467, 492]], "IP_ADDRESS: 192.253.100.118": [[558, 573]]}, "info": {"id": "synth_v2_00088", "source": "synthetic_v2"}} +{"text": "Cisco Talos published a threat intelligence report linking Scattered Spider to a new campaign exploiting CVE-2026-49052 in Atlassian Confluence. The attackers deployed StealC via WinPEAS, establishing C2 communication with 172.163.149.189 and portalmail.net. A secondary payload was downloaded from hxxps://cache-edge.org/assets/js/payload.js. The malware binary (MD5: 79798afe27b70af8dab3fb741dab7633) was dropped to /tmp/sam.hive. Phishing emails were sent from finance@secure-verify.net targeting enterprise users. 
A backup C2 server was identified at 148.124.166.97.", "spans": {"ORGANIZATION: Cisco Talos": [[0, 11]], "THREAT_ACTOR: Scattered Spider": [[59, 75]], "CVE_ID: CVE-2026-49052": [[105, 119]], "SYSTEM: Atlassian Confluence": [[123, 143]], "MALWARE: StealC": [[168, 174]], "TOOL: WinPEAS": [[179, 186]], "IP_ADDRESS: 172.163.149.189": [[223, 238]], "DOMAIN: portalmail.net": [[243, 257]], "URL: hxxps://cache-edge.org/assets/js/payload.js": [[299, 342]], "HASH: 79798afe27b70af8dab3fb741dab7633": [[369, 401]], "FILEPATH: /tmp/sam.hive": [[418, 431]], "EMAIL: finance@secure-verify.net": [[464, 489]], "IP_ADDRESS: 148.124.166.97": [[555, 569]]}, "info": {"id": "synth_v2_00089", "source": "synthetic_v2"}} +{"text": "FBI published a threat intelligence report linking Flax Typhoon to a new campaign exploiting CVE-2021-16698 in Apache Struts. The attackers deployed FormBook via PowerView, establishing C2 communication with 172.78.216.203 and edgenode.dev. A secondary payload was downloaded from https://edgecdn.link/assets/js/payload.js. The malware binary (SHA1: 269d116dc2f561c564d776bf88795a92865561a6) was dropped to C:\\ProgramData\\taskhost.exe. Phishing emails were sent from helpdesk@auth-check.org targeting enterprise users. 
A backup C2 server was identified at 19.229.245.150.", "spans": {"ORGANIZATION: FBI": [[0, 3]], "THREAT_ACTOR: Flax Typhoon": [[51, 63]], "CVE_ID: CVE-2021-16698": [[93, 107]], "SYSTEM: Apache Struts": [[111, 124]], "MALWARE: FormBook": [[149, 157]], "TOOL: PowerView": [[162, 171]], "IP_ADDRESS: 172.78.216.203": [[208, 222]], "DOMAIN: edgenode.dev": [[227, 239]], "URL: https://edgecdn.link/assets/js/payload.js": [[281, 322]], "HASH: 269d116dc2f561c564d776bf88795a92865561a6": [[350, 390]], "FILEPATH: C:\\ProgramData\\taskhost.exe": [[407, 434]], "EMAIL: helpdesk@auth-check.org": [[467, 490]], "IP_ADDRESS: 19.229.245.150": [[556, 570]]}, "info": {"id": "synth_v2_00090", "source": "synthetic_v2"}} +{"text": "Europol published a threat intelligence report linking Turla to a new campaign exploiting CVE-2025-27219 in Atlassian Confluence. The attackers deployed Meduza Stealer via BloodHound, establishing C2 communication with 28.5.50.67 and relaycache.club. A secondary payload was downloaded from hxxps://mail-update.online/portal/verify. The malware binary (MD5: 396a2c68b2cfba3e0036f07160242336) was dropped to C:\\ProgramData\\taskhost.exe. Phishing emails were sent from noreply@auth-check.org targeting enterprise users. 
A backup C2 server was identified at 192.113.228.96.", "spans": {"ORGANIZATION: Europol": [[0, 7]], "THREAT_ACTOR: Turla": [[55, 60]], "CVE_ID: CVE-2025-27219": [[90, 104]], "SYSTEM: Atlassian Confluence": [[108, 128]], "MALWARE: Meduza Stealer": [[153, 167]], "TOOL: BloodHound": [[172, 182]], "IP_ADDRESS: 28.5.50.67": [[219, 229]], "DOMAIN: relaycache.club": [[234, 249]], "URL: hxxps://mail-update.online/portal/verify": [[291, 331]], "HASH: 396a2c68b2cfba3e0036f07160242336": [[358, 390]], "FILEPATH: C:\\ProgramData\\taskhost.exe": [[407, 434]], "EMAIL: noreply@auth-check.org": [[467, 489]], "IP_ADDRESS: 192.113.228.96": [[555, 569]]}, "info": {"id": "synth_v2_00091", "source": "synthetic_v2"}} +{"text": "Rapid7 published a threat intelligence report linking TA505 to a new campaign exploiting CVE-2022-47837 in Juniper SRX. The attackers deployed NjRAT via Brute Ratel, establishing C2 communication with 90.243.49.113 and update-storage.top. A secondary payload was downloaded from hxxp://secure-data.io/panel/index.html. The malware binary (SHA256: c0eb0ab288ed0b91d51b08d0ab7474e899c0356942496d6f28ce73ef91841b55) was dropped to /opt/app/bin/dropper.ps1. Phishing emails were sent from contact@credential-check.site targeting enterprise users. 
A backup C2 server was identified at 82.34.153.12.", "spans": {"ORGANIZATION: Rapid7": [[0, 6]], "THREAT_ACTOR: TA505": [[54, 59]], "CVE_ID: CVE-2022-47837": [[89, 103]], "SYSTEM: Juniper SRX": [[107, 118]], "MALWARE: NjRAT": [[143, 148]], "TOOL: Brute Ratel": [[153, 164]], "IP_ADDRESS: 90.243.49.113": [[201, 214]], "DOMAIN: update-storage.top": [[219, 237]], "URL: hxxp://secure-data.io/panel/index.html": [[279, 317]], "HASH: c0eb0ab288ed0b91d51b08d0ab7474e899c0356942496d6f28ce73ef91841b55": [[347, 411]], "FILEPATH: /opt/app/bin/dropper.ps1": [[428, 452]], "EMAIL: contact@credential-check.site": [[485, 514]], "IP_ADDRESS: 82.34.153.12": [[580, 592]]}, "info": {"id": "synth_v2_00092", "source": "synthetic_v2"}} +{"text": "Google TAG published a threat intelligence report linking FIN7 to a new campaign exploiting CVE-2022-34807 in SonicWall SMA. The attackers deployed Vidar via Sharphound, establishing C2 communication with 8.101.230.152 and apicache.net. A secondary payload was downloaded from http://mail-storage.xyz/api/v2/auth. The malware binary (MD5: 1e887708c518a52c0bbefb21c839109d) was dropped to /dev/shm/loader.exe. Phishing emails were sent from ceo@document-share.link targeting enterprise users. 
A backup C2 server was identified at 100.2.109.53.", "spans": {"ORGANIZATION: Google TAG": [[0, 10]], "THREAT_ACTOR: FIN7": [[58, 62]], "CVE_ID: CVE-2022-34807": [[92, 106]], "SYSTEM: SonicWall SMA": [[110, 123]], "MALWARE: Vidar": [[148, 153]], "TOOL: Sharphound": [[158, 168]], "IP_ADDRESS: 8.101.230.152": [[205, 218]], "DOMAIN: apicache.net": [[223, 235]], "URL: http://mail-storage.xyz/api/v2/auth": [[277, 312]], "HASH: 1e887708c518a52c0bbefb21c839109d": [[339, 371]], "FILEPATH: /dev/shm/loader.exe": [[388, 407]], "EMAIL: ceo@document-share.link": [[440, 463]], "IP_ADDRESS: 100.2.109.53": [[529, 541]]}, "info": {"id": "synth_v2_00093", "source": "synthetic_v2"}} +{"text": "Europol published a threat intelligence report linking Volt Typhoon to a new campaign exploiting CVE-2021-37696 in Ivanti Connect Secure. The attackers deployed Meduza Stealer via Ligolo, establishing C2 communication with 217.234.88.209 and data-backup.net. A secondary payload was downloaded from http://mail-login.io/callback. The malware binary (SHA1: 36ac1f70c33bf6477c22d4076969fc664ef0b6db) was dropped to C:\\Windows\\System32\\shell.php. Phishing emails were sent from service@identity-verify.cc targeting enterprise users. 
A backup C2 server was identified at 158.43.68.81.", "spans": {"ORGANIZATION: Europol": [[0, 7]], "THREAT_ACTOR: Volt Typhoon": [[55, 67]], "CVE_ID: CVE-2021-37696": [[97, 111]], "SYSTEM: Ivanti Connect Secure": [[115, 136]], "MALWARE: Meduza Stealer": [[161, 175]], "TOOL: Ligolo": [[180, 186]], "IP_ADDRESS: 217.234.88.209": [[223, 237]], "DOMAIN: data-backup.net": [[242, 257]], "URL: http://mail-login.io/callback": [[299, 328]], "HASH: 36ac1f70c33bf6477c22d4076969fc664ef0b6db": [[356, 396]], "FILEPATH: C:\\Windows\\System32\\shell.php": [[413, 442]], "EMAIL: service@identity-verify.cc": [[475, 501]], "IP_ADDRESS: 158.43.68.81": [[567, 579]]}, "info": {"id": "synth_v2_00094", "source": "synthetic_v2"}} +{"text": "NCSC published a threat intelligence report linking Turla to a new campaign exploiting CVE-2022-40108 in Barracuda ESG. The attackers deployed Qbot via Sharphound, establishing C2 communication with 172.147.71.48 and updateproxy.org. A secondary payload was downloaded from http://portal-edge.io/callback. The malware binary (SHA1: b9ecb99e7b1111b4455f032282c70e7683fb4320) was dropped to /dev/shm/ntds.dit. Phishing emails were sent from updates@credential-check.site targeting enterprise users. 
A backup C2 server was identified at 216.230.27.222.", "spans": {"ORGANIZATION: NCSC": [[0, 4]], "THREAT_ACTOR: Turla": [[52, 57]], "CVE_ID: CVE-2022-40108": [[87, 101]], "SYSTEM: Barracuda ESG": [[105, 118]], "MALWARE: Qbot": [[143, 147]], "TOOL: Sharphound": [[152, 162]], "IP_ADDRESS: 172.147.71.48": [[199, 212]], "DOMAIN: updateproxy.org": [[217, 232]], "URL: http://portal-edge.io/callback": [[274, 304]], "HASH: b9ecb99e7b1111b4455f032282c70e7683fb4320": [[332, 372]], "FILEPATH: /dev/shm/ntds.dit": [[389, 406]], "EMAIL: updates@credential-check.site": [[439, 468]], "IP_ADDRESS: 216.230.27.222": [[534, 548]]}, "info": {"id": "synth_v2_00095", "source": "synthetic_v2"}} +{"text": "CrowdStrike published a threat intelligence report linking Turla to a new campaign exploiting CVE-2022-24935 in Apache Struts. The attackers deployed Dridex via BITSAdmin, establishing C2 communication with 172.115.147.44 and sync-edge.live. A secondary payload was downloaded from http://edgecdn.link/panel/index.html. The malware binary (SHA256: d0cd76fd9eb10f91e2d6848d7b8c166d9229c6424bde16adf0d25d164902bdc1) was dropped to C:\\Program Files\\Common Files\\taskhost.exe. Phishing emails were sent from helpdesk@mail-service.info targeting enterprise users. 
A backup C2 server was identified at 145.253.57.147.", "spans": {"ORGANIZATION: CrowdStrike": [[0, 11]], "THREAT_ACTOR: Turla": [[59, 64]], "CVE_ID: CVE-2022-24935": [[94, 108]], "SYSTEM: Apache Struts": [[112, 125]], "MALWARE: Dridex": [[150, 156]], "TOOL: BITSAdmin": [[161, 170]], "IP_ADDRESS: 172.115.147.44": [[207, 221]], "DOMAIN: sync-edge.live": [[226, 240]], "URL: http://edgecdn.link/panel/index.html": [[282, 318]], "HASH: d0cd76fd9eb10f91e2d6848d7b8c166d9229c6424bde16adf0d25d164902bdc1": [[348, 412]], "FILEPATH: C:\\Program Files\\Common Files\\taskhost.exe": [[429, 471]], "EMAIL: helpdesk@mail-service.info": [[504, 530]], "IP_ADDRESS: 145.253.57.147": [[596, 610]]}, "info": {"id": "synth_v2_00096", "source": "synthetic_v2"}} +{"text": "Kaspersky GReAT published a threat intelligence report linking Salt Typhoon to a new campaign exploiting CVE-2024-23826 in Ubuntu 22.04. The attackers deployed Cobalt Strike via Brute Ratel, establishing C2 communication with 222.60.121.54 and cloud-cloud.link. A secondary payload was downloaded from https://cache-mail.io/collect. The malware binary (SHA1: 35bacded5f7164a9f324e9f0a7b6a46198f5108c) was dropped to C:\\Users\\admin\\Downloads\\winlogon.exe. Phishing emails were sent from finance@mail-service.info targeting enterprise users. 
A backup C2 server was identified at 221.219.84.158.", "spans": {"ORGANIZATION: Kaspersky GReAT": [[0, 15]], "THREAT_ACTOR: Salt Typhoon": [[63, 75]], "CVE_ID: CVE-2024-23826": [[105, 119]], "SYSTEM: Ubuntu 22.04": [[123, 135]], "MALWARE: Cobalt Strike": [[160, 173]], "TOOL: Brute Ratel": [[178, 189]], "IP_ADDRESS: 222.60.121.54": [[226, 239]], "DOMAIN: cloud-cloud.link": [[244, 260]], "URL: https://cache-mail.io/collect": [[302, 331]], "HASH: 35bacded5f7164a9f324e9f0a7b6a46198f5108c": [[359, 399]], "FILEPATH: C:\\Users\\admin\\Downloads\\winlogon.exe": [[416, 453]], "EMAIL: finance@mail-service.info": [[486, 511]], "IP_ADDRESS: 221.219.84.158": [[577, 591]]}, "info": {"id": "synth_v2_00097", "source": "synthetic_v2"}} +{"text": "NSA published a threat intelligence report linking OilRig to a new campaign exploiting CVE-2021-39439 in Citrix NetScaler. The attackers deployed SystemBC via Havoc, establishing C2 communication with 16.141.64.180 and portal-proxy.org. A secondary payload was downloaded from hxxps://gatewayportal.online/admin/config. The malware binary (SHA256: 2efd63356677694ca494c881d44536f0be396e2b75068ad9f144e5101318755e) was dropped to C:\\Users\\admin\\Desktop\\loader.exe. Phishing emails were sent from hr@auth-check.org targeting enterprise users. 
A backup C2 server was identified at 10.74.164.213.", "spans": {"ORGANIZATION: NSA": [[0, 3]], "THREAT_ACTOR: OilRig": [[51, 57]], "CVE_ID: CVE-2021-39439": [[87, 101]], "SYSTEM: Citrix NetScaler": [[105, 121]], "MALWARE: SystemBC": [[146, 154]], "TOOL: Havoc": [[159, 164]], "IP_ADDRESS: 16.141.64.180": [[201, 214]], "DOMAIN: portal-proxy.org": [[219, 235]], "URL: hxxps://gatewayportal.online/admin/config": [[277, 318]], "HASH: 2efd63356677694ca494c881d44536f0be396e2b75068ad9f144e5101318755e": [[348, 412]], "FILEPATH: C:\\Users\\admin\\Desktop\\loader.exe": [[429, 462]], "EMAIL: hr@auth-check.org": [[495, 512]], "IP_ADDRESS: 10.74.164.213": [[578, 591]]}, "info": {"id": "synth_v2_00098", "source": "synthetic_v2"}} +{"text": "Europol published a threat intelligence report linking Midnight Blizzard to a new campaign exploiting CVE-2020-17296 in Ubuntu 22.04. The attackers deployed Qbot via Hashcat, establishing C2 communication with 163.183.32.204 and storagebackup.tech. A secondary payload was downloaded from https://cache-proxy.link/admin/config. The malware binary (SHA256: 5ab115bd718dd63abb977e65564b14729ceca6875aae2a98d2b49c7f5958fad4) was dropped to C:\\Users\\admin\\AppData\\Local\\Temp\\taskhost.exe. Phishing emails were sent from updates@phishing-domain.com targeting enterprise users. 
A backup C2 server was identified at 56.219.108.127.", "spans": {"ORGANIZATION: Europol": [[0, 7]], "THREAT_ACTOR: Midnight Blizzard": [[55, 72]], "CVE_ID: CVE-2020-17296": [[102, 116]], "SYSTEM: Ubuntu 22.04": [[120, 132]], "MALWARE: Qbot": [[157, 161]], "TOOL: Hashcat": [[166, 173]], "IP_ADDRESS: 163.183.32.204": [[210, 224]], "DOMAIN: storagebackup.tech": [[229, 247]], "URL: https://cache-proxy.link/admin/config": [[289, 326]], "HASH: 5ab115bd718dd63abb977e65564b14729ceca6875aae2a98d2b49c7f5958fad4": [[356, 420]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\taskhost.exe": [[437, 483]], "EMAIL: updates@phishing-domain.com": [[516, 543]], "IP_ADDRESS: 56.219.108.127": [[609, 623]]}, "info": {"id": "synth_v2_00099", "source": "synthetic_v2"}} +{"text": "CISA published a threat intelligence report linking Kimsuky to a new campaign exploiting CVE-2020-17296 in SonicWall SMA. The attackers deployed REvil via Brute Ratel, establishing C2 communication with 192.67.154.41 and securecdn.site. A secondary payload was downloaded from hxxps://datagateway.top/assets/js/payload.js. The malware binary (SHA256: be2549e5f385b18f7c9aa94f4f5e87eaa565038bcf36e0d61ee4a760e75b6511) was dropped to C:\\Windows\\Temp\\runtime.dll. Phishing emails were sent from verify@secure-verify.net targeting enterprise users. 
A backup C2 server was identified at 24.184.128.22.", "spans": {"ORGANIZATION: CISA": [[0, 4]], "THREAT_ACTOR: Kimsuky": [[52, 59]], "CVE_ID: CVE-2020-17296": [[89, 103]], "SYSTEM: SonicWall SMA": [[107, 120]], "MALWARE: REvil": [[145, 150]], "TOOL: Brute Ratel": [[155, 166]], "IP_ADDRESS: 192.67.154.41": [[203, 216]], "DOMAIN: securecdn.site": [[221, 235]], "URL: hxxps://datagateway.top/assets/js/payload.js": [[277, 321]], "HASH: be2549e5f385b18f7c9aa94f4f5e87eaa565038bcf36e0d61ee4a760e75b6511": [[351, 415]], "FILEPATH: C:\\Windows\\Temp\\runtime.dll": [[432, 459]], "EMAIL: verify@secure-verify.net": [[492, 516]], "IP_ADDRESS: 24.184.128.22": [[582, 595]]}, "info": {"id": "synth_v2_00100", "source": "synthetic_v2"}} +{"text": "NSA published a threat intelligence report linking Mustang Panda to a new campaign exploiting CVE-2025-13087 in Windows Server 2019. The attackers deployed Lumma Stealer via PsExec, establishing C2 communication with 192.175.61.253 and portal-api.club. A secondary payload was downloaded from https://auth-storage.tech/download/update.exe. The malware binary (MD5: c35be3fdba9bf683edaf783fa12b9c89) was dropped to C:\\Windows\\System32\\payload.bin. Phishing emails were sent from info@urgent-notice.online targeting enterprise users. 
A backup C2 server was identified at 178.67.244.19.", "spans": {"ORGANIZATION: NSA": [[0, 3]], "THREAT_ACTOR: Mustang Panda": [[51, 64]], "CVE_ID: CVE-2025-13087": [[94, 108]], "SYSTEM: Windows Server 2019": [[112, 131]], "MALWARE: Lumma Stealer": [[156, 169]], "TOOL: PsExec": [[174, 180]], "IP_ADDRESS: 192.175.61.253": [[217, 231]], "DOMAIN: portal-api.club": [[236, 251]], "URL: https://auth-storage.tech/download/update.exe": [[293, 338]], "HASH: c35be3fdba9bf683edaf783fa12b9c89": [[365, 397]], "FILEPATH: C:\\Windows\\System32\\payload.bin": [[414, 445]], "EMAIL: info@urgent-notice.online": [[478, 503]], "IP_ADDRESS: 178.67.244.19": [[569, 582]]}, "info": {"id": "synth_v2_00101", "source": "synthetic_v2"}} +{"text": "Check Point Research published a threat intelligence report linking OilRig to a new campaign exploiting CVE-2022-27335 in Zyxel USG. The attackers deployed Emotet via ADFind, establishing C2 communication with 185.109.77.236 and login-auth.cc. A secondary payload was downloaded from hxxp://mailgateway.tech/wp-content/uploads/doc.php. The malware binary (MD5: 6644b46fd85810a4d4bfec8e2dbbcec8) was dropped to C:\\ProgramData\\helper.sh. Phishing emails were sent from confirm@document-share.link targeting enterprise users. 
A backup C2 server was identified at 158.226.111.23.", "spans": {"ORGANIZATION: Check Point Research": [[0, 20]], "THREAT_ACTOR: OilRig": [[68, 74]], "CVE_ID: CVE-2022-27335": [[104, 118]], "SYSTEM: Zyxel USG": [[122, 131]], "MALWARE: Emotet": [[156, 162]], "TOOL: ADFind": [[167, 173]], "IP_ADDRESS: 185.109.77.236": [[210, 224]], "DOMAIN: login-auth.cc": [[229, 242]], "URL: hxxp://mailgateway.tech/wp-content/uploads/doc.php": [[284, 334]], "HASH: 6644b46fd85810a4d4bfec8e2dbbcec8": [[361, 393]], "FILEPATH: C:\\ProgramData\\helper.sh": [[410, 434]], "EMAIL: confirm@document-share.link": [[467, 494]], "IP_ADDRESS: 158.226.111.23": [[560, 574]]}, "info": {"id": "synth_v2_00102", "source": "synthetic_v2"}} +{"text": "Huntress published a threat intelligence report linking Gamaredon to a new campaign exploiting CVE-2020-16717 in Apache Struts. The attackers deployed StealC via Burp Suite, establishing C2 communication with 192.96.200.76 and proxy-static.net. A secondary payload was downloaded from http://mail-storage.org/collect. The malware binary (MD5: 9b24d6c623acf64374b974b426d0448d) was dropped to /etc/cron.d/dropper.ps1. Phishing emails were sent from security@credential-check.site targeting enterprise users. 
A backup C2 server was identified at 10.253.197.29.", "spans": {"ORGANIZATION: Huntress": [[0, 8]], "THREAT_ACTOR: Gamaredon": [[56, 65]], "CVE_ID: CVE-2020-16717": [[95, 109]], "SYSTEM: Apache Struts": [[113, 126]], "MALWARE: StealC": [[151, 157]], "TOOL: Burp Suite": [[162, 172]], "IP_ADDRESS: 192.96.200.76": [[209, 222]], "DOMAIN: proxy-static.net": [[227, 243]], "URL: http://mail-storage.org/collect": [[285, 316]], "HASH: 9b24d6c623acf64374b974b426d0448d": [[343, 375]], "FILEPATH: /etc/cron.d/dropper.ps1": [[392, 415]], "EMAIL: security@credential-check.site": [[448, 478]], "IP_ADDRESS: 10.253.197.29": [[544, 557]]}, "info": {"id": "synth_v2_00103", "source": "synthetic_v2"}} +{"text": "Europol published a threat intelligence report linking Velvet Tempest to a new campaign exploiting CVE-2020-49453 in Windows Server 2019. The attackers deployed IcedID via Mimikatz, establishing C2 communication with 56.20.30.243 and apiedge.io. A secondary payload was downloaded from hxxps://sync-api.info/panel/index.html. The malware binary (SHA256: 45295eb53df7a927f5c264a79a39b6c549e13269b6de949a6b4a3ae1287010cd) was dropped to C:\\Windows\\System32\\dropper.ps1. Phishing emails were sent from ceo@identity-verify.cc targeting enterprise users. 
A backup C2 server was identified at 130.146.212.109.", "spans": {"ORGANIZATION: Europol": [[0, 7]], "THREAT_ACTOR: Velvet Tempest": [[55, 69]], "CVE_ID: CVE-2020-49453": [[99, 113]], "SYSTEM: Windows Server 2019": [[117, 136]], "MALWARE: IcedID": [[161, 167]], "TOOL: Mimikatz": [[172, 180]], "IP_ADDRESS: 56.20.30.243": [[217, 229]], "DOMAIN: apiedge.io": [[234, 244]], "URL: hxxps://sync-api.info/panel/index.html": [[286, 324]], "HASH: 45295eb53df7a927f5c264a79a39b6c549e13269b6de949a6b4a3ae1287010cd": [[354, 418]], "FILEPATH: C:\\Windows\\System32\\dropper.ps1": [[435, 466]], "EMAIL: ceo@identity-verify.cc": [[499, 521]], "IP_ADDRESS: 130.146.212.109": [[587, 602]]}, "info": {"id": "synth_v2_00104", "source": "synthetic_v2"}} +{"text": "Secureworks published a threat intelligence report linking OilRig to a new campaign exploiting CVE-2025-42343 in Microsoft Exchange. The attackers deployed IcedID via Burp Suite, establishing C2 communication with 10.44.222.30 and auth-update.club. A secondary payload was downloaded from https://update-secure.online/panel/index.html. The malware binary (SHA1: d551568c890117dbee36458ef362c8711871f0a4) was dropped to /usr/local/bin/config.dat. Phishing emails were sent from it@account-update.xyz targeting enterprise users. 
A backup C2 server was identified at 157.28.158.171.", "spans": {"ORGANIZATION: Secureworks": [[0, 11]], "THREAT_ACTOR: OilRig": [[59, 65]], "CVE_ID: CVE-2025-42343": [[95, 109]], "SYSTEM: Microsoft Exchange": [[113, 131]], "MALWARE: IcedID": [[156, 162]], "TOOL: Burp Suite": [[167, 177]], "IP_ADDRESS: 10.44.222.30": [[214, 226]], "DOMAIN: auth-update.club": [[231, 247]], "URL: https://update-secure.online/panel/index.html": [[289, 334]], "HASH: d551568c890117dbee36458ef362c8711871f0a4": [[362, 402]], "FILEPATH: /usr/local/bin/config.dat": [[419, 444]], "EMAIL: it@account-update.xyz": [[477, 498]], "IP_ADDRESS: 157.28.158.171": [[564, 578]]}, "info": {"id": "synth_v2_00105", "source": "synthetic_v2"}} +{"text": "Symantec published a threat intelligence report linking Aqua Blizzard to a new campaign exploiting CVE-2021-32298 in Windows Server 2019. The attackers deployed SystemBC via LinPEAS, establishing C2 communication with 207.219.139.135 and cdnproxy.live. A secondary payload was downloaded from hxxps://mail-secure.info/collect. The malware binary (SHA1: d06640e45caac53ccfaf8e9f6e49eabdee473446) was dropped to C:\\Users\\Public\\Documents\\helper.sh. Phishing emails were sent from account@phishing-domain.com targeting enterprise users. 
A backup C2 server was identified at 172.39.254.117.", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "THREAT_ACTOR: Aqua Blizzard": [[56, 69]], "CVE_ID: CVE-2021-32298": [[99, 113]], "SYSTEM: Windows Server 2019": [[117, 136]], "MALWARE: SystemBC": [[161, 169]], "TOOL: LinPEAS": [[174, 181]], "IP_ADDRESS: 207.219.139.135": [[218, 233]], "DOMAIN: cdnproxy.live": [[238, 251]], "URL: hxxps://mail-secure.info/collect": [[293, 325]], "HASH: d06640e45caac53ccfaf8e9f6e49eabdee473446": [[353, 393]], "FILEPATH: C:\\Users\\Public\\Documents\\helper.sh": [[410, 445]], "EMAIL: account@phishing-domain.com": [[478, 505]], "IP_ADDRESS: 172.39.254.117": [[571, 585]]}, "info": {"id": "synth_v2_00106", "source": "synthetic_v2"}} +{"text": "Mandiant published a threat intelligence report linking APT29 to a new campaign exploiting CVE-2026-35216 in Ivanti Connect Secure. The attackers deployed Emotet via PsExec, establishing C2 communication with 39.91.18.142 and syncapi.cc. A secondary payload was downloaded from hxxps://authnode.top/download/update.exe. The malware binary (SHA256: 12c326810190516e9550c4ee61afcc90622033f4aa2c01d7c911b03738b91e46) was dropped to C:\\Users\\admin\\AppData\\Local\\Temp\\lsass.dmp. Phishing emails were sent from info@credential-check.site targeting enterprise users. 
A backup C2 server was identified at 58.164.127.107.", "spans": {"ORGANIZATION: Mandiant": [[0, 8]], "THREAT_ACTOR: APT29": [[56, 61]], "CVE_ID: CVE-2026-35216": [[91, 105]], "SYSTEM: Ivanti Connect Secure": [[109, 130]], "MALWARE: Emotet": [[155, 161]], "TOOL: PsExec": [[166, 172]], "IP_ADDRESS: 39.91.18.142": [[209, 221]], "DOMAIN: syncapi.cc": [[226, 236]], "URL: hxxps://authnode.top/download/update.exe": [[278, 318]], "HASH: 12c326810190516e9550c4ee61afcc90622033f4aa2c01d7c911b03738b91e46": [[348, 412]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\lsass.dmp": [[429, 472]], "EMAIL: info@credential-check.site": [[505, 531]], "IP_ADDRESS: 58.164.127.107": [[597, 611]]}, "info": {"id": "synth_v2_00107", "source": "synthetic_v2"}} +{"text": "Qualys published a threat intelligence report linking Salt Typhoon to a new campaign exploiting CVE-2023-46500 in Atlassian Confluence. The attackers deployed Gootloader via Seatbelt, establishing C2 communication with 192.233.4.95 and cacheproxy.link. A secondary payload was downloaded from hxxps://edge-data.org/callback. The malware binary (SHA256: cdc925d8c0d86b3ebd3b10c2d32b2bf13262e89e1230227a336a344d9cb9261c) was dropped to /var/tmp/dropper.ps1. Phishing emails were sent from it@phishing-domain.com targeting enterprise users. 
A backup C2 server was identified at 172.155.124.119.", "spans": {"ORGANIZATION: Qualys": [[0, 6]], "THREAT_ACTOR: Salt Typhoon": [[54, 66]], "CVE_ID: CVE-2023-46500": [[96, 110]], "SYSTEM: Atlassian Confluence": [[114, 134]], "MALWARE: Gootloader": [[159, 169]], "TOOL: Seatbelt": [[174, 182]], "IP_ADDRESS: 192.233.4.95": [[219, 231]], "DOMAIN: cacheproxy.link": [[236, 251]], "URL: hxxps://edge-data.org/callback": [[293, 323]], "HASH: cdc925d8c0d86b3ebd3b10c2d32b2bf13262e89e1230227a336a344d9cb9261c": [[353, 417]], "FILEPATH: /var/tmp/dropper.ps1": [[434, 454]], "EMAIL: it@phishing-domain.com": [[487, 509]], "IP_ADDRESS: 172.155.124.119": [[575, 590]]}, "info": {"id": "synth_v2_00108", "source": "synthetic_v2"}} +{"text": "Zscaler ThreatLabz published a threat intelligence report linking Scattered Spider to a new campaign exploiting CVE-2024-19363 in Apache Struts. The attackers deployed Emotet via Seatbelt, establishing C2 communication with 10.121.214.126 and node-gateway.club. A secondary payload was downloaded from hxxps://relayapi.cc/panel/index.html. The malware binary (SHA256: a73eccfdae2a3255bcdcffc27b75b8b5df40415185704bc547c8173cccaa2602) was dropped to C:\\Users\\admin\\Desktop\\chrome_helper.exe. Phishing emails were sent from notification@document-share.link targeting enterprise users. 
A backup C2 server was identified at 10.143.47.12.", "spans": {"ORGANIZATION: Zscaler ThreatLabz": [[0, 18]], "THREAT_ACTOR: Scattered Spider": [[66, 82]], "CVE_ID: CVE-2024-19363": [[112, 126]], "SYSTEM: Apache Struts": [[130, 143]], "MALWARE: Emotet": [[168, 174]], "TOOL: Seatbelt": [[179, 187]], "IP_ADDRESS: 10.121.214.126": [[224, 238]], "DOMAIN: node-gateway.club": [[243, 260]], "URL: hxxps://relayapi.cc/panel/index.html": [[302, 338]], "HASH: a73eccfdae2a3255bcdcffc27b75b8b5df40415185704bc547c8173cccaa2602": [[368, 432]], "FILEPATH: C:\\Users\\admin\\Desktop\\chrome_helper.exe": [[449, 489]], "EMAIL: notification@document-share.link": [[522, 554]], "IP_ADDRESS: 10.143.47.12": [[620, 632]]}, "info": {"id": "synth_v2_00109", "source": "synthetic_v2"}} +{"text": "Microsoft MSRC published a threat intelligence report linking APT29 to a new campaign exploiting CVE-2023-16619 in Apache Struts. The attackers deployed XLoader via PowerView, establishing C2 communication with 218.161.201.180 and cloud-login.link. A secondary payload was downloaded from http://login-auth.org/gate.php. The malware binary (MD5: 1ad8610a793293232d59f96534403ea1) was dropped to C:\\Program Files\\Common Files\\taskhost.exe. Phishing emails were sent from confirm@auth-check.org targeting enterprise users. 
A backup C2 server was identified at 82.231.139.60.", "spans": {"ORGANIZATION: Microsoft MSRC": [[0, 14]], "THREAT_ACTOR: APT29": [[62, 67]], "CVE_ID: CVE-2023-16619": [[97, 111]], "SYSTEM: Apache Struts": [[115, 128]], "MALWARE: XLoader": [[153, 160]], "TOOL: PowerView": [[165, 174]], "IP_ADDRESS: 218.161.201.180": [[211, 226]], "DOMAIN: cloud-login.link": [[231, 247]], "URL: http://login-auth.org/gate.php": [[289, 319]], "HASH: 1ad8610a793293232d59f96534403ea1": [[346, 378]], "FILEPATH: C:\\Program Files\\Common Files\\taskhost.exe": [[395, 437]], "EMAIL: confirm@auth-check.org": [[470, 492]], "IP_ADDRESS: 82.231.139.60": [[558, 571]]}, "info": {"id": "synth_v2_00110", "source": "synthetic_v2"}} +{"text": "Trend Micro published a threat intelligence report linking Velvet Tempest to a new campaign exploiting CVE-2025-49086 in Active Directory. The attackers deployed Royal via Brute Ratel, establishing C2 communication with 10.80.155.212 and mail-portal.io. A secondary payload was downloaded from hxxp://backup-sync.live/login. The malware binary (MD5: 4f03e7cbbe0151937e3857e2c5af2d7e) was dropped to C:\\Windows\\Tasks\\dropper.ps1. Phishing emails were sent from confirm@login-portal.tech targeting enterprise users. 
A backup C2 server was identified at 10.167.75.24.", "spans": {"ORGANIZATION: Trend Micro": [[0, 11]], "THREAT_ACTOR: Velvet Tempest": [[59, 73]], "CVE_ID: CVE-2025-49086": [[103, 117]], "SYSTEM: Active Directory": [[121, 137]], "MALWARE: Royal": [[162, 167]], "TOOL: Brute Ratel": [[172, 183]], "IP_ADDRESS: 10.80.155.212": [[220, 233]], "DOMAIN: mail-portal.io": [[238, 252]], "URL: hxxp://backup-sync.live/login": [[294, 323]], "HASH: 4f03e7cbbe0151937e3857e2c5af2d7e": [[350, 382]], "FILEPATH: C:\\Windows\\Tasks\\dropper.ps1": [[399, 427]], "EMAIL: confirm@login-portal.tech": [[460, 485]], "IP_ADDRESS: 10.167.75.24": [[551, 563]]}, "info": {"id": "synth_v2_00111", "source": "synthetic_v2"}} +{"text": "Rapid7 published a threat intelligence report linking Kimsuky to a new campaign exploiting CVE-2021-16698 in VMware ESXi. The attackers deployed ShadowPad via Metasploit, establishing C2 communication with 10.113.66.51 and update-api.xyz. A secondary payload was downloaded from https://loginapi.dev/api/v2/auth. The malware binary (SHA256: 7449ed739be4d77f4d42ed0778db80cb1e99329c5b198bbc4a1450c0f774898e) was dropped to C:\\Windows\\Tasks\\update.dll. Phishing emails were sent from security@document-share.link targeting enterprise users. 
A backup C2 server was identified at 96.43.132.235.", "spans": {"ORGANIZATION: Rapid7": [[0, 6]], "THREAT_ACTOR: Kimsuky": [[54, 61]], "CVE_ID: CVE-2021-16698": [[91, 105]], "SYSTEM: VMware ESXi": [[109, 120]], "MALWARE: ShadowPad": [[145, 154]], "TOOL: Metasploit": [[159, 169]], "IP_ADDRESS: 10.113.66.51": [[206, 218]], "DOMAIN: update-api.xyz": [[223, 237]], "URL: https://loginapi.dev/api/v2/auth": [[279, 311]], "HASH: 7449ed739be4d77f4d42ed0778db80cb1e99329c5b198bbc4a1450c0f774898e": [[341, 405]], "FILEPATH: C:\\Windows\\Tasks\\update.dll": [[422, 449]], "EMAIL: security@document-share.link": [[482, 510]], "IP_ADDRESS: 96.43.132.235": [[576, 589]]}, "info": {"id": "synth_v2_00112", "source": "synthetic_v2"}} +{"text": "CrowdStrike published a threat intelligence report linking Storm-0558 to a new campaign exploiting CVE-2024-27359 in SonicWall SMA. The attackers deployed Vidar via PowerShell Empire, establishing C2 communication with 172.109.95.71 and backup-proxy.site. A secondary payload was downloaded from http://cdnapi.info/download/update.exe. The malware binary (MD5: 21541cbf5664f89075a34fa4fc4b029e) was dropped to /tmp/loader.exe. Phishing emails were sent from helpdesk@urgent-notice.online targeting enterprise users. 
A backup C2 server was identified at 115.76.17.158.", "spans": {"ORGANIZATION: CrowdStrike": [[0, 11]], "THREAT_ACTOR: Storm-0558": [[59, 69]], "CVE_ID: CVE-2024-27359": [[99, 113]], "SYSTEM: SonicWall SMA": [[117, 130]], "MALWARE: Vidar": [[155, 160]], "TOOL: PowerShell Empire": [[165, 182]], "IP_ADDRESS: 172.109.95.71": [[219, 232]], "DOMAIN: backup-proxy.site": [[237, 254]], "URL: http://cdnapi.info/download/update.exe": [[296, 334]], "HASH: 21541cbf5664f89075a34fa4fc4b029e": [[361, 393]], "FILEPATH: /tmp/loader.exe": [[410, 425]], "EMAIL: helpdesk@urgent-notice.online": [[458, 487]], "IP_ADDRESS: 115.76.17.158": [[553, 566]]}, "info": {"id": "synth_v2_00113", "source": "synthetic_v2"}} +{"text": "Rapid7 published a threat intelligence report linking Granite Typhoon to a new campaign exploiting CVE-2024-30622 in F5 BIG-IP. The attackers deployed TrickBot via Ligolo, establishing C2 communication with 89.164.198.70 and cdnproxy.io. A secondary payload was downloaded from hxxps://cachedata.org/wp-content/uploads/doc.php. The malware binary (SHA1: 846a391db1ac51ca39ad717d064b41b4270806d3) was dropped to /var/tmp/backdoor.elf. Phishing emails were sent from confirm@phishing-domain.com targeting enterprise users. 
A backup C2 server was identified at 10.163.112.8.", "spans": {"ORGANIZATION: Rapid7": [[0, 6]], "THREAT_ACTOR: Granite Typhoon": [[54, 69]], "CVE_ID: CVE-2024-30622": [[99, 113]], "SYSTEM: F5 BIG-IP": [[117, 126]], "MALWARE: TrickBot": [[151, 159]], "TOOL: Ligolo": [[164, 170]], "IP_ADDRESS: 89.164.198.70": [[207, 220]], "DOMAIN: cdnproxy.io": [[225, 236]], "URL: hxxps://cachedata.org/wp-content/uploads/doc.php": [[278, 326]], "HASH: 846a391db1ac51ca39ad717d064b41b4270806d3": [[354, 394]], "FILEPATH: /var/tmp/backdoor.elf": [[411, 432]], "EMAIL: confirm@phishing-domain.com": [[465, 492]], "IP_ADDRESS: 10.163.112.8": [[558, 570]]}, "info": {"id": "synth_v2_00114", "source": "synthetic_v2"}} +{"text": "Qualys published a threat intelligence report linking Velvet Tempest to a new campaign exploiting CVE-2024-26162 in Ivanti Connect Secure. The attackers deployed Play via BITSAdmin, establishing C2 communication with 10.121.162.207 and cache-cloud.live. A secondary payload was downloaded from http://edgebackup.org/login. The malware binary (SHA256: 76d82b15aac3de36ee8a5cb22458c52852c7951490791eb50aef578c55d98375) was dropped to C:\\Users\\admin\\AppData\\Local\\Temp\\helper.sh. Phishing emails were sent from report@login-portal.tech targeting enterprise users. 
A backup C2 server was identified at 152.14.180.243.", "spans": {"ORGANIZATION: Qualys": [[0, 6]], "THREAT_ACTOR: Velvet Tempest": [[54, 68]], "CVE_ID: CVE-2024-26162": [[98, 112]], "SYSTEM: Ivanti Connect Secure": [[116, 137]], "MALWARE: Play": [[162, 166]], "TOOL: BITSAdmin": [[171, 180]], "IP_ADDRESS: 10.121.162.207": [[217, 231]], "DOMAIN: cache-cloud.live": [[236, 252]], "URL: http://edgebackup.org/login": [[294, 321]], "HASH: 76d82b15aac3de36ee8a5cb22458c52852c7951490791eb50aef578c55d98375": [[351, 415]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\helper.sh": [[432, 475]], "EMAIL: report@login-portal.tech": [[508, 532]], "IP_ADDRESS: 152.14.180.243": [[598, 612]]}, "info": {"id": "synth_v2_00115", "source": "synthetic_v2"}} +{"text": "CrowdStrike published a threat intelligence report linking APT28 to a new campaign exploiting CVE-2024-12103 in Progress Telerik. The attackers deployed PikaBot via PowerShell Empire, establishing C2 communication with 10.174.90.236 and auth-node.live. A secondary payload was downloaded from http://apimail.club/collect. The malware binary (SHA256: fffb9a72932c0e807012d4dd7d2d3d366efc05821b4a32e0cf52ca0fd293d1da) was dropped to /opt/app/bin/agent.py. Phishing emails were sent from ceo@account-update.xyz targeting enterprise users. 
A backup C2 server was identified at 16.11.75.151.", "spans": {"ORGANIZATION: CrowdStrike": [[0, 11]], "THREAT_ACTOR: APT28": [[59, 64]], "CVE_ID: CVE-2024-12103": [[94, 108]], "SYSTEM: Progress Telerik": [[112, 128]], "MALWARE: PikaBot": [[153, 160]], "TOOL: PowerShell Empire": [[165, 182]], "IP_ADDRESS: 10.174.90.236": [[219, 232]], "DOMAIN: auth-node.live": [[237, 251]], "URL: http://apimail.club/collect": [[293, 320]], "HASH: fffb9a72932c0e807012d4dd7d2d3d366efc05821b4a32e0cf52ca0fd293d1da": [[350, 414]], "FILEPATH: /opt/app/bin/agent.py": [[431, 452]], "EMAIL: ceo@account-update.xyz": [[485, 507]], "IP_ADDRESS: 16.11.75.151": [[573, 585]]}, "info": {"id": "synth_v2_00116", "source": "synthetic_v2"}} +{"text": "Check Point Research published a threat intelligence report linking Turla to a new campaign exploiting CVE-2026-44676 in Atlassian Confluence. The attackers deployed XLoader via GhostPack, establishing C2 communication with 192.182.114.171 and update-cache.site. A secondary payload was downloaded from hxxp://secure-static.tech/admin/config. The malware binary (SHA1: 055c6823ec608bcf2e3d7d5f3515d10347496b24) was dropped to C:\\Users\\Public\\Documents\\beacon.dll. Phishing emails were sent from noreply@auth-check.org targeting enterprise users. 
A backup C2 server was identified at 172.157.150.33.", "spans": {"ORGANIZATION: Check Point Research": [[0, 20]], "THREAT_ACTOR: Turla": [[68, 73]], "CVE_ID: CVE-2026-44676": [[103, 117]], "SYSTEM: Atlassian Confluence": [[121, 141]], "MALWARE: XLoader": [[166, 173]], "TOOL: GhostPack": [[178, 187]], "IP_ADDRESS: 192.182.114.171": [[224, 239]], "DOMAIN: update-cache.site": [[244, 261]], "URL: hxxp://secure-static.tech/admin/config": [[303, 341]], "HASH: 055c6823ec608bcf2e3d7d5f3515d10347496b24": [[369, 409]], "FILEPATH: C:\\Users\\Public\\Documents\\beacon.dll": [[426, 462]], "EMAIL: noreply@auth-check.org": [[495, 517]], "IP_ADDRESS: 172.157.150.33": [[583, 597]]}, "info": {"id": "synth_v2_00117", "source": "synthetic_v2"}} +{"text": "SentinelOne published a threat intelligence report linking Aqua Blizzard to a new campaign exploiting CVE-2024-31252 in Fortinet FortiGate. The attackers deployed IcedID via PsExec, establishing C2 communication with 192.171.228.3 and authupdate.com. A secondary payload was downloaded from http://relaygateway.org/gate.php. The malware binary (MD5: 5de8263dc0cfcd56567d7fc0b0fcbba1) was dropped to /etc/cron.d/dropper.ps1. Phishing emails were sent from service@secure-verify.net targeting enterprise users. 
A backup C2 server was identified at 54.127.34.90.", "spans": {"ORGANIZATION: SentinelOne": [[0, 11]], "THREAT_ACTOR: Aqua Blizzard": [[59, 72]], "CVE_ID: CVE-2024-31252": [[102, 116]], "SYSTEM: Fortinet FortiGate": [[120, 138]], "MALWARE: IcedID": [[163, 169]], "TOOL: PsExec": [[174, 180]], "IP_ADDRESS: 192.171.228.3": [[217, 230]], "DOMAIN: authupdate.com": [[235, 249]], "URL: http://relaygateway.org/gate.php": [[291, 323]], "HASH: 5de8263dc0cfcd56567d7fc0b0fcbba1": [[350, 382]], "FILEPATH: /etc/cron.d/dropper.ps1": [[399, 422]], "EMAIL: service@secure-verify.net": [[455, 480]], "IP_ADDRESS: 54.127.34.90": [[546, 558]]}, "info": {"id": "synth_v2_00118", "source": "synthetic_v2"}} +{"text": "Qualys published a threat intelligence report linking Flax Typhoon to a new campaign exploiting CVE-2022-28965 in Fortinet FortiGate. The attackers deployed Amadey via GhostPack, establishing C2 communication with 19.17.150.6 and portal-secure.club. A secondary payload was downloaded from http://edge-api.tech/assets/js/payload.js. The malware binary (SHA256: 8758959998e0f4d6fc11c0ad1d3cd675712e5fbe94b2121cfdd8a14b68e10b7f) was dropped to C:\\Program Files\\Common Files\\config.dat. Phishing emails were sent from report@identity-verify.cc targeting enterprise users. 
A backup C2 server was identified at 67.53.37.88.", "spans": {"ORGANIZATION: Qualys": [[0, 6]], "THREAT_ACTOR: Flax Typhoon": [[54, 66]], "CVE_ID: CVE-2022-28965": [[96, 110]], "SYSTEM: Fortinet FortiGate": [[114, 132]], "MALWARE: Amadey": [[157, 163]], "TOOL: GhostPack": [[168, 177]], "IP_ADDRESS: 19.17.150.6": [[214, 225]], "DOMAIN: portal-secure.club": [[230, 248]], "URL: http://edge-api.tech/assets/js/payload.js": [[290, 331]], "HASH: 8758959998e0f4d6fc11c0ad1d3cd675712e5fbe94b2121cfdd8a14b68e10b7f": [[361, 425]], "FILEPATH: C:\\Program Files\\Common Files\\config.dat": [[442, 482]], "EMAIL: report@identity-verify.cc": [[515, 540]], "IP_ADDRESS: 67.53.37.88": [[606, 617]]}, "info": {"id": "synth_v2_00119", "source": "synthetic_v2"}} +{"text": "Sophos X-Ops published a threat intelligence report linking Turla to a new campaign exploiting CVE-2022-47837 in Palo Alto PAN-OS. The attackers deployed QakBot via Metasploit, establishing C2 communication with 179.135.144.77 and logincdn.tech. A secondary payload was downloaded from http://gateway-api.info/wp-content/uploads/doc.php. The malware binary (SHA256: 284b4ee446f5ada115da1aa27b467af418b0637d7ca538687dd19fb64c1c30f4) was dropped to C:\\Windows\\Temp\\runtime.dll. Phishing emails were sent from security@mail-service.info targeting enterprise users. 
A backup C2 server was identified at 10.25.201.147.", "spans": {"ORGANIZATION: Sophos X-Ops": [[0, 12]], "THREAT_ACTOR: Turla": [[60, 65]], "CVE_ID: CVE-2022-47837": [[95, 109]], "SYSTEM: Palo Alto PAN-OS": [[113, 129]], "MALWARE: QakBot": [[154, 160]], "TOOL: Metasploit": [[165, 175]], "IP_ADDRESS: 179.135.144.77": [[212, 226]], "DOMAIN: logincdn.tech": [[231, 244]], "URL: http://gateway-api.info/wp-content/uploads/doc.php": [[286, 336]], "HASH: 284b4ee446f5ada115da1aa27b467af418b0637d7ca538687dd19fb64c1c30f4": [[366, 430]], "FILEPATH: C:\\Windows\\Temp\\runtime.dll": [[447, 474]], "EMAIL: security@mail-service.info": [[507, 533]], "IP_ADDRESS: 10.25.201.147": [[599, 612]]}, "info": {"id": "synth_v2_00120", "source": "synthetic_v2"}} +{"text": "Palo Alto Unit 42 published a threat intelligence report linking Lazarus Group to a new campaign exploiting CVE-2023-27691 in Cisco ASA. The attackers deployed Amadey via Havoc, establishing C2 communication with 126.135.46.165 and relay-cdn.info. A secondary payload was downloaded from https://relaysync.xyz/collect. The malware binary (SHA256: f777ac7dd4f0d8dcea76d4010f549ef497446bb7a39080c7f95e567c7a83f452) was dropped to C:\\Windows\\System32\\taskhost.exe. Phishing emails were sent from info@auth-check.org targeting enterprise users. 
A backup C2 server was identified at 48.189.195.95.", "spans": {"ORGANIZATION: Palo Alto Unit 42": [[0, 17]], "THREAT_ACTOR: Lazarus Group": [[65, 78]], "CVE_ID: CVE-2023-27691": [[108, 122]], "SYSTEM: Cisco ASA": [[126, 135]], "MALWARE: Amadey": [[160, 166]], "TOOL: Havoc": [[171, 176]], "IP_ADDRESS: 126.135.46.165": [[213, 227]], "DOMAIN: relay-cdn.info": [[232, 246]], "URL: https://relaysync.xyz/collect": [[288, 317]], "HASH: f777ac7dd4f0d8dcea76d4010f549ef497446bb7a39080c7f95e567c7a83f452": [[347, 411]], "FILEPATH: C:\\Windows\\System32\\taskhost.exe": [[428, 460]], "EMAIL: info@auth-check.org": [[493, 512]], "IP_ADDRESS: 48.189.195.95": [[578, 591]]}, "info": {"id": "synth_v2_00121", "source": "synthetic_v2"}} +{"text": "Huntress published a threat intelligence report linking Granite Typhoon to a new campaign exploiting CVE-2022-15229 in Barracuda ESG. The attackers deployed WarmCookie via Sliver, establishing C2 communication with 172.214.243.147 and node-cache.dev. A secondary payload was downloaded from hxxp://auth-relay.org/wp-content/uploads/doc.php. The malware binary (SHA256: ac02614b0c9dac0ff54e9421e260bf46c3127e125e19d932286776e5eec14b9c) was dropped to C:\\Windows\\System32\\update.dll. Phishing emails were sent from contact@secure-verify.net targeting enterprise users. 
A backup C2 server was identified at 172.153.40.102.", "spans": {"ORGANIZATION: Huntress": [[0, 8]], "THREAT_ACTOR: Granite Typhoon": [[56, 71]], "CVE_ID: CVE-2022-15229": [[101, 115]], "SYSTEM: Barracuda ESG": [[119, 132]], "MALWARE: WarmCookie": [[157, 167]], "TOOL: Sliver": [[172, 178]], "IP_ADDRESS: 172.214.243.147": [[215, 230]], "DOMAIN: node-cache.dev": [[235, 249]], "URL: hxxp://auth-relay.org/wp-content/uploads/doc.php": [[291, 339]], "HASH: ac02614b0c9dac0ff54e9421e260bf46c3127e125e19d932286776e5eec14b9c": [[369, 433]], "FILEPATH: C:\\Windows\\System32\\update.dll": [[450, 480]], "EMAIL: contact@secure-verify.net": [[513, 538]], "IP_ADDRESS: 172.153.40.102": [[604, 618]]}, "info": {"id": "synth_v2_00122", "source": "synthetic_v2"}} +{"text": "Tenable published a threat intelligence report linking Star Blizzard to a new campaign exploiting CVE-2021-34898 in Progress Telerik. The attackers deployed XLoader via SharpHound, establishing C2 communication with 82.34.44.100 and updatestatic.cc. A secondary payload was downloaded from hxxp://authgateway.org/collect. The malware binary (SHA1: 52d0ee6d032b3bf33be9785429508429c6f0571d) was dropped to C:\\Users\\Public\\Documents\\taskhost.exe. Phishing emails were sent from notification@secure-verify.net targeting enterprise users. 
A backup C2 server was identified at 142.166.141.134.", "spans": {"ORGANIZATION: Tenable": [[0, 7]], "THREAT_ACTOR: Star Blizzard": [[55, 68]], "CVE_ID: CVE-2021-34898": [[98, 112]], "SYSTEM: Progress Telerik": [[116, 132]], "MALWARE: XLoader": [[157, 164]], "TOOL: SharpHound": [[169, 179]], "IP_ADDRESS: 82.34.44.100": [[216, 228]], "DOMAIN: updatestatic.cc": [[233, 248]], "URL: hxxp://authgateway.org/collect": [[290, 320]], "HASH: 52d0ee6d032b3bf33be9785429508429c6f0571d": [[348, 388]], "FILEPATH: C:\\Users\\Public\\Documents\\taskhost.exe": [[405, 443]], "EMAIL: notification@secure-verify.net": [[476, 506]], "IP_ADDRESS: 142.166.141.134": [[572, 587]]}, "info": {"id": "synth_v2_00123", "source": "synthetic_v2"}} +{"text": "NCSC published a threat intelligence report linking Granite Typhoon to a new campaign exploiting CVE-2024-14337 in SonicWall SMA. The attackers deployed Gootloader via Havoc, establishing C2 communication with 99.248.242.10 and cdnportal.dev. A secondary payload was downloaded from http://datacdn.club/portal/verify. The malware binary (MD5: a413cc671443ce5b228b676779bd56c4) was dropped to C:\\Windows\\Temp\\winlogon.exe. Phishing emails were sent from finance@mail-service.info targeting enterprise users. 
A backup C2 server was identified at 172.206.73.159.", "spans": {"ORGANIZATION: NCSC": [[0, 4]], "THREAT_ACTOR: Granite Typhoon": [[52, 67]], "CVE_ID: CVE-2024-14337": [[97, 111]], "SYSTEM: SonicWall SMA": [[115, 128]], "MALWARE: Gootloader": [[153, 163]], "TOOL: Havoc": [[168, 173]], "IP_ADDRESS: 99.248.242.10": [[210, 223]], "DOMAIN: cdnportal.dev": [[228, 241]], "URL: http://datacdn.club/portal/verify": [[283, 316]], "HASH: a413cc671443ce5b228b676779bd56c4": [[343, 375]], "FILEPATH: C:\\Windows\\Temp\\winlogon.exe": [[392, 420]], "EMAIL: finance@mail-service.info": [[453, 478]], "IP_ADDRESS: 172.206.73.159": [[544, 558]]}, "info": {"id": "synth_v2_00124", "source": "synthetic_v2"}} +{"text": "Secureworks published a threat intelligence report linking FIN11 to a new campaign exploiting CVE-2021-48618 in Microsoft Exchange. The attackers deployed Qbot via Havoc, establishing C2 communication with 172.226.164.69 and gateway-proxy.link. A secondary payload was downloaded from hxxp://cdnnode.link/api/v2/auth. The malware binary (MD5: 3e43dd8135576d8bce9d369fd389683a) was dropped to C:\\Users\\admin\\Desktop\\payload.bin. Phishing emails were sent from account@document-share.link targeting enterprise users. 
A backup C2 server was identified at 155.45.96.114.", "spans": {"ORGANIZATION: Secureworks": [[0, 11]], "THREAT_ACTOR: FIN11": [[59, 64]], "CVE_ID: CVE-2021-48618": [[94, 108]], "SYSTEM: Microsoft Exchange": [[112, 130]], "MALWARE: Qbot": [[155, 159]], "TOOL: Havoc": [[164, 169]], "IP_ADDRESS: 172.226.164.69": [[206, 220]], "DOMAIN: gateway-proxy.link": [[225, 243]], "URL: hxxp://cdnnode.link/api/v2/auth": [[285, 316]], "HASH: 3e43dd8135576d8bce9d369fd389683a": [[343, 375]], "FILEPATH: C:\\Users\\admin\\Desktop\\payload.bin": [[392, 426]], "EMAIL: account@document-share.link": [[459, 486]], "IP_ADDRESS: 155.45.96.114": [[552, 565]]}, "info": {"id": "synth_v2_00125", "source": "synthetic_v2"}} +{"text": "Symantec published a threat intelligence report linking APT28 to a new campaign exploiting CVE-2022-33700 in Windows 11. The attackers deployed DarkSide via SharpHound, establishing C2 communication with 10.233.25.236 and nodeportal.top. A secondary payload was downloaded from http://update-data.tech/collect. The malware binary (MD5: 5634bf245f67e68b90cbac36a359e789) was dropped to C:\\Users\\admin\\Downloads\\beacon.dll. Phishing emails were sent from notification@urgent-notice.online targeting enterprise users. 
A backup C2 server was identified at 181.101.140.95.", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "THREAT_ACTOR: APT28": [[56, 61]], "CVE_ID: CVE-2022-33700": [[91, 105]], "SYSTEM: Windows 11": [[109, 119]], "MALWARE: DarkSide": [[144, 152]], "TOOL: SharpHound": [[157, 167]], "IP_ADDRESS: 10.233.25.236": [[204, 217]], "DOMAIN: nodeportal.top": [[222, 236]], "URL: http://update-data.tech/collect": [[278, 309]], "HASH: 5634bf245f67e68b90cbac36a359e789": [[336, 368]], "FILEPATH: C:\\Users\\admin\\Downloads\\beacon.dll": [[385, 420]], "EMAIL: notification@urgent-notice.online": [[453, 486]], "IP_ADDRESS: 181.101.140.95": [[552, 566]]}, "info": {"id": "synth_v2_00126", "source": "synthetic_v2"}} +{"text": "Tenable published a threat intelligence report linking BlackTech to a new campaign exploiting CVE-2023-34260 in Ubuntu 22.04. The attackers deployed AgentTesla via Rubeus, establishing C2 communication with 8.197.25.42 and nodeupdate.live. A secondary payload was downloaded from hxxp://proxy-login.top/collect. The malware binary (SHA256: fa352da0d0b9458ee0ea23c2e31aa2de0b8d0a6c33342c6337a08cd618bbad95) was dropped to /var/tmp/backdoor.elf. Phishing emails were sent from report@mail-service.info targeting enterprise users. 
A backup C2 server was identified at 10.115.105.69.", "spans": {"ORGANIZATION: Tenable": [[0, 7]], "THREAT_ACTOR: BlackTech": [[55, 64]], "CVE_ID: CVE-2023-34260": [[94, 108]], "SYSTEM: Ubuntu 22.04": [[112, 124]], "MALWARE: AgentTesla": [[149, 159]], "TOOL: Rubeus": [[164, 170]], "IP_ADDRESS: 8.197.25.42": [[207, 218]], "DOMAIN: nodeupdate.live": [[223, 238]], "URL: hxxp://proxy-login.top/collect": [[280, 310]], "HASH: fa352da0d0b9458ee0ea23c2e31aa2de0b8d0a6c33342c6337a08cd618bbad95": [[340, 404]], "FILEPATH: /var/tmp/backdoor.elf": [[421, 442]], "EMAIL: report@mail-service.info": [[475, 499]], "IP_ADDRESS: 10.115.105.69": [[565, 578]]}, "info": {"id": "synth_v2_00127", "source": "synthetic_v2"}} +{"text": "Symantec published a threat intelligence report linking Forest Blizzard to a new campaign exploiting CVE-2024-19363 in Ivanti Connect Secure. The attackers deployed SystemBC via Sliver, establishing C2 communication with 65.111.238.78 and edgestatic.cc. A secondary payload was downloaded from hxxps://backupauth.online/secure/token. The malware binary (MD5: 7af18e7c4592f267446ad66fce8c5495) was dropped to /opt/app/bin/backdoor.elf. Phishing emails were sent from hr@mail-service.info targeting enterprise users. 
A backup C2 server was identified at 150.52.3.131.", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "THREAT_ACTOR: Forest Blizzard": [[56, 71]], "CVE_ID: CVE-2024-19363": [[101, 115]], "SYSTEM: Ivanti Connect Secure": [[119, 140]], "MALWARE: SystemBC": [[165, 173]], "TOOL: Sliver": [[178, 184]], "IP_ADDRESS: 65.111.238.78": [[221, 234]], "DOMAIN: edgestatic.cc": [[239, 252]], "URL: hxxps://backupauth.online/secure/token": [[294, 332]], "HASH: 7af18e7c4592f267446ad66fce8c5495": [[359, 391]], "FILEPATH: /opt/app/bin/backdoor.elf": [[408, 433]], "EMAIL: hr@mail-service.info": [[466, 486]], "IP_ADDRESS: 150.52.3.131": [[552, 564]]}, "info": {"id": "synth_v2_00128", "source": "synthetic_v2"}} +{"text": "Huntress published a threat intelligence report linking Sandworm to a new campaign exploiting CVE-2023-34911 in Windows 11. The attackers deployed LockBit via LaZagne, establishing C2 communication with 170.163.71.185 and portalportal.club. A secondary payload was downloaded from hxxp://cache-cache.live/secure/token. The malware binary (SHA1: cc4104ce181c724cce3311449e0716e58c031730) was dropped to /var/tmp/dropper.ps1. Phishing emails were sent from verify@auth-check.org targeting enterprise users. 
A backup C2 server was identified at 192.254.151.67.", "spans": {"ORGANIZATION: Huntress": [[0, 8]], "THREAT_ACTOR: Sandworm": [[56, 64]], "CVE_ID: CVE-2023-34911": [[94, 108]], "SYSTEM: Windows 11": [[112, 122]], "MALWARE: LockBit": [[147, 154]], "TOOL: LaZagne": [[159, 166]], "IP_ADDRESS: 170.163.71.185": [[203, 217]], "DOMAIN: portalportal.club": [[222, 239]], "URL: hxxp://cache-cache.live/secure/token": [[281, 317]], "HASH: cc4104ce181c724cce3311449e0716e58c031730": [[345, 385]], "FILEPATH: /var/tmp/dropper.ps1": [[402, 422]], "EMAIL: verify@auth-check.org": [[455, 476]], "IP_ADDRESS: 192.254.151.67": [[542, 556]]}, "info": {"id": "synth_v2_00129", "source": "synthetic_v2"}} +{"text": "Google TAG published a threat intelligence report linking Charming Kitten to a new campaign exploiting CVE-2022-18180 in Apache Struts. The attackers deployed AsyncRAT via Havoc, establishing C2 communication with 172.65.132.186 and databackup.site. A secondary payload was downloaded from https://mailsync.cc/gate.php. The malware binary (SHA256: fa34653871ec61efff21793c3cc7cae50ee7ddaa1208a769bf73420813a85c12) was dropped to /dev/shm/update.dll. Phishing emails were sent from notification@document-share.link targeting enterprise users. 
A backup C2 server was identified at 192.171.45.57.", "spans": {"ORGANIZATION: Google TAG": [[0, 10]], "THREAT_ACTOR: Charming Kitten": [[58, 73]], "CVE_ID: CVE-2022-18180": [[103, 117]], "SYSTEM: Apache Struts": [[121, 134]], "MALWARE: AsyncRAT": [[159, 167]], "TOOL: Havoc": [[172, 177]], "IP_ADDRESS: 172.65.132.186": [[214, 228]], "DOMAIN: databackup.site": [[233, 248]], "URL: https://mailsync.cc/gate.php": [[290, 318]], "HASH: fa34653871ec61efff21793c3cc7cae50ee7ddaa1208a769bf73420813a85c12": [[348, 412]], "FILEPATH: /dev/shm/update.dll": [[429, 448]], "EMAIL: notification@document-share.link": [[481, 513]], "IP_ADDRESS: 192.171.45.57": [[579, 592]]}, "info": {"id": "synth_v2_00130", "source": "synthetic_v2"}} +{"text": "Symantec published a threat intelligence report linking Gamaredon to a new campaign exploiting CVE-2022-46178 in Juniper SRX. The attackers deployed IcedID via PowerShell Empire, establishing C2 communication with 192.195.152.106 and cacherelay.org. A secondary payload was downloaded from https://secureapi.online/admin/config. The malware binary (SHA256: 1ed64c14f6cfb965f58e772ad92f0860fe1c0eb2c2a64337fb78e8fef499eeaf) was dropped to /opt/app/bin/update.dll. Phishing emails were sent from admin@credential-check.site targeting enterprise users. 
A backup C2 server was identified at 10.70.102.88.", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "THREAT_ACTOR: Gamaredon": [[56, 65]], "CVE_ID: CVE-2022-46178": [[95, 109]], "SYSTEM: Juniper SRX": [[113, 124]], "MALWARE: IcedID": [[149, 155]], "TOOL: PowerShell Empire": [[160, 177]], "IP_ADDRESS: 192.195.152.106": [[214, 229]], "DOMAIN: cacherelay.org": [[234, 248]], "URL: https://secureapi.online/admin/config": [[290, 327]], "HASH: 1ed64c14f6cfb965f58e772ad92f0860fe1c0eb2c2a64337fb78e8fef499eeaf": [[357, 421]], "FILEPATH: /opt/app/bin/update.dll": [[438, 461]], "EMAIL: admin@credential-check.site": [[494, 521]], "IP_ADDRESS: 10.70.102.88": [[587, 599]]}, "info": {"id": "synth_v2_00131", "source": "synthetic_v2"}} +{"text": "Huntress published a threat intelligence report linking FIN11 to a new campaign exploiting CVE-2022-12847 in MOVEit Transfer. The attackers deployed Royal via Seatbelt, establishing C2 communication with 172.45.66.158 and portalupdate.com. A secondary payload was downloaded from https://mail-update.dev/panel/index.html. The malware binary (SHA256: d76c344864ffdfcdbee34f1831029249fb27cb19338bff92a501ed8bcc33328a) was dropped to C:\\Windows\\Temp\\svchost.exe. Phishing emails were sent from helpdesk@login-portal.tech targeting enterprise users. 
A backup C2 server was identified at 163.219.206.110.", "spans": {"ORGANIZATION: Huntress": [[0, 8]], "THREAT_ACTOR: FIN11": [[56, 61]], "CVE_ID: CVE-2022-12847": [[91, 105]], "SYSTEM: MOVEit Transfer": [[109, 124]], "MALWARE: Royal": [[149, 154]], "TOOL: Seatbelt": [[159, 167]], "IP_ADDRESS: 172.45.66.158": [[204, 217]], "DOMAIN: portalupdate.com": [[222, 238]], "URL: https://mail-update.dev/panel/index.html": [[280, 320]], "HASH: d76c344864ffdfcdbee34f1831029249fb27cb19338bff92a501ed8bcc33328a": [[350, 414]], "FILEPATH: C:\\Windows\\Temp\\svchost.exe": [[431, 458]], "EMAIL: helpdesk@login-portal.tech": [[491, 517]], "IP_ADDRESS: 163.219.206.110": [[583, 598]]}, "info": {"id": "synth_v2_00132", "source": "synthetic_v2"}} +{"text": "Microsoft MSRC published a threat intelligence report linking Forest Blizzard to a new campaign exploiting CVE-2021-28231 in Cisco ASA. The attackers deployed AgentTesla via Burp Suite, establishing C2 communication with 43.33.23.77 and storage-proxy.tech. A secondary payload was downloaded from hxxp://secure-portal.com/wp-content/uploads/doc.php. The malware binary (SHA1: 56b49f3cf44a40fc46233261373ee4bd2e9644ca) was dropped to C:\\Windows\\System32\\runtime.dll. Phishing emails were sent from admin@document-share.link targeting enterprise users. 
A backup C2 server was identified at 117.172.222.228.", "spans": {"ORGANIZATION: Microsoft MSRC": [[0, 14]], "THREAT_ACTOR: Forest Blizzard": [[62, 77]], "CVE_ID: CVE-2021-28231": [[107, 121]], "SYSTEM: Cisco ASA": [[125, 134]], "MALWARE: AgentTesla": [[159, 169]], "TOOL: Burp Suite": [[174, 184]], "IP_ADDRESS: 43.33.23.77": [[221, 232]], "DOMAIN: storage-proxy.tech": [[237, 255]], "URL: hxxp://secure-portal.com/wp-content/uploads/doc.php": [[297, 348]], "HASH: 56b49f3cf44a40fc46233261373ee4bd2e9644ca": [[376, 416]], "FILEPATH: C:\\Windows\\System32\\runtime.dll": [[433, 464]], "EMAIL: admin@document-share.link": [[497, 522]], "IP_ADDRESS: 117.172.222.228": [[588, 603]]}, "info": {"id": "synth_v2_00133", "source": "synthetic_v2"}} +{"text": "SentinelOne published a threat intelligence report linking Charming Kitten to a new campaign exploiting CVE-2020-48698 in Cisco ASA. The attackers deployed REvil via Metasploit, establishing C2 communication with 198.24.24.170 and gateway-relay.site. A secondary payload was downloaded from hxxp://edge-sync.online/wp-content/uploads/doc.php. The malware binary (SHA1: 52a81f85578ec25909f93977c451790e2c34748a) was dropped to C:\\Windows\\Temp\\agent.py. Phishing emails were sent from contact@secure-verify.net targeting enterprise users. 
A backup C2 server was identified at 192.10.24.177.", "spans": {"ORGANIZATION: SentinelOne": [[0, 11]], "THREAT_ACTOR: Charming Kitten": [[59, 74]], "CVE_ID: CVE-2020-48698": [[104, 118]], "SYSTEM: Cisco ASA": [[122, 131]], "MALWARE: REvil": [[156, 161]], "TOOL: Metasploit": [[166, 176]], "IP_ADDRESS: 198.24.24.170": [[213, 226]], "DOMAIN: gateway-relay.site": [[231, 249]], "URL: hxxp://edge-sync.online/wp-content/uploads/doc.php": [[291, 341]], "HASH: 52a81f85578ec25909f93977c451790e2c34748a": [[369, 409]], "FILEPATH: C:\\Windows\\Temp\\agent.py": [[426, 450]], "EMAIL: contact@secure-verify.net": [[483, 508]], "IP_ADDRESS: 192.10.24.177": [[574, 587]]}, "info": {"id": "synth_v2_00134", "source": "synthetic_v2"}} +{"text": "INTERPOL published a threat intelligence report linking Star Blizzard to a new campaign exploiting CVE-2021-16698 in SonicWall SMA. The attackers deployed PikaBot via Nmap, establishing C2 communication with 192.60.144.30 and nodecloud.tech. A secondary payload was downloaded from http://backupsecure.com/wp-content/uploads/doc.php. The malware binary (SHA1: 3bf8a549a57e8deb42cd6d13060f4d22a69e675b) was dropped to /dev/shm/winlogon.exe. Phishing emails were sent from helpdesk@phishing-domain.com targeting enterprise users. 
A backup C2 server was identified at 172.101.102.200.", "spans": {"ORGANIZATION: INTERPOL": [[0, 8]], "THREAT_ACTOR: Star Blizzard": [[56, 69]], "CVE_ID: CVE-2021-16698": [[99, 113]], "SYSTEM: SonicWall SMA": [[117, 130]], "MALWARE: PikaBot": [[155, 162]], "TOOL: Nmap": [[167, 171]], "IP_ADDRESS: 192.60.144.30": [[208, 221]], "DOMAIN: nodecloud.tech": [[226, 240]], "URL: http://backupsecure.com/wp-content/uploads/doc.php": [[282, 332]], "HASH: 3bf8a549a57e8deb42cd6d13060f4d22a69e675b": [[360, 400]], "FILEPATH: /dev/shm/winlogon.exe": [[417, 438]], "EMAIL: helpdesk@phishing-domain.com": [[471, 499]], "IP_ADDRESS: 172.101.102.200": [[565, 580]]}, "info": {"id": "synth_v2_00135", "source": "synthetic_v2"}} +{"text": "Palo Alto Unit 42 published a threat intelligence report linking APT28 to a new campaign exploiting CVE-2026-46256 in Citrix NetScaler. The attackers deployed Dridex via Merlin, establishing C2 communication with 192.38.51.232 and syncrelay.com. A secondary payload was downloaded from https://secure-cdn.live/secure/token. The malware binary (SHA1: 2d359d8ca506c0d4fd5ff8f7243d8af0f9eb9551) was dropped to /opt/app/bin/ntds.dit. Phishing emails were sent from alert@secure-verify.net targeting enterprise users. 
A backup C2 server was identified at 165.118.233.254.", "spans": {"ORGANIZATION: Palo Alto Unit 42": [[0, 17]], "THREAT_ACTOR: APT28": [[65, 70]], "CVE_ID: CVE-2026-46256": [[100, 114]], "SYSTEM: Citrix NetScaler": [[118, 134]], "MALWARE: Dridex": [[159, 165]], "TOOL: Merlin": [[170, 176]], "IP_ADDRESS: 192.38.51.232": [[213, 226]], "DOMAIN: syncrelay.com": [[231, 244]], "URL: https://secure-cdn.live/secure/token": [[286, 322]], "HASH: 2d359d8ca506c0d4fd5ff8f7243d8af0f9eb9551": [[350, 390]], "FILEPATH: /opt/app/bin/ntds.dit": [[407, 428]], "EMAIL: alert@secure-verify.net": [[461, 484]], "IP_ADDRESS: 165.118.233.254": [[550, 565]]}, "info": {"id": "synth_v2_00136", "source": "synthetic_v2"}} +{"text": "Qualys published a threat intelligence report linking Salt Typhoon to a new campaign exploiting CVE-2021-16698 in Fortinet FortiGate. The attackers deployed Cobalt Strike via Mimikatz, establishing C2 communication with 92.224.137.225 and portalrelay.info. A secondary payload was downloaded from hxxp://proxygateway.top/api/v2/auth. The malware binary (SHA256: 8f33a3e2371d6083d3969c45fe4c082cc2a2ee147a0f14706148e7cb192e82e5) was dropped to C:\\Users\\admin\\AppData\\Local\\Temp\\config.dat. Phishing emails were sent from alert@identity-verify.cc targeting enterprise users. 
A backup C2 server was identified at 172.175.93.30.", "spans": {"ORGANIZATION: Qualys": [[0, 6]], "THREAT_ACTOR: Salt Typhoon": [[54, 66]], "CVE_ID: CVE-2021-16698": [[96, 110]], "SYSTEM: Fortinet FortiGate": [[114, 132]], "MALWARE: Cobalt Strike": [[157, 170]], "TOOL: Mimikatz": [[175, 183]], "IP_ADDRESS: 92.224.137.225": [[220, 234]], "DOMAIN: portalrelay.info": [[239, 255]], "URL: hxxp://proxygateway.top/api/v2/auth": [[297, 332]], "HASH: 8f33a3e2371d6083d3969c45fe4c082cc2a2ee147a0f14706148e7cb192e82e5": [[362, 426]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\config.dat": [[443, 487]], "EMAIL: alert@identity-verify.cc": [[520, 544]], "IP_ADDRESS: 172.175.93.30": [[610, 623]]}, "info": {"id": "synth_v2_00137", "source": "synthetic_v2"}} +{"text": "Rapid7 published a threat intelligence report linking Diamond Sleet to a new campaign exploiting CVE-2025-15957 in Fortinet FortiGate. The attackers deployed Lumma Stealer via PowerShell Empire, establishing C2 communication with 200.183.14.221 and relaycdn.net. A secondary payload was downloaded from hxxp://storageupdate.club/admin/config. The malware binary (MD5: c311c3038ecf4bf4f8da8e9aa091020c) was dropped to C:\\Users\\Public\\Documents\\ntds.dit. Phishing emails were sent from helpdesk@credential-check.site targeting enterprise users. 
A backup C2 server was identified at 172.249.57.228.", "spans": {"ORGANIZATION: Rapid7": [[0, 6]], "THREAT_ACTOR: Diamond Sleet": [[54, 67]], "CVE_ID: CVE-2025-15957": [[97, 111]], "SYSTEM: Fortinet FortiGate": [[115, 133]], "MALWARE: Lumma Stealer": [[158, 171]], "TOOL: PowerShell Empire": [[176, 193]], "IP_ADDRESS: 200.183.14.221": [[230, 244]], "DOMAIN: relaycdn.net": [[249, 261]], "URL: hxxp://storageupdate.club/admin/config": [[303, 341]], "HASH: c311c3038ecf4bf4f8da8e9aa091020c": [[368, 400]], "FILEPATH: C:\\Users\\Public\\Documents\\ntds.dit": [[417, 451]], "EMAIL: helpdesk@credential-check.site": [[484, 514]], "IP_ADDRESS: 172.249.57.228": [[580, 594]]}, "info": {"id": "synth_v2_00138", "source": "synthetic_v2"}} +{"text": "Tenable published a threat intelligence report linking BlackTech to a new campaign exploiting CVE-2020-16140 in Windows Server 2019. The attackers deployed Raccoon Stealer via CrackMapExec, establishing C2 communication with 192.240.253.223 and synccdn.io. A secondary payload was downloaded from hxxp://edge-portal.site/api/v2/auth. The malware binary (MD5: b6c1d612f85acb6b33f5496cf44b4f98) was dropped to C:\\Windows\\Tasks\\shell.php. Phishing emails were sent from updates@secure-verify.net targeting enterprise users. 
A backup C2 server was identified at 10.251.164.62.", "spans": {"ORGANIZATION: Tenable": [[0, 7]], "THREAT_ACTOR: BlackTech": [[55, 64]], "CVE_ID: CVE-2020-16140": [[94, 108]], "SYSTEM: Windows Server 2019": [[112, 131]], "MALWARE: Raccoon Stealer": [[156, 171]], "TOOL: CrackMapExec": [[176, 188]], "IP_ADDRESS: 192.240.253.223": [[225, 240]], "DOMAIN: synccdn.io": [[245, 255]], "URL: hxxp://edge-portal.site/api/v2/auth": [[297, 332]], "HASH: b6c1d612f85acb6b33f5496cf44b4f98": [[359, 391]], "FILEPATH: C:\\Windows\\Tasks\\shell.php": [[408, 434]], "EMAIL: updates@secure-verify.net": [[467, 492]], "IP_ADDRESS: 10.251.164.62": [[558, 571]]}, "info": {"id": "synth_v2_00139", "source": "synthetic_v2"}} +{"text": "Sophos X-Ops published a threat intelligence report linking Salt Typhoon to a new campaign exploiting CVE-2021-32298 in F5 BIG-IP. The attackers deployed Qbot via Brute Ratel, establishing C2 communication with 10.206.211.10 and storagemail.live. A secondary payload was downloaded from http://data-relay.tech/assets/js/payload.js. The malware binary (SHA1: ea830fc544ebfc159dfc565f5b1be61abf5ef84a) was dropped to /etc/cron.d/sam.hive. Phishing emails were sent from alert@secure-verify.net targeting enterprise users. 
A backup C2 server was identified at 10.155.105.168.", "spans": {"ORGANIZATION: Sophos X-Ops": [[0, 12]], "THREAT_ACTOR: Salt Typhoon": [[60, 72]], "CVE_ID: CVE-2021-32298": [[102, 116]], "SYSTEM: F5 BIG-IP": [[120, 129]], "MALWARE: Qbot": [[154, 158]], "TOOL: Brute Ratel": [[163, 174]], "IP_ADDRESS: 10.206.211.10": [[211, 224]], "DOMAIN: storagemail.live": [[229, 245]], "URL: http://data-relay.tech/assets/js/payload.js": [[287, 330]], "HASH: ea830fc544ebfc159dfc565f5b1be61abf5ef84a": [[358, 398]], "FILEPATH: /etc/cron.d/sam.hive": [[415, 435]], "EMAIL: alert@secure-verify.net": [[468, 491]], "IP_ADDRESS: 10.155.105.168": [[557, 571]]}, "info": {"id": "synth_v2_00140", "source": "synthetic_v2"}} +{"text": "Sophos X-Ops published a threat intelligence report linking Velvet Tempest to a new campaign exploiting CVE-2024-47170 in Apache Struts. The attackers deployed Play via Mimikatz, establishing C2 communication with 180.54.23.230 and staticcloud.xyz. A secondary payload was downloaded from hxxp://portal-cloud.online/assets/js/payload.js. The malware binary (MD5: 19321a7a962333a7af6e09858286794a) was dropped to C:\\Users\\Public\\Documents\\ntds.dit. Phishing emails were sent from support@document-share.link targeting enterprise users. 
A backup C2 server was identified at 172.71.209.28.", "spans": {"ORGANIZATION: Sophos X-Ops": [[0, 12]], "THREAT_ACTOR: Velvet Tempest": [[60, 74]], "CVE_ID: CVE-2024-47170": [[104, 118]], "SYSTEM: Apache Struts": [[122, 135]], "MALWARE: Play": [[160, 164]], "TOOL: Mimikatz": [[169, 177]], "IP_ADDRESS: 180.54.23.230": [[214, 227]], "DOMAIN: staticcloud.xyz": [[232, 247]], "URL: hxxp://portal-cloud.online/assets/js/payload.js": [[289, 336]], "HASH: 19321a7a962333a7af6e09858286794a": [[363, 395]], "FILEPATH: C:\\Users\\Public\\Documents\\ntds.dit": [[412, 446]], "EMAIL: support@document-share.link": [[479, 506]], "IP_ADDRESS: 172.71.209.28": [[572, 585]]}, "info": {"id": "synth_v2_00141", "source": "synthetic_v2"}} +{"text": "Zscaler ThreatLabz published a threat intelligence report linking Kimsuky to a new campaign exploiting CVE-2026-45190 in Citrix NetScaler. The attackers deployed PlugX via Brute Ratel, establishing C2 communication with 2.24.221.215 and auth-portal.top. A secondary payload was downloaded from hxxp://nodeportal.site/portal/verify. The malware binary (MD5: e63c2824ee5248e2f83a36aa16783058) was dropped to /opt/app/bin/agent.py. Phishing emails were sent from updates@account-update.xyz targeting enterprise users. 
A backup C2 server was identified at 131.90.88.188.", "spans": {"ORGANIZATION: Zscaler ThreatLabz": [[0, 18]], "THREAT_ACTOR: Kimsuky": [[66, 73]], "CVE_ID: CVE-2026-45190": [[103, 117]], "SYSTEM: Citrix NetScaler": [[121, 137]], "MALWARE: PlugX": [[162, 167]], "TOOL: Brute Ratel": [[172, 183]], "IP_ADDRESS: 2.24.221.215": [[220, 232]], "DOMAIN: auth-portal.top": [[237, 252]], "URL: hxxp://nodeportal.site/portal/verify": [[294, 330]], "HASH: e63c2824ee5248e2f83a36aa16783058": [[357, 389]], "FILEPATH: /opt/app/bin/agent.py": [[406, 427]], "EMAIL: updates@account-update.xyz": [[460, 486]], "IP_ADDRESS: 131.90.88.188": [[552, 565]]}, "info": {"id": "synth_v2_00142", "source": "synthetic_v2"}} +{"text": "Secureworks published a threat intelligence report linking Mustang Panda to a new campaign exploiting CVE-2026-32293 in Apache Struts. The attackers deployed FormBook via ADFind, establishing C2 communication with 183.111.102.54 and node-edge.club. A secondary payload was downloaded from http://authmail.io/collect. The malware binary (SHA1: 965a76703f7025273c712699497ab6127ef5f1e6) was dropped to C:\\Program Files\\Common Files\\dropper.ps1. Phishing emails were sent from finance@identity-verify.cc targeting enterprise users. 
A backup C2 server was identified at 176.176.67.252.", "spans": {"ORGANIZATION: Secureworks": [[0, 11]], "THREAT_ACTOR: Mustang Panda": [[59, 72]], "CVE_ID: CVE-2026-32293": [[102, 116]], "SYSTEM: Apache Struts": [[120, 133]], "MALWARE: FormBook": [[158, 166]], "TOOL: ADFind": [[171, 177]], "IP_ADDRESS: 183.111.102.54": [[214, 228]], "DOMAIN: node-edge.club": [[233, 247]], "URL: http://authmail.io/collect": [[289, 315]], "HASH: 965a76703f7025273c712699497ab6127ef5f1e6": [[343, 383]], "FILEPATH: C:\\Program Files\\Common Files\\dropper.ps1": [[400, 441]], "EMAIL: finance@identity-verify.cc": [[474, 500]], "IP_ADDRESS: 176.176.67.252": [[566, 580]]}, "info": {"id": "synth_v2_00143", "source": "synthetic_v2"}} +{"text": "Palo Alto Unit 42 published a threat intelligence report linking Granite Typhoon to a new campaign exploiting CVE-2020-16717 in Cisco ASA. The attackers deployed Emotet via LaZagne, establishing C2 communication with 10.28.102.69 and backup-cloud.link. A secondary payload was downloaded from hxxp://mail-relay.net/assets/js/payload.js. The malware binary (SHA1: 31de1c02f56ef5ec2512db09f71df92e84e8e098) was dropped to C:\\Users\\admin\\Desktop\\helper.sh. Phishing emails were sent from account@mail-service.info targeting enterprise users. 
A backup C2 server was identified at 172.128.74.215.", "spans": {"ORGANIZATION: Palo Alto Unit 42": [[0, 17]], "THREAT_ACTOR: Granite Typhoon": [[65, 80]], "CVE_ID: CVE-2020-16717": [[110, 124]], "SYSTEM: Cisco ASA": [[128, 137]], "MALWARE: Emotet": [[162, 168]], "TOOL: LaZagne": [[173, 180]], "IP_ADDRESS: 10.28.102.69": [[217, 229]], "DOMAIN: backup-cloud.link": [[234, 251]], "URL: hxxp://mail-relay.net/assets/js/payload.js": [[293, 335]], "HASH: 31de1c02f56ef5ec2512db09f71df92e84e8e098": [[363, 403]], "FILEPATH: C:\\Users\\admin\\Desktop\\helper.sh": [[420, 452]], "EMAIL: account@mail-service.info": [[485, 510]], "IP_ADDRESS: 172.128.74.215": [[576, 590]]}, "info": {"id": "synth_v2_00144", "source": "synthetic_v2"}} +{"text": "Proofpoint published a threat intelligence report linking Forest Blizzard to a new campaign exploiting CVE-2024-26162 in SonicWall SMA. The attackers deployed QakBot via Merlin, establishing C2 communication with 142.27.6.191 and cacheedge.club. A secondary payload was downloaded from hxxp://cloud-backup.online/admin/config. The malware binary (SHA256: 626c3d8067b532b245b03867d2c7f7578e1536e2938433a55e5ec669f48eb967) was dropped to C:\\Users\\admin\\Downloads\\config.dat. Phishing emails were sent from account@secure-verify.net targeting enterprise users. 
A backup C2 server was identified at 52.226.115.234.", "spans": {"ORGANIZATION: Proofpoint": [[0, 10]], "THREAT_ACTOR: Forest Blizzard": [[58, 73]], "CVE_ID: CVE-2024-26162": [[103, 117]], "SYSTEM: SonicWall SMA": [[121, 134]], "MALWARE: QakBot": [[159, 165]], "TOOL: Merlin": [[170, 176]], "IP_ADDRESS: 142.27.6.191": [[213, 225]], "DOMAIN: cacheedge.club": [[230, 244]], "URL: hxxp://cloud-backup.online/admin/config": [[286, 325]], "HASH: 626c3d8067b532b245b03867d2c7f7578e1536e2938433a55e5ec669f48eb967": [[355, 419]], "FILEPATH: C:\\Users\\admin\\Downloads\\config.dat": [[436, 471]], "EMAIL: account@secure-verify.net": [[504, 529]], "IP_ADDRESS: 52.226.115.234": [[595, 609]]}, "info": {"id": "synth_v2_00145", "source": "synthetic_v2"}} +{"text": "Kaspersky GReAT published a threat intelligence report linking Volt Typhoon to a new campaign exploiting CVE-2023-33283 in Citrix NetScaler. The attackers deployed Cobalt Strike via Sliver, establishing C2 communication with 192.130.2.85 and staticcdn.link. A secondary payload was downloaded from https://proxycache.io/api/v2/auth. The malware binary (SHA1: 93fc3470e45158215f3190f5a9cca7f61f93be3c) was dropped to /opt/app/bin/loader.exe. Phishing emails were sent from helpdesk@account-update.xyz targeting enterprise users. 
A backup C2 server was identified at 182.79.20.40.", "spans": {"ORGANIZATION: Kaspersky GReAT": [[0, 15]], "THREAT_ACTOR: Volt Typhoon": [[63, 75]], "CVE_ID: CVE-2023-33283": [[105, 119]], "SYSTEM: Citrix NetScaler": [[123, 139]], "MALWARE: Cobalt Strike": [[164, 177]], "TOOL: Sliver": [[182, 188]], "IP_ADDRESS: 192.130.2.85": [[225, 237]], "DOMAIN: staticcdn.link": [[242, 256]], "URL: https://proxycache.io/api/v2/auth": [[298, 331]], "HASH: 93fc3470e45158215f3190f5a9cca7f61f93be3c": [[359, 399]], "FILEPATH: /opt/app/bin/loader.exe": [[416, 439]], "EMAIL: helpdesk@account-update.xyz": [[472, 499]], "IP_ADDRESS: 182.79.20.40": [[565, 577]]}, "info": {"id": "synth_v2_00146", "source": "synthetic_v2"}} +{"text": "NSA published a threat intelligence report linking Charming Kitten to a new campaign exploiting CVE-2022-32541 in SonicWall SMA. The attackers deployed IcedID via GhostPack, establishing C2 communication with 24.178.113.227 and cloudstatic.io. A secondary payload was downloaded from https://edgeupdate.net/gate.php. The malware binary (SHA256: ff0e462188792506c0c5e50ac8ede88605c529b9a268e1b3f4ee5a74e9eb5427) was dropped to /var/tmp/update.dll. Phishing emails were sent from ceo@identity-verify.cc targeting enterprise users. 
A backup C2 server was identified at 192.169.169.93.", "spans": {"ORGANIZATION: NSA": [[0, 3]], "THREAT_ACTOR: Charming Kitten": [[51, 66]], "CVE_ID: CVE-2022-32541": [[96, 110]], "SYSTEM: SonicWall SMA": [[114, 127]], "MALWARE: IcedID": [[152, 158]], "TOOL: GhostPack": [[163, 172]], "IP_ADDRESS: 24.178.113.227": [[209, 223]], "DOMAIN: cloudstatic.io": [[228, 242]], "URL: https://edgeupdate.net/gate.php": [[284, 315]], "HASH: ff0e462188792506c0c5e50ac8ede88605c529b9a268e1b3f4ee5a74e9eb5427": [[345, 409]], "FILEPATH: /var/tmp/update.dll": [[426, 445]], "EMAIL: ceo@identity-verify.cc": [[478, 500]], "IP_ADDRESS: 192.169.169.93": [[566, 580]]}, "info": {"id": "synth_v2_00147", "source": "synthetic_v2"}} +{"text": "Kaspersky GReAT published a threat intelligence report linking Diamond Sleet to a new campaign exploiting CVE-2026-27261 in Apache Struts. The attackers deployed Conti via Ligolo, establishing C2 communication with 192.191.228.125 and auth-secure.link. A secondary payload was downloaded from hxxp://api-cloud.top/admin/config. The malware binary (MD5: d1750cfa51b2004ae0753113c69f13f3) was dropped to C:\\Users\\Public\\Documents\\runtime.dll. Phishing emails were sent from confirm@identity-verify.cc targeting enterprise users. 
A backup C2 server was identified at 172.98.164.132.", "spans": {"ORGANIZATION: Kaspersky GReAT": [[0, 15]], "THREAT_ACTOR: Diamond Sleet": [[63, 76]], "CVE_ID: CVE-2026-27261": [[106, 120]], "SYSTEM: Apache Struts": [[124, 137]], "MALWARE: Conti": [[162, 167]], "TOOL: Ligolo": [[172, 178]], "IP_ADDRESS: 192.191.228.125": [[215, 230]], "DOMAIN: auth-secure.link": [[235, 251]], "URL: hxxp://api-cloud.top/admin/config": [[293, 326]], "HASH: d1750cfa51b2004ae0753113c69f13f3": [[353, 385]], "FILEPATH: C:\\Users\\Public\\Documents\\runtime.dll": [[402, 439]], "EMAIL: confirm@identity-verify.cc": [[472, 498]], "IP_ADDRESS: 172.98.164.132": [[564, 578]]}, "info": {"id": "synth_v2_00148", "source": "synthetic_v2"}} +{"text": "Zscaler ThreatLabz published a threat intelligence report linking UNC2452 to a new campaign exploiting CVE-2021-33526 in Windows Server 2019. The attackers deployed IcedID via LinPEAS, establishing C2 communication with 184.169.19.23 and cache-data.dev. A secondary payload was downloaded from http://gatewayportal.online/callback. The malware binary (MD5: 7ebe201637f8d28558b2950ce2952a74) was dropped to C:\\Windows\\Temp\\lsass.dmp. Phishing emails were sent from alert@urgent-notice.online targeting enterprise users. 
A backup C2 server was identified at 10.91.128.143.", "spans": {"ORGANIZATION: Zscaler ThreatLabz": [[0, 18]], "THREAT_ACTOR: UNC2452": [[66, 73]], "CVE_ID: CVE-2021-33526": [[103, 117]], "SYSTEM: Windows Server 2019": [[121, 140]], "MALWARE: IcedID": [[165, 171]], "TOOL: LinPEAS": [[176, 183]], "IP_ADDRESS: 184.169.19.23": [[220, 233]], "DOMAIN: cache-data.dev": [[238, 252]], "URL: http://gatewayportal.online/callback": [[294, 330]], "HASH: 7ebe201637f8d28558b2950ce2952a74": [[357, 389]], "FILEPATH: C:\\Windows\\Temp\\lsass.dmp": [[406, 431]], "EMAIL: alert@urgent-notice.online": [[464, 490]], "IP_ADDRESS: 10.91.128.143": [[556, 569]]}, "info": {"id": "synth_v2_00149", "source": "synthetic_v2"}} +{"text": "Huntress published a threat intelligence report linking APT28 to a new campaign exploiting CVE-2020-12082 in Ubuntu 22.04. The attackers deployed Meduza Stealer via Impacket, establishing C2 communication with 129.54.148.202 and portalportal.live. A secondary payload was downloaded from hxxp://proxy-secure.io/download/update.exe. The malware binary (SHA1: 97a05e736aacd79574fe3a5d5d0b599d7bcf638e) was dropped to C:\\Users\\admin\\Desktop\\dropper.ps1. Phishing emails were sent from finance@account-update.xyz targeting enterprise users. 
A backup C2 server was identified at 156.44.144.196.", "spans": {"ORGANIZATION: Huntress": [[0, 8]], "THREAT_ACTOR: APT28": [[56, 61]], "CVE_ID: CVE-2020-12082": [[91, 105]], "SYSTEM: Ubuntu 22.04": [[109, 121]], "MALWARE: Meduza Stealer": [[146, 160]], "TOOL: Impacket": [[165, 173]], "IP_ADDRESS: 129.54.148.202": [[210, 224]], "DOMAIN: portalportal.live": [[229, 246]], "URL: hxxp://proxy-secure.io/download/update.exe": [[288, 330]], "HASH: 97a05e736aacd79574fe3a5d5d0b599d7bcf638e": [[358, 398]], "FILEPATH: C:\\Users\\admin\\Desktop\\dropper.ps1": [[415, 449]], "EMAIL: finance@account-update.xyz": [[482, 508]], "IP_ADDRESS: 156.44.144.196": [[574, 588]]}, "info": {"id": "synth_v2_00150", "source": "synthetic_v2"}} +{"text": "NCSC published a threat intelligence report linking TA505 to a new campaign exploiting CVE-2021-16078 in VMware ESXi. The attackers deployed RedLine Stealer via Mimikatz, establishing C2 communication with 10.201.43.79 and secure-secure.xyz. A secondary payload was downloaded from hxxps://cloudauth.org/panel/index.html. The malware binary (MD5: 10869bac984bf4e24a2927d50877c091) was dropped to C:\\ProgramData\\agent.py. Phishing emails were sent from info@mail-service.info targeting enterprise users. 
A backup C2 server was identified at 192.176.108.106.", "spans": {"ORGANIZATION: NCSC": [[0, 4]], "THREAT_ACTOR: TA505": [[52, 57]], "CVE_ID: CVE-2021-16078": [[87, 101]], "SYSTEM: VMware ESXi": [[105, 116]], "MALWARE: RedLine Stealer": [[141, 156]], "TOOL: Mimikatz": [[161, 169]], "IP_ADDRESS: 10.201.43.79": [[206, 218]], "DOMAIN: secure-secure.xyz": [[223, 240]], "URL: hxxps://cloudauth.org/panel/index.html": [[282, 320]], "HASH: 10869bac984bf4e24a2927d50877c091": [[347, 379]], "FILEPATH: C:\\ProgramData\\agent.py": [[396, 419]], "EMAIL: info@mail-service.info": [[452, 474]], "IP_ADDRESS: 192.176.108.106": [[540, 555]]}, "info": {"id": "synth_v2_00151", "source": "synthetic_v2"}} +{"text": "Europol published a threat intelligence report linking Kimsuky to a new campaign exploiting CVE-2026-44676 in Atlassian Confluence. The attackers deployed Hive via LinPEAS, establishing C2 communication with 33.120.51.73 and staticbackup.club. A secondary payload was downloaded from https://cache-cache.tech/callback. The malware binary (SHA256: 4c92d14cbaaa3222a41a0622e72512b5a2e953bc1469e6c46bc6c22ff073bbff) was dropped to C:\\Windows\\Temp\\winlogon.exe. Phishing emails were sent from helpdesk@login-portal.tech targeting enterprise users. 
A backup C2 server was identified at 10.162.248.116.", "spans": {"ORGANIZATION: Europol": [[0, 7]], "THREAT_ACTOR: Kimsuky": [[55, 62]], "CVE_ID: CVE-2026-44676": [[92, 106]], "SYSTEM: Atlassian Confluence": [[110, 130]], "MALWARE: Hive": [[155, 159]], "TOOL: LinPEAS": [[164, 171]], "IP_ADDRESS: 33.120.51.73": [[208, 220]], "DOMAIN: staticbackup.club": [[225, 242]], "URL: https://cache-cache.tech/callback": [[284, 317]], "HASH: 4c92d14cbaaa3222a41a0622e72512b5a2e953bc1469e6c46bc6c22ff073bbff": [[347, 411]], "FILEPATH: C:\\Windows\\Temp\\winlogon.exe": [[428, 456]], "EMAIL: helpdesk@login-portal.tech": [[489, 515]], "IP_ADDRESS: 10.162.248.116": [[581, 595]]}, "info": {"id": "synth_v2_00152", "source": "synthetic_v2"}} +{"text": "Tenable published a threat intelligence report linking Forest Blizzard to a new campaign exploiting CVE-2024-23934 in Citrix NetScaler. The attackers deployed XLoader via Nmap, establishing C2 communication with 123.236.228.92 and sync-login.dev. A secondary payload was downloaded from hxxps://sync-api.club/login. The malware binary (SHA1: 6cee7ffab9b17a0d4aa9182815bc0a5941c35abd) was dropped to C:\\Windows\\Temp\\shell.php. Phishing emails were sent from notification@identity-verify.cc targeting enterprise users. 
A backup C2 server was identified at 125.55.89.166.", "spans": {"ORGANIZATION: Tenable": [[0, 7]], "THREAT_ACTOR: Forest Blizzard": [[55, 70]], "CVE_ID: CVE-2024-23934": [[100, 114]], "SYSTEM: Citrix NetScaler": [[118, 134]], "MALWARE: XLoader": [[159, 166]], "TOOL: Nmap": [[171, 175]], "IP_ADDRESS: 123.236.228.92": [[212, 226]], "DOMAIN: sync-login.dev": [[231, 245]], "URL: hxxps://sync-api.club/login": [[287, 314]], "HASH: 6cee7ffab9b17a0d4aa9182815bc0a5941c35abd": [[342, 382]], "FILEPATH: C:\\Windows\\Temp\\shell.php": [[399, 424]], "EMAIL: notification@identity-verify.cc": [[457, 488]], "IP_ADDRESS: 125.55.89.166": [[554, 567]]}, "info": {"id": "synth_v2_00153", "source": "synthetic_v2"}} +{"text": "FireEye published a threat intelligence report linking Velvet Tempest to a new campaign exploiting CVE-2020-48698 in Barracuda ESG. The attackers deployed Lumma Stealer via SharpHound, establishing C2 communication with 140.241.76.94 and portal-mail.io. A secondary payload was downloaded from hxxp://data-static.top/panel/index.html. The malware binary (SHA256: 3e53f8b989435e5f98f75ecaee4922b736b44e850fdf9719ff280fc6fb2cf3b6) was dropped to C:\\Windows\\Tasks\\config.dat. Phishing emails were sent from security@document-share.link targeting enterprise users. 
A backup C2 server was identified at 58.148.68.119.", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: Velvet Tempest": [[55, 69]], "CVE_ID: CVE-2020-48698": [[99, 113]], "SYSTEM: Barracuda ESG": [[117, 130]], "MALWARE: Lumma Stealer": [[155, 168]], "TOOL: SharpHound": [[173, 183]], "IP_ADDRESS: 140.241.76.94": [[220, 233]], "DOMAIN: portal-mail.io": [[238, 252]], "URL: hxxp://data-static.top/panel/index.html": [[294, 333]], "HASH: 3e53f8b989435e5f98f75ecaee4922b736b44e850fdf9719ff280fc6fb2cf3b6": [[363, 427]], "FILEPATH: C:\\Windows\\Tasks\\config.dat": [[444, 471]], "EMAIL: security@document-share.link": [[504, 532]], "IP_ADDRESS: 58.148.68.119": [[598, 611]]}, "info": {"id": "synth_v2_00154", "source": "synthetic_v2"}} +{"text": "Volexity published a threat intelligence report linking OilRig to a new campaign exploiting CVE-2026-40674 in Ivanti Connect Secure. The attackers deployed LockBit via LinPEAS, establishing C2 communication with 10.249.118.17 and node-mail.site. A secondary payload was downloaded from https://relaycdn.com/api/v2/auth. The malware binary (SHA1: 4052fe6edf0fda791617268bce2e419ed36c5ab8) was dropped to /usr/local/bin/backdoor.elf. Phishing emails were sent from notification@urgent-notice.online targeting enterprise users. 
A backup C2 server was identified at 95.119.21.172.", "spans": {"ORGANIZATION: Volexity": [[0, 8]], "THREAT_ACTOR: OilRig": [[56, 62]], "CVE_ID: CVE-2026-40674": [[92, 106]], "SYSTEM: Ivanti Connect Secure": [[110, 131]], "MALWARE: LockBit": [[156, 163]], "TOOL: LinPEAS": [[168, 175]], "IP_ADDRESS: 10.249.118.17": [[212, 225]], "DOMAIN: node-mail.site": [[230, 244]], "URL: https://relaycdn.com/api/v2/auth": [[286, 318]], "HASH: 4052fe6edf0fda791617268bce2e419ed36c5ab8": [[346, 386]], "FILEPATH: /usr/local/bin/backdoor.elf": [[403, 430]], "EMAIL: notification@urgent-notice.online": [[463, 496]], "IP_ADDRESS: 95.119.21.172": [[562, 575]]}, "info": {"id": "synth_v2_00155", "source": "synthetic_v2"}} +{"text": "Check Point Research published a threat intelligence report linking OilRig to a new campaign exploiting CVE-2024-19363 in Ivanti Connect Secure. The attackers deployed DarkSide via Ligolo, establishing C2 communication with 192.128.192.250 and proxyproxy.dev. A secondary payload was downloaded from hxxp://node-login.online/wp-content/uploads/doc.php. The malware binary (SHA256: 284667f1a0446fec040f50af7ee6d6a926c3e3b66cd09a7793292556ba17686d) was dropped to /usr/local/bin/runtime.dll. Phishing emails were sent from noreply@account-update.xyz targeting enterprise users. 
A backup C2 server was identified at 192.207.180.210.", "spans": {"ORGANIZATION: Check Point Research": [[0, 20]], "THREAT_ACTOR: OilRig": [[68, 74]], "CVE_ID: CVE-2024-19363": [[104, 118]], "SYSTEM: Ivanti Connect Secure": [[122, 143]], "MALWARE: DarkSide": [[168, 176]], "TOOL: Ligolo": [[181, 187]], "IP_ADDRESS: 192.128.192.250": [[224, 239]], "DOMAIN: proxyproxy.dev": [[244, 258]], "URL: hxxp://node-login.online/wp-content/uploads/doc.php": [[300, 351]], "HASH: 284667f1a0446fec040f50af7ee6d6a926c3e3b66cd09a7793292556ba17686d": [[381, 445]], "FILEPATH: /usr/local/bin/runtime.dll": [[462, 488]], "EMAIL: noreply@account-update.xyz": [[521, 547]], "IP_ADDRESS: 192.207.180.210": [[613, 628]]}, "info": {"id": "synth_v2_00156", "source": "synthetic_v2"}} +{"text": "Secureworks published a threat intelligence report linking Turla to a new campaign exploiting CVE-2021-32298 in Microsoft Exchange. The attackers deployed RedLine Stealer via ADFind, establishing C2 communication with 208.169.58.124 and updatedata.com. A secondary payload was downloaded from hxxp://cache-cache.org/admin/config. The malware binary (SHA1: c9e11674c1099b29a7889dc634048837a41ecb5c) was dropped to C:\\Users\\admin\\AppData\\Local\\Temp\\shell.php. Phishing emails were sent from noreply@phishing-domain.com targeting enterprise users. 
A backup C2 server was identified at 123.107.82.166.", "spans": {"ORGANIZATION: Secureworks": [[0, 11]], "THREAT_ACTOR: Turla": [[59, 64]], "CVE_ID: CVE-2021-32298": [[94, 108]], "SYSTEM: Microsoft Exchange": [[112, 130]], "MALWARE: RedLine Stealer": [[155, 170]], "TOOL: ADFind": [[175, 181]], "IP_ADDRESS: 208.169.58.124": [[218, 232]], "DOMAIN: updatedata.com": [[237, 251]], "URL: hxxp://cache-cache.org/admin/config": [[293, 328]], "HASH: c9e11674c1099b29a7889dc634048837a41ecb5c": [[356, 396]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\shell.php": [[413, 456]], "EMAIL: noreply@phishing-domain.com": [[489, 516]], "IP_ADDRESS: 123.107.82.166": [[582, 596]]}, "info": {"id": "synth_v2_00157", "source": "synthetic_v2"}} +{"text": "Google TAG published a threat intelligence report linking Turla to a new campaign exploiting CVE-2026-17310 in Cisco ASA. The attackers deployed SmokeLoader via Merlin, establishing C2 communication with 192.145.43.56 and gateway-static.org. A secondary payload was downloaded from hxxp://static-node.info/assets/js/payload.js. The malware binary (SHA1: eb1a5d149c80af13212ccb906269660766eba480) was dropped to /opt/app/bin/sam.hive. Phishing emails were sent from report@document-share.link targeting enterprise users. 
A backup C2 server was identified at 156.241.246.44.", "spans": {"ORGANIZATION: Google TAG": [[0, 10]], "THREAT_ACTOR: Turla": [[58, 63]], "CVE_ID: CVE-2026-17310": [[93, 107]], "SYSTEM: Cisco ASA": [[111, 120]], "MALWARE: SmokeLoader": [[145, 156]], "TOOL: Merlin": [[161, 167]], "IP_ADDRESS: 192.145.43.56": [[204, 217]], "DOMAIN: gateway-static.org": [[222, 240]], "URL: hxxp://static-node.info/assets/js/payload.js": [[282, 326]], "HASH: eb1a5d149c80af13212ccb906269660766eba480": [[354, 394]], "FILEPATH: /opt/app/bin/sam.hive": [[411, 432]], "EMAIL: report@document-share.link": [[465, 491]], "IP_ADDRESS: 156.241.246.44": [[557, 571]]}, "info": {"id": "synth_v2_00158", "source": "synthetic_v2"}} +{"text": "Proofpoint published a threat intelligence report linking Lazarus Group to a new campaign exploiting CVE-2021-24110 in VMware ESXi. The attackers deployed Play via Ligolo, establishing C2 communication with 10.214.76.156 and api-proxy.top. A secondary payload was downloaded from hxxps://static-edge.live/admin/config. The malware binary (SHA1: a756596d202f39aaa903852435e94cf3f4679e13) was dropped to C:\\Program Files\\Common Files\\loader.exe. Phishing emails were sent from contact@auth-check.org targeting enterprise users. 
A backup C2 server was identified at 10.243.19.225.", "spans": {"ORGANIZATION: Proofpoint": [[0, 10]], "THREAT_ACTOR: Lazarus Group": [[58, 71]], "CVE_ID: CVE-2021-24110": [[101, 115]], "SYSTEM: VMware ESXi": [[119, 130]], "MALWARE: Play": [[155, 159]], "TOOL: Ligolo": [[164, 170]], "IP_ADDRESS: 10.214.76.156": [[207, 220]], "DOMAIN: api-proxy.top": [[225, 238]], "URL: hxxps://static-edge.live/admin/config": [[280, 317]], "HASH: a756596d202f39aaa903852435e94cf3f4679e13": [[345, 385]], "FILEPATH: C:\\Program Files\\Common Files\\loader.exe": [[402, 442]], "EMAIL: contact@auth-check.org": [[475, 497]], "IP_ADDRESS: 10.243.19.225": [[563, 576]]}, "info": {"id": "synth_v2_00159", "source": "synthetic_v2"}} +{"text": "NSA published a threat intelligence report linking Salt Typhoon to a new campaign exploiting CVE-2025-19065 in Microsoft Exchange. The attackers deployed Cobalt Strike via WinPEAS, establishing C2 communication with 203.195.179.151 and api-backup.cc. A secondary payload was downloaded from hxxps://synccloud.com/collect. The malware binary (SHA1: 2f8aceeafb572e20e2f31af0771073a21d66d953) was dropped to C:\\Users\\Public\\Documents\\loader.exe. Phishing emails were sent from admin@identity-verify.cc targeting enterprise users. 
A backup C2 server was identified at 172.68.130.123.", "spans": {"ORGANIZATION: NSA": [[0, 3]], "THREAT_ACTOR: Salt Typhoon": [[51, 63]], "CVE_ID: CVE-2025-19065": [[93, 107]], "SYSTEM: Microsoft Exchange": [[111, 129]], "MALWARE: Cobalt Strike": [[154, 167]], "TOOL: WinPEAS": [[172, 179]], "IP_ADDRESS: 203.195.179.151": [[216, 231]], "DOMAIN: api-backup.cc": [[236, 249]], "URL: hxxps://synccloud.com/collect": [[291, 320]], "HASH: 2f8aceeafb572e20e2f31af0771073a21d66d953": [[348, 388]], "FILEPATH: C:\\Users\\Public\\Documents\\loader.exe": [[405, 441]], "EMAIL: admin@identity-verify.cc": [[474, 498]], "IP_ADDRESS: 172.68.130.123": [[564, 578]]}, "info": {"id": "synth_v2_00160", "source": "synthetic_v2"}} +{"text": "Rapid7 published a threat intelligence report linking UNC2452 to a new campaign exploiting CVE-2024-24392 in SonicWall SMA. The attackers deployed Royal via WinPEAS, establishing C2 communication with 28.79.218.167 and portalcloud.site. A secondary payload was downloaded from http://securemail.io/portal/verify. The malware binary (MD5: bae580e4175fbeb4b64b75f7280f8c0e) was dropped to /etc/cron.d/lsass.dmp. Phishing emails were sent from noreply@secure-verify.net targeting enterprise users. 
A backup C2 server was identified at 67.216.187.157.", "spans": {"ORGANIZATION: Rapid7": [[0, 6]], "THREAT_ACTOR: UNC2452": [[54, 61]], "CVE_ID: CVE-2024-24392": [[91, 105]], "SYSTEM: SonicWall SMA": [[109, 122]], "MALWARE: Royal": [[147, 152]], "TOOL: WinPEAS": [[157, 164]], "IP_ADDRESS: 28.79.218.167": [[201, 214]], "DOMAIN: portalcloud.site": [[219, 235]], "URL: http://securemail.io/portal/verify": [[277, 311]], "HASH: bae580e4175fbeb4b64b75f7280f8c0e": [[338, 370]], "FILEPATH: /etc/cron.d/lsass.dmp": [[387, 408]], "EMAIL: noreply@secure-verify.net": [[441, 466]], "IP_ADDRESS: 67.216.187.157": [[532, 546]]}, "info": {"id": "synth_v2_00161", "source": "synthetic_v2"}} +{"text": "Rapid7 published a threat intelligence report linking Aqua Blizzard to a new campaign exploiting CVE-2022-49565 in VMware ESXi. The attackers deployed Play via Brute Ratel, establishing C2 communication with 192.205.173.206 and login-proxy.dev. A secondary payload was downloaded from hxxp://apiapi.info/secure/token. The malware binary (SHA256: 067c8fed258e5b71ba567cede8caf1a92e9044f4fd0ba579fa477017006ea6eb) was dropped to C:\\Users\\admin\\AppData\\Local\\Temp\\lsass.dmp. Phishing emails were sent from service@document-share.link targeting enterprise users. 
A backup C2 server was identified at 10.199.2.206.", "spans": {"ORGANIZATION: Rapid7": [[0, 6]], "THREAT_ACTOR: Aqua Blizzard": [[54, 67]], "CVE_ID: CVE-2022-49565": [[97, 111]], "SYSTEM: VMware ESXi": [[115, 126]], "MALWARE: Play": [[151, 155]], "TOOL: Brute Ratel": [[160, 171]], "IP_ADDRESS: 192.205.173.206": [[208, 223]], "DOMAIN: login-proxy.dev": [[228, 243]], "URL: hxxp://apiapi.info/secure/token": [[285, 316]], "HASH: 067c8fed258e5b71ba567cede8caf1a92e9044f4fd0ba579fa477017006ea6eb": [[346, 410]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\lsass.dmp": [[427, 470]], "EMAIL: service@document-share.link": [[503, 530]], "IP_ADDRESS: 10.199.2.206": [[596, 608]]}, "info": {"id": "synth_v2_00162", "source": "synthetic_v2"}} +{"text": "Secureworks published a threat intelligence report linking UNC2452 to a new campaign exploiting CVE-2020-24328 in Fortinet FortiGate. The attackers deployed PikaBot via Burp Suite, establishing C2 communication with 113.5.103.218 and cdn-mail.xyz. A secondary payload was downloaded from http://secure-api.info/secure/token. The malware binary (SHA1: f6ed137f1afcbb33e10792625b45a449a4f9dafa) was dropped to C:\\Users\\admin\\Desktop\\lsass.dmp. Phishing emails were sent from notification@login-portal.tech targeting enterprise users. 
A backup C2 server was identified at 50.17.118.158.", "spans": {"ORGANIZATION: Secureworks": [[0, 11]], "THREAT_ACTOR: UNC2452": [[59, 66]], "CVE_ID: CVE-2020-24328": [[96, 110]], "SYSTEM: Fortinet FortiGate": [[114, 132]], "MALWARE: PikaBot": [[157, 164]], "TOOL: Burp Suite": [[169, 179]], "IP_ADDRESS: 113.5.103.218": [[216, 229]], "DOMAIN: cdn-mail.xyz": [[234, 246]], "URL: http://secure-api.info/secure/token": [[288, 323]], "HASH: f6ed137f1afcbb33e10792625b45a449a4f9dafa": [[351, 391]], "FILEPATH: C:\\Users\\admin\\Desktop\\lsass.dmp": [[408, 440]], "EMAIL: notification@login-portal.tech": [[473, 503]], "IP_ADDRESS: 50.17.118.158": [[569, 582]]}, "info": {"id": "synth_v2_00163", "source": "synthetic_v2"}} +{"text": "Secureworks published a threat intelligence report linking Charming Kitten to a new campaign exploiting CVE-2020-49453 in Ubuntu 22.04. The attackers deployed Emotet via LinPEAS, establishing C2 communication with 186.178.177.247 and cacheupdate.info. A secondary payload was downloaded from hxxps://gateway-node.net/panel/index.html. The malware binary (MD5: 348e1d59429cea872abbcce3350fad25) was dropped to /opt/app/bin/taskhost.exe. Phishing emails were sent from account@mail-service.info targeting enterprise users. 
A backup C2 server was identified at 58.99.232.239.", "spans": {"ORGANIZATION: Secureworks": [[0, 11]], "THREAT_ACTOR: Charming Kitten": [[59, 74]], "CVE_ID: CVE-2020-49453": [[104, 118]], "SYSTEM: Ubuntu 22.04": [[122, 134]], "MALWARE: Emotet": [[159, 165]], "TOOL: LinPEAS": [[170, 177]], "IP_ADDRESS: 186.178.177.247": [[214, 229]], "DOMAIN: cacheupdate.info": [[234, 250]], "URL: hxxps://gateway-node.net/panel/index.html": [[292, 333]], "HASH: 348e1d59429cea872abbcce3350fad25": [[360, 392]], "FILEPATH: /opt/app/bin/taskhost.exe": [[409, 434]], "EMAIL: account@mail-service.info": [[467, 492]], "IP_ADDRESS: 58.99.232.239": [[558, 571]]}, "info": {"id": "synth_v2_00164", "source": "synthetic_v2"}} +{"text": "Rapid7 published a threat intelligence report linking Silk Typhoon to a new campaign exploiting CVE-2023-33909 in Zyxel USG. The attackers deployed WarmCookie via Covenant, establishing C2 communication with 145.247.124.194 and proxy-auth.info. A secondary payload was downloaded from hxxp://portal-data.top/secure/token. The malware binary (MD5: f1e573b16f9b95b1006f07dcb1e4dbd6) was dropped to /etc/cron.d/loader.exe. Phishing emails were sent from confirm@phishing-domain.com targeting enterprise users. 
A backup C2 server was identified at 199.234.235.230.", "spans": {"ORGANIZATION: Rapid7": [[0, 6]], "THREAT_ACTOR: Silk Typhoon": [[54, 66]], "CVE_ID: CVE-2023-33909": [[96, 110]], "SYSTEM: Zyxel USG": [[114, 123]], "MALWARE: WarmCookie": [[148, 158]], "TOOL: Covenant": [[163, 171]], "IP_ADDRESS: 145.247.124.194": [[208, 223]], "DOMAIN: proxy-auth.info": [[228, 243]], "URL: hxxp://portal-data.top/secure/token": [[285, 320]], "HASH: f1e573b16f9b95b1006f07dcb1e4dbd6": [[347, 379]], "FILEPATH: /etc/cron.d/loader.exe": [[396, 418]], "EMAIL: confirm@phishing-domain.com": [[451, 478]], "IP_ADDRESS: 199.234.235.230": [[544, 559]]}, "info": {"id": "synth_v2_00165", "source": "synthetic_v2"}} +{"text": "Trend Micro published a threat intelligence report linking Forest Blizzard to a new campaign exploiting CVE-2021-24446 in Cisco ASA. The attackers deployed SmokeLoader via PsExec, establishing C2 communication with 20.91.243.81 and proxy-cloud.xyz. A secondary payload was downloaded from hxxp://sync-cloud.xyz/wp-content/uploads/doc.php. The malware binary (SHA1: b9daf676c4627c3af9af734000aeea6542a64e70) was dropped to /etc/cron.d/payload.bin. Phishing emails were sent from alert@secure-verify.net targeting enterprise users. 
A backup C2 server was identified at 56.137.93.243.", "spans": {"ORGANIZATION: Trend Micro": [[0, 11]], "THREAT_ACTOR: Forest Blizzard": [[59, 74]], "CVE_ID: CVE-2021-24446": [[104, 118]], "SYSTEM: Cisco ASA": [[122, 131]], "MALWARE: SmokeLoader": [[156, 167]], "TOOL: PsExec": [[172, 178]], "IP_ADDRESS: 20.91.243.81": [[215, 227]], "DOMAIN: proxy-cloud.xyz": [[232, 247]], "URL: hxxp://sync-cloud.xyz/wp-content/uploads/doc.php": [[289, 337]], "HASH: b9daf676c4627c3af9af734000aeea6542a64e70": [[365, 405]], "FILEPATH: /etc/cron.d/payload.bin": [[422, 445]], "EMAIL: alert@secure-verify.net": [[478, 501]], "IP_ADDRESS: 56.137.93.243": [[567, 580]]}, "info": {"id": "synth_v2_00166", "source": "synthetic_v2"}} +{"text": "Zscaler ThreatLabz published a threat intelligence report linking Diamond Sleet to a new campaign exploiting CVE-2026-46256 in Progress Telerik. The attackers deployed Dridex via PowerView, establishing C2 communication with 192.21.246.96 and portaldata.link. A secondary payload was downloaded from http://cdn-node.link/gate.php. The malware binary (SHA1: f6152a14f4b0feb9af6ff975399cc92a560fd6f0) was dropped to C:\\Users\\admin\\AppData\\Local\\Temp\\loader.exe. Phishing emails were sent from it@identity-verify.cc targeting enterprise users. 
A backup C2 server was identified at 127.140.251.47.", "spans": {"ORGANIZATION: Zscaler ThreatLabz": [[0, 18]], "THREAT_ACTOR: Diamond Sleet": [[66, 79]], "CVE_ID: CVE-2026-46256": [[109, 123]], "SYSTEM: Progress Telerik": [[127, 143]], "MALWARE: Dridex": [[168, 174]], "TOOL: PowerView": [[179, 188]], "IP_ADDRESS: 192.21.246.96": [[225, 238]], "DOMAIN: portaldata.link": [[243, 258]], "URL: http://cdn-node.link/gate.php": [[300, 329]], "HASH: f6152a14f4b0feb9af6ff975399cc92a560fd6f0": [[357, 397]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\loader.exe": [[414, 458]], "EMAIL: it@identity-verify.cc": [[491, 512]], "IP_ADDRESS: 127.140.251.47": [[578, 592]]}, "info": {"id": "synth_v2_00167", "source": "synthetic_v2"}} +{"text": "Palo Alto Unit 42 published a threat intelligence report linking Salt Typhoon to a new campaign exploiting CVE-2026-17310 in Zyxel USG. The attackers deployed DarkSide via Brute Ratel, establishing C2 communication with 177.4.6.173 and secureedge.info. A secondary payload was downloaded from https://sync-proxy.cc/secure/token. The malware binary (SHA256: 3a5438906fd0a6b3633aef3fb3a264310128c100b5494fab170cfef1a35eef76) was dropped to /dev/shm/ntds.dit. Phishing emails were sent from billing@identity-verify.cc targeting enterprise users. 
A backup C2 server was identified at 172.51.166.93.", "spans": {"ORGANIZATION: Palo Alto Unit 42": [[0, 17]], "THREAT_ACTOR: Salt Typhoon": [[65, 77]], "CVE_ID: CVE-2026-17310": [[107, 121]], "SYSTEM: Zyxel USG": [[125, 134]], "MALWARE: DarkSide": [[159, 167]], "TOOL: Brute Ratel": [[172, 183]], "IP_ADDRESS: 177.4.6.173": [[220, 231]], "DOMAIN: secureedge.info": [[236, 251]], "URL: https://sync-proxy.cc/secure/token": [[293, 327]], "HASH: 3a5438906fd0a6b3633aef3fb3a264310128c100b5494fab170cfef1a35eef76": [[357, 421]], "FILEPATH: /dev/shm/ntds.dit": [[438, 455]], "EMAIL: billing@identity-verify.cc": [[488, 514]], "IP_ADDRESS: 172.51.166.93": [[580, 593]]}, "info": {"id": "synth_v2_00168", "source": "synthetic_v2"}} +{"text": "Qualys published a threat intelligence report linking Forest Blizzard to a new campaign exploiting CVE-2025-27219 in Active Directory. The attackers deployed RedLine Stealer via Chisel, establishing C2 communication with 47.67.117.209 and portalcloud.org. A secondary payload was downloaded from http://proxy-update.org/gate.php. The malware binary (SHA256: 2617efa9785fbc1db5df82b57fdd5282bb8fab48549336571885df9b16f9f935) was dropped to /opt/app/bin/beacon.dll. Phishing emails were sent from finance@mail-service.info targeting enterprise users. 
A backup C2 server was identified at 192.138.120.143.", "spans": {"ORGANIZATION: Qualys": [[0, 6]], "THREAT_ACTOR: Forest Blizzard": [[54, 69]], "CVE_ID: CVE-2025-27219": [[99, 113]], "SYSTEM: Active Directory": [[117, 133]], "MALWARE: RedLine Stealer": [[158, 173]], "TOOL: Chisel": [[178, 184]], "IP_ADDRESS: 47.67.117.209": [[221, 234]], "DOMAIN: portalcloud.org": [[239, 254]], "URL: http://proxy-update.org/gate.php": [[296, 328]], "HASH: 2617efa9785fbc1db5df82b57fdd5282bb8fab48549336571885df9b16f9f935": [[358, 422]], "FILEPATH: /opt/app/bin/beacon.dll": [[439, 462]], "EMAIL: finance@mail-service.info": [[495, 520]], "IP_ADDRESS: 192.138.120.143": [[586, 601]]}, "info": {"id": "synth_v2_00169", "source": "synthetic_v2"}} +{"text": "Proofpoint published a threat intelligence report linking MuddyWater to a new campaign exploiting CVE-2021-48618 in Fortinet FortiGate. The attackers deployed DanaBot via BloodHound, establishing C2 communication with 10.130.243.215 and edgeedge.dev. A secondary payload was downloaded from hxxps://mailupdate.site/secure/token. The malware binary (SHA1: d9f0c79404d338b4e166631cf683882af7da6c3e) was dropped to /tmp/shell.php. Phishing emails were sent from notification@urgent-notice.online targeting enterprise users. 
A backup C2 server was identified at 172.171.133.93.", "spans": {"ORGANIZATION: Proofpoint": [[0, 10]], "THREAT_ACTOR: MuddyWater": [[58, 68]], "CVE_ID: CVE-2021-48618": [[98, 112]], "SYSTEM: Fortinet FortiGate": [[116, 134]], "MALWARE: DanaBot": [[159, 166]], "TOOL: BloodHound": [[171, 181]], "IP_ADDRESS: 10.130.243.215": [[218, 232]], "DOMAIN: edgeedge.dev": [[237, 249]], "URL: hxxps://mailupdate.site/secure/token": [[291, 327]], "HASH: d9f0c79404d338b4e166631cf683882af7da6c3e": [[355, 395]], "FILEPATH: /tmp/shell.php": [[412, 426]], "EMAIL: notification@urgent-notice.online": [[459, 492]], "IP_ADDRESS: 172.171.133.93": [[558, 572]]}, "info": {"id": "synth_v2_00170", "source": "synthetic_v2"}} +{"text": "Sophos X-Ops published a threat intelligence report linking Turla to a new campaign exploiting CVE-2026-27486 in F5 BIG-IP. The attackers deployed Gootloader via Chisel, establishing C2 communication with 21.195.146.119 and apiapi.org. A secondary payload was downloaded from https://datastorage.tech/assets/js/payload.js. The malware binary (MD5: 08b5281fdecc4f453934f0b0f8d37180) was dropped to C:\\Users\\admin\\Desktop\\backdoor.elf. Phishing emails were sent from updates@auth-check.org targeting enterprise users. 
A backup C2 server was identified at 10.172.215.162.", "spans": {"ORGANIZATION: Sophos X-Ops": [[0, 12]], "THREAT_ACTOR: Turla": [[60, 65]], "CVE_ID: CVE-2026-27486": [[95, 109]], "SYSTEM: F5 BIG-IP": [[113, 122]], "MALWARE: Gootloader": [[147, 157]], "TOOL: Chisel": [[162, 168]], "IP_ADDRESS: 21.195.146.119": [[205, 219]], "DOMAIN: apiapi.org": [[224, 234]], "URL: https://datastorage.tech/assets/js/payload.js": [[276, 321]], "HASH: 08b5281fdecc4f453934f0b0f8d37180": [[348, 380]], "FILEPATH: C:\\Users\\admin\\Desktop\\backdoor.elf": [[397, 432]], "EMAIL: updates@auth-check.org": [[465, 487]], "IP_ADDRESS: 10.172.215.162": [[553, 567]]}, "info": {"id": "synth_v2_00171", "source": "synthetic_v2"}} +{"text": "CISA published a threat intelligence report linking Aqua Blizzard to a new campaign exploiting CVE-2025-48242 in Fortinet FortiGate. The attackers deployed Lumma Stealer via LaZagne, establishing C2 communication with 10.64.120.170 and authauth.net. A secondary payload was downloaded from http://edgecdn.com/panel/index.html. The malware binary (SHA256: 378a5a25f729f46944bf2100df618f7cec741df97d3bf1c4f7611d006780a372) was dropped to C:\\Users\\Public\\Documents\\backdoor.elf. Phishing emails were sent from report@account-update.xyz targeting enterprise users. 
A backup C2 server was identified at 191.40.107.43.", "spans": {"ORGANIZATION: CISA": [[0, 4]], "THREAT_ACTOR: Aqua Blizzard": [[52, 65]], "CVE_ID: CVE-2025-48242": [[95, 109]], "SYSTEM: Fortinet FortiGate": [[113, 131]], "MALWARE: Lumma Stealer": [[156, 169]], "TOOL: LaZagne": [[174, 181]], "IP_ADDRESS: 10.64.120.170": [[218, 231]], "DOMAIN: authauth.net": [[236, 248]], "URL: http://edgecdn.com/panel/index.html": [[290, 325]], "HASH: 378a5a25f729f46944bf2100df618f7cec741df97d3bf1c4f7611d006780a372": [[355, 419]], "FILEPATH: C:\\Users\\Public\\Documents\\backdoor.elf": [[436, 474]], "EMAIL: report@account-update.xyz": [[507, 532]], "IP_ADDRESS: 191.40.107.43": [[598, 611]]}, "info": {"id": "synth_v2_00172", "source": "synthetic_v2"}} +{"text": "ESET Research published a threat intelligence report linking Lazarus Group to a new campaign exploiting CVE-2023-39714 in Apache Struts. The attackers deployed Raccoon Stealer via Burp Suite, establishing C2 communication with 161.64.67.135 and proxyrelay.live. A secondary payload was downloaded from hxxp://edgerelay.org/collect. The malware binary (SHA1: cc1cd3ba31b256bac1fef3b924d0ed6c9940c3a9) was dropped to C:\\Windows\\Tasks\\shell.php. Phishing emails were sent from contact@urgent-notice.online targeting enterprise users. 
A backup C2 server was identified at 10.17.182.221.", "spans": {"ORGANIZATION: ESET Research": [[0, 13]], "THREAT_ACTOR: Lazarus Group": [[61, 74]], "CVE_ID: CVE-2023-39714": [[104, 118]], "SYSTEM: Apache Struts": [[122, 135]], "MALWARE: Raccoon Stealer": [[160, 175]], "TOOL: Burp Suite": [[180, 190]], "IP_ADDRESS: 161.64.67.135": [[227, 240]], "DOMAIN: proxyrelay.live": [[245, 260]], "URL: hxxp://edgerelay.org/collect": [[302, 330]], "HASH: cc1cd3ba31b256bac1fef3b924d0ed6c9940c3a9": [[358, 398]], "FILEPATH: C:\\Windows\\Tasks\\shell.php": [[415, 441]], "EMAIL: contact@urgent-notice.online": [[474, 502]], "IP_ADDRESS: 10.17.182.221": [[568, 581]]}, "info": {"id": "synth_v2_00173", "source": "synthetic_v2"}} +{"text": "FireEye published a threat intelligence report linking UNC2452 to a new campaign exploiting CVE-2024-14337 in F5 BIG-IP. The attackers deployed WarmCookie via Burp Suite, establishing C2 communication with 10.226.157.94 and node-login.tech. A secondary payload was downloaded from http://proxyedge.com/gate.php. The malware binary (MD5: 478c274e5643a15a0a4a5b0338f93f89) was dropped to C:\\Windows\\Temp\\ntds.dit. Phishing emails were sent from finance@document-share.link targeting enterprise users. 
A backup C2 server was identified at 67.79.155.3.", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: UNC2452": [[55, 62]], "CVE_ID: CVE-2024-14337": [[92, 106]], "SYSTEM: F5 BIG-IP": [[110, 119]], "MALWARE: WarmCookie": [[144, 154]], "TOOL: Burp Suite": [[159, 169]], "IP_ADDRESS: 10.226.157.94": [[206, 219]], "DOMAIN: node-login.tech": [[224, 239]], "URL: http://proxyedge.com/gate.php": [[281, 310]], "HASH: 478c274e5643a15a0a4a5b0338f93f89": [[337, 369]], "FILEPATH: C:\\Windows\\Temp\\ntds.dit": [[386, 410]], "EMAIL: finance@document-share.link": [[443, 470]], "IP_ADDRESS: 67.79.155.3": [[536, 547]]}, "info": {"id": "synth_v2_00174", "source": "synthetic_v2"}} +{"text": "SentinelOne published a threat intelligence report linking FIN7 to a new campaign exploiting CVE-2022-15164 in SonicWall SMA. The attackers deployed Emotet via Certutil, establishing C2 communication with 102.127.83.184 and gateway-data.io. A secondary payload was downloaded from https://backupedge.link/callback. The malware binary (SHA256: a85f1fbb356ac8729582f3aea662a7fb4294a414e1b4e00e4b6b1d950aa8d535) was dropped to C:\\ProgramData\\config.dat. Phishing emails were sent from noreply@mail-service.info targeting enterprise users. 
A backup C2 server was identified at 213.193.112.68.", "spans": {"ORGANIZATION: SentinelOne": [[0, 11]], "THREAT_ACTOR: FIN7": [[59, 63]], "CVE_ID: CVE-2022-15164": [[93, 107]], "SYSTEM: SonicWall SMA": [[111, 124]], "MALWARE: Emotet": [[149, 155]], "TOOL: Certutil": [[160, 168]], "IP_ADDRESS: 102.127.83.184": [[205, 219]], "DOMAIN: gateway-data.io": [[224, 239]], "URL: https://backupedge.link/callback": [[281, 313]], "HASH: a85f1fbb356ac8729582f3aea662a7fb4294a414e1b4e00e4b6b1d950aa8d535": [[343, 407]], "FILEPATH: C:\\ProgramData\\config.dat": [[424, 449]], "EMAIL: noreply@mail-service.info": [[482, 507]], "IP_ADDRESS: 213.193.112.68": [[573, 587]]}, "info": {"id": "synth_v2_00175", "source": "synthetic_v2"}} +{"text": "CISA published a threat intelligence report linking Kimsuky to a new campaign exploiting CVE-2023-27496 in Progress Telerik. The attackers deployed ShadowPad via ADFind, establishing C2 communication with 49.164.9.39 and backup-sync.org. A secondary payload was downloaded from hxxp://updatedata.net/login. The malware binary (MD5: 1abfecfd65942e7edfe4fbf5d2000623) was dropped to /tmp/winlogon.exe. Phishing emails were sent from contact@mail-service.info targeting enterprise users. 
A backup C2 server was identified at 192.11.95.249.", "spans": {"ORGANIZATION: CISA": [[0, 4]], "THREAT_ACTOR: Kimsuky": [[52, 59]], "CVE_ID: CVE-2023-27496": [[89, 103]], "SYSTEM: Progress Telerik": [[107, 123]], "MALWARE: ShadowPad": [[148, 157]], "TOOL: ADFind": [[162, 168]], "IP_ADDRESS: 49.164.9.39": [[205, 216]], "DOMAIN: backup-sync.org": [[221, 236]], "URL: hxxp://updatedata.net/login": [[278, 305]], "HASH: 1abfecfd65942e7edfe4fbf5d2000623": [[332, 364]], "FILEPATH: /tmp/winlogon.exe": [[381, 398]], "EMAIL: contact@mail-service.info": [[431, 456]], "IP_ADDRESS: 192.11.95.249": [[522, 535]]}, "info": {"id": "synth_v2_00176", "source": "synthetic_v2"}} +{"text": "CISA published a threat intelligence report linking Granite Typhoon to a new campaign exploiting CVE-2020-15697 in Atlassian Confluence. The attackers deployed Qbot via Chisel, establishing C2 communication with 10.28.136.199 and portalupdate.net. A secondary payload was downloaded from hxxps://portal-relay.xyz/wp-content/uploads/doc.php. The malware binary (MD5: be1a85f332c58d19463bb6b892fb4088) was dropped to C:\\Users\\Public\\Documents\\loader.exe. Phishing emails were sent from billing@credential-check.site targeting enterprise users. 
A backup C2 server was identified at 19.240.92.50.", "spans": {"ORGANIZATION: CISA": [[0, 4]], "THREAT_ACTOR: Granite Typhoon": [[52, 67]], "CVE_ID: CVE-2020-15697": [[97, 111]], "SYSTEM: Atlassian Confluence": [[115, 135]], "MALWARE: Qbot": [[160, 164]], "TOOL: Chisel": [[169, 175]], "IP_ADDRESS: 10.28.136.199": [[212, 225]], "DOMAIN: portalupdate.net": [[230, 246]], "URL: hxxps://portal-relay.xyz/wp-content/uploads/doc.php": [[288, 339]], "HASH: be1a85f332c58d19463bb6b892fb4088": [[366, 398]], "FILEPATH: C:\\Users\\Public\\Documents\\loader.exe": [[415, 451]], "EMAIL: billing@credential-check.site": [[484, 513]], "IP_ADDRESS: 19.240.92.50": [[579, 591]]}, "info": {"id": "synth_v2_00177", "source": "synthetic_v2"}} +{"text": "Sophos X-Ops published a threat intelligence report linking Volt Typhoon to a new campaign exploiting CVE-2022-32541 in Windows 11. The attackers deployed AsyncRAT via Merlin, establishing C2 communication with 172.246.152.51 and storageupdate.org. A secondary payload was downloaded from hxxp://cacheauth.site/login. The malware binary (SHA256: fd78726e2358935f627914d661c3e430d70c5e3281a7b07993ca66411ac8e879) was dropped to /dev/shm/implant.so. Phishing emails were sent from noreply@auth-check.org targeting enterprise users. 
A backup C2 server was identified at 14.111.57.61.", "spans": {"ORGANIZATION: Sophos X-Ops": [[0, 12]], "THREAT_ACTOR: Volt Typhoon": [[60, 72]], "CVE_ID: CVE-2022-32541": [[102, 116]], "SYSTEM: Windows 11": [[120, 130]], "MALWARE: AsyncRAT": [[155, 163]], "TOOL: Merlin": [[168, 174]], "IP_ADDRESS: 172.246.152.51": [[211, 225]], "DOMAIN: storageupdate.org": [[230, 247]], "URL: hxxp://cacheauth.site/login": [[289, 316]], "HASH: fd78726e2358935f627914d661c3e430d70c5e3281a7b07993ca66411ac8e879": [[346, 410]], "FILEPATH: /dev/shm/implant.so": [[427, 446]], "EMAIL: noreply@auth-check.org": [[479, 501]], "IP_ADDRESS: 14.111.57.61": [[567, 579]]}, "info": {"id": "synth_v2_00178", "source": "synthetic_v2"}} +{"text": "Google TAG published a threat intelligence report linking Velvet Tempest to a new campaign exploiting CVE-2026-10752 in Ubuntu 22.04. The attackers deployed Dridex via PsExec, establishing C2 communication with 195.30.30.92 and storage-edge.link. A secondary payload was downloaded from http://relaycloud.com/secure/token. The malware binary (SHA1: 14e2c23730ac7fb89ef4a6263435b5088cc091e0) was dropped to C:\\Windows\\System32\\backdoor.elf. Phishing emails were sent from support@credential-check.site targeting enterprise users. 
A backup C2 server was identified at 192.54.64.125.", "spans": {"ORGANIZATION: Google TAG": [[0, 10]], "THREAT_ACTOR: Velvet Tempest": [[58, 72]], "CVE_ID: CVE-2026-10752": [[102, 116]], "SYSTEM: Ubuntu 22.04": [[120, 132]], "MALWARE: Dridex": [[157, 163]], "TOOL: PsExec": [[168, 174]], "IP_ADDRESS: 195.30.30.92": [[211, 223]], "DOMAIN: storage-edge.link": [[228, 245]], "URL: http://relaycloud.com/secure/token": [[287, 321]], "HASH: 14e2c23730ac7fb89ef4a6263435b5088cc091e0": [[349, 389]], "FILEPATH: C:\\Windows\\System32\\backdoor.elf": [[406, 438]], "EMAIL: support@credential-check.site": [[471, 500]], "IP_ADDRESS: 192.54.64.125": [[566, 579]]}, "info": {"id": "synth_v2_00179", "source": "synthetic_v2"}} +{"text": "Trend Micro published a threat intelligence report linking Forest Blizzard to a new campaign exploiting CVE-2026-27261 in F5 BIG-IP. The attackers deployed PlugX via Certutil, establishing C2 communication with 192.95.178.83 and relay-backup.live. A secondary payload was downloaded from hxxps://edgemail.online/admin/config. The malware binary (SHA1: 53fe2f0da7d366cb51bc006eae93da4e37b731f0) was dropped to C:\\Users\\admin\\Desktop\\config.dat. Phishing emails were sent from admin@document-share.link targeting enterprise users. 
A backup C2 server was identified at 71.82.35.136.", "spans": {"ORGANIZATION: Trend Micro": [[0, 11]], "THREAT_ACTOR: Forest Blizzard": [[59, 74]], "CVE_ID: CVE-2026-27261": [[104, 118]], "SYSTEM: F5 BIG-IP": [[122, 131]], "MALWARE: PlugX": [[156, 161]], "TOOL: Certutil": [[166, 174]], "IP_ADDRESS: 192.95.178.83": [[211, 224]], "DOMAIN: relay-backup.live": [[229, 246]], "URL: hxxps://edgemail.online/admin/config": [[288, 324]], "HASH: 53fe2f0da7d366cb51bc006eae93da4e37b731f0": [[352, 392]], "FILEPATH: C:\\Users\\admin\\Desktop\\config.dat": [[409, 442]], "EMAIL: admin@document-share.link": [[475, 500]], "IP_ADDRESS: 71.82.35.136": [[566, 578]]}, "info": {"id": "synth_v2_00180", "source": "synthetic_v2"}} +{"text": "INTERPOL published a threat intelligence report linking Salt Typhoon to a new campaign exploiting CVE-2023-34911 in Atlassian Confluence. The attackers deployed RedLine Stealer via Seatbelt, establishing C2 communication with 192.198.97.135 and storageauth.net. A secondary payload was downloaded from hxxps://cdn-login.org/wp-content/uploads/doc.php. The malware binary (SHA256: 5345260963ebac5d2746dac8532a38c2515ff380da71a8b727ea203e2bdcff8f) was dropped to /dev/shm/runtime.dll. Phishing emails were sent from alert@phishing-domain.com targeting enterprise users. 
A backup C2 server was identified at 197.78.144.83.", "spans": {"ORGANIZATION: INTERPOL": [[0, 8]], "THREAT_ACTOR: Salt Typhoon": [[56, 68]], "CVE_ID: CVE-2023-34911": [[98, 112]], "SYSTEM: Atlassian Confluence": [[116, 136]], "MALWARE: RedLine Stealer": [[161, 176]], "TOOL: Seatbelt": [[181, 189]], "IP_ADDRESS: 192.198.97.135": [[226, 240]], "DOMAIN: storageauth.net": [[245, 260]], "URL: hxxps://cdn-login.org/wp-content/uploads/doc.php": [[302, 350]], "HASH: 5345260963ebac5d2746dac8532a38c2515ff380da71a8b727ea203e2bdcff8f": [[380, 444]], "FILEPATH: /dev/shm/runtime.dll": [[461, 481]], "EMAIL: alert@phishing-domain.com": [[514, 539]], "IP_ADDRESS: 197.78.144.83": [[605, 618]]}, "info": {"id": "synth_v2_00181", "source": "synthetic_v2"}} +{"text": "FBI published a threat intelligence report linking OilRig to a new campaign exploiting CVE-2026-38492 in Progress Telerik. The attackers deployed Raccoon Stealer via PowerView, establishing C2 communication with 13.187.113.156 and relay-cdn.tech. A secondary payload was downloaded from https://mailcdn.live/panel/index.html. The malware binary (SHA256: 946f50d01f431c813f9480cbb9086b8375dddac6cab57453e7c088863395bfed) was dropped to C:\\ProgramData\\agent.py. Phishing emails were sent from info@login-portal.tech targeting enterprise users. 
A backup C2 server was identified at 10.106.251.238.", "spans": {"ORGANIZATION: FBI": [[0, 3]], "THREAT_ACTOR: OilRig": [[51, 57]], "CVE_ID: CVE-2026-38492": [[87, 101]], "SYSTEM: Progress Telerik": [[105, 121]], "MALWARE: Raccoon Stealer": [[146, 161]], "TOOL: PowerView": [[166, 175]], "IP_ADDRESS: 13.187.113.156": [[212, 226]], "DOMAIN: relay-cdn.tech": [[231, 245]], "URL: https://mailcdn.live/panel/index.html": [[287, 324]], "HASH: 946f50d01f431c813f9480cbb9086b8375dddac6cab57453e7c088863395bfed": [[354, 418]], "FILEPATH: C:\\ProgramData\\agent.py": [[435, 458]], "EMAIL: info@login-portal.tech": [[491, 513]], "IP_ADDRESS: 10.106.251.238": [[579, 593]]}, "info": {"id": "synth_v2_00182", "source": "synthetic_v2"}} +{"text": "Volexity published a threat intelligence report linking Charming Kitten to a new campaign exploiting CVE-2022-25256 in Barracuda ESG. The attackers deployed Ryuk via Metasploit, establishing C2 communication with 49.98.127.146 and relaygateway.dev. A secondary payload was downloaded from http://secure-secure.io/panel/index.html. The malware binary (MD5: 29d94d26f2667bca2cd4e0a9ec2c3a94) was dropped to C:\\Users\\admin\\Downloads\\dropper.ps1. Phishing emails were sent from report@credential-check.site targeting enterprise users. 
A backup C2 server was identified at 192.212.54.197.", "spans": {"ORGANIZATION: Volexity": [[0, 8]], "THREAT_ACTOR: Charming Kitten": [[56, 71]], "CVE_ID: CVE-2022-25256": [[101, 115]], "SYSTEM: Barracuda ESG": [[119, 132]], "MALWARE: Ryuk": [[157, 161]], "TOOL: Metasploit": [[166, 176]], "IP_ADDRESS: 49.98.127.146": [[213, 226]], "DOMAIN: relaygateway.dev": [[231, 247]], "URL: http://secure-secure.io/panel/index.html": [[289, 329]], "HASH: 29d94d26f2667bca2cd4e0a9ec2c3a94": [[356, 388]], "FILEPATH: C:\\Users\\admin\\Downloads\\dropper.ps1": [[405, 441]], "EMAIL: report@credential-check.site": [[474, 502]], "IP_ADDRESS: 192.212.54.197": [[568, 582]]}, "info": {"id": "synth_v2_00183", "source": "synthetic_v2"}} +{"text": "Sophos X-Ops published a threat intelligence report linking Diamond Sleet to a new campaign exploiting CVE-2024-25010 in Ivanti Connect Secure. The attackers deployed AgentTesla via Mythic, establishing C2 communication with 196.220.165.156 and mailrelay.online. A secondary payload was downloaded from hxxps://updatecdn.info/panel/index.html. The malware binary (SHA256: ba6e3eeca96079171c4bee46cdb2755afa4ccd9bf1e0528600ee16f9c54f355f) was dropped to /home/user/.config/svchost.exe. Phishing emails were sent from finance@login-portal.tech targeting enterprise users. 
A backup C2 server was identified at 192.109.192.197.", "spans": {"ORGANIZATION: Sophos X-Ops": [[0, 12]], "THREAT_ACTOR: Diamond Sleet": [[60, 73]], "CVE_ID: CVE-2024-25010": [[103, 117]], "SYSTEM: Ivanti Connect Secure": [[121, 142]], "MALWARE: AgentTesla": [[167, 177]], "TOOL: Mythic": [[182, 188]], "IP_ADDRESS: 196.220.165.156": [[225, 240]], "DOMAIN: mailrelay.online": [[245, 261]], "URL: hxxps://updatecdn.info/panel/index.html": [[303, 342]], "HASH: ba6e3eeca96079171c4bee46cdb2755afa4ccd9bf1e0528600ee16f9c54f355f": [[372, 436]], "FILEPATH: /home/user/.config/svchost.exe": [[453, 483]], "EMAIL: finance@login-portal.tech": [[516, 541]], "IP_ADDRESS: 192.109.192.197": [[607, 622]]}, "info": {"id": "synth_v2_00184", "source": "synthetic_v2"}} +{"text": "Huntress published a threat intelligence report linking Sandworm to a new campaign exploiting CVE-2023-14679 in Barracuda ESG. The attackers deployed RemcosRAT via Mimikatz, establishing C2 communication with 10.19.235.92 and data-sync.link. A secondary payload was downloaded from hxxp://apicache.site/assets/js/payload.js. The malware binary (SHA256: 4c4e44fcd78d0398702a76eac4c22b1a53e8ab4e069d654d46c2b017ea51d348) was dropped to /opt/app/bin/beacon.dll. Phishing emails were sent from security@credential-check.site targeting enterprise users. 
A backup C2 server was identified at 10.135.187.228.", "spans": {"ORGANIZATION: Huntress": [[0, 8]], "THREAT_ACTOR: Sandworm": [[56, 64]], "CVE_ID: CVE-2023-14679": [[94, 108]], "SYSTEM: Barracuda ESG": [[112, 125]], "MALWARE: RemcosRAT": [[150, 159]], "TOOL: Mimikatz": [[164, 172]], "IP_ADDRESS: 10.19.235.92": [[209, 221]], "DOMAIN: data-sync.link": [[226, 240]], "URL: hxxp://apicache.site/assets/js/payload.js": [[282, 323]], "HASH: 4c4e44fcd78d0398702a76eac4c22b1a53e8ab4e069d654d46c2b017ea51d348": [[353, 417]], "FILEPATH: /opt/app/bin/beacon.dll": [[434, 457]], "EMAIL: security@credential-check.site": [[490, 520]], "IP_ADDRESS: 10.135.187.228": [[586, 600]]}, "info": {"id": "synth_v2_00185", "source": "synthetic_v2"}} +{"text": "FireEye published a threat intelligence report linking Flax Typhoon to a new campaign exploiting CVE-2021-39439 in Progress Telerik. The attackers deployed DanaBot via Covenant, establishing C2 communication with 10.195.40.200 and data-static.dev. A secondary payload was downloaded from hxxps://portal-cdn.info/secure/token. The malware binary (SHA1: 6c98d03f9e642c0fd02479bd8e694e7e5484f129) was dropped to C:\\Windows\\System32\\winlogon.exe. Phishing emails were sent from account@login-portal.tech targeting enterprise users. 
A backup C2 server was identified at 172.178.222.107.", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: Flax Typhoon": [[55, 67]], "CVE_ID: CVE-2021-39439": [[97, 111]], "SYSTEM: Progress Telerik": [[115, 131]], "MALWARE: DanaBot": [[156, 163]], "TOOL: Covenant": [[168, 176]], "IP_ADDRESS: 10.195.40.200": [[213, 226]], "DOMAIN: data-static.dev": [[231, 246]], "URL: hxxps://portal-cdn.info/secure/token": [[288, 324]], "HASH: 6c98d03f9e642c0fd02479bd8e694e7e5484f129": [[352, 392]], "FILEPATH: C:\\Windows\\System32\\winlogon.exe": [[409, 441]], "EMAIL: account@login-portal.tech": [[474, 499]], "IP_ADDRESS: 172.178.222.107": [[565, 580]]}, "info": {"id": "synth_v2_00186", "source": "synthetic_v2"}} +{"text": "Volexity published a threat intelligence report linking Mustang Panda to a new campaign exploiting CVE-2025-46789 in Zyxel USG. The attackers deployed QakBot via PowerView, establishing C2 communication with 10.221.148.202 and cachecdn.io. A secondary payload was downloaded from http://syncapi.site/assets/js/payload.js. The malware binary (SHA256: ada5a8047f838e42ca543f7e9d0fb96757761fccd41f882aa5e7ab4cd3afabdb) was dropped to C:\\Windows\\System32\\beacon.dll. Phishing emails were sent from confirm@login-portal.tech targeting enterprise users. 
A backup C2 server was identified at 38.67.172.22.", "spans": {"ORGANIZATION: Volexity": [[0, 8]], "THREAT_ACTOR: Mustang Panda": [[56, 69]], "CVE_ID: CVE-2025-46789": [[99, 113]], "SYSTEM: Zyxel USG": [[117, 126]], "MALWARE: QakBot": [[151, 157]], "TOOL: PowerView": [[162, 171]], "IP_ADDRESS: 10.221.148.202": [[208, 222]], "DOMAIN: cachecdn.io": [[227, 238]], "URL: http://syncapi.site/assets/js/payload.js": [[280, 320]], "HASH: ada5a8047f838e42ca543f7e9d0fb96757761fccd41f882aa5e7ab4cd3afabdb": [[350, 414]], "FILEPATH: C:\\Windows\\System32\\beacon.dll": [[431, 461]], "EMAIL: confirm@login-portal.tech": [[494, 519]], "IP_ADDRESS: 38.67.172.22": [[585, 597]]}, "info": {"id": "synth_v2_00187", "source": "synthetic_v2"}} +{"text": "Europol published a threat intelligence report linking Ember Bear to a new campaign exploiting CVE-2022-29213 in Barracuda ESG. The attackers deployed Vidar via Sharphound, establishing C2 communication with 10.36.136.199 and gatewaymail.tech. A secondary payload was downloaded from hxxps://storage-mail.cc/portal/verify. The malware binary (SHA256: 9e1c4746b0ddb672766baa84701f6ad974ad7613798b47209b19e30603e677bc) was dropped to /etc/cron.d/implant.so. Phishing emails were sent from updates@document-share.link targeting enterprise users. 
A backup C2 server was identified at 83.45.57.172.", "spans": {"ORGANIZATION: Europol": [[0, 7]], "THREAT_ACTOR: Ember Bear": [[55, 65]], "CVE_ID: CVE-2022-29213": [[95, 109]], "SYSTEM: Barracuda ESG": [[113, 126]], "MALWARE: Vidar": [[151, 156]], "TOOL: Sharphound": [[161, 171]], "IP_ADDRESS: 10.36.136.199": [[208, 221]], "DOMAIN: gatewaymail.tech": [[226, 242]], "URL: hxxps://storage-mail.cc/portal/verify": [[284, 321]], "HASH: 9e1c4746b0ddb672766baa84701f6ad974ad7613798b47209b19e30603e677bc": [[351, 415]], "FILEPATH: /etc/cron.d/implant.so": [[432, 454]], "EMAIL: updates@document-share.link": [[487, 514]], "IP_ADDRESS: 83.45.57.172": [[580, 592]]}, "info": {"id": "synth_v2_00188", "source": "synthetic_v2"}} +{"text": "FireEye published a threat intelligence report linking Mustang Panda to a new campaign exploiting CVE-2022-25256 in Palo Alto PAN-OS. The attackers deployed PlugX via BloodHound, establishing C2 communication with 40.43.57.190 and authbackup.online. A secondary payload was downloaded from hxxp://updatestorage.xyz/wp-content/uploads/doc.php. The malware binary (SHA1: 174dfec32c8c594e215f44d70f76b0404284931a) was dropped to /usr/local/bin/dropper.ps1. Phishing emails were sent from verify@document-share.link targeting enterprise users. 
A backup C2 server was identified at 10.75.147.4.", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: Mustang Panda": [[55, 68]], "CVE_ID: CVE-2022-25256": [[98, 112]], "SYSTEM: Palo Alto PAN-OS": [[116, 132]], "MALWARE: PlugX": [[157, 162]], "TOOL: BloodHound": [[167, 177]], "IP_ADDRESS: 40.43.57.190": [[214, 226]], "DOMAIN: authbackup.online": [[231, 248]], "URL: hxxp://updatestorage.xyz/wp-content/uploads/doc.php": [[290, 341]], "HASH: 174dfec32c8c594e215f44d70f76b0404284931a": [[369, 409]], "FILEPATH: /usr/local/bin/dropper.ps1": [[426, 452]], "EMAIL: verify@document-share.link": [[485, 511]], "IP_ADDRESS: 10.75.147.4": [[577, 588]]}, "info": {"id": "synth_v2_00189", "source": "synthetic_v2"}} +{"text": "Secureworks published a threat intelligence report linking Aqua Blizzard to a new campaign exploiting CVE-2020-24628 in Cisco ASA. The attackers deployed LockBit via WinPEAS, establishing C2 communication with 172.87.30.73 and api-portal.top. A secondary payload was downloaded from https://mailauth.com/admin/config. The malware binary (MD5: 92cff7973afef359fd4f350706d3ec9a) was dropped to /var/tmp/lsass.dmp. Phishing emails were sent from account@secure-verify.net targeting enterprise users. 
A backup C2 server was identified at 192.138.27.120.", "spans": {"ORGANIZATION: Secureworks": [[0, 11]], "THREAT_ACTOR: Aqua Blizzard": [[59, 72]], "CVE_ID: CVE-2020-24628": [[102, 116]], "SYSTEM: Cisco ASA": [[120, 129]], "MALWARE: LockBit": [[154, 161]], "TOOL: WinPEAS": [[166, 173]], "IP_ADDRESS: 172.87.30.73": [[210, 222]], "DOMAIN: api-portal.top": [[227, 241]], "URL: https://mailauth.com/admin/config": [[283, 316]], "HASH: 92cff7973afef359fd4f350706d3ec9a": [[343, 375]], "FILEPATH: /var/tmp/lsass.dmp": [[392, 410]], "EMAIL: account@secure-verify.net": [[443, 468]], "IP_ADDRESS: 192.138.27.120": [[534, 548]]}, "info": {"id": "synth_v2_00190", "source": "synthetic_v2"}} +{"text": "Qualys published a threat intelligence report linking Silk Typhoon to a new campaign exploiting CVE-2026-39735 in Ubuntu 22.04. The attackers deployed RemcosRAT via PowerShell Empire, establishing C2 communication with 10.234.11.11 and secureupdate.tech. A secondary payload was downloaded from https://mailbackup.xyz/login. The malware binary (SHA1: 54dcfddcc428904238595ecb407891f6fb36c841) was dropped to /usr/local/bin/lsass.dmp. Phishing emails were sent from admin@urgent-notice.online targeting enterprise users. 
A backup C2 server was identified at 192.156.170.126.", "spans": {"ORGANIZATION: Qualys": [[0, 6]], "THREAT_ACTOR: Silk Typhoon": [[54, 66]], "CVE_ID: CVE-2026-39735": [[96, 110]], "SYSTEM: Ubuntu 22.04": [[114, 126]], "MALWARE: RemcosRAT": [[151, 160]], "TOOL: PowerShell Empire": [[165, 182]], "IP_ADDRESS: 10.234.11.11": [[219, 231]], "DOMAIN: secureupdate.tech": [[236, 253]], "URL: https://mailbackup.xyz/login": [[295, 323]], "HASH: 54dcfddcc428904238595ecb407891f6fb36c841": [[351, 391]], "FILEPATH: /usr/local/bin/lsass.dmp": [[408, 432]], "EMAIL: admin@urgent-notice.online": [[465, 491]], "IP_ADDRESS: 192.156.170.126": [[557, 572]]}, "info": {"id": "synth_v2_00191", "source": "synthetic_v2"}} +{"text": "Sophos X-Ops published a threat intelligence report linking FIN11 to a new campaign exploiting CVE-2025-46789 in Citrix NetScaler. The attackers deployed Play via CrackMapExec, establishing C2 communication with 192.195.116.107 and staticstorage.online. A secondary payload was downloaded from hxxp://cloud-login.cc/download/update.exe. The malware binary (MD5: 5005f8b01c76b47a142bb13e4b40d2a0) was dropped to C:\\Windows\\System32\\ntds.dit. Phishing emails were sent from noreply@document-share.link targeting enterprise users. 
A backup C2 server was identified at 192.78.218.249.", "spans": {"ORGANIZATION: Sophos X-Ops": [[0, 12]], "THREAT_ACTOR: FIN11": [[60, 65]], "CVE_ID: CVE-2025-46789": [[95, 109]], "SYSTEM: Citrix NetScaler": [[113, 129]], "MALWARE: Play": [[154, 158]], "TOOL: CrackMapExec": [[163, 175]], "IP_ADDRESS: 192.195.116.107": [[212, 227]], "DOMAIN: staticstorage.online": [[232, 252]], "URL: hxxp://cloud-login.cc/download/update.exe": [[294, 335]], "HASH: 5005f8b01c76b47a142bb13e4b40d2a0": [[362, 394]], "FILEPATH: C:\\Windows\\System32\\ntds.dit": [[411, 439]], "EMAIL: noreply@document-share.link": [[472, 499]], "IP_ADDRESS: 192.78.218.249": [[565, 579]]}, "info": {"id": "synth_v2_00192", "source": "synthetic_v2"}} +{"text": "Recorded Future published a threat intelligence report linking Diamond Sleet to a new campaign exploiting CVE-2026-39735 in VMware ESXi. The attackers deployed REvil via Hashcat, establishing C2 communication with 172.74.15.196 and logincloud.net. A secondary payload was downloaded from https://secure-update.link/collect. The malware binary (SHA1: 83d83da2bf67e3752185bd93ef693852b290ad69) was dropped to /var/tmp/implant.so. Phishing emails were sent from helpdesk@login-portal.tech targeting enterprise users. 
A backup C2 server was identified at 106.210.155.114.", "spans": {"ORGANIZATION: Recorded Future": [[0, 15]], "THREAT_ACTOR: Diamond Sleet": [[63, 76]], "CVE_ID: CVE-2026-39735": [[106, 120]], "SYSTEM: VMware ESXi": [[124, 135]], "MALWARE: REvil": [[160, 165]], "TOOL: Hashcat": [[170, 177]], "IP_ADDRESS: 172.74.15.196": [[214, 227]], "DOMAIN: logincloud.net": [[232, 246]], "URL: https://secure-update.link/collect": [[288, 322]], "HASH: 83d83da2bf67e3752185bd93ef693852b290ad69": [[350, 390]], "FILEPATH: /var/tmp/implant.so": [[407, 426]], "EMAIL: helpdesk@login-portal.tech": [[459, 485]], "IP_ADDRESS: 106.210.155.114": [[551, 566]]}, "info": {"id": "synth_v2_00193", "source": "synthetic_v2"}} +{"text": "Recorded Future published a threat intelligence report linking Star Blizzard to a new campaign exploiting CVE-2026-49052 in Citrix NetScaler. The attackers deployed TrickBot via Chisel, establishing C2 communication with 183.191.94.219 and data-cdn.site. A secondary payload was downloaded from hxxp://sync-gateway.xyz/wp-content/uploads/doc.php. The malware binary (SHA256: a2c0983bb925326af84b295d4c3d60fbbfe26011fd9786aac411ed906328ad4f) was dropped to C:\\Users\\admin\\Downloads\\sam.hive. Phishing emails were sent from report@credential-check.site targeting enterprise users. 
A backup C2 server was identified at 126.242.70.42.", "spans": {"ORGANIZATION: Recorded Future": [[0, 15]], "THREAT_ACTOR: Star Blizzard": [[63, 76]], "CVE_ID: CVE-2026-49052": [[106, 120]], "SYSTEM: Citrix NetScaler": [[124, 140]], "MALWARE: TrickBot": [[165, 173]], "TOOL: Chisel": [[178, 184]], "IP_ADDRESS: 183.191.94.219": [[221, 235]], "DOMAIN: data-cdn.site": [[240, 253]], "URL: hxxp://sync-gateway.xyz/wp-content/uploads/doc.php": [[295, 345]], "HASH: a2c0983bb925326af84b295d4c3d60fbbfe26011fd9786aac411ed906328ad4f": [[375, 439]], "FILEPATH: C:\\Users\\admin\\Downloads\\sam.hive": [[456, 489]], "EMAIL: report@credential-check.site": [[522, 550]], "IP_ADDRESS: 126.242.70.42": [[616, 629]]}, "info": {"id": "synth_v2_00194", "source": "synthetic_v2"}} +{"text": "CISA published a threat intelligence report linking Forest Blizzard to a new campaign exploiting CVE-2023-39714 in SonicWall SMA. The attackers deployed RemcosRAT via Havoc, establishing C2 communication with 199.21.194.185 and cdndata.io. A secondary payload was downloaded from hxxps://cdnedge.site/wp-content/uploads/doc.php. The malware binary (MD5: c1e4206779fdf6b879eb697848e2dcdf) was dropped to C:\\Windows\\Tasks\\lsass.dmp. Phishing emails were sent from finance@mail-service.info targeting enterprise users. 
A backup C2 server was identified at 101.19.55.116.", "spans": {"ORGANIZATION: CISA": [[0, 4]], "THREAT_ACTOR: Forest Blizzard": [[52, 67]], "CVE_ID: CVE-2023-39714": [[97, 111]], "SYSTEM: SonicWall SMA": [[115, 128]], "MALWARE: RemcosRAT": [[153, 162]], "TOOL: Havoc": [[167, 172]], "IP_ADDRESS: 199.21.194.185": [[209, 223]], "DOMAIN: cdndata.io": [[228, 238]], "URL: hxxps://cdnedge.site/wp-content/uploads/doc.php": [[280, 327]], "HASH: c1e4206779fdf6b879eb697848e2dcdf": [[354, 386]], "FILEPATH: C:\\Windows\\Tasks\\lsass.dmp": [[403, 429]], "EMAIL: finance@mail-service.info": [[462, 487]], "IP_ADDRESS: 101.19.55.116": [[553, 566]]}, "info": {"id": "synth_v2_00195", "source": "synthetic_v2"}} +{"text": "Trend Micro published a threat intelligence report linking Midnight Blizzard to a new campaign exploiting CVE-2020-16140 in Juniper SRX. The attackers deployed REvil via Sliver, establishing C2 communication with 172.231.46.185 and relayupdate.org. A secondary payload was downloaded from http://cachecloud.dev/api/v2/auth. The malware binary (MD5: 90c9a3dae515d3bab663609156b26b80) was dropped to /opt/app/bin/config.dat. Phishing emails were sent from alert@secure-verify.net targeting enterprise users. 
A backup C2 server was identified at 10.69.201.106.", "spans": {"ORGANIZATION: Trend Micro": [[0, 11]], "THREAT_ACTOR: Midnight Blizzard": [[59, 76]], "CVE_ID: CVE-2020-16140": [[106, 120]], "SYSTEM: Juniper SRX": [[124, 135]], "MALWARE: REvil": [[160, 165]], "TOOL: Sliver": [[170, 176]], "IP_ADDRESS: 172.231.46.185": [[213, 227]], "DOMAIN: relayupdate.org": [[232, 247]], "URL: http://cachecloud.dev/api/v2/auth": [[289, 322]], "HASH: 90c9a3dae515d3bab663609156b26b80": [[349, 381]], "FILEPATH: /opt/app/bin/config.dat": [[398, 421]], "EMAIL: alert@secure-verify.net": [[454, 477]], "IP_ADDRESS: 10.69.201.106": [[543, 556]]}, "info": {"id": "synth_v2_00196", "source": "synthetic_v2"}} +{"text": "SentinelOne published a threat intelligence report linking Kimsuky to a new campaign exploiting CVE-2021-45713 in Juniper SRX. The attackers deployed PlugX via Sharphound, establishing C2 communication with 187.81.193.141 and secure-login.org. A secondary payload was downloaded from http://gateway-backup.info/portal/verify. The malware binary (SHA1: 187266a167216a572c39311fd3497e3585f32ef9) was dropped to C:\\Users\\admin\\Downloads\\taskhost.exe. Phishing emails were sent from noreply@login-portal.tech targeting enterprise users. 
A backup C2 server was identified at 12.87.171.145.", "spans": {"ORGANIZATION: SentinelOne": [[0, 11]], "THREAT_ACTOR: Kimsuky": [[59, 66]], "CVE_ID: CVE-2021-45713": [[96, 110]], "SYSTEM: Juniper SRX": [[114, 125]], "MALWARE: PlugX": [[150, 155]], "TOOL: Sharphound": [[160, 170]], "IP_ADDRESS: 187.81.193.141": [[207, 221]], "DOMAIN: secure-login.org": [[226, 242]], "URL: http://gateway-backup.info/portal/verify": [[284, 324]], "HASH: 187266a167216a572c39311fd3497e3585f32ef9": [[352, 392]], "FILEPATH: C:\\Users\\admin\\Downloads\\taskhost.exe": [[409, 446]], "EMAIL: noreply@login-portal.tech": [[479, 504]], "IP_ADDRESS: 12.87.171.145": [[570, 583]]}, "info": {"id": "synth_v2_00197", "source": "synthetic_v2"}} +{"text": "Kaspersky GReAT published a threat intelligence report linking APT28 to a new campaign exploiting CVE-2020-26049 in Zyxel USG. The attackers deployed Meduza Stealer via Seatbelt, establishing C2 communication with 219.255.2.156 and relayapi.cc. A secondary payload was downloaded from hxxp://data-edge.info/login. The malware binary (SHA256: 9d34e7db2db89dead1b45fcbc94dca3ad252bc7ef4747738f3177e0284b38733) was dropped to C:\\Windows\\System32\\update.dll. Phishing emails were sent from it@phishing-domain.com targeting enterprise users. 
A backup C2 server was identified at 61.111.243.117.", "spans": {"ORGANIZATION: Kaspersky GReAT": [[0, 15]], "THREAT_ACTOR: APT28": [[63, 68]], "CVE_ID: CVE-2020-26049": [[98, 112]], "SYSTEM: Zyxel USG": [[116, 125]], "MALWARE: Meduza Stealer": [[150, 164]], "TOOL: Seatbelt": [[169, 177]], "IP_ADDRESS: 219.255.2.156": [[214, 227]], "DOMAIN: relayapi.cc": [[232, 243]], "URL: hxxp://data-edge.info/login": [[285, 312]], "HASH: 9d34e7db2db89dead1b45fcbc94dca3ad252bc7ef4747738f3177e0284b38733": [[342, 406]], "FILEPATH: C:\\Windows\\System32\\update.dll": [[423, 453]], "EMAIL: it@phishing-domain.com": [[486, 508]], "IP_ADDRESS: 61.111.243.117": [[574, 588]]}, "info": {"id": "synth_v2_00198", "source": "synthetic_v2"}} +{"text": "Europol published a threat intelligence report linking Mustang Panda to a new campaign exploiting CVE-2023-40294 in Atlassian Confluence. The attackers deployed Cobalt Strike via PowerView, establishing C2 communication with 10.55.213.46 and cachemail.dev. A secondary payload was downloaded from https://api-backup.tech/callback. The malware binary (SHA256: d68fd3bfdc5edde7ec7c4a0935d05339a599e79358f80bda6150ba879e39da04) was dropped to C:\\Program Files\\Common Files\\dropper.ps1. Phishing emails were sent from info@mail-service.info targeting enterprise users. 
A backup C2 server was identified at 192.145.90.248.", "spans": {"ORGANIZATION: Europol": [[0, 7]], "THREAT_ACTOR: Mustang Panda": [[55, 68]], "CVE_ID: CVE-2023-40294": [[98, 112]], "SYSTEM: Atlassian Confluence": [[116, 136]], "MALWARE: Cobalt Strike": [[161, 174]], "TOOL: PowerView": [[179, 188]], "IP_ADDRESS: 10.55.213.46": [[225, 237]], "DOMAIN: cachemail.dev": [[242, 255]], "URL: https://api-backup.tech/callback": [[297, 329]], "HASH: d68fd3bfdc5edde7ec7c4a0935d05339a599e79358f80bda6150ba879e39da04": [[359, 423]], "FILEPATH: C:\\Program Files\\Common Files\\dropper.ps1": [[440, 481]], "EMAIL: info@mail-service.info": [[514, 536]], "IP_ADDRESS: 192.145.90.248": [[602, 616]]}, "info": {"id": "synth_v2_00199", "source": "synthetic_v2"}} +{"text": "Secureworks published a threat intelligence report linking Ember Bear to a new campaign exploiting CVE-2023-14679 in Atlassian Confluence. The attackers deployed BlackCat via Metasploit, establishing C2 communication with 135.107.107.157 and gatewaystatic.live. A secondary payload was downloaded from https://syncnode.cc/download/update.exe. The malware binary (SHA1: 508c457302a6e04270b427f204d7bb295280258d) was dropped to /dev/shm/loader.exe. Phishing emails were sent from verify@credential-check.site targeting enterprise users. 
A backup C2 server was identified at 10.44.247.186.", "spans": {"ORGANIZATION: Secureworks": [[0, 11]], "THREAT_ACTOR: Ember Bear": [[59, 69]], "CVE_ID: CVE-2023-14679": [[99, 113]], "SYSTEM: Atlassian Confluence": [[117, 137]], "MALWARE: BlackCat": [[162, 170]], "TOOL: Metasploit": [[175, 185]], "IP_ADDRESS: 135.107.107.157": [[222, 237]], "DOMAIN: gatewaystatic.live": [[242, 260]], "URL: https://syncnode.cc/download/update.exe": [[302, 341]], "HASH: 508c457302a6e04270b427f204d7bb295280258d": [[369, 409]], "FILEPATH: /dev/shm/loader.exe": [[426, 445]], "EMAIL: verify@credential-check.site": [[478, 506]], "IP_ADDRESS: 10.44.247.186": [[572, 585]]}, "info": {"id": "synth_v2_00200", "source": "synthetic_v2"}} +{"text": "INTERPOL published a threat intelligence report linking Granite Typhoon to a new campaign exploiting CVE-2022-25256 in Apache Struts. The attackers deployed DarkSide via Mythic, establishing C2 communication with 10.60.12.120 and storage-mail.io. A secondary payload was downloaded from https://update-cloud.club/portal/verify. The malware binary (SHA256: 70118dfcc8b54f340c5fbc99e0fe0801344d497083a5e6b8cabdac9756c270f6) was dropped to /home/user/.config/agent.py. Phishing emails were sent from account@urgent-notice.online targeting enterprise users. 
A backup C2 server was identified at 192.106.212.106.", "spans": {"ORGANIZATION: INTERPOL": [[0, 8]], "THREAT_ACTOR: Granite Typhoon": [[56, 71]], "CVE_ID: CVE-2022-25256": [[101, 115]], "SYSTEM: Apache Struts": [[119, 132]], "MALWARE: DarkSide": [[157, 165]], "TOOL: Mythic": [[170, 176]], "IP_ADDRESS: 10.60.12.120": [[213, 225]], "DOMAIN: storage-mail.io": [[230, 245]], "URL: https://update-cloud.club/portal/verify": [[287, 326]], "HASH: 70118dfcc8b54f340c5fbc99e0fe0801344d497083a5e6b8cabdac9756c270f6": [[356, 420]], "FILEPATH: /home/user/.config/agent.py": [[437, 464]], "EMAIL: account@urgent-notice.online": [[497, 525]], "IP_ADDRESS: 192.106.212.106": [[591, 606]]}, "info": {"id": "synth_v2_00201", "source": "synthetic_v2"}} +{"text": "Zscaler ThreatLabz published a threat intelligence report linking Scattered Spider to a new campaign exploiting CVE-2024-30673 in Atlassian Confluence. The attackers deployed Emotet via Metasploit, establishing C2 communication with 186.14.89.50 and cdnlogin.online. A secondary payload was downloaded from https://relay-edge.dev/gate.php. The malware binary (MD5: a52e811342585c753c3a78153f22d6ac) was dropped to C:\\Users\\admin\\AppData\\Local\\Temp\\loader.exe. Phishing emails were sent from finance@document-share.link targeting enterprise users. 
A backup C2 server was identified at 214.173.245.235.", "spans": {"ORGANIZATION: Zscaler ThreatLabz": [[0, 18]], "THREAT_ACTOR: Scattered Spider": [[66, 82]], "CVE_ID: CVE-2024-30673": [[112, 126]], "SYSTEM: Atlassian Confluence": [[130, 150]], "MALWARE: Emotet": [[175, 181]], "TOOL: Metasploit": [[186, 196]], "IP_ADDRESS: 186.14.89.50": [[233, 245]], "DOMAIN: cdnlogin.online": [[250, 265]], "URL: https://relay-edge.dev/gate.php": [[307, 338]], "HASH: a52e811342585c753c3a78153f22d6ac": [[365, 397]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\loader.exe": [[414, 458]], "EMAIL: finance@document-share.link": [[491, 518]], "IP_ADDRESS: 214.173.245.235": [[584, 599]]}, "info": {"id": "synth_v2_00202", "source": "synthetic_v2"}} +{"text": "NCSC published a threat intelligence report linking Aqua Blizzard to a new campaign exploiting CVE-2020-24628 in Palo Alto PAN-OS. The attackers deployed RemcosRAT via Certutil, establishing C2 communication with 205.181.33.249 and edgesecure.cc. A secondary payload was downloaded from https://securestatic.net/assets/js/payload.js. The malware binary (MD5: 421d6f8086f073c05b03ce2b75a83ff3) was dropped to C:\\Users\\admin\\AppData\\Local\\Temp\\backdoor.elf. Phishing emails were sent from contact@secure-verify.net targeting enterprise users. 
A backup C2 server was identified at 172.15.173.252.", "spans": {"ORGANIZATION: NCSC": [[0, 4]], "THREAT_ACTOR: Aqua Blizzard": [[52, 65]], "CVE_ID: CVE-2020-24628": [[95, 109]], "SYSTEM: Palo Alto PAN-OS": [[113, 129]], "MALWARE: RemcosRAT": [[154, 163]], "TOOL: Certutil": [[168, 176]], "IP_ADDRESS: 205.181.33.249": [[213, 227]], "DOMAIN: edgesecure.cc": [[232, 245]], "URL: https://securestatic.net/assets/js/payload.js": [[287, 332]], "HASH: 421d6f8086f073c05b03ce2b75a83ff3": [[359, 391]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\backdoor.elf": [[408, 454]], "EMAIL: contact@secure-verify.net": [[487, 512]], "IP_ADDRESS: 172.15.173.252": [[578, 592]]}, "info": {"id": "synth_v2_00203", "source": "synthetic_v2"}} +{"text": "CISA published a threat intelligence report linking Ember Bear to a new campaign exploiting CVE-2023-34867 in Palo Alto PAN-OS. The attackers deployed BumbleBee via Chisel, establishing C2 communication with 45.57.191.201 and proxy-node.org. A secondary payload was downloaded from https://storage-proxy.club/secure/token. The malware binary (SHA256: 478043fae335f8711a5d06cce2abf26bb14c5f6c82b97c4d85e7b946a5dd7c33) was dropped to C:\\Users\\Public\\Documents\\loader.exe. Phishing emails were sent from noreply@login-portal.tech targeting enterprise users. 
A backup C2 server was identified at 10.47.227.130.", "spans": {"ORGANIZATION: CISA": [[0, 4]], "THREAT_ACTOR: Ember Bear": [[52, 62]], "CVE_ID: CVE-2023-34867": [[92, 106]], "SYSTEM: Palo Alto PAN-OS": [[110, 126]], "MALWARE: BumbleBee": [[151, 160]], "TOOL: Chisel": [[165, 171]], "IP_ADDRESS: 45.57.191.201": [[208, 221]], "DOMAIN: proxy-node.org": [[226, 240]], "URL: https://storage-proxy.club/secure/token": [[282, 321]], "HASH: 478043fae335f8711a5d06cce2abf26bb14c5f6c82b97c4d85e7b946a5dd7c33": [[351, 415]], "FILEPATH: C:\\Users\\Public\\Documents\\loader.exe": [[432, 468]], "EMAIL: noreply@login-portal.tech": [[501, 526]], "IP_ADDRESS: 10.47.227.130": [[592, 605]]}, "info": {"id": "synth_v2_00204", "source": "synthetic_v2"}} +{"text": "Proofpoint published a threat intelligence report linking Aqua Blizzard to a new campaign exploiting CVE-2026-29234 in VMware ESXi. The attackers deployed Cobalt Strike via Brute Ratel, establishing C2 communication with 172.22.44.86 and cloudstorage.xyz. A secondary payload was downloaded from https://backup-sync.io/gate.php. The malware binary (SHA1: 64b1a0d2d133ef11232e8db1c21fc7772b7215ad) was dropped to C:\\Users\\Public\\Documents\\backdoor.elf. Phishing emails were sent from noreply@account-update.xyz targeting enterprise users. 
A backup C2 server was identified at 12.52.159.6.", "spans": {"ORGANIZATION: Proofpoint": [[0, 10]], "THREAT_ACTOR: Aqua Blizzard": [[58, 71]], "CVE_ID: CVE-2026-29234": [[101, 115]], "SYSTEM: VMware ESXi": [[119, 130]], "MALWARE: Cobalt Strike": [[155, 168]], "TOOL: Brute Ratel": [[173, 184]], "IP_ADDRESS: 172.22.44.86": [[221, 233]], "DOMAIN: cloudstorage.xyz": [[238, 254]], "URL: https://backup-sync.io/gate.php": [[296, 327]], "HASH: 64b1a0d2d133ef11232e8db1c21fc7772b7215ad": [[355, 395]], "FILEPATH: C:\\Users\\Public\\Documents\\backdoor.elf": [[412, 450]], "EMAIL: noreply@account-update.xyz": [[483, 509]], "IP_ADDRESS: 12.52.159.6": [[575, 586]]}, "info": {"id": "synth_v2_00205", "source": "synthetic_v2"}} +{"text": "INTERPOL published a threat intelligence report linking FIN11 to a new campaign exploiting CVE-2026-32293 in VMware ESXi. The attackers deployed Conti via Mimikatz, establishing C2 communication with 192.179.163.70 and backup-static.dev. A secondary payload was downloaded from hxxp://edgerelay.com/login. The malware binary (MD5: b422b189a8414d9b9245de8305b7428d) was dropped to C:\\Users\\admin\\AppData\\Local\\Temp\\taskhost.exe. Phishing emails were sent from service@phishing-domain.com targeting enterprise users. 
A backup C2 server was identified at 192.145.125.44.", "spans": {"ORGANIZATION: INTERPOL": [[0, 8]], "THREAT_ACTOR: FIN11": [[56, 61]], "CVE_ID: CVE-2026-32293": [[91, 105]], "SYSTEM: VMware ESXi": [[109, 120]], "MALWARE: Conti": [[145, 150]], "TOOL: Mimikatz": [[155, 163]], "IP_ADDRESS: 192.179.163.70": [[200, 214]], "DOMAIN: backup-static.dev": [[219, 236]], "URL: hxxp://edgerelay.com/login": [[278, 304]], "HASH: b422b189a8414d9b9245de8305b7428d": [[331, 363]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\taskhost.exe": [[380, 426]], "EMAIL: service@phishing-domain.com": [[459, 486]], "IP_ADDRESS: 192.145.125.44": [[552, 566]]}, "info": {"id": "synth_v2_00206", "source": "synthetic_v2"}} +{"text": "Google TAG published a threat intelligence report linking Lazarus Group to a new campaign exploiting CVE-2025-17185 in Progress Telerik. The attackers deployed XLoader via Ligolo, establishing C2 communication with 80.170.101.183 and authrelay.info. A secondary payload was downloaded from hxxp://proxydata.xyz/collect. The malware binary (MD5: c8a0f2bb3478669ef6656e5410cab7d9) was dropped to /etc/cron.d/lsass.dmp. Phishing emails were sent from security@auth-check.org targeting enterprise users. 
A backup C2 server was identified at 172.67.47.209.", "spans": {"ORGANIZATION: Google TAG": [[0, 10]], "THREAT_ACTOR: Lazarus Group": [[58, 71]], "CVE_ID: CVE-2025-17185": [[101, 115]], "SYSTEM: Progress Telerik": [[119, 135]], "MALWARE: XLoader": [[160, 167]], "TOOL: Ligolo": [[172, 178]], "IP_ADDRESS: 80.170.101.183": [[215, 229]], "DOMAIN: authrelay.info": [[234, 248]], "URL: hxxp://proxydata.xyz/collect": [[290, 318]], "HASH: c8a0f2bb3478669ef6656e5410cab7d9": [[345, 377]], "FILEPATH: /etc/cron.d/lsass.dmp": [[394, 415]], "EMAIL: security@auth-check.org": [[448, 471]], "IP_ADDRESS: 172.67.47.209": [[537, 550]]}, "info": {"id": "synth_v2_00207", "source": "synthetic_v2"}} +{"text": "FBI published a threat intelligence report linking Granite Typhoon to a new campaign exploiting CVE-2020-45741 in Ubuntu 22.04. The attackers deployed RemcosRAT via Brute Ratel, establishing C2 communication with 29.179.245.119 and portal-auth.tech. A secondary payload was downloaded from http://backup-edge.online/collect. The malware binary (MD5: 8802576e6275eaec09ab53b06e7cd2a1) was dropped to /var/tmp/implant.so. Phishing emails were sent from helpdesk@urgent-notice.online targeting enterprise users. 
A backup C2 server was identified at 172.178.65.131.", "spans": {"ORGANIZATION: FBI": [[0, 3]], "THREAT_ACTOR: Granite Typhoon": [[51, 66]], "CVE_ID: CVE-2020-45741": [[96, 110]], "SYSTEM: Ubuntu 22.04": [[114, 126]], "MALWARE: RemcosRAT": [[151, 160]], "TOOL: Brute Ratel": [[165, 176]], "IP_ADDRESS: 29.179.245.119": [[213, 227]], "DOMAIN: portal-auth.tech": [[232, 248]], "URL: http://backup-edge.online/collect": [[290, 323]], "HASH: 8802576e6275eaec09ab53b06e7cd2a1": [[350, 382]], "FILEPATH: /var/tmp/implant.so": [[399, 418]], "EMAIL: helpdesk@urgent-notice.online": [[451, 480]], "IP_ADDRESS: 172.178.65.131": [[546, 560]]}, "info": {"id": "synth_v2_00208", "source": "synthetic_v2"}} +{"text": "Recorded Future published a threat intelligence report linking Turla to a new campaign exploiting CVE-2024-27546 in Palo Alto PAN-OS. The attackers deployed Amadey via Ligolo, establishing C2 communication with 201.222.175.140 and storageedge.net. A secondary payload was downloaded from hxxps://securebackup.site/collect. The malware binary (SHA256: 9d52abee7cc78ed1ac3f15b9da52c00b750990568f76c49cc61951418ee6d5e5) was dropped to C:\\Users\\admin\\Desktop\\winlogon.exe. Phishing emails were sent from verify@phishing-domain.com targeting enterprise users. 
A backup C2 server was identified at 10.39.249.30.", "spans": {"ORGANIZATION: Recorded Future": [[0, 15]], "THREAT_ACTOR: Turla": [[63, 68]], "CVE_ID: CVE-2024-27546": [[98, 112]], "SYSTEM: Palo Alto PAN-OS": [[116, 132]], "MALWARE: Amadey": [[157, 163]], "TOOL: Ligolo": [[168, 174]], "IP_ADDRESS: 201.222.175.140": [[211, 226]], "DOMAIN: storageedge.net": [[231, 246]], "URL: hxxps://securebackup.site/collect": [[288, 321]], "HASH: 9d52abee7cc78ed1ac3f15b9da52c00b750990568f76c49cc61951418ee6d5e5": [[351, 415]], "FILEPATH: C:\\Users\\admin\\Desktop\\winlogon.exe": [[432, 467]], "EMAIL: verify@phishing-domain.com": [[500, 526]], "IP_ADDRESS: 10.39.249.30": [[592, 604]]}, "info": {"id": "synth_v2_00209", "source": "synthetic_v2"}} +{"text": "Microsoft MSRC published a threat intelligence report linking Lazarus Group to a new campaign exploiting CVE-2020-17296 in Citrix NetScaler. The attackers deployed Royal via Covenant, establishing C2 communication with 172.149.199.158 and gatewaymail.net. A secondary payload was downloaded from hxxp://static-node.site/portal/verify. The malware binary (SHA256: 6fca1a65002b1821fee24cfc04a643ae0cad9baccad21f2d3ff1621729da0ddd) was dropped to /etc/cron.d/dropper.ps1. Phishing emails were sent from support@phishing-domain.com targeting enterprise users. 
A backup C2 server was identified at 51.105.162.77.", "spans": {"ORGANIZATION: Microsoft MSRC": [[0, 14]], "THREAT_ACTOR: Lazarus Group": [[62, 75]], "CVE_ID: CVE-2020-17296": [[105, 119]], "SYSTEM: Citrix NetScaler": [[123, 139]], "MALWARE: Royal": [[164, 169]], "TOOL: Covenant": [[174, 182]], "IP_ADDRESS: 172.149.199.158": [[219, 234]], "DOMAIN: gatewaymail.net": [[239, 254]], "URL: hxxp://static-node.site/portal/verify": [[296, 333]], "HASH: 6fca1a65002b1821fee24cfc04a643ae0cad9baccad21f2d3ff1621729da0ddd": [[363, 427]], "FILEPATH: /etc/cron.d/dropper.ps1": [[444, 467]], "EMAIL: support@phishing-domain.com": [[500, 527]], "IP_ADDRESS: 51.105.162.77": [[593, 606]]}, "info": {"id": "synth_v2_00210", "source": "synthetic_v2"}} +{"text": "SentinelOne published a threat intelligence report linking Forest Blizzard to a new campaign exploiting CVE-2021-20463 in Apache Struts. The attackers deployed Latrodectus via Covenant, establishing C2 communication with 10.221.201.161 and edgecloud.top. A secondary payload was downloaded from http://proxy-login.xyz/secure/token. The malware binary (MD5: 18d0f61c949507c7592eba9db7da3e11) was dropped to C:\\Windows\\System32\\agent.py. Phishing emails were sent from noreply@account-update.xyz targeting enterprise users. 
A backup C2 server was identified at 183.195.207.98.", "spans": {"ORGANIZATION: SentinelOne": [[0, 11]], "THREAT_ACTOR: Forest Blizzard": [[59, 74]], "CVE_ID: CVE-2021-20463": [[104, 118]], "SYSTEM: Apache Struts": [[122, 135]], "MALWARE: Latrodectus": [[160, 171]], "TOOL: Covenant": [[176, 184]], "IP_ADDRESS: 10.221.201.161": [[221, 235]], "DOMAIN: edgecloud.top": [[240, 253]], "URL: http://proxy-login.xyz/secure/token": [[295, 330]], "HASH: 18d0f61c949507c7592eba9db7da3e11": [[357, 389]], "FILEPATH: C:\\Windows\\System32\\agent.py": [[406, 434]], "EMAIL: noreply@account-update.xyz": [[467, 493]], "IP_ADDRESS: 183.195.207.98": [[559, 573]]}, "info": {"id": "synth_v2_00211", "source": "synthetic_v2"}} +{"text": "CrowdStrike published a threat intelligence report linking APT28 to a new campaign exploiting CVE-2021-16078 in F5 BIG-IP. The attackers deployed IcedID via Sharphound, establishing C2 communication with 35.43.70.165 and relay-node.site. A secondary payload was downloaded from hxxp://portalmail.xyz/callback. The malware binary (SHA1: f590308d8945aa33c66895152b7f2af90795cebf) was dropped to C:\\Windows\\Temp\\shell.php. Phishing emails were sent from verify@login-portal.tech targeting enterprise users. 
A backup C2 server was identified at 221.233.217.160.", "spans": {"ORGANIZATION: CrowdStrike": [[0, 11]], "THREAT_ACTOR: APT28": [[59, 64]], "CVE_ID: CVE-2021-16078": [[94, 108]], "SYSTEM: F5 BIG-IP": [[112, 121]], "MALWARE: IcedID": [[146, 152]], "TOOL: Sharphound": [[157, 167]], "IP_ADDRESS: 35.43.70.165": [[204, 216]], "DOMAIN: relay-node.site": [[221, 236]], "URL: hxxp://portalmail.xyz/callback": [[278, 308]], "HASH: f590308d8945aa33c66895152b7f2af90795cebf": [[336, 376]], "FILEPATH: C:\\Windows\\Temp\\shell.php": [[393, 418]], "EMAIL: verify@login-portal.tech": [[451, 475]], "IP_ADDRESS: 221.233.217.160": [[541, 556]]}, "info": {"id": "synth_v2_00212", "source": "synthetic_v2"}} +{"text": "Dragos published a threat intelligence report linking Forest Blizzard to a new campaign exploiting CVE-2026-42806 in MOVEit Transfer. The attackers deployed BatLoader via Nmap, establishing C2 communication with 9.19.247.181 and relaynode.net. A secondary payload was downloaded from hxxps://data-proxy.top/admin/config. The malware binary (SHA1: cf5b0dc56dab06632a6c5a40290fadcdd590b3b1) was dropped to /home/user/.config/implant.so. Phishing emails were sent from support@auth-check.org targeting enterprise users. 
A backup C2 server was identified at 29.246.40.37.", "spans": {"ORGANIZATION: Dragos": [[0, 6]], "THREAT_ACTOR: Forest Blizzard": [[54, 69]], "CVE_ID: CVE-2026-42806": [[99, 113]], "SYSTEM: MOVEit Transfer": [[117, 132]], "MALWARE: BatLoader": [[157, 166]], "TOOL: Nmap": [[171, 175]], "IP_ADDRESS: 9.19.247.181": [[212, 224]], "DOMAIN: relaynode.net": [[229, 242]], "URL: hxxps://data-proxy.top/admin/config": [[284, 319]], "HASH: cf5b0dc56dab06632a6c5a40290fadcdd590b3b1": [[347, 387]], "FILEPATH: /home/user/.config/implant.so": [[404, 433]], "EMAIL: support@auth-check.org": [[466, 488]], "IP_ADDRESS: 29.246.40.37": [[554, 566]]}, "info": {"id": "synth_v2_00213", "source": "synthetic_v2"}} +{"text": "CISA published a threat intelligence report linking MuddyWater to a new campaign exploiting CVE-2026-32293 in F5 BIG-IP. The attackers deployed Emotet via PowerShell Empire, establishing C2 communication with 108.180.150.75 and cachesecure.cc. A secondary payload was downloaded from https://backup-static.com/gate.php. The malware binary (SHA256: fb7bc7af521779bc62593a4f166f3156c679fbd84ce6a79890d920c7b88b09cb) was dropped to C:\\Windows\\System32\\loader.exe. Phishing emails were sent from info@mail-service.info targeting enterprise users. 
A backup C2 server was identified at 10.155.133.16.", "spans": {"ORGANIZATION: CISA": [[0, 4]], "THREAT_ACTOR: MuddyWater": [[52, 62]], "CVE_ID: CVE-2026-32293": [[92, 106]], "SYSTEM: F5 BIG-IP": [[110, 119]], "MALWARE: Emotet": [[144, 150]], "TOOL: PowerShell Empire": [[155, 172]], "IP_ADDRESS: 108.180.150.75": [[209, 223]], "DOMAIN: cachesecure.cc": [[228, 242]], "URL: https://backup-static.com/gate.php": [[284, 318]], "HASH: fb7bc7af521779bc62593a4f166f3156c679fbd84ce6a79890d920c7b88b09cb": [[348, 412]], "FILEPATH: C:\\Windows\\System32\\loader.exe": [[429, 459]], "EMAIL: info@mail-service.info": [[492, 514]], "IP_ADDRESS: 10.155.133.16": [[580, 593]]}, "info": {"id": "synth_v2_00214", "source": "synthetic_v2"}} +{"text": "Kaspersky GReAT published a threat intelligence report linking FIN11 to a new campaign exploiting CVE-2023-14679 in Active Directory. The attackers deployed BlackCat via ADFind, establishing C2 communication with 192.57.89.233 and sync-data.online. A secondary payload was downloaded from hxxps://node-cdn.tech/download/update.exe. The malware binary (SHA1: eaa22cd1eda1a40a06142d920127b2afc6145588) was dropped to C:\\Windows\\System32\\beacon.dll. Phishing emails were sent from contact@identity-verify.cc targeting enterprise users. 
A backup C2 server was identified at 192.228.189.207.", "spans": {"ORGANIZATION: Kaspersky GReAT": [[0, 15]], "THREAT_ACTOR: FIN11": [[63, 68]], "CVE_ID: CVE-2023-14679": [[98, 112]], "SYSTEM: Active Directory": [[116, 132]], "MALWARE: BlackCat": [[157, 165]], "TOOL: ADFind": [[170, 176]], "IP_ADDRESS: 192.57.89.233": [[213, 226]], "DOMAIN: sync-data.online": [[231, 247]], "URL: hxxps://node-cdn.tech/download/update.exe": [[289, 330]], "HASH: eaa22cd1eda1a40a06142d920127b2afc6145588": [[358, 398]], "FILEPATH: C:\\Windows\\System32\\beacon.dll": [[415, 445]], "EMAIL: contact@identity-verify.cc": [[478, 504]], "IP_ADDRESS: 192.228.189.207": [[570, 585]]}, "info": {"id": "synth_v2_00215", "source": "synthetic_v2"}} +{"text": "Check Point Research published a threat intelligence report linking FIN7 to a new campaign exploiting CVE-2022-27335 in Palo Alto PAN-OS. The attackers deployed PlugX via LinPEAS, establishing C2 communication with 14.135.59.14 and edgedata.site. A secondary payload was downloaded from http://proxysync.org/login. The malware binary (MD5: 7d27e5624bcd4fc2a207a778570181ee) was dropped to C:\\Windows\\Tasks\\lsass.dmp. Phishing emails were sent from ceo@urgent-notice.online targeting enterprise users. 
A backup C2 server was identified at 172.204.243.78.", "spans": {"ORGANIZATION: Check Point Research": [[0, 20]], "THREAT_ACTOR: FIN7": [[68, 72]], "CVE_ID: CVE-2022-27335": [[102, 116]], "SYSTEM: Palo Alto PAN-OS": [[120, 136]], "MALWARE: PlugX": [[161, 166]], "TOOL: LinPEAS": [[171, 178]], "IP_ADDRESS: 14.135.59.14": [[215, 227]], "DOMAIN: edgedata.site": [[232, 245]], "URL: http://proxysync.org/login": [[287, 313]], "HASH: 7d27e5624bcd4fc2a207a778570181ee": [[340, 372]], "FILEPATH: C:\\Windows\\Tasks\\lsass.dmp": [[389, 415]], "EMAIL: ceo@urgent-notice.online": [[448, 472]], "IP_ADDRESS: 172.204.243.78": [[538, 552]]}, "info": {"id": "synth_v2_00216", "source": "synthetic_v2"}} +{"text": "FireEye published a threat intelligence report linking Star Blizzard to a new campaign exploiting CVE-2026-39735 in Ivanti Connect Secure. The attackers deployed Cobalt Strike via Metasploit, establishing C2 communication with 157.139.171.70 and relaydata.club. A secondary payload was downloaded from hxxp://node-storage.top/secure/token. The malware binary (SHA1: 9cb9e81bedfc446f25943dfde8fc85a1e1870f9e) was dropped to C:\\Windows\\Temp\\svchost.exe. Phishing emails were sent from info@phishing-domain.com targeting enterprise users. 
A backup C2 server was identified at 206.50.130.168.", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: Star Blizzard": [[55, 68]], "CVE_ID: CVE-2026-39735": [[98, 112]], "SYSTEM: Ivanti Connect Secure": [[116, 137]], "MALWARE: Cobalt Strike": [[162, 175]], "TOOL: Metasploit": [[180, 190]], "IP_ADDRESS: 157.139.171.70": [[227, 241]], "DOMAIN: relaydata.club": [[246, 260]], "URL: hxxp://node-storage.top/secure/token": [[302, 338]], "HASH: 9cb9e81bedfc446f25943dfde8fc85a1e1870f9e": [[366, 406]], "FILEPATH: C:\\Windows\\Temp\\svchost.exe": [[423, 450]], "EMAIL: info@phishing-domain.com": [[483, 507]], "IP_ADDRESS: 206.50.130.168": [[573, 587]]}, "info": {"id": "synth_v2_00217", "source": "synthetic_v2"}} +{"text": "Palo Alto Unit 42 published a threat intelligence report linking Storm-0558 to a new campaign exploiting CVE-2025-17185 in Ivanti Connect Secure. The attackers deployed Ryuk via LaZagne, establishing C2 communication with 192.145.128.50 and static-auth.club. A secondary payload was downloaded from http://api-static.org/admin/config. The malware binary (SHA1: 617a6abeee3b0fb3faa4faf316b3d04a77b41fec) was dropped to C:\\Users\\admin\\Downloads\\taskhost.exe. Phishing emails were sent from security@mail-service.info targeting enterprise users. 
A backup C2 server was identified at 10.47.29.241.", "spans": {"ORGANIZATION: Palo Alto Unit 42": [[0, 17]], "THREAT_ACTOR: Storm-0558": [[65, 75]], "CVE_ID: CVE-2025-17185": [[105, 119]], "SYSTEM: Ivanti Connect Secure": [[123, 144]], "MALWARE: Ryuk": [[169, 173]], "TOOL: LaZagne": [[178, 185]], "IP_ADDRESS: 192.145.128.50": [[222, 236]], "DOMAIN: static-auth.club": [[241, 257]], "URL: http://api-static.org/admin/config": [[299, 333]], "HASH: 617a6abeee3b0fb3faa4faf316b3d04a77b41fec": [[361, 401]], "FILEPATH: C:\\Users\\admin\\Downloads\\taskhost.exe": [[418, 455]], "EMAIL: security@mail-service.info": [[488, 514]], "IP_ADDRESS: 10.47.29.241": [[580, 592]]}, "info": {"id": "synth_v2_00218", "source": "synthetic_v2"}} +{"text": "FireEye published a threat intelligence report linking TA505 to a new campaign exploiting CVE-2020-46781 in Zyxel USG. The attackers deployed ShadowPad via PowerView, establishing C2 communication with 197.218.165.66 and storagecdn.info. A secondary payload was downloaded from http://securerelay.net/wp-content/uploads/doc.php. The malware binary (SHA1: a617983efea5120c8ebdc75c1422b7ae83819980) was dropped to C:\\Users\\admin\\Desktop\\config.dat. Phishing emails were sent from verify@secure-verify.net targeting enterprise users. 
A backup C2 server was identified at 10.141.31.98.", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: TA505": [[55, 60]], "CVE_ID: CVE-2020-46781": [[90, 104]], "SYSTEM: Zyxel USG": [[108, 117]], "MALWARE: ShadowPad": [[142, 151]], "TOOL: PowerView": [[156, 165]], "IP_ADDRESS: 197.218.165.66": [[202, 216]], "DOMAIN: storagecdn.info": [[221, 236]], "URL: http://securerelay.net/wp-content/uploads/doc.php": [[278, 327]], "HASH: a617983efea5120c8ebdc75c1422b7ae83819980": [[355, 395]], "FILEPATH: C:\\Users\\admin\\Desktop\\config.dat": [[412, 445]], "EMAIL: verify@secure-verify.net": [[478, 502]], "IP_ADDRESS: 10.141.31.98": [[568, 580]]}, "info": {"id": "synth_v2_00219", "source": "synthetic_v2"}} +{"text": "Dragos published a threat intelligence report linking Mustang Panda to a new campaign exploiting CVE-2022-13003 in Progress Telerik. The attackers deployed WarmCookie via Seatbelt, establishing C2 communication with 172.132.52.9 and loginupdate.dev. A secondary payload was downloaded from https://portal-sync.org/callback. The malware binary (SHA1: 8e82e59597e7c8b5b2c7ac77bfa874940e4a746d) was dropped to C:\\Windows\\Temp\\loader.exe. Phishing emails were sent from verify@credential-check.site targeting enterprise users. 
A backup C2 server was identified at 10.128.228.5.", "spans": {"ORGANIZATION: Dragos": [[0, 6]], "THREAT_ACTOR: Mustang Panda": [[54, 67]], "CVE_ID: CVE-2022-13003": [[97, 111]], "SYSTEM: Progress Telerik": [[115, 131]], "MALWARE: WarmCookie": [[156, 166]], "TOOL: Seatbelt": [[171, 179]], "IP_ADDRESS: 172.132.52.9": [[216, 228]], "DOMAIN: loginupdate.dev": [[233, 248]], "URL: https://portal-sync.org/callback": [[290, 322]], "HASH: 8e82e59597e7c8b5b2c7ac77bfa874940e4a746d": [[350, 390]], "FILEPATH: C:\\Windows\\Temp\\loader.exe": [[407, 433]], "EMAIL: verify@credential-check.site": [[466, 494]], "IP_ADDRESS: 10.128.228.5": [[560, 572]]}, "info": {"id": "synth_v2_00220", "source": "synthetic_v2"}} +{"text": "Volexity published a threat intelligence report linking Storm-0558 to a new campaign exploiting CVE-2020-49453 in Barracuda ESG. The attackers deployed Vidar via Havoc, establishing C2 communication with 10.196.246.32 and mail-edge.live. A secondary payload was downloaded from https://apirelay.link/admin/config. The malware binary (SHA256: 4441688bf37a54d7e13a605653bfbbf88ccd9cce7b5e1ff3f2d8d0dc2e65e5d0) was dropped to C:\\Users\\admin\\Downloads\\dropper.ps1. Phishing emails were sent from support@identity-verify.cc targeting enterprise users. 
A backup C2 server was identified at 86.155.205.15.", "spans": {"ORGANIZATION: Volexity": [[0, 8]], "THREAT_ACTOR: Storm-0558": [[56, 66]], "CVE_ID: CVE-2020-49453": [[96, 110]], "SYSTEM: Barracuda ESG": [[114, 127]], "MALWARE: Vidar": [[152, 157]], "TOOL: Havoc": [[162, 167]], "IP_ADDRESS: 10.196.246.32": [[204, 217]], "DOMAIN: mail-edge.live": [[222, 236]], "URL: https://apirelay.link/admin/config": [[278, 312]], "HASH: 4441688bf37a54d7e13a605653bfbbf88ccd9cce7b5e1ff3f2d8d0dc2e65e5d0": [[342, 406]], "FILEPATH: C:\\Users\\admin\\Downloads\\dropper.ps1": [[423, 459]], "EMAIL: support@identity-verify.cc": [[492, 518]], "IP_ADDRESS: 86.155.205.15": [[584, 597]]}, "info": {"id": "synth_v2_00221", "source": "synthetic_v2"}} +{"text": "Secureworks published a threat intelligence report linking Star Blizzard to a new campaign exploiting CVE-2024-26162 in VMware ESXi. The attackers deployed Hive via Burp Suite, establishing C2 communication with 125.43.224.189 and proxy-portal.net. A secondary payload was downloaded from http://proxyedge.live/login. The malware binary (SHA256: fffbc542f5e8c1f0fd9870d6dfd4f485c3e88fb505cf5653672baf68782bb24c) was dropped to /opt/app/bin/update.dll. Phishing emails were sent from ceo@phishing-domain.com targeting enterprise users. 
A backup C2 server was identified at 10.18.98.7.", "spans": {"ORGANIZATION: Secureworks": [[0, 11]], "THREAT_ACTOR: Star Blizzard": [[59, 72]], "CVE_ID: CVE-2024-26162": [[102, 116]], "SYSTEM: VMware ESXi": [[120, 131]], "MALWARE: Hive": [[156, 160]], "TOOL: Burp Suite": [[165, 175]], "IP_ADDRESS: 125.43.224.189": [[212, 226]], "DOMAIN: proxy-portal.net": [[231, 247]], "URL: http://proxyedge.live/login": [[289, 316]], "HASH: fffbc542f5e8c1f0fd9870d6dfd4f485c3e88fb505cf5653672baf68782bb24c": [[346, 410]], "FILEPATH: /opt/app/bin/update.dll": [[427, 450]], "EMAIL: ceo@phishing-domain.com": [[483, 506]], "IP_ADDRESS: 10.18.98.7": [[572, 582]]}, "info": {"id": "synth_v2_00222", "source": "synthetic_v2"}} +{"text": "Rapid7 published a threat intelligence report linking Volt Typhoon to a new campaign exploiting CVE-2026-29234 in Zyxel USG. The attackers deployed Conti via SharpHound, establishing C2 communication with 192.119.36.10 and data-login.com. A secondary payload was downloaded from hxxps://cdn-backup.live/gate.php. The malware binary (SHA1: 52537a3924eeac80ff723200895e368bb0260c34) was dropped to C:\\Users\\admin\\Downloads\\shell.php. Phishing emails were sent from info@secure-verify.net targeting enterprise users. 
A backup C2 server was identified at 172.9.241.233.", "spans": {"ORGANIZATION: Rapid7": [[0, 6]], "THREAT_ACTOR: Volt Typhoon": [[54, 66]], "CVE_ID: CVE-2026-29234": [[96, 110]], "SYSTEM: Zyxel USG": [[114, 123]], "MALWARE: Conti": [[148, 153]], "TOOL: SharpHound": [[158, 168]], "IP_ADDRESS: 192.119.36.10": [[205, 218]], "DOMAIN: data-login.com": [[223, 237]], "URL: hxxps://cdn-backup.live/gate.php": [[279, 311]], "HASH: 52537a3924eeac80ff723200895e368bb0260c34": [[339, 379]], "FILEPATH: C:\\Users\\admin\\Downloads\\shell.php": [[396, 430]], "EMAIL: info@secure-verify.net": [[463, 485]], "IP_ADDRESS: 172.9.241.233": [[551, 564]]}, "info": {"id": "synth_v2_00223", "source": "synthetic_v2"}} +{"text": "Rapid7 published a threat intelligence report linking Kimsuky to a new campaign exploiting CVE-2022-24935 in Ubuntu 22.04. The attackers deployed Qbot via ADFind, establishing C2 communication with 172.172.205.84 and cdn-cache.org. A secondary payload was downloaded from hxxp://apiauth.info/callback. The malware binary (SHA256: 15a7cec160b72522fabcc7c0d59e767eee7ef161b34d9dd29f9f84b3d8a63434) was dropped to /etc/cron.d/dropper.ps1. Phishing emails were sent from security@credential-check.site targeting enterprise users. 
A backup C2 server was identified at 192.70.164.215.", "spans": {"ORGANIZATION: Rapid7": [[0, 6]], "THREAT_ACTOR: Kimsuky": [[54, 61]], "CVE_ID: CVE-2022-24935": [[91, 105]], "SYSTEM: Ubuntu 22.04": [[109, 121]], "MALWARE: Qbot": [[146, 150]], "TOOL: ADFind": [[155, 161]], "IP_ADDRESS: 172.172.205.84": [[198, 212]], "DOMAIN: cdn-cache.org": [[217, 230]], "URL: hxxp://apiauth.info/callback": [[272, 300]], "HASH: 15a7cec160b72522fabcc7c0d59e767eee7ef161b34d9dd29f9f84b3d8a63434": [[330, 394]], "FILEPATH: /etc/cron.d/dropper.ps1": [[411, 434]], "EMAIL: security@credential-check.site": [[467, 497]], "IP_ADDRESS: 192.70.164.215": [[563, 577]]}, "info": {"id": "synth_v2_00224", "source": "synthetic_v2"}} +{"text": "Microsoft MSRC published a threat intelligence report linking FIN7 to a new campaign exploiting CVE-2021-48618 in Progress Telerik. The attackers deployed Lumma Stealer via BloodHound, establishing C2 communication with 200.80.8.226 and cache-backup.site. A secondary payload was downloaded from https://logincloud.org/panel/index.html. The malware binary (MD5: 8045a876307c5034a9207efb379a2ca0) was dropped to C:\\Program Files\\Common Files\\helper.sh. Phishing emails were sent from security@document-share.link targeting enterprise users. 
A backup C2 server was identified at 21.3.3.46.", "spans": {"ORGANIZATION: Microsoft MSRC": [[0, 14]], "THREAT_ACTOR: FIN7": [[62, 66]], "CVE_ID: CVE-2021-48618": [[96, 110]], "SYSTEM: Progress Telerik": [[114, 130]], "MALWARE: Lumma Stealer": [[155, 168]], "TOOL: BloodHound": [[173, 183]], "IP_ADDRESS: 200.80.8.226": [[220, 232]], "DOMAIN: cache-backup.site": [[237, 254]], "URL: https://logincloud.org/panel/index.html": [[296, 335]], "HASH: 8045a876307c5034a9207efb379a2ca0": [[362, 394]], "FILEPATH: C:\\Program Files\\Common Files\\helper.sh": [[411, 450]], "EMAIL: security@document-share.link": [[483, 511]], "IP_ADDRESS: 21.3.3.46": [[577, 586]]}, "info": {"id": "synth_v2_00225", "source": "synthetic_v2"}} +{"text": "Google TAG published a threat intelligence report linking Forest Blizzard to a new campaign exploiting CVE-2026-10752 in Progress Telerik. The attackers deployed Cobalt Strike via ADFind, establishing C2 communication with 192.154.178.108 and static-mail.live. A secondary payload was downloaded from hxxps://relay-cloud.info/wp-content/uploads/doc.php. The malware binary (SHA256: bac29a9b6aeefd90b4e10c373953c04504252cfd57f3d6b883630053b3e6b62a) was dropped to C:\\Windows\\System32\\beacon.dll. Phishing emails were sent from verify@account-update.xyz targeting enterprise users. 
A backup C2 server was identified at 192.120.98.31.", "spans": {"ORGANIZATION: Google TAG": [[0, 10]], "THREAT_ACTOR: Forest Blizzard": [[58, 73]], "CVE_ID: CVE-2026-10752": [[103, 117]], "SYSTEM: Progress Telerik": [[121, 137]], "MALWARE: Cobalt Strike": [[162, 175]], "TOOL: ADFind": [[180, 186]], "IP_ADDRESS: 192.154.178.108": [[223, 238]], "DOMAIN: static-mail.live": [[243, 259]], "URL: hxxps://relay-cloud.info/wp-content/uploads/doc.php": [[301, 352]], "HASH: bac29a9b6aeefd90b4e10c373953c04504252cfd57f3d6b883630053b3e6b62a": [[382, 446]], "FILEPATH: C:\\Windows\\System32\\beacon.dll": [[463, 493]], "EMAIL: verify@account-update.xyz": [[526, 551]], "IP_ADDRESS: 192.120.98.31": [[617, 630]]}, "info": {"id": "synth_v2_00226", "source": "synthetic_v2"}} +{"text": "Check Point Research published a threat intelligence report linking Turla to a new campaign exploiting CVE-2024-42717 in Apache Struts. The attackers deployed Cobalt Strike via BloodHound, establishing C2 communication with 172.128.171.158 and secure-update.online. A secondary payload was downloaded from http://api-data.club/collect. The malware binary (SHA1: 9ae665d971cdbb6cc5285479f6d8d48e02c5f0a3) was dropped to /opt/app/bin/ntds.dit. Phishing emails were sent from billing@auth-check.org targeting enterprise users. 
A backup C2 server was identified at 12.53.26.237.", "spans": {"ORGANIZATION: Check Point Research": [[0, 20]], "THREAT_ACTOR: Turla": [[68, 73]], "CVE_ID: CVE-2024-42717": [[103, 117]], "SYSTEM: Apache Struts": [[121, 134]], "MALWARE: Cobalt Strike": [[159, 172]], "TOOL: BloodHound": [[177, 187]], "IP_ADDRESS: 172.128.171.158": [[224, 239]], "DOMAIN: secure-update.online": [[244, 264]], "URL: http://api-data.club/collect": [[306, 334]], "HASH: 9ae665d971cdbb6cc5285479f6d8d48e02c5f0a3": [[362, 402]], "FILEPATH: /opt/app/bin/ntds.dit": [[419, 440]], "EMAIL: billing@auth-check.org": [[473, 495]], "IP_ADDRESS: 12.53.26.237": [[561, 573]]}, "info": {"id": "synth_v2_00227", "source": "synthetic_v2"}} +{"text": "ESET Research published a threat intelligence report linking FIN7 to a new campaign exploiting CVE-2021-48618 in Microsoft Exchange. The attackers deployed Conti via Hashcat, establishing C2 communication with 223.102.192.229 and logincloud.dev. A secondary payload was downloaded from hxxp://secureportal.tech/gate.php. The malware binary (SHA1: d2b7b0a6a5de9832323e17cdd872f29f64568942) was dropped to /tmp/csrss.exe. Phishing emails were sent from hr@login-portal.tech targeting enterprise users. 
A backup C2 server was identified at 10.241.248.14.", "spans": {"ORGANIZATION: ESET Research": [[0, 13]], "THREAT_ACTOR: FIN7": [[61, 65]], "CVE_ID: CVE-2021-48618": [[95, 109]], "SYSTEM: Microsoft Exchange": [[113, 131]], "MALWARE: Conti": [[156, 161]], "TOOL: Hashcat": [[166, 173]], "IP_ADDRESS: 223.102.192.229": [[210, 225]], "DOMAIN: logincloud.dev": [[230, 244]], "URL: hxxp://secureportal.tech/gate.php": [[286, 319]], "HASH: d2b7b0a6a5de9832323e17cdd872f29f64568942": [[347, 387]], "FILEPATH: /tmp/csrss.exe": [[404, 418]], "EMAIL: hr@login-portal.tech": [[451, 471]], "IP_ADDRESS: 10.241.248.14": [[537, 550]]}, "info": {"id": "synth_v2_00228", "source": "synthetic_v2"}} +{"text": "Secureworks published a threat intelligence report linking Scattered Spider to a new campaign exploiting CVE-2020-25247 in Active Directory. The attackers deployed BlackCat via BloodHound, establishing C2 communication with 10.238.234.108 and static-secure.cc. A secondary payload was downloaded from http://api-gateway.live/wp-content/uploads/doc.php. The malware binary (SHA1: 378ffd5b20cdadcfef735db843ec5f29eb1d7665) was dropped to /dev/shm/sam.hive. Phishing emails were sent from hr@phishing-domain.com targeting enterprise users. 
A backup C2 server was identified at 172.112.151.155.", "spans": {"ORGANIZATION: Secureworks": [[0, 11]], "THREAT_ACTOR: Scattered Spider": [[59, 75]], "CVE_ID: CVE-2020-25247": [[105, 119]], "SYSTEM: Active Directory": [[123, 139]], "MALWARE: BlackCat": [[164, 172]], "TOOL: BloodHound": [[177, 187]], "IP_ADDRESS: 10.238.234.108": [[224, 238]], "DOMAIN: static-secure.cc": [[243, 259]], "URL: http://api-gateway.live/wp-content/uploads/doc.php": [[301, 351]], "HASH: 378ffd5b20cdadcfef735db843ec5f29eb1d7665": [[379, 419]], "FILEPATH: /dev/shm/sam.hive": [[436, 453]], "EMAIL: hr@phishing-domain.com": [[486, 508]], "IP_ADDRESS: 172.112.151.155": [[574, 589]]}, "info": {"id": "synth_v2_00229", "source": "synthetic_v2"}} +{"text": "Qualys published a threat intelligence report linking Aqua Blizzard to a new campaign exploiting CVE-2023-39714 in Microsoft Exchange. The attackers deployed XLoader via LinPEAS, establishing C2 communication with 112.113.76.234 and nodecdn.site. A secondary payload was downloaded from http://proxyauth.online/wp-content/uploads/doc.php. The malware binary (SHA256: ff1c5da8010ed28cff28c306aef9983ad9d4349ef391d47cb05d5140387e024e) was dropped to C:\\Windows\\Temp\\ntds.dit. Phishing emails were sent from billing@account-update.xyz targeting enterprise users. 
A backup C2 server was identified at 172.22.20.254.", "spans": {"ORGANIZATION: Qualys": [[0, 6]], "THREAT_ACTOR: Aqua Blizzard": [[54, 67]], "CVE_ID: CVE-2023-39714": [[97, 111]], "SYSTEM: Microsoft Exchange": [[115, 133]], "MALWARE: XLoader": [[158, 165]], "TOOL: LinPEAS": [[170, 177]], "IP_ADDRESS: 112.113.76.234": [[214, 228]], "DOMAIN: nodecdn.site": [[233, 245]], "URL: http://proxyauth.online/wp-content/uploads/doc.php": [[287, 337]], "HASH: ff1c5da8010ed28cff28c306aef9983ad9d4349ef391d47cb05d5140387e024e": [[367, 431]], "FILEPATH: C:\\Windows\\Temp\\ntds.dit": [[448, 472]], "EMAIL: billing@account-update.xyz": [[505, 531]], "IP_ADDRESS: 172.22.20.254": [[597, 610]]}, "info": {"id": "synth_v2_00230", "source": "synthetic_v2"}} +{"text": "Check Point Research published a threat intelligence report linking BlackTech to a new campaign exploiting CVE-2021-24446 in Windows Server 2019. The attackers deployed Gootloader via PsExec, establishing C2 communication with 172.156.82.181 and portal-secure.link. A secondary payload was downloaded from hxxps://relayupdate.live/callback. The malware binary (SHA1: 4c6263e8420777299756a4beee3aecf0d2dddc59) was dropped to /opt/app/bin/loader.exe. Phishing emails were sent from support@mail-service.info targeting enterprise users. 
A backup C2 server was identified at 220.12.232.119.", "spans": {"ORGANIZATION: Check Point Research": [[0, 20]], "THREAT_ACTOR: BlackTech": [[68, 77]], "CVE_ID: CVE-2021-24446": [[107, 121]], "SYSTEM: Windows Server 2019": [[125, 144]], "MALWARE: Gootloader": [[169, 179]], "TOOL: PsExec": [[184, 190]], "IP_ADDRESS: 172.156.82.181": [[227, 241]], "DOMAIN: portal-secure.link": [[246, 264]], "URL: hxxps://relayupdate.live/callback": [[306, 339]], "HASH: 4c6263e8420777299756a4beee3aecf0d2dddc59": [[367, 407]], "FILEPATH: /opt/app/bin/loader.exe": [[424, 447]], "EMAIL: support@mail-service.info": [[480, 505]], "IP_ADDRESS: 220.12.232.119": [[571, 585]]}, "info": {"id": "synth_v2_00231", "source": "synthetic_v2"}} +{"text": "INTERPOL published a threat intelligence report linking Storm-0558 to a new campaign exploiting CVE-2026-27261 in MOVEit Transfer. The attackers deployed SystemBC via WinPEAS, establishing C2 communication with 192.41.171.189 and mailrelay.cc. A secondary payload was downloaded from hxxps://mail-mail.org/panel/index.html. The malware binary (SHA1: 03a3ddbedb1bbe9dfff5b120630ac32acf882ef7) was dropped to /tmp/payload.bin. Phishing emails were sent from ceo@login-portal.tech targeting enterprise users. 
A backup C2 server was identified at 192.186.26.29.", "spans": {"ORGANIZATION: INTERPOL": [[0, 8]], "THREAT_ACTOR: Storm-0558": [[56, 66]], "CVE_ID: CVE-2026-27261": [[96, 110]], "SYSTEM: MOVEit Transfer": [[114, 129]], "MALWARE: SystemBC": [[154, 162]], "TOOL: WinPEAS": [[167, 174]], "IP_ADDRESS: 192.41.171.189": [[211, 225]], "DOMAIN: mailrelay.cc": [[230, 242]], "URL: hxxps://mail-mail.org/panel/index.html": [[284, 322]], "HASH: 03a3ddbedb1bbe9dfff5b120630ac32acf882ef7": [[350, 390]], "FILEPATH: /tmp/payload.bin": [[407, 423]], "EMAIL: ceo@login-portal.tech": [[456, 477]], "IP_ADDRESS: 192.186.26.29": [[543, 556]]}, "info": {"id": "synth_v2_00232", "source": "synthetic_v2"}} +{"text": "FBI published a threat intelligence report linking MuddyWater to a new campaign exploiting CVE-2022-22601 in Microsoft Exchange. The attackers deployed Conti via Sharphound, establishing C2 communication with 91.136.216.71 and nodenode.live. A secondary payload was downloaded from https://proxy-edge.top/gate.php. The malware binary (SHA1: 0f0ec49fd17b62e62b6c35e417e9756267929e69) was dropped to /etc/cron.d/chrome_helper.exe. Phishing emails were sent from billing@credential-check.site targeting enterprise users. 
A backup C2 server was identified at 10.190.176.116.", "spans": {"ORGANIZATION: FBI": [[0, 3]], "THREAT_ACTOR: MuddyWater": [[51, 61]], "CVE_ID: CVE-2022-22601": [[91, 105]], "SYSTEM: Microsoft Exchange": [[109, 127]], "MALWARE: Conti": [[152, 157]], "TOOL: Sharphound": [[162, 172]], "IP_ADDRESS: 91.136.216.71": [[209, 222]], "DOMAIN: nodenode.live": [[227, 240]], "URL: https://proxy-edge.top/gate.php": [[282, 313]], "HASH: 0f0ec49fd17b62e62b6c35e417e9756267929e69": [[341, 381]], "FILEPATH: /etc/cron.d/chrome_helper.exe": [[398, 427]], "EMAIL: billing@credential-check.site": [[460, 489]], "IP_ADDRESS: 10.190.176.116": [[555, 569]]}, "info": {"id": "synth_v2_00233", "source": "synthetic_v2"}} +{"text": "Symantec published a threat intelligence report linking Lazarus Group to a new campaign exploiting CVE-2022-45142 in Apache Struts. The attackers deployed Dridex via Ligolo, establishing C2 communication with 10.84.141.29 and backup-gateway.top. A secondary payload was downloaded from http://proxy-mail.site/assets/js/payload.js. The malware binary (SHA1: 64cc478ff183fbab60d87027b717505acbe5e1bd) was dropped to C:\\Windows\\Temp\\agent.py. Phishing emails were sent from billing@secure-verify.net targeting enterprise users. 
A backup C2 server was identified at 172.77.104.134.", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "THREAT_ACTOR: Lazarus Group": [[56, 69]], "CVE_ID: CVE-2022-45142": [[99, 113]], "SYSTEM: Apache Struts": [[117, 130]], "MALWARE: Dridex": [[155, 161]], "TOOL: Ligolo": [[166, 172]], "IP_ADDRESS: 10.84.141.29": [[209, 221]], "DOMAIN: backup-gateway.top": [[226, 244]], "URL: http://proxy-mail.site/assets/js/payload.js": [[286, 329]], "HASH: 64cc478ff183fbab60d87027b717505acbe5e1bd": [[357, 397]], "FILEPATH: C:\\Windows\\Temp\\agent.py": [[414, 438]], "EMAIL: billing@secure-verify.net": [[471, 496]], "IP_ADDRESS: 172.77.104.134": [[562, 576]]}, "info": {"id": "synth_v2_00234", "source": "synthetic_v2"}} +{"text": "NSA published a threat intelligence report linking APT28 to a new campaign exploiting CVE-2024-30673 in SonicWall SMA. The attackers deployed Play via Covenant, establishing C2 communication with 168.167.248.152 and securesync.xyz. A secondary payload was downloaded from hxxps://mailbackup.link/download/update.exe. The malware binary (MD5: 2ec7dca3f14e6104720dd0bf9a8135ea) was dropped to /home/user/.config/sam.hive. Phishing emails were sent from security@document-share.link targeting enterprise users. 
A backup C2 server was identified at 118.155.67.230.", "spans": {"ORGANIZATION: NSA": [[0, 3]], "THREAT_ACTOR: APT28": [[51, 56]], "CVE_ID: CVE-2024-30673": [[86, 100]], "SYSTEM: SonicWall SMA": [[104, 117]], "MALWARE: Play": [[142, 146]], "TOOL: Covenant": [[151, 159]], "IP_ADDRESS: 168.167.248.152": [[196, 211]], "DOMAIN: securesync.xyz": [[216, 230]], "URL: hxxps://mailbackup.link/download/update.exe": [[272, 315]], "HASH: 2ec7dca3f14e6104720dd0bf9a8135ea": [[342, 374]], "FILEPATH: /home/user/.config/sam.hive": [[391, 418]], "EMAIL: security@document-share.link": [[451, 479]], "IP_ADDRESS: 118.155.67.230": [[545, 559]]}, "info": {"id": "synth_v2_00235", "source": "synthetic_v2"}} +{"text": "NCSC published a threat intelligence report linking Diamond Sleet to a new campaign exploiting CVE-2023-45005 in Fortinet FortiGate. The attackers deployed REvil via WinPEAS, establishing C2 communication with 192.78.82.61 and mailsecure.xyz. A secondary payload was downloaded from https://storage-mail.org/gate.php. The malware binary (SHA1: 1ca71cb95e6afc884ded214adfb2f1beae38d0d6) was dropped to C:\\Users\\admin\\Downloads\\dropper.ps1. Phishing emails were sent from finance@secure-verify.net targeting enterprise users. 
A backup C2 server was identified at 10.162.64.113.", "spans": {"ORGANIZATION: NCSC": [[0, 4]], "THREAT_ACTOR: Diamond Sleet": [[52, 65]], "CVE_ID: CVE-2023-45005": [[95, 109]], "SYSTEM: Fortinet FortiGate": [[113, 131]], "MALWARE: REvil": [[156, 161]], "TOOL: WinPEAS": [[166, 173]], "IP_ADDRESS: 192.78.82.61": [[210, 222]], "DOMAIN: mailsecure.xyz": [[227, 241]], "URL: https://storage-mail.org/gate.php": [[283, 316]], "HASH: 1ca71cb95e6afc884ded214adfb2f1beae38d0d6": [[344, 384]], "FILEPATH: C:\\Users\\admin\\Downloads\\dropper.ps1": [[401, 437]], "EMAIL: finance@secure-verify.net": [[470, 495]], "IP_ADDRESS: 10.162.64.113": [[561, 574]]}, "info": {"id": "synth_v2_00236", "source": "synthetic_v2"}} +{"text": "FireEye published a threat intelligence report linking Diamond Sleet to a new campaign exploiting CVE-2026-10752 in Citrix NetScaler. The attackers deployed TrickBot via Ligolo, establishing C2 communication with 82.79.2.249 and cachelogin.link. A secondary payload was downloaded from http://storageauth.club/login. The malware binary (SHA256: 9a111a5553be537433c96ff740bc133a1ca1d9737db86231af5b6609b4a01052) was dropped to C:\\Users\\Public\\Documents\\agent.py. Phishing emails were sent from admin@identity-verify.cc targeting enterprise users. 
A backup C2 server was identified at 166.151.242.230.", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: Diamond Sleet": [[55, 68]], "CVE_ID: CVE-2026-10752": [[98, 112]], "SYSTEM: Citrix NetScaler": [[116, 132]], "MALWARE: TrickBot": [[157, 165]], "TOOL: Ligolo": [[170, 176]], "IP_ADDRESS: 82.79.2.249": [[213, 224]], "DOMAIN: cachelogin.link": [[229, 244]], "URL: http://storageauth.club/login": [[286, 315]], "HASH: 9a111a5553be537433c96ff740bc133a1ca1d9737db86231af5b6609b4a01052": [[345, 409]], "FILEPATH: C:\\Users\\Public\\Documents\\agent.py": [[426, 460]], "EMAIL: admin@identity-verify.cc": [[493, 517]], "IP_ADDRESS: 166.151.242.230": [[583, 598]]}, "info": {"id": "synth_v2_00237", "source": "synthetic_v2"}} +{"text": "SentinelOne published a threat intelligence report linking Gamaredon to a new campaign exploiting CVE-2021-24446 in Atlassian Confluence. The attackers deployed Play via Brute Ratel, establishing C2 communication with 192.99.113.201 and apinode.site. A secondary payload was downloaded from hxxps://proxy-storage.cc/admin/config. The malware binary (MD5: cb214460df2524d9f2d95ffb3ebec031) was dropped to C:\\Users\\admin\\Desktop\\payload.bin. Phishing emails were sent from contact@auth-check.org targeting enterprise users. 
A backup C2 server was identified at 51.11.42.138.", "spans": {"ORGANIZATION: SentinelOne": [[0, 11]], "THREAT_ACTOR: Gamaredon": [[59, 68]], "CVE_ID: CVE-2021-24446": [[98, 112]], "SYSTEM: Atlassian Confluence": [[116, 136]], "MALWARE: Play": [[161, 165]], "TOOL: Brute Ratel": [[170, 181]], "IP_ADDRESS: 192.99.113.201": [[218, 232]], "DOMAIN: apinode.site": [[237, 249]], "URL: hxxps://proxy-storage.cc/admin/config": [[291, 328]], "HASH: cb214460df2524d9f2d95ffb3ebec031": [[355, 387]], "FILEPATH: C:\\Users\\admin\\Desktop\\payload.bin": [[404, 438]], "EMAIL: contact@auth-check.org": [[471, 493]], "IP_ADDRESS: 51.11.42.138": [[559, 571]]}, "info": {"id": "synth_v2_00238", "source": "synthetic_v2"}} +{"text": "Trend Micro published a threat intelligence report linking Volt Typhoon to a new campaign exploiting CVE-2024-14337 in Ivanti Connect Secure. The attackers deployed RedLine Stealer via Mimikatz, establishing C2 communication with 115.44.110.187 and gateway-gateway.org. A secondary payload was downloaded from http://login-cloud.info/panel/index.html. The malware binary (MD5: 596f37d5c5c10fb8d12ed13f131fc9ca) was dropped to C:\\ProgramData\\shell.php. Phishing emails were sent from service@secure-verify.net targeting enterprise users. 
A backup C2 server was identified at 190.212.226.74.", "spans": {"ORGANIZATION: Trend Micro": [[0, 11]], "THREAT_ACTOR: Volt Typhoon": [[59, 71]], "CVE_ID: CVE-2024-14337": [[101, 115]], "SYSTEM: Ivanti Connect Secure": [[119, 140]], "MALWARE: RedLine Stealer": [[165, 180]], "TOOL: Mimikatz": [[185, 193]], "IP_ADDRESS: 115.44.110.187": [[230, 244]], "DOMAIN: gateway-gateway.org": [[249, 268]], "URL: http://login-cloud.info/panel/index.html": [[310, 350]], "HASH: 596f37d5c5c10fb8d12ed13f131fc9ca": [[377, 409]], "FILEPATH: C:\\ProgramData\\shell.php": [[426, 450]], "EMAIL: service@secure-verify.net": [[483, 508]], "IP_ADDRESS: 190.212.226.74": [[574, 588]]}, "info": {"id": "synth_v2_00239", "source": "synthetic_v2"}} +{"text": "FireEye published a threat intelligence report linking APT28 to a new campaign exploiting CVE-2023-27496 in SonicWall SMA. The attackers deployed FormBook via Sharphound, establishing C2 communication with 192.236.70.52 and cachebackup.online. A secondary payload was downloaded from hxxps://dataupdate.link/download/update.exe. The malware binary (MD5: 74c7254c9956aad94cfc6318829457b7) was dropped to /home/user/.config/beacon.dll. Phishing emails were sent from alert@mail-service.info targeting enterprise users. 
A backup C2 server was identified at 172.148.251.11.", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: APT28": [[55, 60]], "CVE_ID: CVE-2023-27496": [[90, 104]], "SYSTEM: SonicWall SMA": [[108, 121]], "MALWARE: FormBook": [[146, 154]], "TOOL: Sharphound": [[159, 169]], "IP_ADDRESS: 192.236.70.52": [[206, 219]], "DOMAIN: cachebackup.online": [[224, 242]], "URL: hxxps://dataupdate.link/download/update.exe": [[284, 327]], "HASH: 74c7254c9956aad94cfc6318829457b7": [[354, 386]], "FILEPATH: /home/user/.config/beacon.dll": [[403, 432]], "EMAIL: alert@mail-service.info": [[465, 488]], "IP_ADDRESS: 172.148.251.11": [[554, 568]]}, "info": {"id": "synth_v2_00240", "source": "synthetic_v2"}} +{"text": "FireEye published a threat intelligence report linking Storm-0558 to a new campaign exploiting CVE-2023-28217 in Windows Server 2019. The attackers deployed DarkSide via PowerShell Empire, establishing C2 communication with 172.252.34.154 and proxyauth.tech. A secondary payload was downloaded from hxxps://sync-secure.cc/download/update.exe. The malware binary (MD5: 95974a7bf27e08ea33589fdb737c315f) was dropped to C:\\Windows\\Tasks\\payload.bin. Phishing emails were sent from it@account-update.xyz targeting enterprise users. 
A backup C2 server was identified at 149.246.223.223.", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: Storm-0558": [[55, 65]], "CVE_ID: CVE-2023-28217": [[95, 109]], "SYSTEM: Windows Server 2019": [[113, 132]], "MALWARE: DarkSide": [[157, 165]], "TOOL: PowerShell Empire": [[170, 187]], "IP_ADDRESS: 172.252.34.154": [[224, 238]], "DOMAIN: proxyauth.tech": [[243, 257]], "URL: hxxps://sync-secure.cc/download/update.exe": [[299, 341]], "HASH: 95974a7bf27e08ea33589fdb737c315f": [[368, 400]], "FILEPATH: C:\\Windows\\Tasks\\payload.bin": [[417, 445]], "EMAIL: it@account-update.xyz": [[478, 499]], "IP_ADDRESS: 149.246.223.223": [[565, 580]]}, "info": {"id": "synth_v2_00241", "source": "synthetic_v2"}} +{"text": "Dragos published a threat intelligence report linking APT29 to a new campaign exploiting CVE-2024-30622 in Windows 11. The attackers deployed SystemBC via Chisel, establishing C2 communication with 75.39.99.197 and backupsync.top. A secondary payload was downloaded from https://authedge.cc/download/update.exe. The malware binary (SHA256: 71e0bfdef98e8357d71adf8724dd0e31a238a95879b1979ac1d3353dc48d5d78) was dropped to C:\\Windows\\System32\\loader.exe. Phishing emails were sent from finance@auth-check.org targeting enterprise users. 
A backup C2 server was identified at 10.85.165.224.", "spans": {"ORGANIZATION: Dragos": [[0, 6]], "THREAT_ACTOR: APT29": [[54, 59]], "CVE_ID: CVE-2024-30622": [[89, 103]], "SYSTEM: Windows 11": [[107, 117]], "MALWARE: SystemBC": [[142, 150]], "TOOL: Chisel": [[155, 161]], "IP_ADDRESS: 75.39.99.197": [[198, 210]], "DOMAIN: backupsync.top": [[215, 229]], "URL: https://authedge.cc/download/update.exe": [[271, 310]], "HASH: 71e0bfdef98e8357d71adf8724dd0e31a238a95879b1979ac1d3353dc48d5d78": [[340, 404]], "FILEPATH: C:\\Windows\\System32\\loader.exe": [[421, 451]], "EMAIL: finance@auth-check.org": [[484, 506]], "IP_ADDRESS: 10.85.165.224": [[572, 585]]}, "info": {"id": "synth_v2_00242", "source": "synthetic_v2"}} +{"text": "Sophos X-Ops published a threat intelligence report linking Velvet Tempest to a new campaign exploiting CVE-2022-49565 in VMware ESXi. The attackers deployed Qbot via Sliver, establishing C2 communication with 10.113.96.204 and update-proxy.tech. A secondary payload was downloaded from http://maillogin.live/collect. The malware binary (SHA1: dbfdc6813a44c44961e2950b16964ce8e5017cd3) was dropped to /opt/app/bin/config.dat. Phishing emails were sent from finance@phishing-domain.com targeting enterprise users. 
A backup C2 server was identified at 172.235.39.30.", "spans": {"ORGANIZATION: Sophos X-Ops": [[0, 12]], "THREAT_ACTOR: Velvet Tempest": [[60, 74]], "CVE_ID: CVE-2022-49565": [[104, 118]], "SYSTEM: VMware ESXi": [[122, 133]], "MALWARE: Qbot": [[158, 162]], "TOOL: Sliver": [[167, 173]], "IP_ADDRESS: 10.113.96.204": [[210, 223]], "DOMAIN: update-proxy.tech": [[228, 245]], "URL: http://maillogin.live/collect": [[287, 316]], "HASH: dbfdc6813a44c44961e2950b16964ce8e5017cd3": [[344, 384]], "FILEPATH: /opt/app/bin/config.dat": [[401, 424]], "EMAIL: finance@phishing-domain.com": [[457, 484]], "IP_ADDRESS: 172.235.39.30": [[550, 563]]}, "info": {"id": "synth_v2_00243", "source": "synthetic_v2"}} +{"text": "Microsoft MSRC published a threat intelligence report linking Aqua Blizzard to a new campaign exploiting CVE-2021-16078 in Microsoft Exchange. The attackers deployed Conti via PsExec, establishing C2 communication with 33.107.66.252 and gatewaycdn.xyz. A secondary payload was downloaded from hxxps://cdn-node.cc/gate.php. The malware binary (SHA256: a0294850016534073d2b46bd74453a3cf8d98360bbfe368787503edefad54329) was dropped to /usr/local/bin/update.dll. Phishing emails were sent from info@mail-service.info targeting enterprise users. 
A backup C2 server was identified at 172.57.39.5.", "spans": {"ORGANIZATION: Microsoft MSRC": [[0, 14]], "THREAT_ACTOR: Aqua Blizzard": [[62, 75]], "CVE_ID: CVE-2021-16078": [[105, 119]], "SYSTEM: Microsoft Exchange": [[123, 141]], "MALWARE: Conti": [[166, 171]], "TOOL: PsExec": [[176, 182]], "IP_ADDRESS: 33.107.66.252": [[219, 232]], "DOMAIN: gatewaycdn.xyz": [[237, 251]], "URL: hxxps://cdn-node.cc/gate.php": [[293, 321]], "HASH: a0294850016534073d2b46bd74453a3cf8d98360bbfe368787503edefad54329": [[351, 415]], "FILEPATH: /usr/local/bin/update.dll": [[432, 457]], "EMAIL: info@mail-service.info": [[490, 512]], "IP_ADDRESS: 172.57.39.5": [[578, 589]]}, "info": {"id": "synth_v2_00244", "source": "synthetic_v2"}} +{"text": "Palo Alto Unit 42 published a threat intelligence report linking Star Blizzard to a new campaign exploiting CVE-2021-28210 in Progress Telerik. The attackers deployed Emotet via Seatbelt, establishing C2 communication with 192.102.94.172 and cachemail.tech. A secondary payload was downloaded from hxxps://node-static.xyz/api/v2/auth. The malware binary (SHA1: 8e42764f576660165cf1b2d8c109813a4882d606) was dropped to C:\\Windows\\Temp\\loader.exe. Phishing emails were sent from billing@login-portal.tech targeting enterprise users. 
A backup C2 server was identified at 8.46.74.217.", "spans": {"ORGANIZATION: Palo Alto Unit 42": [[0, 17]], "THREAT_ACTOR: Star Blizzard": [[65, 78]], "CVE_ID: CVE-2021-28210": [[108, 122]], "SYSTEM: Progress Telerik": [[126, 142]], "MALWARE: Emotet": [[167, 173]], "TOOL: Seatbelt": [[178, 186]], "IP_ADDRESS: 192.102.94.172": [[223, 237]], "DOMAIN: cachemail.tech": [[242, 256]], "URL: hxxps://node-static.xyz/api/v2/auth": [[298, 333]], "HASH: 8e42764f576660165cf1b2d8c109813a4882d606": [[361, 401]], "FILEPATH: C:\\Windows\\Temp\\loader.exe": [[418, 444]], "EMAIL: billing@login-portal.tech": [[477, 502]], "IP_ADDRESS: 8.46.74.217": [[568, 579]]}, "info": {"id": "synth_v2_00245", "source": "synthetic_v2"}} +{"text": "Huntress published a threat intelligence report linking TA505 to a new campaign exploiting CVE-2026-10212 in Windows Server 2019. The attackers deployed REvil via Mythic, establishing C2 communication with 10.243.187.179 and portalgateway.xyz. A secondary payload was downloaded from https://gateway-auth.link/api/v2/auth. The malware binary (MD5: dc061f1293aa6ed4de6d16af5734092e) was dropped to C:\\Users\\Public\\Documents\\loader.exe. Phishing emails were sent from noreply@credential-check.site targeting enterprise users. 
A backup C2 server was identified at 172.54.92.214.", "spans": {"ORGANIZATION: Huntress": [[0, 8]], "THREAT_ACTOR: TA505": [[56, 61]], "CVE_ID: CVE-2026-10212": [[91, 105]], "SYSTEM: Windows Server 2019": [[109, 128]], "MALWARE: REvil": [[153, 158]], "TOOL: Mythic": [[163, 169]], "IP_ADDRESS: 10.243.187.179": [[206, 220]], "DOMAIN: portalgateway.xyz": [[225, 242]], "URL: https://gateway-auth.link/api/v2/auth": [[284, 321]], "HASH: dc061f1293aa6ed4de6d16af5734092e": [[348, 380]], "FILEPATH: C:\\Users\\Public\\Documents\\loader.exe": [[397, 433]], "EMAIL: noreply@credential-check.site": [[466, 495]], "IP_ADDRESS: 172.54.92.214": [[561, 574]]}, "info": {"id": "synth_v2_00246", "source": "synthetic_v2"}} +{"text": "Trend Micro published a threat intelligence report linking Velvet Tempest to a new campaign exploiting CVE-2020-37651 in Ubuntu 22.04. The attackers deployed RedLine Stealer via WinPEAS, establishing C2 communication with 127.59.197.73 and backupgateway.xyz. A secondary payload was downloaded from hxxps://proxy-mail.org/admin/config. The malware binary (MD5: 53ab9f9a156ca59ba077469a72d84692) was dropped to C:\\Users\\Public\\Documents\\lsass.dmp. Phishing emails were sent from updates@urgent-notice.online targeting enterprise users. 
A backup C2 server was identified at 154.159.227.58.", "spans": {"ORGANIZATION: Trend Micro": [[0, 11]], "THREAT_ACTOR: Velvet Tempest": [[59, 73]], "CVE_ID: CVE-2020-37651": [[103, 117]], "SYSTEM: Ubuntu 22.04": [[121, 133]], "MALWARE: RedLine Stealer": [[158, 173]], "TOOL: WinPEAS": [[178, 185]], "IP_ADDRESS: 127.59.197.73": [[222, 235]], "DOMAIN: backupgateway.xyz": [[240, 257]], "URL: hxxps://proxy-mail.org/admin/config": [[299, 334]], "HASH: 53ab9f9a156ca59ba077469a72d84692": [[361, 393]], "FILEPATH: C:\\Users\\Public\\Documents\\lsass.dmp": [[410, 445]], "EMAIL: updates@urgent-notice.online": [[478, 506]], "IP_ADDRESS: 154.159.227.58": [[572, 586]]}, "info": {"id": "synth_v2_00247", "source": "synthetic_v2"}} +{"text": "Microsoft MSRC published a threat intelligence report linking Star Blizzard to a new campaign exploiting CVE-2025-45322 in Cisco ASA. The attackers deployed Dridex via Metasploit, establishing C2 communication with 192.86.33.94 and gateway-proxy.info. A secondary payload was downloaded from http://portalmail.online/gate.php. The malware binary (SHA1: f41c15beab8bb6c53694a6b74a6693a860692dee) was dropped to /usr/local/bin/payload.bin. Phishing emails were sent from updates@secure-verify.net targeting enterprise users. 
A backup C2 server was identified at 172.102.206.32.", "spans": {"ORGANIZATION: Microsoft MSRC": [[0, 14]], "THREAT_ACTOR: Star Blizzard": [[62, 75]], "CVE_ID: CVE-2025-45322": [[105, 119]], "SYSTEM: Cisco ASA": [[123, 132]], "MALWARE: Dridex": [[157, 163]], "TOOL: Metasploit": [[168, 178]], "IP_ADDRESS: 192.86.33.94": [[215, 227]], "DOMAIN: gateway-proxy.info": [[232, 250]], "URL: http://portalmail.online/gate.php": [[292, 325]], "HASH: f41c15beab8bb6c53694a6b74a6693a860692dee": [[353, 393]], "FILEPATH: /usr/local/bin/payload.bin": [[410, 436]], "EMAIL: updates@secure-verify.net": [[469, 494]], "IP_ADDRESS: 172.102.206.32": [[560, 574]]}, "info": {"id": "synth_v2_00248", "source": "synthetic_v2"}} +{"text": "FBI published a threat intelligence report linking Kimsuky to a new campaign exploiting CVE-2022-25256 in Citrix NetScaler. The attackers deployed SmokeLoader via PowerShell Empire, establishing C2 communication with 10.27.34.128 and staticstatic.net. A secondary payload was downloaded from http://node-proxy.link/wp-content/uploads/doc.php. The malware binary (MD5: b968e8d522a0112b31ea569b7a2e548b) was dropped to /dev/shm/beacon.dll. Phishing emails were sent from account@mail-service.info targeting enterprise users. 
A backup C2 server was identified at 10.195.167.40.", "spans": {"ORGANIZATION: FBI": [[0, 3]], "THREAT_ACTOR: Kimsuky": [[51, 58]], "CVE_ID: CVE-2022-25256": [[88, 102]], "SYSTEM: Citrix NetScaler": [[106, 122]], "MALWARE: SmokeLoader": [[147, 158]], "TOOL: PowerShell Empire": [[163, 180]], "IP_ADDRESS: 10.27.34.128": [[217, 229]], "DOMAIN: staticstatic.net": [[234, 250]], "URL: http://node-proxy.link/wp-content/uploads/doc.php": [[292, 341]], "HASH: b968e8d522a0112b31ea569b7a2e548b": [[368, 400]], "FILEPATH: /dev/shm/beacon.dll": [[417, 436]], "EMAIL: account@mail-service.info": [[469, 494]], "IP_ADDRESS: 10.195.167.40": [[560, 573]]}, "info": {"id": "synth_v2_00249", "source": "synthetic_v2"}} +{"text": "Qualys published a threat intelligence report linking MuddyWater to a new campaign exploiting CVE-2026-27261 in Barracuda ESG. The attackers deployed NjRAT via GhostPack, establishing C2 communication with 10.220.60.99 and cdn-secure.io. A secondary payload was downloaded from hxxp://secureproxy.site/portal/verify. The malware binary (SHA1: d319d2ca1e5e0fb3f819c50cf2d1011d6f3e6f01) was dropped to C:\\Users\\admin\\Desktop\\beacon.dll. Phishing emails were sent from alert@document-share.link targeting enterprise users. 
A backup C2 server was identified at 81.192.226.118.", "spans": {"ORGANIZATION: Qualys": [[0, 6]], "THREAT_ACTOR: MuddyWater": [[54, 64]], "CVE_ID: CVE-2026-27261": [[94, 108]], "SYSTEM: Barracuda ESG": [[112, 125]], "MALWARE: NjRAT": [[150, 155]], "TOOL: GhostPack": [[160, 169]], "IP_ADDRESS: 10.220.60.99": [[206, 218]], "DOMAIN: cdn-secure.io": [[223, 236]], "URL: hxxp://secureproxy.site/portal/verify": [[278, 315]], "HASH: d319d2ca1e5e0fb3f819c50cf2d1011d6f3e6f01": [[343, 383]], "FILEPATH: C:\\Users\\admin\\Desktop\\beacon.dll": [[400, 433]], "EMAIL: alert@document-share.link": [[466, 491]], "IP_ADDRESS: 81.192.226.118": [[557, 571]]}, "info": {"id": "synth_v2_00250", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 122.80.28.101, the SentinelOne IR team identified Qbot running as C:\\Windows\\Temp\\winlogon.exe. The threat actor, believed to be Star Blizzard, used Certutil for credential harvesting and PowerView for lateral movement. Exfiltrated data was sent to storagecdn.com and login-mail.tech. The initial dropper (MD5: c8b3f4fde8db41555bb75bfddb5db340) was delivered via a phishing email from it@identity-verify.cc. 
A second C2 node was observed at 127.193.180.197, with a persistence mechanism writing to C:\\Users\\admin\\Desktop\\taskhost.exe.", "spans": {"IP_ADDRESS: 122.80.28.101": [[64, 77]], "ORGANIZATION: SentinelOne": [[83, 94]], "MALWARE: Qbot": [[114, 118]], "FILEPATH: C:\\Windows\\Temp\\winlogon.exe": [[130, 158]], "THREAT_ACTOR: Star Blizzard": [[193, 206]], "TOOL: Certutil": [[213, 221]], "TOOL: PowerView": [[252, 261]], "DOMAIN: storagecdn.com": [[313, 327]], "DOMAIN: login-mail.tech": [[332, 347]], "HASH: c8b3f4fde8db41555bb75bfddb5db340": [[375, 407]], "EMAIL: it@identity-verify.cc": [[449, 470]], "IP_ADDRESS: 127.193.180.197": [[505, 520]], "FILEPATH: C:\\Users\\admin\\Desktop\\taskhost.exe": [[562, 597]]}, "info": {"id": "synth_v2_00251", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 10.159.43.234, the CrowdStrike IR team identified AgentTesla running as C:\\Program Files\\Common Files\\backdoor.elf. The threat actor, believed to be APT29, used PowerView for credential harvesting and PsExec for lateral movement. Exfiltrated data was sent to edge-storage.com and gatewaycache.io. The initial dropper (SHA1: a660d9215ff3d6493e79be01f6f104e0a75c5537) was delivered via a phishing email from ceo@identity-verify.cc. 
A second C2 node was observed at 172.58.172.44, with a persistence mechanism writing to C:\\Windows\\Temp\\beacon.dll.", "spans": {"IP_ADDRESS: 10.159.43.234": [[64, 77]], "ORGANIZATION: CrowdStrike": [[83, 94]], "MALWARE: AgentTesla": [[114, 124]], "FILEPATH: C:\\Program Files\\Common Files\\backdoor.elf": [[136, 178]], "THREAT_ACTOR: APT29": [[213, 218]], "TOOL: PowerView": [[225, 234]], "TOOL: PsExec": [[265, 271]], "DOMAIN: edge-storage.com": [[323, 339]], "DOMAIN: gatewaycache.io": [[344, 359]], "HASH: a660d9215ff3d6493e79be01f6f104e0a75c5537": [[388, 428]], "EMAIL: ceo@identity-verify.cc": [[470, 492]], "IP_ADDRESS: 172.58.172.44": [[527, 540]], "FILEPATH: C:\\Windows\\Temp\\beacon.dll": [[582, 608]]}, "info": {"id": "synth_v2_00252", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.51.105.87, the Proofpoint IR team identified DanaBot running as /home/user/.config/backdoor.elf. The threat actor, believed to be Volt Typhoon, used Hashcat for credential harvesting and BITSAdmin for lateral movement. Exfiltrated data was sent to mailgateway.xyz and apiedge.xyz. The initial dropper (SHA1: 7374ea52b1ef41fed341209738cf3000ab8330a3) was delivered via a phishing email from helpdesk@document-share.link. 
A second C2 node was observed at 129.173.85.158, with a persistence mechanism writing to C:\\Users\\admin\\AppData\\Local\\Temp\\agent.py.", "spans": {"IP_ADDRESS: 172.51.105.87": [[64, 77]], "ORGANIZATION: Proofpoint": [[83, 93]], "MALWARE: DanaBot": [[113, 120]], "FILEPATH: /home/user/.config/backdoor.elf": [[132, 163]], "THREAT_ACTOR: Volt Typhoon": [[198, 210]], "TOOL: Hashcat": [[217, 224]], "TOOL: BITSAdmin": [[255, 264]], "DOMAIN: mailgateway.xyz": [[316, 331]], "DOMAIN: apiedge.xyz": [[336, 347]], "HASH: 7374ea52b1ef41fed341209738cf3000ab8330a3": [[376, 416]], "EMAIL: helpdesk@document-share.link": [[458, 486]], "IP_ADDRESS: 129.173.85.158": [[521, 535]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\agent.py": [[577, 619]]}, "info": {"id": "synth_v2_00253", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 192.172.139.18, the NSA IR team identified Dridex running as /tmp/ntds.dit. The threat actor, believed to be Forest Blizzard, used Havoc for credential harvesting and BITSAdmin for lateral movement. Exfiltrated data was sent to backup-node.link and gatewayedge.tech. The initial dropper (SHA1: 9836a2e930894421911dae6282bb6988be3ae7c9) was delivered via a phishing email from updates@urgent-notice.online. 
A second C2 node was observed at 110.107.177.204, with a persistence mechanism writing to C:\\Users\\admin\\Desktop\\backdoor.elf.", "spans": {"IP_ADDRESS: 192.172.139.18": [[64, 78]], "ORGANIZATION: NSA": [[84, 87]], "MALWARE: Dridex": [[107, 113]], "FILEPATH: /tmp/ntds.dit": [[125, 138]], "THREAT_ACTOR: Forest Blizzard": [[173, 188]], "TOOL: Havoc": [[195, 200]], "TOOL: BITSAdmin": [[231, 240]], "DOMAIN: backup-node.link": [[292, 308]], "DOMAIN: gatewayedge.tech": [[313, 329]], "HASH: 9836a2e930894421911dae6282bb6988be3ae7c9": [[358, 398]], "EMAIL: updates@urgent-notice.online": [[440, 468]], "IP_ADDRESS: 110.107.177.204": [[503, 518]], "FILEPATH: C:\\Users\\admin\\Desktop\\backdoor.elf": [[560, 595]]}, "info": {"id": "synth_v2_00254", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 192.255.109.170, the Cisco Talos IR team identified DarkSide running as C:\\Program Files\\Common Files\\ntds.dit. The threat actor, believed to be Silk Typhoon, used Mimikatz for credential harvesting and Sharphound for lateral movement. Exfiltrated data was sent to mail-relay.org and login-backup.live. The initial dropper (SHA1: b4d1279fc6252638488a4b2d6f3abd005274b9be) was delivered via a phishing email from contact@mail-service.info. 
A second C2 node was observed at 69.222.30.134, with a persistence mechanism writing to /opt/app/bin/chrome_helper.exe.", "spans": {"IP_ADDRESS: 192.255.109.170": [[64, 79]], "ORGANIZATION: Cisco Talos": [[85, 96]], "MALWARE: DarkSide": [[116, 124]], "FILEPATH: C:\\Program Files\\Common Files\\ntds.dit": [[136, 174]], "THREAT_ACTOR: Silk Typhoon": [[209, 221]], "TOOL: Mimikatz": [[228, 236]], "TOOL: Sharphound": [[267, 277]], "DOMAIN: mail-relay.org": [[329, 343]], "DOMAIN: login-backup.live": [[348, 365]], "HASH: b4d1279fc6252638488a4b2d6f3abd005274b9be": [[394, 434]], "EMAIL: contact@mail-service.info": [[476, 501]], "IP_ADDRESS: 69.222.30.134": [[536, 549]], "FILEPATH: /opt/app/bin/chrome_helper.exe": [[591, 621]]}, "info": {"id": "synth_v2_00255", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.122.58.39, the NCSC IR team identified Gootloader running as C:\\Windows\\System32\\svchost.exe. The threat actor, believed to be UNC2452, used Rubeus for credential harvesting and Nmap for lateral movement. Exfiltrated data was sent to edgegateway.site and cloud-secure.info. The initial dropper (SHA1: dc95913bd363c5dcd794d416243a8c5356d9711f) was delivered via a phishing email from security@phishing-domain.com. 
A second C2 node was observed at 10.125.158.119, with a persistence mechanism writing to /usr/local/bin/backdoor.elf.", "spans": {"IP_ADDRESS: 172.122.58.39": [[64, 77]], "ORGANIZATION: NCSC": [[83, 87]], "MALWARE: Gootloader": [[107, 117]], "FILEPATH: C:\\Windows\\System32\\svchost.exe": [[129, 160]], "THREAT_ACTOR: UNC2452": [[195, 202]], "TOOL: Rubeus": [[209, 215]], "TOOL: Nmap": [[246, 250]], "DOMAIN: edgegateway.site": [[302, 318]], "DOMAIN: cloud-secure.info": [[323, 340]], "HASH: dc95913bd363c5dcd794d416243a8c5356d9711f": [[369, 409]], "EMAIL: security@phishing-domain.com": [[451, 479]], "IP_ADDRESS: 10.125.158.119": [[514, 528]], "FILEPATH: /usr/local/bin/backdoor.elf": [[570, 597]]}, "info": {"id": "synth_v2_00256", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.152.32.231, the Palo Alto Unit 42 IR team identified Qbot running as /usr/local/bin/beacon.dll. The threat actor, believed to be Granite Typhoon, used Mimikatz for credential harvesting and BloodHound for lateral movement. Exfiltrated data was sent to data-auth.cc and node-cache.link. The initial dropper (SHA1: d30c2a7ce678a84ad24d8e1055eb325edccf51c3) was delivered via a phishing email from ceo@auth-check.org. 
A second C2 node was observed at 94.46.203.242, with a persistence mechanism writing to C:\\ProgramData\\helper.sh.", "spans": {"IP_ADDRESS: 172.152.32.231": [[64, 78]], "ORGANIZATION: Palo Alto Unit 42": [[84, 101]], "MALWARE: Qbot": [[121, 125]], "FILEPATH: /usr/local/bin/beacon.dll": [[137, 162]], "THREAT_ACTOR: Granite Typhoon": [[197, 212]], "TOOL: Mimikatz": [[219, 227]], "TOOL: BloodHound": [[258, 268]], "DOMAIN: data-auth.cc": [[320, 332]], "DOMAIN: node-cache.link": [[337, 352]], "HASH: d30c2a7ce678a84ad24d8e1055eb325edccf51c3": [[381, 421]], "EMAIL: ceo@auth-check.org": [[463, 481]], "IP_ADDRESS: 94.46.203.242": [[516, 529]], "FILEPATH: C:\\ProgramData\\helper.sh": [[571, 595]]}, "info": {"id": "synth_v2_00257", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.111.73.28, the SentinelOne IR team identified Lumma Stealer running as C:\\Program Files\\Common Files\\beacon.dll. The threat actor, believed to be Aqua Blizzard, used Ligolo for credential harvesting and GhostPack for lateral movement. Exfiltrated data was sent to cachecdn.online and authstorage.io. The initial dropper (SHA256: 9b79674b67a51ef460f1a8d6c8fb317e97b89081d19ad4df82585a350f5026af) was delivered via a phishing email from verify@auth-check.org. 
A second C2 node was observed at 10.140.225.105, with a persistence mechanism writing to /var/tmp/backdoor.elf.", "spans": {"IP_ADDRESS: 172.111.73.28": [[64, 77]], "ORGANIZATION: SentinelOne": [[83, 94]], "MALWARE: Lumma Stealer": [[114, 127]], "FILEPATH: C:\\Program Files\\Common Files\\beacon.dll": [[139, 179]], "THREAT_ACTOR: Aqua Blizzard": [[214, 227]], "TOOL: Ligolo": [[234, 240]], "TOOL: GhostPack": [[271, 280]], "DOMAIN: cachecdn.online": [[332, 347]], "DOMAIN: authstorage.io": [[352, 366]], "HASH: 9b79674b67a51ef460f1a8d6c8fb317e97b89081d19ad4df82585a350f5026af": [[397, 461]], "EMAIL: verify@auth-check.org": [[503, 524]], "IP_ADDRESS: 10.140.225.105": [[559, 573]], "FILEPATH: /var/tmp/backdoor.elf": [[615, 636]]}, "info": {"id": "synth_v2_00258", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 192.27.122.65, the Check Point Research IR team identified AsyncRAT running as /var/tmp/agent.py. The threat actor, believed to be APT28, used Sharphound for credential harvesting and Mythic for lateral movement. Exfiltrated data was sent to relay-portal.com and syncbackup.net. The initial dropper (MD5: 250e702092cce59213fb9ad5181d3f0a) was delivered via a phishing email from ceo@identity-verify.cc. 
A second C2 node was observed at 80.185.62.137, with a persistence mechanism writing to /tmp/config.dat.", "spans": {"IP_ADDRESS: 192.27.122.65": [[64, 77]], "ORGANIZATION: Check Point Research": [[83, 103]], "MALWARE: AsyncRAT": [[123, 131]], "FILEPATH: /var/tmp/agent.py": [[143, 160]], "THREAT_ACTOR: APT28": [[195, 200]], "TOOL: Sharphound": [[207, 217]], "TOOL: Mythic": [[248, 254]], "DOMAIN: relay-portal.com": [[306, 322]], "DOMAIN: syncbackup.net": [[327, 341]], "HASH: 250e702092cce59213fb9ad5181d3f0a": [[369, 401]], "EMAIL: ceo@identity-verify.cc": [[443, 465]], "IP_ADDRESS: 80.185.62.137": [[500, 513]], "FILEPATH: /tmp/config.dat": [[555, 570]]}, "info": {"id": "synth_v2_00259", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 121.211.170.184, the Check Point Research IR team identified Cobalt Strike running as /opt/app/bin/sam.hive. The threat actor, believed to be FIN11, used Havoc for credential harvesting and Impacket for lateral movement. Exfiltrated data was sent to nodeapi.tech and staticedge.club. The initial dropper (SHA1: 10d7faf8345968d4cb6f2c1c26c4fbdad334385f) was delivered via a phishing email from security@credential-check.site. 
A second C2 node was observed at 210.51.82.179, with a persistence mechanism writing to C:\\Windows\\Temp\\update.dll.", "spans": {"IP_ADDRESS: 121.211.170.184": [[64, 79]], "ORGANIZATION: Check Point Research": [[85, 105]], "MALWARE: Cobalt Strike": [[125, 138]], "FILEPATH: /opt/app/bin/sam.hive": [[150, 171]], "THREAT_ACTOR: FIN11": [[206, 211]], "TOOL: Havoc": [[218, 223]], "TOOL: Impacket": [[254, 262]], "DOMAIN: nodeapi.tech": [[314, 326]], "DOMAIN: staticedge.club": [[331, 346]], "HASH: 10d7faf8345968d4cb6f2c1c26c4fbdad334385f": [[375, 415]], "EMAIL: security@credential-check.site": [[457, 487]], "IP_ADDRESS: 210.51.82.179": [[522, 535]], "FILEPATH: C:\\Windows\\Temp\\update.dll": [[577, 603]]}, "info": {"id": "synth_v2_00260", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 81.42.56.41, the SentinelOne IR team identified BlackCat running as /opt/app/bin/agent.py. The threat actor, believed to be APT28, used Ligolo for credential harvesting and SharpHound for lateral movement. Exfiltrated data was sent to relayproxy.live and sync-secure.top. The initial dropper (MD5: ccf6264f30606e6fb640fdc1d6102059) was delivered via a phishing email from security@identity-verify.cc. 
A second C2 node was observed at 192.66.210.203, with a persistence mechanism writing to /tmp/chrome_helper.exe.", "spans": {"IP_ADDRESS: 81.42.56.41": [[64, 75]], "ORGANIZATION: SentinelOne": [[81, 92]], "MALWARE: BlackCat": [[112, 120]], "FILEPATH: /opt/app/bin/agent.py": [[132, 153]], "THREAT_ACTOR: APT28": [[188, 193]], "TOOL: Ligolo": [[200, 206]], "TOOL: SharpHound": [[237, 247]], "DOMAIN: relayproxy.live": [[299, 314]], "DOMAIN: sync-secure.top": [[319, 334]], "HASH: ccf6264f30606e6fb640fdc1d6102059": [[362, 394]], "EMAIL: security@identity-verify.cc": [[436, 463]], "IP_ADDRESS: 192.66.210.203": [[498, 512]], "FILEPATH: /tmp/chrome_helper.exe": [[554, 576]]}, "info": {"id": "synth_v2_00261", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 10.11.117.233, the CrowdStrike IR team identified Raccoon Stealer running as C:\\ProgramData\\csrss.exe. The threat actor, believed to be Flax Typhoon, used Mythic for credential harvesting and BITSAdmin for lateral movement. Exfiltrated data was sent to cdn-portal.cc and staticsync.org. The initial dropper (SHA256: 942d91adb7bc1b10862d51ae3df475aa8c3c63f675e37c923c86df92e17b677d) was delivered via a phishing email from account@identity-verify.cc. 
A second C2 node was observed at 172.101.134.180, with a persistence mechanism writing to C:\\Users\\admin\\Downloads\\shell.php.", "spans": {"IP_ADDRESS: 10.11.117.233": [[64, 77]], "ORGANIZATION: CrowdStrike": [[83, 94]], "MALWARE: Raccoon Stealer": [[114, 129]], "FILEPATH: C:\\ProgramData\\csrss.exe": [[141, 165]], "THREAT_ACTOR: Flax Typhoon": [[200, 212]], "TOOL: Mythic": [[219, 225]], "TOOL: BITSAdmin": [[256, 265]], "DOMAIN: cdn-portal.cc": [[317, 330]], "DOMAIN: staticsync.org": [[335, 349]], "HASH: 942d91adb7bc1b10862d51ae3df475aa8c3c63f675e37c923c86df92e17b677d": [[380, 444]], "EMAIL: account@identity-verify.cc": [[486, 512]], "IP_ADDRESS: 172.101.134.180": [[547, 562]], "FILEPATH: C:\\Users\\admin\\Downloads\\shell.php": [[604, 638]]}, "info": {"id": "synth_v2_00262", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 10.104.97.243, the ESET Research IR team identified ShadowPad running as C:\\Program Files\\Common Files\\payload.bin. The threat actor, believed to be Flax Typhoon, used PowerView for credential harvesting and PowerShell Empire for lateral movement. Exfiltrated data was sent to cloudstatic.xyz and cloudgateway.org. The initial dropper (MD5: 16691c4ed662f3cc59250951902b17bb) was delivered via a phishing email from report@credential-check.site. 
A second C2 node was observed at 74.253.195.34, with a persistence mechanism writing to C:\\Windows\\Temp\\agent.py.", "spans": {"IP_ADDRESS: 10.104.97.243": [[64, 77]], "ORGANIZATION: ESET Research": [[83, 96]], "MALWARE: ShadowPad": [[116, 125]], "FILEPATH: C:\\Program Files\\Common Files\\payload.bin": [[137, 178]], "THREAT_ACTOR: Flax Typhoon": [[213, 225]], "TOOL: PowerView": [[232, 241]], "TOOL: PowerShell Empire": [[272, 289]], "DOMAIN: cloudstatic.xyz": [[341, 356]], "DOMAIN: cloudgateway.org": [[361, 377]], "HASH: 16691c4ed662f3cc59250951902b17bb": [[405, 437]], "EMAIL: report@credential-check.site": [[479, 507]], "IP_ADDRESS: 74.253.195.34": [[542, 555]], "FILEPATH: C:\\Windows\\Temp\\agent.py": [[597, 621]]}, "info": {"id": "synth_v2_00263", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 22.5.240.35, the INTERPOL IR team identified BumbleBee running as C:\\Users\\admin\\AppData\\Local\\Temp\\winlogon.exe. The threat actor, believed to be BlackTech, used BITSAdmin for credential harvesting and PowerView for lateral movement. Exfiltrated data was sent to gatewaystatic.info and auth-edge.com. The initial dropper (MD5: 12678ee09fd6fc46d98e530426bdbdb0) was delivered via a phishing email from report@phishing-domain.com. 
A second C2 node was observed at 178.203.108.183, with a persistence mechanism writing to /var/tmp/beacon.dll.", "spans": {"IP_ADDRESS: 22.5.240.35": [[64, 75]], "ORGANIZATION: INTERPOL": [[81, 89]], "MALWARE: BumbleBee": [[109, 118]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\winlogon.exe": [[130, 176]], "THREAT_ACTOR: BlackTech": [[211, 220]], "TOOL: BITSAdmin": [[227, 236]], "TOOL: PowerView": [[267, 276]], "DOMAIN: gatewaystatic.info": [[328, 346]], "DOMAIN: auth-edge.com": [[351, 364]], "HASH: 12678ee09fd6fc46d98e530426bdbdb0": [[392, 424]], "EMAIL: report@phishing-domain.com": [[466, 492]], "IP_ADDRESS: 178.203.108.183": [[527, 542]], "FILEPATH: /var/tmp/beacon.dll": [[584, 603]]}, "info": {"id": "synth_v2_00264", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 78.202.189.34, the Microsoft MSRC IR team identified Emotet running as C:\\Windows\\System32\\backdoor.elf. The threat actor, believed to be FIN11, used LaZagne for credential harvesting and ADFind for lateral movement. Exfiltrated data was sent to storagerelay.org and storage-node.site. The initial dropper (SHA256: 5cfdc0539a63306494a705a32d6c5c0454624ab68a04f7e37e5e3a556c1153e3) was delivered via a phishing email from verify@mail-service.info. 
A second C2 node was observed at 192.91.133.44, with a persistence mechanism writing to C:\\Users\\Public\\Documents\\winlogon.exe.", "spans": {"IP_ADDRESS: 78.202.189.34": [[64, 77]], "ORGANIZATION: Microsoft MSRC": [[83, 97]], "MALWARE: Emotet": [[117, 123]], "FILEPATH: C:\\Windows\\System32\\backdoor.elf": [[135, 167]], "THREAT_ACTOR: FIN11": [[202, 207]], "TOOL: LaZagne": [[214, 221]], "TOOL: ADFind": [[252, 258]], "DOMAIN: storagerelay.org": [[310, 326]], "DOMAIN: storage-node.site": [[331, 348]], "HASH: 5cfdc0539a63306494a705a32d6c5c0454624ab68a04f7e37e5e3a556c1153e3": [[379, 443]], "EMAIL: verify@mail-service.info": [[485, 509]], "IP_ADDRESS: 192.91.133.44": [[544, 557]], "FILEPATH: C:\\Users\\Public\\Documents\\winlogon.exe": [[599, 637]]}, "info": {"id": "synth_v2_00265", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 157.135.160.112, the Palo Alto Unit 42 IR team identified RedLine Stealer running as /dev/shm/backdoor.elf. The threat actor, believed to be Diamond Sleet, used Sliver for credential harvesting and Burp Suite for lateral movement. Exfiltrated data was sent to cdncloud.org and data-secure.com. The initial dropper (MD5: 3527c5ba873762b2a9c00f7d247c814f) was delivered via a phishing email from verify@phishing-domain.com. 
A second C2 node was observed at 172.251.77.143, with a persistence mechanism writing to C:\\Users\\admin\\Downloads\\sam.hive.", "spans": {"IP_ADDRESS: 157.135.160.112": [[64, 79]], "ORGANIZATION: Palo Alto Unit 42": [[85, 102]], "MALWARE: RedLine Stealer": [[122, 137]], "FILEPATH: /dev/shm/backdoor.elf": [[149, 170]], "THREAT_ACTOR: Diamond Sleet": [[205, 218]], "TOOL: Sliver": [[225, 231]], "TOOL: Burp Suite": [[262, 272]], "DOMAIN: cdncloud.org": [[324, 336]], "DOMAIN: data-secure.com": [[341, 356]], "HASH: 3527c5ba873762b2a9c00f7d247c814f": [[384, 416]], "EMAIL: verify@phishing-domain.com": [[458, 484]], "IP_ADDRESS: 172.251.77.143": [[519, 533]], "FILEPATH: C:\\Users\\admin\\Downloads\\sam.hive": [[575, 608]]}, "info": {"id": "synth_v2_00266", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 118.252.57.217, the ESET Research IR team identified PlugX running as C:\\Windows\\Temp\\loader.exe. The threat actor, believed to be BlackTech, used WinPEAS for credential harvesting and Certutil for lateral movement. Exfiltrated data was sent to securesecure.club and cachecache.xyz. The initial dropper (SHA256: 911f1f3bb80cb6acbf96dfc6a58de249764f2d3c1e7ea95278d2722fac119f9c) was delivered via a phishing email from verify@secure-verify.net. 
A second C2 node was observed at 10.178.47.53, with a persistence mechanism writing to C:\\Users\\admin\\Downloads\\ntds.dit.", "spans": {"IP_ADDRESS: 118.252.57.217": [[64, 78]], "ORGANIZATION: ESET Research": [[84, 97]], "MALWARE: PlugX": [[117, 122]], "FILEPATH: C:\\Windows\\Temp\\loader.exe": [[134, 160]], "THREAT_ACTOR: BlackTech": [[195, 204]], "TOOL: WinPEAS": [[211, 218]], "TOOL: Certutil": [[249, 257]], "DOMAIN: securesecure.club": [[309, 326]], "DOMAIN: cachecache.xyz": [[331, 345]], "HASH: 911f1f3bb80cb6acbf96dfc6a58de249764f2d3c1e7ea95278d2722fac119f9c": [[376, 440]], "EMAIL: verify@secure-verify.net": [[482, 506]], "IP_ADDRESS: 10.178.47.53": [[541, 553]], "FILEPATH: C:\\Users\\admin\\Downloads\\ntds.dit": [[595, 628]]}, "info": {"id": "synth_v2_00267", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.191.54.215, the Rapid7 IR team identified NjRAT running as C:\\Windows\\Tasks\\winlogon.exe. The threat actor, believed to be APT28, used Burp Suite for credential harvesting and PowerView for lateral movement. Exfiltrated data was sent to relaysync.cc and storage-cdn.top. The initial dropper (SHA256: fbb64a18689d06a6581a0b95826a9ed1ea30560447ac4d9845d074ba1554dfb1) was delivered via a phishing email from finance@auth-check.org. 
A second C2 node was observed at 40.14.41.118, with a persistence mechanism writing to C:\\Windows\\System32\\runtime.dll.", "spans": {"IP_ADDRESS: 172.191.54.215": [[64, 78]], "ORGANIZATION: Rapid7": [[84, 90]], "MALWARE: NjRAT": [[110, 115]], "FILEPATH: C:\\Windows\\Tasks\\winlogon.exe": [[127, 156]], "THREAT_ACTOR: APT28": [[191, 196]], "TOOL: Burp Suite": [[203, 213]], "TOOL: PowerView": [[244, 253]], "DOMAIN: relaysync.cc": [[305, 317]], "DOMAIN: storage-cdn.top": [[322, 337]], "HASH: fbb64a18689d06a6581a0b95826a9ed1ea30560447ac4d9845d074ba1554dfb1": [[368, 432]], "EMAIL: finance@auth-check.org": [[474, 496]], "IP_ADDRESS: 40.14.41.118": [[531, 543]], "FILEPATH: C:\\Windows\\System32\\runtime.dll": [[585, 616]]}, "info": {"id": "synth_v2_00268", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 24.204.130.46, the INTERPOL IR team identified QakBot running as /home/user/.config/beacon.dll. The threat actor, believed to be Aqua Blizzard, used Impacket for credential harvesting and Certutil for lateral movement. Exfiltrated data was sent to secure-portal.link and backuplogin.net. The initial dropper (SHA1: e18ca283e50fd7dd3d3b395a86e8c03b980bc62b) was delivered via a phishing email from noreply@auth-check.org. 
A second C2 node was observed at 172.45.10.219, with a persistence mechanism writing to C:\\Program Files\\Common Files\\agent.py.", "spans": {"IP_ADDRESS: 24.204.130.46": [[64, 77]], "ORGANIZATION: INTERPOL": [[83, 91]], "MALWARE: QakBot": [[111, 117]], "FILEPATH: /home/user/.config/beacon.dll": [[129, 158]], "THREAT_ACTOR: Aqua Blizzard": [[193, 206]], "TOOL: Impacket": [[213, 221]], "TOOL: Certutil": [[252, 260]], "DOMAIN: secure-portal.link": [[312, 330]], "DOMAIN: backuplogin.net": [[335, 350]], "HASH: e18ca283e50fd7dd3d3b395a86e8c03b980bc62b": [[379, 419]], "EMAIL: noreply@auth-check.org": [[461, 483]], "IP_ADDRESS: 172.45.10.219": [[518, 531]], "FILEPATH: C:\\Program Files\\Common Files\\agent.py": [[573, 611]]}, "info": {"id": "synth_v2_00269", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.228.198.122, the NSA IR team identified Ryuk running as /opt/app/bin/sam.hive. The threat actor, believed to be Flax Typhoon, used Chisel for credential harvesting and LaZagne for lateral movement. Exfiltrated data was sent to mailstatic.org and gatewayapi.com. The initial dropper (MD5: 66a4581044f74a34d62f4f5c1344b399) was delivered via a phishing email from account@secure-verify.net. 
A second C2 node was observed at 145.216.46.194, with a persistence mechanism writing to /var/tmp/payload.bin.", "spans": {"IP_ADDRESS: 172.228.198.122": [[64, 79]], "ORGANIZATION: NSA": [[85, 88]], "MALWARE: Ryuk": [[108, 112]], "FILEPATH: /opt/app/bin/sam.hive": [[124, 145]], "THREAT_ACTOR: Flax Typhoon": [[180, 192]], "TOOL: Chisel": [[199, 205]], "TOOL: LaZagne": [[236, 243]], "DOMAIN: mailstatic.org": [[295, 309]], "DOMAIN: gatewayapi.com": [[314, 328]], "HASH: 66a4581044f74a34d62f4f5c1344b399": [[356, 388]], "EMAIL: account@secure-verify.net": [[430, 455]], "IP_ADDRESS: 145.216.46.194": [[490, 504]], "FILEPATH: /var/tmp/payload.bin": [[546, 566]]}, "info": {"id": "synth_v2_00270", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 77.76.65.176, the Volexity IR team identified Gootloader running as C:\\Program Files\\Common Files\\ntds.dit. The threat actor, believed to be Midnight Blizzard, used Sliver for credential harvesting and Impacket for lateral movement. Exfiltrated data was sent to edge-api.dev and node-auth.io. The initial dropper (SHA1: b8f572e2fc2ddf0ccdcbd13274bb3257ca727f2b) was delivered via a phishing email from notification@mail-service.info. 
A second C2 node was observed at 216.127.218.76, with a persistence mechanism writing to C:\\Users\\Public\\Documents\\sam.hive.", "spans": {"IP_ADDRESS: 77.76.65.176": [[64, 76]], "ORGANIZATION: Volexity": [[82, 90]], "MALWARE: Gootloader": [[110, 120]], "FILEPATH: C:\\Program Files\\Common Files\\ntds.dit": [[132, 170]], "THREAT_ACTOR: Midnight Blizzard": [[205, 222]], "TOOL: Sliver": [[229, 235]], "TOOL: Impacket": [[266, 274]], "DOMAIN: edge-api.dev": [[326, 338]], "DOMAIN: node-auth.io": [[343, 355]], "HASH: b8f572e2fc2ddf0ccdcbd13274bb3257ca727f2b": [[384, 424]], "EMAIL: notification@mail-service.info": [[466, 496]], "IP_ADDRESS: 216.127.218.76": [[531, 545]], "FILEPATH: C:\\Users\\Public\\Documents\\sam.hive": [[587, 621]]}, "info": {"id": "synth_v2_00271", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 10.236.91.202, the Recorded Future IR team identified AgentTesla running as /usr/local/bin/winlogon.exe. The threat actor, believed to be FIN11, used BITSAdmin for credential harvesting and Impacket for lateral movement. Exfiltrated data was sent to storagecache.club and relaystatic.link. The initial dropper (SHA256: f00aa78e9c655b78b6bcda10caac7910851fa28508a057361327db97af52f050) was delivered via a phishing email from report@mail-service.info. 
A second C2 node was observed at 172.23.42.107, with a persistence mechanism writing to C:\\Users\\admin\\Downloads\\runtime.dll.", "spans": {"IP_ADDRESS: 10.236.91.202": [[64, 77]], "ORGANIZATION: Recorded Future": [[83, 98]], "MALWARE: AgentTesla": [[118, 128]], "FILEPATH: /usr/local/bin/winlogon.exe": [[140, 167]], "THREAT_ACTOR: FIN11": [[202, 207]], "TOOL: BITSAdmin": [[214, 223]], "TOOL: Impacket": [[254, 262]], "DOMAIN: storagecache.club": [[314, 331]], "DOMAIN: relaystatic.link": [[336, 352]], "HASH: f00aa78e9c655b78b6bcda10caac7910851fa28508a057361327db97af52f050": [[383, 447]], "EMAIL: report@mail-service.info": [[489, 513]], "IP_ADDRESS: 172.23.42.107": [[548, 561]], "FILEPATH: C:\\Users\\admin\\Downloads\\runtime.dll": [[603, 639]]}, "info": {"id": "synth_v2_00272", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.59.6.44, the FBI IR team identified Ryuk running as C:\\Users\\Public\\Documents\\svchost.exe. The threat actor, believed to be Storm-0558, used Certutil for credential harvesting and Mimikatz for lateral movement. Exfiltrated data was sent to portalbackup.net and login-update.xyz. The initial dropper (SHA256: e4e045bc5f804c2eab8482db119e5b5be819e3dfa827710427b1ef2fcea89e5a) was delivered via a phishing email from noreply@login-portal.tech. 
A second C2 node was observed at 118.207.249.78, with a persistence mechanism writing to /tmp/svchost.exe.", "spans": {"IP_ADDRESS: 172.59.6.44": [[64, 75]], "ORGANIZATION: FBI": [[81, 84]], "MALWARE: Ryuk": [[104, 108]], "FILEPATH: C:\\Users\\Public\\Documents\\svchost.exe": [[120, 157]], "THREAT_ACTOR: Storm-0558": [[192, 202]], "TOOL: Certutil": [[209, 217]], "TOOL: Mimikatz": [[248, 256]], "DOMAIN: portalbackup.net": [[308, 324]], "DOMAIN: login-update.xyz": [[329, 345]], "HASH: e4e045bc5f804c2eab8482db119e5b5be819e3dfa827710427b1ef2fcea89e5a": [[376, 440]], "EMAIL: noreply@login-portal.tech": [[482, 507]], "IP_ADDRESS: 118.207.249.78": [[542, 556]], "FILEPATH: /tmp/svchost.exe": [[598, 614]]}, "info": {"id": "synth_v2_00273", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 10.154.237.38, the CrowdStrike IR team identified XLoader running as /tmp/agent.py. The threat actor, believed to be Flax Typhoon, used Sharphound for credential harvesting and Havoc for lateral movement. Exfiltrated data was sent to relay-proxy.online and relay-cache.xyz. The initial dropper (MD5: 05e793717c4c2b8179fb0c82bc54b354) was delivered via a phishing email from alert@identity-verify.cc. 
A second C2 node was observed at 109.11.59.43, with a persistence mechanism writing to C:\\Users\\admin\\Desktop\\update.dll.", "spans": {"IP_ADDRESS: 10.154.237.38": [[64, 77]], "ORGANIZATION: CrowdStrike": [[83, 94]], "MALWARE: XLoader": [[114, 121]], "FILEPATH: /tmp/agent.py": [[133, 146]], "THREAT_ACTOR: Flax Typhoon": [[181, 193]], "TOOL: Sharphound": [[200, 210]], "TOOL: Havoc": [[241, 246]], "DOMAIN: relay-proxy.online": [[298, 316]], "DOMAIN: relay-cache.xyz": [[321, 336]], "HASH: 05e793717c4c2b8179fb0c82bc54b354": [[364, 396]], "EMAIL: alert@identity-verify.cc": [[438, 462]], "IP_ADDRESS: 109.11.59.43": [[497, 509]], "FILEPATH: C:\\Users\\admin\\Desktop\\update.dll": [[551, 584]]}, "info": {"id": "synth_v2_00274", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 10.249.204.125, the Trend Micro IR team identified FormBook running as /etc/cron.d/sam.hive. The threat actor, believed to be Salt Typhoon, used PowerShell Empire for credential harvesting and LinPEAS for lateral movement. Exfiltrated data was sent to edgeapi.info and proxyauth.online. The initial dropper (SHA256: 74928cf25de668b34449066dcc019776038152e0f515140a0e1ef97fd1f465ab) was delivered via a phishing email from billing@credential-check.site. 
A second C2 node was observed at 60.31.9.109, with a persistence mechanism writing to C:\\Program Files\\Common Files\\svchost.exe.", "spans": {"IP_ADDRESS: 10.249.204.125": [[64, 78]], "ORGANIZATION: Trend Micro": [[84, 95]], "MALWARE: FormBook": [[115, 123]], "FILEPATH: /etc/cron.d/sam.hive": [[135, 155]], "THREAT_ACTOR: Salt Typhoon": [[190, 202]], "TOOL: PowerShell Empire": [[209, 226]], "TOOL: LinPEAS": [[257, 264]], "DOMAIN: edgeapi.info": [[316, 328]], "DOMAIN: proxyauth.online": [[333, 349]], "HASH: 74928cf25de668b34449066dcc019776038152e0f515140a0e1ef97fd1f465ab": [[380, 444]], "EMAIL: billing@credential-check.site": [[486, 515]], "IP_ADDRESS: 60.31.9.109": [[550, 561]], "FILEPATH: C:\\Program Files\\Common Files\\svchost.exe": [[603, 644]]}, "info": {"id": "synth_v2_00275", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 192.173.239.34, the INTERPOL IR team identified AgentTesla running as /dev/shm/payload.bin. The threat actor, believed to be Midnight Blizzard, used PsExec for credential harvesting and LaZagne for lateral movement. Exfiltrated data was sent to proxysecure.cc and backup-api.top. The initial dropper (SHA256: d46afd8e526110fcad6ec001ce48254e231ef9c7dc84a7ec673c65f88fdce661) was delivered via a phishing email from verify@secure-verify.net. 
A second C2 node was observed at 186.199.213.214, with a persistence mechanism writing to C:\\Users\\admin\\Downloads\\runtime.dll.", "spans": {"IP_ADDRESS: 192.173.239.34": [[64, 78]], "ORGANIZATION: INTERPOL": [[84, 92]], "MALWARE: AgentTesla": [[112, 122]], "FILEPATH: /dev/shm/payload.bin": [[134, 154]], "THREAT_ACTOR: Midnight Blizzard": [[189, 206]], "TOOL: PsExec": [[213, 219]], "TOOL: LaZagne": [[250, 257]], "DOMAIN: proxysecure.cc": [[309, 323]], "DOMAIN: backup-api.top": [[328, 342]], "HASH: d46afd8e526110fcad6ec001ce48254e231ef9c7dc84a7ec673c65f88fdce661": [[373, 437]], "EMAIL: verify@secure-verify.net": [[479, 503]], "IP_ADDRESS: 186.199.213.214": [[538, 553]], "FILEPATH: C:\\Users\\admin\\Downloads\\runtime.dll": [[595, 631]]}, "info": {"id": "synth_v2_00276", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 192.24.9.92, the Huntress IR team identified FormBook running as /var/tmp/beacon.dll. The threat actor, believed to be Ember Bear, used Burp Suite for credential harvesting and PsExec for lateral movement. Exfiltrated data was sent to api-storage.site and static-data.net. The initial dropper (MD5: bd931dfcffa80349020df8514474a008) was delivered via a phishing email from support@urgent-notice.online. 
A second C2 node was observed at 92.81.89.212, with a persistence mechanism writing to /usr/local/bin/winlogon.exe.", "spans": {"IP_ADDRESS: 192.24.9.92": [[64, 75]], "ORGANIZATION: Huntress": [[81, 89]], "MALWARE: FormBook": [[109, 117]], "FILEPATH: /var/tmp/beacon.dll": [[129, 148]], "THREAT_ACTOR: Ember Bear": [[183, 193]], "TOOL: Burp Suite": [[200, 210]], "TOOL: PsExec": [[241, 247]], "DOMAIN: api-storage.site": [[299, 315]], "DOMAIN: static-data.net": [[320, 335]], "HASH: bd931dfcffa80349020df8514474a008": [[363, 395]], "EMAIL: support@urgent-notice.online": [[437, 465]], "IP_ADDRESS: 92.81.89.212": [[500, 512]], "FILEPATH: /usr/local/bin/winlogon.exe": [[554, 581]]}, "info": {"id": "synth_v2_00277", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 192.25.224.205, the CISA IR team identified SystemBC running as /tmp/csrss.exe. The threat actor, believed to be Silk Typhoon, used CrackMapExec for credential harvesting and Havoc for lateral movement. Exfiltrated data was sent to edge-cdn.io and secure-auth.live. The initial dropper (SHA1: e456f6c6b5594c03d59550896f0af4f4f1da1383) was delivered via a phishing email from account@credential-check.site. 
A second C2 node was observed at 216.56.54.201, with a persistence mechanism writing to C:\\Users\\admin\\Downloads\\agent.py.", "spans": {"IP_ADDRESS: 192.25.224.205": [[64, 78]], "ORGANIZATION: CISA": [[84, 88]], "MALWARE: SystemBC": [[108, 116]], "FILEPATH: /tmp/csrss.exe": [[128, 142]], "THREAT_ACTOR: Silk Typhoon": [[177, 189]], "TOOL: CrackMapExec": [[196, 208]], "TOOL: Havoc": [[239, 244]], "DOMAIN: edge-cdn.io": [[296, 307]], "DOMAIN: secure-auth.live": [[312, 328]], "HASH: e456f6c6b5594c03d59550896f0af4f4f1da1383": [[357, 397]], "EMAIL: account@credential-check.site": [[439, 468]], "IP_ADDRESS: 216.56.54.201": [[503, 516]], "FILEPATH: C:\\Users\\admin\\Downloads\\agent.py": [[558, 591]]}, "info": {"id": "synth_v2_00278", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 210.70.62.218, the Dragos IR team identified Ryuk running as C:\\Program Files\\Common Files\\csrss.exe. The threat actor, believed to be Mustang Panda, used Sharphound for credential harvesting and Chisel for lateral movement. Exfiltrated data was sent to storagebackup.io and api-sync.tech. The initial dropper (SHA1: 4786f96c8a13a68169ae46c115a191b3e72518d3) was delivered via a phishing email from helpdesk@account-update.xyz. 
A second C2 node was observed at 172.212.3.63, with a persistence mechanism writing to /var/tmp/payload.bin.", "spans": {"IP_ADDRESS: 210.70.62.218": [[64, 77]], "ORGANIZATION: Dragos": [[83, 89]], "MALWARE: Ryuk": [[109, 113]], "FILEPATH: C:\\Program Files\\Common Files\\csrss.exe": [[125, 164]], "THREAT_ACTOR: Mustang Panda": [[199, 212]], "TOOL: Sharphound": [[219, 229]], "TOOL: Chisel": [[260, 266]], "DOMAIN: storagebackup.io": [[318, 334]], "DOMAIN: api-sync.tech": [[339, 352]], "HASH: 4786f96c8a13a68169ae46c115a191b3e72518d3": [[381, 421]], "EMAIL: helpdesk@account-update.xyz": [[463, 490]], "IP_ADDRESS: 172.212.3.63": [[525, 537]], "FILEPATH: /var/tmp/payload.bin": [[579, 599]]}, "info": {"id": "synth_v2_00279", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 219.185.15.114, the Dragos IR team identified XLoader running as C:\\Windows\\System32\\shell.php. The threat actor, believed to be Storm-0558, used Merlin for credential harvesting and Sliver for lateral movement. Exfiltrated data was sent to portalsecure.site and portal-cdn.top. The initial dropper (MD5: fe1c33e43e5ab1ac8672062323e9997c) was delivered via a phishing email from service@urgent-notice.online. 
A second C2 node was observed at 10.35.43.87, with a persistence mechanism writing to C:\\Users\\admin\\AppData\\Local\\Temp\\loader.exe.", "spans": {"IP_ADDRESS: 219.185.15.114": [[64, 78]], "ORGANIZATION: Dragos": [[84, 90]], "MALWARE: XLoader": [[110, 117]], "FILEPATH: C:\\Windows\\System32\\shell.php": [[129, 158]], "THREAT_ACTOR: Storm-0558": [[193, 203]], "TOOL: Merlin": [[210, 216]], "TOOL: Sliver": [[247, 253]], "DOMAIN: portalsecure.site": [[305, 322]], "DOMAIN: portal-cdn.top": [[327, 341]], "HASH: fe1c33e43e5ab1ac8672062323e9997c": [[369, 401]], "EMAIL: service@urgent-notice.online": [[443, 471]], "IP_ADDRESS: 10.35.43.87": [[506, 517]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\loader.exe": [[559, 603]]}, "info": {"id": "synth_v2_00280", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 3.143.75.180, the Trend Micro IR team identified AsyncRAT running as /opt/app/bin/lsass.dmp. The threat actor, believed to be Aqua Blizzard, used LinPEAS for credential harvesting and Hashcat for lateral movement. Exfiltrated data was sent to portalcloud.dev and apicdn.io. The initial dropper (SHA1: aa931c09f3fd6ee6c496481eb7a977abeffbeb4e) was delivered via a phishing email from billing@secure-verify.net. 
A second C2 node was observed at 115.105.226.179, with a persistence mechanism writing to C:\\Windows\\System32\\loader.exe.", "spans": {"IP_ADDRESS: 3.143.75.180": [[64, 76]], "ORGANIZATION: Trend Micro": [[82, 93]], "MALWARE: AsyncRAT": [[113, 121]], "FILEPATH: /opt/app/bin/lsass.dmp": [[133, 155]], "THREAT_ACTOR: Aqua Blizzard": [[190, 203]], "TOOL: LinPEAS": [[210, 217]], "TOOL: Hashcat": [[248, 255]], "DOMAIN: portalcloud.dev": [[307, 322]], "DOMAIN: apicdn.io": [[327, 336]], "HASH: aa931c09f3fd6ee6c496481eb7a977abeffbeb4e": [[365, 405]], "EMAIL: billing@secure-verify.net": [[447, 472]], "IP_ADDRESS: 115.105.226.179": [[507, 522]], "FILEPATH: C:\\Windows\\System32\\loader.exe": [[564, 594]]}, "info": {"id": "synth_v2_00281", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 194.81.11.8, the CrowdStrike IR team identified BatLoader running as C:\\Users\\Public\\Documents\\sam.hive. The threat actor, believed to be MuddyWater, used Burp Suite for credential harvesting and LaZagne for lateral movement. Exfiltrated data was sent to cdn-mail.info and authcdn.link. The initial dropper (SHA1: 8d6918f4f6e82b4e86d9a7abf67ec9341847e5da) was delivered via a phishing email from updates@auth-check.org. 
A second C2 node was observed at 62.155.216.253, with a persistence mechanism writing to /home/user/.config/shell.php.", "spans": {"IP_ADDRESS: 194.81.11.8": [[64, 75]], "ORGANIZATION: CrowdStrike": [[81, 92]], "MALWARE: BatLoader": [[112, 121]], "FILEPATH: C:\\Users\\Public\\Documents\\sam.hive": [[133, 167]], "THREAT_ACTOR: MuddyWater": [[202, 212]], "TOOL: Burp Suite": [[219, 229]], "TOOL: LaZagne": [[260, 267]], "DOMAIN: cdn-mail.info": [[319, 332]], "DOMAIN: authcdn.link": [[337, 349]], "HASH: 8d6918f4f6e82b4e86d9a7abf67ec9341847e5da": [[378, 418]], "EMAIL: updates@auth-check.org": [[460, 482]], "IP_ADDRESS: 62.155.216.253": [[517, 531]], "FILEPATH: /home/user/.config/shell.php": [[573, 601]]}, "info": {"id": "synth_v2_00282", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.153.145.171, the Dragos IR team identified BumbleBee running as C:\\Program Files\\Common Files\\ntds.dit. The threat actor, believed to be Granite Typhoon, used LinPEAS for credential harvesting and BITSAdmin for lateral movement. Exfiltrated data was sent to nodecache.xyz and relayauth.org. The initial dropper (SHA256: cc4a89976731655af086fdf9218a4f809d51699e7e20e6c4895e275933cb61b2) was delivered via a phishing email from noreply@credential-check.site. 
A second C2 node was observed at 192.193.126.27, with a persistence mechanism writing to C:\\ProgramData\\chrome_helper.exe.", "spans": {"IP_ADDRESS: 172.153.145.171": [[64, 79]], "ORGANIZATION: Dragos": [[85, 91]], "MALWARE: BumbleBee": [[111, 120]], "FILEPATH: C:\\Program Files\\Common Files\\ntds.dit": [[132, 170]], "THREAT_ACTOR: Granite Typhoon": [[205, 220]], "TOOL: LinPEAS": [[227, 234]], "TOOL: BITSAdmin": [[265, 274]], "DOMAIN: nodecache.xyz": [[326, 339]], "DOMAIN: relayauth.org": [[344, 357]], "HASH: cc4a89976731655af086fdf9218a4f809d51699e7e20e6c4895e275933cb61b2": [[388, 452]], "EMAIL: noreply@credential-check.site": [[494, 523]], "IP_ADDRESS: 192.193.126.27": [[558, 572]], "FILEPATH: C:\\ProgramData\\chrome_helper.exe": [[614, 646]]}, "info": {"id": "synth_v2_00283", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 151.202.135.150, the Volexity IR team identified Royal running as C:\\Users\\Public\\Documents\\runtime.dll. The threat actor, believed to be Midnight Blizzard, used Impacket for credential harvesting and Chisel for lateral movement. Exfiltrated data was sent to gatewaysecure.org and proxy-relay.org. The initial dropper (SHA256: 5178e6ed73efb4ae2a40940c69a28cf2fe61ad7214b2d0a9497123235456abb1) was delivered via a phishing email from security@urgent-notice.online. 
A second C2 node was observed at 163.216.225.177, with a persistence mechanism writing to C:\\Windows\\Tasks\\beacon.dll.", "spans": {"IP_ADDRESS: 151.202.135.150": [[64, 79]], "ORGANIZATION: Volexity": [[85, 93]], "MALWARE: Royal": [[113, 118]], "FILEPATH: C:\\Users\\Public\\Documents\\runtime.dll": [[130, 167]], "THREAT_ACTOR: Midnight Blizzard": [[202, 219]], "TOOL: Impacket": [[226, 234]], "TOOL: Chisel": [[265, 271]], "DOMAIN: gatewaysecure.org": [[323, 340]], "DOMAIN: proxy-relay.org": [[345, 360]], "HASH: 5178e6ed73efb4ae2a40940c69a28cf2fe61ad7214b2d0a9497123235456abb1": [[391, 455]], "EMAIL: security@urgent-notice.online": [[497, 526]], "IP_ADDRESS: 163.216.225.177": [[561, 576]], "FILEPATH: C:\\Windows\\Tasks\\beacon.dll": [[618, 645]]}, "info": {"id": "synth_v2_00284", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 29.61.189.147, the Google TAG IR team identified RedLine Stealer running as C:\\Program Files\\Common Files\\update.dll. The threat actor, believed to be Diamond Sleet, used Metasploit for credential harvesting and ADFind for lateral movement. Exfiltrated data was sent to mailbackup.info and updatelogin.org. The initial dropper (SHA256: 750cff1ae73a22643b24fd5bb0d0b5bd02264854f51c63f9623c8d6c8869740e) was delivered via a phishing email from verify@phishing-domain.com. 
A second C2 node was observed at 11.78.60.96, with a persistence mechanism writing to /home/user/.config/agent.py.", "spans": {"IP_ADDRESS: 29.61.189.147": [[64, 77]], "ORGANIZATION: Google TAG": [[83, 93]], "MALWARE: RedLine Stealer": [[113, 128]], "FILEPATH: C:\\Program Files\\Common Files\\update.dll": [[140, 180]], "THREAT_ACTOR: Diamond Sleet": [[215, 228]], "TOOL: Metasploit": [[235, 245]], "TOOL: ADFind": [[276, 282]], "DOMAIN: mailbackup.info": [[334, 349]], "DOMAIN: updatelogin.org": [[354, 369]], "HASH: 750cff1ae73a22643b24fd5bb0d0b5bd02264854f51c63f9623c8d6c8869740e": [[400, 464]], "EMAIL: verify@phishing-domain.com": [[506, 532]], "IP_ADDRESS: 11.78.60.96": [[567, 578]], "FILEPATH: /home/user/.config/agent.py": [[620, 647]]}, "info": {"id": "synth_v2_00285", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.246.158.145, the Symantec IR team identified Conti running as /opt/app/bin/chrome_helper.exe. The threat actor, believed to be MuddyWater, used Chisel for credential harvesting and Impacket for lateral movement. Exfiltrated data was sent to login-node.top and relayrelay.org. The initial dropper (SHA256: dca8da1f07404dcd18245ffee064ce6ac6fef092fb7a3aa59c5e06743240cfe4) was delivered via a phishing email from service@auth-check.org. 
A second C2 node was observed at 87.193.243.214, with a persistence mechanism writing to C:\\Program Files\\Common Files\\lsass.dmp.", "spans": {"IP_ADDRESS: 172.246.158.145": [[64, 79]], "ORGANIZATION: Symantec": [[85, 93]], "MALWARE: Conti": [[113, 118]], "FILEPATH: /opt/app/bin/chrome_helper.exe": [[130, 160]], "THREAT_ACTOR: MuddyWater": [[195, 205]], "TOOL: Chisel": [[212, 218]], "TOOL: Impacket": [[249, 257]], "DOMAIN: login-node.top": [[309, 323]], "DOMAIN: relayrelay.org": [[328, 342]], "HASH: dca8da1f07404dcd18245ffee064ce6ac6fef092fb7a3aa59c5e06743240cfe4": [[373, 437]], "EMAIL: service@auth-check.org": [[479, 501]], "IP_ADDRESS: 87.193.243.214": [[536, 550]], "FILEPATH: C:\\Program Files\\Common Files\\lsass.dmp": [[592, 631]]}, "info": {"id": "synth_v2_00286", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 189.142.45.222, the FireEye IR team identified WarmCookie running as /dev/shm/loader.exe. The threat actor, believed to be APT29, used PowerView for credential harvesting and Mythic for lateral movement. Exfiltrated data was sent to edge-api.xyz and cache-node.xyz. The initial dropper (SHA1: ddfb8afeb3ae4476857719b2a0f3705c1961a844) was delivered via a phishing email from confirm@account-update.xyz. 
A second C2 node was observed at 192.12.158.144, with a persistence mechanism writing to C:\\Windows\\Temp\\taskhost.exe.", "spans": {"IP_ADDRESS: 189.142.45.222": [[64, 78]], "ORGANIZATION: FireEye": [[84, 91]], "MALWARE: WarmCookie": [[111, 121]], "FILEPATH: /dev/shm/loader.exe": [[133, 152]], "THREAT_ACTOR: APT29": [[187, 192]], "TOOL: PowerView": [[199, 208]], "TOOL: Mythic": [[239, 245]], "DOMAIN: edge-api.xyz": [[297, 309]], "DOMAIN: cache-node.xyz": [[314, 328]], "HASH: ddfb8afeb3ae4476857719b2a0f3705c1961a844": [[357, 397]], "EMAIL: confirm@account-update.xyz": [[439, 465]], "IP_ADDRESS: 192.12.158.144": [[500, 514]], "FILEPATH: C:\\Windows\\Temp\\taskhost.exe": [[556, 584]]}, "info": {"id": "synth_v2_00287", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 192.227.43.207, the NCSC IR team identified TrickBot running as C:\\Users\\admin\\Desktop\\backdoor.elf. The threat actor, believed to be FIN11, used GhostPack for credential harvesting and SharpHound for lateral movement. Exfiltrated data was sent to storage-gateway.org and updatenode.tech. The initial dropper (SHA256: 3efdb9dbe144dc9e664bbbfcfc5ebf2efb9b49ceb24a0c93791075f1b0dacc46) was delivered via a phishing email from security@mail-service.info. 
A second C2 node was observed at 103.23.251.221, with a persistence mechanism writing to C:\\ProgramData\\taskhost.exe.", "spans": {"IP_ADDRESS: 192.227.43.207": [[64, 78]], "ORGANIZATION: NCSC": [[84, 88]], "MALWARE: TrickBot": [[108, 116]], "FILEPATH: C:\\Users\\admin\\Desktop\\backdoor.elf": [[128, 163]], "THREAT_ACTOR: FIN11": [[198, 203]], "TOOL: GhostPack": [[210, 219]], "TOOL: SharpHound": [[250, 260]], "DOMAIN: storage-gateway.org": [[312, 331]], "DOMAIN: updatenode.tech": [[336, 351]], "HASH: 3efdb9dbe144dc9e664bbbfcfc5ebf2efb9b49ceb24a0c93791075f1b0dacc46": [[382, 446]], "EMAIL: security@mail-service.info": [[488, 514]], "IP_ADDRESS: 103.23.251.221": [[549, 563]], "FILEPATH: C:\\ProgramData\\taskhost.exe": [[605, 632]]}, "info": {"id": "synth_v2_00288", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 10.157.208.174, the Cisco Talos IR team identified LockBit running as /opt/app/bin/backdoor.elf. The threat actor, believed to be Turla, used Nmap for credential harvesting and Seatbelt for lateral movement. Exfiltrated data was sent to backup-portal.net and logingateway.dev. The initial dropper (SHA256: 83a4be0879a879f81a54832c3c920ba51234475bf47388c0fdb48f064e6382b3) was delivered via a phishing email from helpdesk@document-share.link. 
A second C2 node was observed at 10.166.92.7, with a persistence mechanism writing to C:\\Users\\admin\\Desktop\\taskhost.exe.", "spans": {"IP_ADDRESS: 10.157.208.174": [[64, 78]], "ORGANIZATION: Cisco Talos": [[84, 95]], "MALWARE: LockBit": [[115, 122]], "FILEPATH: /opt/app/bin/backdoor.elf": [[134, 159]], "THREAT_ACTOR: Turla": [[194, 199]], "TOOL: Nmap": [[206, 210]], "TOOL: Seatbelt": [[241, 249]], "DOMAIN: backup-portal.net": [[301, 318]], "DOMAIN: logingateway.dev": [[323, 339]], "HASH: 83a4be0879a879f81a54832c3c920ba51234475bf47388c0fdb48f064e6382b3": [[370, 434]], "EMAIL: helpdesk@document-share.link": [[476, 504]], "IP_ADDRESS: 10.166.92.7": [[539, 550]], "FILEPATH: C:\\Users\\admin\\Desktop\\taskhost.exe": [[592, 627]]}, "info": {"id": "synth_v2_00289", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 30.137.31.82, the Dragos IR team identified Lumma Stealer running as C:\\Users\\Public\\Documents\\helper.sh. The threat actor, believed to be FIN7, used PowerShell Empire for credential harvesting and LaZagne for lateral movement. Exfiltrated data was sent to gateway-data.dev and sync-edge.cc. The initial dropper (SHA1: 36fc7cfacb79ec2e38daea03d87310eb92650376) was delivered via a phishing email from updates@secure-verify.net. 
A second C2 node was observed at 142.208.33.124, with a persistence mechanism writing to C:\\Windows\\System32\\agent.py.", "spans": {"IP_ADDRESS: 30.137.31.82": [[64, 76]], "ORGANIZATION: Dragos": [[82, 88]], "MALWARE: Lumma Stealer": [[108, 121]], "FILEPATH: C:\\Users\\Public\\Documents\\helper.sh": [[133, 168]], "THREAT_ACTOR: FIN7": [[203, 207]], "TOOL: PowerShell Empire": [[214, 231]], "TOOL: LaZagne": [[262, 269]], "DOMAIN: gateway-data.dev": [[321, 337]], "DOMAIN: sync-edge.cc": [[342, 354]], "HASH: 36fc7cfacb79ec2e38daea03d87310eb92650376": [[383, 423]], "EMAIL: updates@secure-verify.net": [[465, 490]], "IP_ADDRESS: 142.208.33.124": [[525, 539]], "FILEPATH: C:\\Windows\\System32\\agent.py": [[581, 609]]}, "info": {"id": "synth_v2_00290", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 139.86.125.138, the Tenable IR team identified BatLoader running as /dev/shm/backdoor.elf. The threat actor, believed to be Sandworm, used GhostPack for credential harvesting and CrackMapExec for lateral movement. Exfiltrated data was sent to staticbackup.top and update-cdn.dev. The initial dropper (MD5: 3b34bdbaaa9faaed4d89a550c5ccee97) was delivered via a phishing email from billing@document-share.link. 
A second C2 node was observed at 143.231.21.1, with a persistence mechanism writing to /usr/local/bin/lsass.dmp.", "spans": {"IP_ADDRESS: 139.86.125.138": [[64, 78]], "ORGANIZATION: Tenable": [[84, 91]], "MALWARE: BatLoader": [[111, 120]], "FILEPATH: /dev/shm/backdoor.elf": [[132, 153]], "THREAT_ACTOR: Sandworm": [[188, 196]], "TOOL: GhostPack": [[203, 212]], "TOOL: CrackMapExec": [[243, 255]], "DOMAIN: staticbackup.top": [[307, 323]], "DOMAIN: update-cdn.dev": [[328, 342]], "HASH: 3b34bdbaaa9faaed4d89a550c5ccee97": [[370, 402]], "EMAIL: billing@document-share.link": [[444, 471]], "IP_ADDRESS: 143.231.21.1": [[506, 518]], "FILEPATH: /usr/local/bin/lsass.dmp": [[560, 584]]}, "info": {"id": "synth_v2_00291", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.45.202.179, the Sophos X-Ops IR team identified BatLoader running as /opt/app/bin/winlogon.exe. The threat actor, believed to be TA505, used BloodHound for credential harvesting and Rubeus for lateral movement. Exfiltrated data was sent to storagesync.link and syncdata.top. The initial dropper (SHA1: 45ed2f82017e2bb0c2e5a778b074191a2ce1ff3b) was delivered via a phishing email from admin@account-update.xyz. 
A second C2 node was observed at 10.143.221.54, with a persistence mechanism writing to /tmp/sam.hive.", "spans": {"IP_ADDRESS: 172.45.202.179": [[64, 78]], "ORGANIZATION: Sophos X-Ops": [[84, 96]], "MALWARE: BatLoader": [[116, 125]], "FILEPATH: /opt/app/bin/winlogon.exe": [[137, 162]], "THREAT_ACTOR: TA505": [[197, 202]], "TOOL: BloodHound": [[209, 219]], "TOOL: Rubeus": [[250, 256]], "DOMAIN: storagesync.link": [[308, 324]], "DOMAIN: syncdata.top": [[329, 341]], "HASH: 45ed2f82017e2bb0c2e5a778b074191a2ce1ff3b": [[370, 410]], "EMAIL: admin@account-update.xyz": [[452, 476]], "IP_ADDRESS: 10.143.221.54": [[511, 524]], "FILEPATH: /tmp/sam.hive": [[566, 579]]}, "info": {"id": "synth_v2_00292", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 192.88.211.143, the Tenable IR team identified Emotet running as C:\\Users\\admin\\Desktop\\implant.so. The threat actor, believed to be Gamaredon, used PowerShell Empire for credential harvesting and Mimikatz for lateral movement. Exfiltrated data was sent to edge-update.dev and authmail.live. The initial dropper (SHA256: d297d3e2e21274a0c49f6f18de9db19d10cc8adfb13ef17bb6ce866946f2f356) was delivered via a phishing email from admin@secure-verify.net. 
A second C2 node was observed at 196.201.41.202, with a persistence mechanism writing to /etc/cron.d/lsass.dmp.", "spans": {"IP_ADDRESS: 192.88.211.143": [[64, 78]], "ORGANIZATION: Tenable": [[84, 91]], "MALWARE: Emotet": [[111, 117]], "FILEPATH: C:\\Users\\admin\\Desktop\\implant.so": [[129, 162]], "THREAT_ACTOR: Gamaredon": [[197, 206]], "TOOL: PowerShell Empire": [[213, 230]], "TOOL: Mimikatz": [[261, 269]], "DOMAIN: edge-update.dev": [[321, 336]], "DOMAIN: authmail.live": [[341, 354]], "HASH: d297d3e2e21274a0c49f6f18de9db19d10cc8adfb13ef17bb6ce866946f2f356": [[385, 449]], "EMAIL: admin@secure-verify.net": [[491, 514]], "IP_ADDRESS: 196.201.41.202": [[549, 563]], "FILEPATH: /etc/cron.d/lsass.dmp": [[605, 626]]}, "info": {"id": "synth_v2_00293", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 3.113.10.195, the Qualys IR team identified ShadowPad running as /tmp/svchost.exe. The threat actor, believed to be BlackTech, used Merlin for credential harvesting and SharpHound for lateral movement. Exfiltrated data was sent to datadata.online and cdnsync.online. The initial dropper (SHA256: 0495834527f982c62d02d95c44485efef7370df9ef53c2259adf2a36025e9f73) was delivered via a phishing email from hr@document-share.link. 
A second C2 node was observed at 175.183.98.24, with a persistence mechanism writing to /tmp/lsass.dmp.", "spans": {"IP_ADDRESS: 3.113.10.195": [[64, 76]], "ORGANIZATION: Qualys": [[82, 88]], "MALWARE: ShadowPad": [[108, 117]], "FILEPATH: /tmp/svchost.exe": [[129, 145]], "THREAT_ACTOR: BlackTech": [[180, 189]], "TOOL: Merlin": [[196, 202]], "TOOL: SharpHound": [[233, 243]], "DOMAIN: datadata.online": [[295, 310]], "DOMAIN: cdnsync.online": [[315, 329]], "HASH: 0495834527f982c62d02d95c44485efef7370df9ef53c2259adf2a36025e9f73": [[360, 424]], "EMAIL: hr@document-share.link": [[466, 488]], "IP_ADDRESS: 175.183.98.24": [[523, 536]], "FILEPATH: /tmp/lsass.dmp": [[578, 592]]}, "info": {"id": "synth_v2_00294", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 192.89.33.151, the Dragos IR team identified BatLoader running as C:\\Windows\\Tasks\\svchost.exe. The threat actor, believed to be Ember Bear, used Rubeus for credential harvesting and Certutil for lateral movement. Exfiltrated data was sent to node-sync.xyz and edge-static.info. The initial dropper (MD5: afd5ea5d4dbc3457f2eb01b07406949a) was delivered via a phishing email from contact@mail-service.info. 
A second C2 node was observed at 192.33.65.67, with a persistence mechanism writing to C:\\Program Files\\Common Files\\update.dll.", "spans": {"IP_ADDRESS: 192.89.33.151": [[64, 77]], "ORGANIZATION: Dragos": [[83, 89]], "MALWARE: BatLoader": [[109, 118]], "FILEPATH: C:\\Windows\\Tasks\\svchost.exe": [[130, 158]], "THREAT_ACTOR: Ember Bear": [[193, 203]], "TOOL: Rubeus": [[210, 216]], "TOOL: Certutil": [[247, 255]], "DOMAIN: node-sync.xyz": [[307, 320]], "DOMAIN: edge-static.info": [[325, 341]], "HASH: afd5ea5d4dbc3457f2eb01b07406949a": [[369, 401]], "EMAIL: contact@mail-service.info": [[443, 468]], "IP_ADDRESS: 192.33.65.67": [[503, 515]], "FILEPATH: C:\\Program Files\\Common Files\\update.dll": [[557, 597]]}, "info": {"id": "synth_v2_00295", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 93.22.114.13, the Recorded Future IR team identified Conti running as /var/tmp/runtime.dll. The threat actor, believed to be Star Blizzard, used LaZagne for credential harvesting and Brute Ratel for lateral movement. Exfiltrated data was sent to cloudstorage.net and data-gateway.net. The initial dropper (MD5: e77a6566c37f8e8e99a35398ebac896f) was delivered via a phishing email from alert@phishing-domain.com. 
A second C2 node was observed at 108.229.161.2, with a persistence mechanism writing to C:\\Users\\admin\\Downloads\\winlogon.exe.", "spans": {"IP_ADDRESS: 93.22.114.13": [[64, 76]], "ORGANIZATION: Recorded Future": [[82, 97]], "MALWARE: Conti": [[117, 122]], "FILEPATH: /var/tmp/runtime.dll": [[134, 154]], "THREAT_ACTOR: Star Blizzard": [[189, 202]], "TOOL: LaZagne": [[209, 216]], "TOOL: Brute Ratel": [[247, 258]], "DOMAIN: cloudstorage.net": [[310, 326]], "DOMAIN: data-gateway.net": [[331, 347]], "HASH: e77a6566c37f8e8e99a35398ebac896f": [[375, 407]], "EMAIL: alert@phishing-domain.com": [[449, 474]], "IP_ADDRESS: 108.229.161.2": [[509, 522]], "FILEPATH: C:\\Users\\admin\\Downloads\\winlogon.exe": [[564, 601]]}, "info": {"id": "synth_v2_00296", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 216.128.126.28, the Sophos X-Ops IR team identified Amadey running as C:\\Users\\Public\\Documents\\chrome_helper.exe. The threat actor, believed to be Storm-0558, used GhostPack for credential harvesting and Mimikatz for lateral movement. Exfiltrated data was sent to nodedata.net and authrelay.cc. The initial dropper (MD5: bc19f328f46def8f7c86728997e7f840) was delivered via a phishing email from info@account-update.xyz. 
A second C2 node was observed at 62.174.27.211, with a persistence mechanism writing to C:\\Users\\admin\\AppData\\Local\\Temp\\update.dll.", "spans": {"IP_ADDRESS: 216.128.126.28": [[64, 78]], "ORGANIZATION: Sophos X-Ops": [[84, 96]], "MALWARE: Amadey": [[116, 122]], "FILEPATH: C:\\Users\\Public\\Documents\\chrome_helper.exe": [[134, 177]], "THREAT_ACTOR: Storm-0558": [[212, 222]], "TOOL: GhostPack": [[229, 238]], "TOOL: Mimikatz": [[269, 277]], "DOMAIN: nodedata.net": [[329, 341]], "DOMAIN: authrelay.cc": [[346, 358]], "HASH: bc19f328f46def8f7c86728997e7f840": [[386, 418]], "EMAIL: info@account-update.xyz": [[460, 483]], "IP_ADDRESS: 62.174.27.211": [[518, 531]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\update.dll": [[573, 617]]}, "info": {"id": "synth_v2_00297", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.221.33.27, the Symantec IR team identified QakBot running as C:\\Windows\\Temp\\sam.hive. The threat actor, believed to be Diamond Sleet, used GhostPack for credential harvesting and Brute Ratel for lateral movement. Exfiltrated data was sent to portalauth.cc and datastatic.link. The initial dropper (MD5: c63bd85823dd7aa4685766fbb2ec976c) was delivered via a phishing email from report@document-share.link. 
A second C2 node was observed at 192.26.150.218, with a persistence mechanism writing to C:\\Users\\admin\\Desktop\\sam.hive.", "spans": {"IP_ADDRESS: 172.221.33.27": [[64, 77]], "ORGANIZATION: Symantec": [[83, 91]], "MALWARE: QakBot": [[111, 117]], "FILEPATH: C:\\Windows\\Temp\\sam.hive": [[129, 153]], "THREAT_ACTOR: Diamond Sleet": [[188, 201]], "TOOL: GhostPack": [[208, 217]], "TOOL: Brute Ratel": [[248, 259]], "DOMAIN: portalauth.cc": [[311, 324]], "DOMAIN: datastatic.link": [[329, 344]], "HASH: c63bd85823dd7aa4685766fbb2ec976c": [[372, 404]], "EMAIL: report@document-share.link": [[446, 472]], "IP_ADDRESS: 192.26.150.218": [[507, 521]], "FILEPATH: C:\\Users\\admin\\Desktop\\sam.hive": [[563, 594]]}, "info": {"id": "synth_v2_00298", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.168.98.28, the Microsoft MSRC IR team identified Ryuk running as C:\\Users\\admin\\Downloads\\helper.sh. The threat actor, believed to be Scattered Spider, used Sharphound for credential harvesting and PowerView for lateral movement. Exfiltrated data was sent to node-sync.tech and proxystatic.online. The initial dropper (SHA256: deee9e2824273c0e44aaeca670f1aeb23e39bc6e2e193c3ffcbe8701861ae169) was delivered via a phishing email from finance@document-share.link. 
A second C2 node was observed at 10.34.99.232, with a persistence mechanism writing to C:\\Windows\\System32\\update.dll.", "spans": {"IP_ADDRESS: 172.168.98.28": [[64, 77]], "ORGANIZATION: Microsoft MSRC": [[83, 97]], "MALWARE: Ryuk": [[117, 121]], "FILEPATH: C:\\Users\\admin\\Downloads\\helper.sh": [[133, 167]], "THREAT_ACTOR: Scattered Spider": [[202, 218]], "TOOL: Sharphound": [[225, 235]], "TOOL: PowerView": [[266, 275]], "DOMAIN: node-sync.tech": [[327, 341]], "DOMAIN: proxystatic.online": [[346, 364]], "HASH: deee9e2824273c0e44aaeca670f1aeb23e39bc6e2e193c3ffcbe8701861ae169": [[395, 459]], "EMAIL: finance@document-share.link": [[501, 528]], "IP_ADDRESS: 10.34.99.232": [[563, 575]], "FILEPATH: C:\\Windows\\System32\\update.dll": [[617, 647]]}, "info": {"id": "synth_v2_00299", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 80.74.75.121, the Check Point Research IR team identified XLoader running as C:\\Users\\admin\\AppData\\Local\\Temp\\ntds.dit. The threat actor, believed to be Charming Kitten, used Sharphound for credential harvesting and Seatbelt for lateral movement. Exfiltrated data was sent to node-cache.top and cdn-data.io. The initial dropper (SHA256: 998bda2fe0de18d02d8ed00eb66d02a7581f6a6d2a707e785d784bbb9b335a4f) was delivered via a phishing email from billing@secure-verify.net. 
A second C2 node was observed at 155.175.149.95, with a persistence mechanism writing to /etc/cron.d/runtime.dll.", "spans": {"IP_ADDRESS: 80.74.75.121": [[64, 76]], "ORGANIZATION: Check Point Research": [[82, 102]], "MALWARE: XLoader": [[122, 129]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\ntds.dit": [[141, 183]], "THREAT_ACTOR: Charming Kitten": [[218, 233]], "TOOL: Sharphound": [[240, 250]], "TOOL: Seatbelt": [[281, 289]], "DOMAIN: node-cache.top": [[341, 355]], "DOMAIN: cdn-data.io": [[360, 371]], "HASH: 998bda2fe0de18d02d8ed00eb66d02a7581f6a6d2a707e785d784bbb9b335a4f": [[402, 466]], "EMAIL: billing@secure-verify.net": [[508, 533]], "IP_ADDRESS: 155.175.149.95": [[568, 582]], "FILEPATH: /etc/cron.d/runtime.dll": [[624, 647]]}, "info": {"id": "synth_v2_00300", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 154.169.171.158, the Proofpoint IR team identified NjRAT running as /tmp/helper.sh. The threat actor, believed to be Sandworm, used PowerView for credential harvesting and PowerShell Empire for lateral movement. Exfiltrated data was sent to cdnproxy.xyz and data-data.online. The initial dropper (SHA1: edb04ccfb4ef20ac3fa5bbf206ab7c1f1528799a) was delivered via a phishing email from billing@identity-verify.cc. 
A second C2 node was observed at 108.168.83.27, with a persistence mechanism writing to /dev/shm/winlogon.exe.", "spans": {"IP_ADDRESS: 154.169.171.158": [[64, 79]], "ORGANIZATION: Proofpoint": [[85, 95]], "MALWARE: NjRAT": [[115, 120]], "FILEPATH: /tmp/helper.sh": [[132, 146]], "THREAT_ACTOR: Sandworm": [[181, 189]], "TOOL: PowerView": [[196, 205]], "TOOL: PowerShell Empire": [[236, 253]], "DOMAIN: cdnproxy.xyz": [[305, 317]], "DOMAIN: data-data.online": [[322, 338]], "HASH: edb04ccfb4ef20ac3fa5bbf206ab7c1f1528799a": [[367, 407]], "EMAIL: billing@identity-verify.cc": [[449, 475]], "IP_ADDRESS: 108.168.83.27": [[510, 523]], "FILEPATH: /dev/shm/winlogon.exe": [[565, 586]]}, "info": {"id": "synth_v2_00301", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 10.183.15.143, the Google TAG IR team identified DarkSide running as /usr/local/bin/config.dat. The threat actor, believed to be Flax Typhoon, used Mimikatz for credential harvesting and Chisel for lateral movement. Exfiltrated data was sent to cdnupdate.xyz and backup-secure.xyz. The initial dropper (SHA256: 46df36a3d7fe810656778e810a48b3e199927033eb81cf0af431fcccffc6084c) was delivered via a phishing email from billing@phishing-domain.com. 
A second C2 node was observed at 10.148.225.50, with a persistence mechanism writing to /opt/app/bin/dropper.ps1.", "spans": {"IP_ADDRESS: 10.183.15.143": [[64, 77]], "ORGANIZATION: Google TAG": [[83, 93]], "MALWARE: DarkSide": [[113, 121]], "FILEPATH: /usr/local/bin/config.dat": [[133, 158]], "THREAT_ACTOR: Flax Typhoon": [[193, 205]], "TOOL: Mimikatz": [[212, 220]], "TOOL: Chisel": [[251, 257]], "DOMAIN: cdnupdate.xyz": [[309, 322]], "DOMAIN: backup-secure.xyz": [[327, 344]], "HASH: 46df36a3d7fe810656778e810a48b3e199927033eb81cf0af431fcccffc6084c": [[375, 439]], "EMAIL: billing@phishing-domain.com": [[481, 508]], "IP_ADDRESS: 10.148.225.50": [[543, 556]], "FILEPATH: /opt/app/bin/dropper.ps1": [[598, 622]]}, "info": {"id": "synth_v2_00302", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 10.70.194.168, the Rapid7 IR team identified DarkSide running as C:\\Program Files\\Common Files\\chrome_helper.exe. The threat actor, believed to be Flax Typhoon, used Nmap for credential harvesting and Merlin for lateral movement. Exfiltrated data was sent to mail-mail.top and node-static.dev. The initial dropper (SHA256: 3a0abc0538bd21516bd0ca4734505514cd0fbc57e200e964a6d4da9bf68b1d89) was delivered via a phishing email from billing@login-portal.tech. 
A second C2 node was observed at 172.107.156.117, with a persistence mechanism writing to C:\\Users\\Public\\Documents\\payload.bin.", "spans": {"IP_ADDRESS: 10.70.194.168": [[64, 77]], "ORGANIZATION: Rapid7": [[83, 89]], "MALWARE: DarkSide": [[109, 117]], "FILEPATH: C:\\Program Files\\Common Files\\chrome_helper.exe": [[129, 176]], "THREAT_ACTOR: Flax Typhoon": [[211, 223]], "TOOL: Nmap": [[230, 234]], "TOOL: Merlin": [[265, 271]], "DOMAIN: mail-mail.top": [[323, 336]], "DOMAIN: node-static.dev": [[341, 356]], "HASH: 3a0abc0538bd21516bd0ca4734505514cd0fbc57e200e964a6d4da9bf68b1d89": [[387, 451]], "EMAIL: billing@login-portal.tech": [[493, 518]], "IP_ADDRESS: 172.107.156.117": [[553, 568]], "FILEPATH: C:\\Users\\Public\\Documents\\payload.bin": [[610, 647]]}, "info": {"id": "synth_v2_00303", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 154.219.125.236, the INTERPOL IR team identified WarmCookie running as /dev/shm/runtime.dll. The threat actor, believed to be Volt Typhoon, used WinPEAS for credential harvesting and Chisel for lateral movement. Exfiltrated data was sent to storage-data.com and loginnode.cc. The initial dropper (SHA1: 231dbd42550c6a131dd2d87f0bfcd1f9302bfcc5) was delivered via a phishing email from info@account-update.xyz. 
A second C2 node was observed at 192.96.150.203, with a persistence mechanism writing to C:\\ProgramData\\beacon.dll.", "spans": {"IP_ADDRESS: 154.219.125.236": [[64, 79]], "ORGANIZATION: INTERPOL": [[85, 93]], "MALWARE: WarmCookie": [[113, 123]], "FILEPATH: /dev/shm/runtime.dll": [[135, 155]], "THREAT_ACTOR: Volt Typhoon": [[190, 202]], "TOOL: WinPEAS": [[209, 216]], "TOOL: Chisel": [[247, 253]], "DOMAIN: storage-data.com": [[305, 321]], "DOMAIN: loginnode.cc": [[326, 338]], "HASH: 231dbd42550c6a131dd2d87f0bfcd1f9302bfcc5": [[367, 407]], "EMAIL: info@account-update.xyz": [[449, 472]], "IP_ADDRESS: 192.96.150.203": [[507, 521]], "FILEPATH: C:\\ProgramData\\beacon.dll": [[563, 588]]}, "info": {"id": "synth_v2_00304", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 128.237.91.83, the Trend Micro IR team identified BatLoader running as /tmp/sam.hive. The threat actor, believed to be Volt Typhoon, used Seatbelt for credential harvesting and Mythic for lateral movement. Exfiltrated data was sent to cacheportal.top and cloud-data.dev. The initial dropper (SHA256: 598a21720a6717ed82c472c0780a0f5ff34087ce22538762b0de54a950dd3a0e) was delivered via a phishing email from contact@identity-verify.cc. 
A second C2 node was observed at 135.247.253.122, with a persistence mechanism writing to /var/tmp/lsass.dmp.", "spans": {"IP_ADDRESS: 128.237.91.83": [[64, 77]], "ORGANIZATION: Trend Micro": [[83, 94]], "MALWARE: BatLoader": [[114, 123]], "FILEPATH: /tmp/sam.hive": [[135, 148]], "THREAT_ACTOR: Volt Typhoon": [[183, 195]], "TOOL: Seatbelt": [[202, 210]], "TOOL: Mythic": [[241, 247]], "DOMAIN: cacheportal.top": [[299, 314]], "DOMAIN: cloud-data.dev": [[319, 333]], "HASH: 598a21720a6717ed82c472c0780a0f5ff34087ce22538762b0de54a950dd3a0e": [[364, 428]], "EMAIL: contact@identity-verify.cc": [[470, 496]], "IP_ADDRESS: 135.247.253.122": [[531, 546]], "FILEPATH: /var/tmp/lsass.dmp": [[588, 606]]}, "info": {"id": "synth_v2_00305", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 66.43.68.193, the Kaspersky GReAT IR team identified DanaBot running as C:\\Program Files\\Common Files\\ntds.dit. The threat actor, believed to be Turla, used Merlin for credential harvesting and Covenant for lateral movement. Exfiltrated data was sent to relay-node.cc and gatewayrelay.online. The initial dropper (MD5: e693748ddc31f09e9619e52c44641f38) was delivered via a phishing email from service@phishing-domain.com. 
A second C2 node was observed at 172.227.180.59, with a persistence mechanism writing to /etc/cron.d/beacon.dll.", "spans": {"IP_ADDRESS: 66.43.68.193": [[64, 76]], "ORGANIZATION: Kaspersky GReAT": [[82, 97]], "MALWARE: DanaBot": [[117, 124]], "FILEPATH: C:\\Program Files\\Common Files\\ntds.dit": [[136, 174]], "THREAT_ACTOR: Turla": [[209, 214]], "TOOL: Merlin": [[221, 227]], "TOOL: Covenant": [[258, 266]], "DOMAIN: relay-node.cc": [[318, 331]], "DOMAIN: gatewayrelay.online": [[336, 355]], "HASH: e693748ddc31f09e9619e52c44641f38": [[383, 415]], "EMAIL: service@phishing-domain.com": [[457, 484]], "IP_ADDRESS: 172.227.180.59": [[519, 533]], "FILEPATH: /etc/cron.d/beacon.dll": [[575, 597]]}, "info": {"id": "synth_v2_00306", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.42.150.216, the Secureworks IR team identified DarkSide running as /opt/app/bin/backdoor.elf. The threat actor, believed to be Midnight Blizzard, used PsExec for credential harvesting and Nmap for lateral movement. Exfiltrated data was sent to mail-cdn.io and storage-cloud.top. The initial dropper (SHA256: 50ed04b66f573f7fead9b119d3ba0ab959baeabcdcd844bfd2f3b6314ef8ef59) was delivered via a phishing email from report@account-update.xyz. 
A second C2 node was observed at 172.116.50.31, with a persistence mechanism writing to /home/user/.config/backdoor.elf.", "spans": {"IP_ADDRESS: 172.42.150.216": [[64, 78]], "ORGANIZATION: Secureworks": [[84, 95]], "MALWARE: DarkSide": [[115, 123]], "FILEPATH: /opt/app/bin/backdoor.elf": [[135, 160]], "THREAT_ACTOR: Midnight Blizzard": [[195, 212]], "TOOL: PsExec": [[219, 225]], "TOOL: Nmap": [[256, 260]], "DOMAIN: mail-cdn.io": [[312, 323]], "DOMAIN: storage-cloud.top": [[328, 345]], "HASH: 50ed04b66f573f7fead9b119d3ba0ab959baeabcdcd844bfd2f3b6314ef8ef59": [[376, 440]], "EMAIL: report@account-update.xyz": [[482, 507]], "IP_ADDRESS: 172.116.50.31": [[542, 555]], "FILEPATH: /home/user/.config/backdoor.elf": [[597, 628]]}, "info": {"id": "synth_v2_00307", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 73.177.206.243, the Qualys IR team identified WarmCookie running as C:\\Windows\\Tasks\\sam.hive. The threat actor, believed to be Diamond Sleet, used Nmap for credential harvesting and Mimikatz for lateral movement. Exfiltrated data was sent to portal-data.xyz and proxy-data.io. The initial dropper (MD5: acff08b676873260f3fdfac2ce026b4b) was delivered via a phishing email from billing@identity-verify.cc. 
A second C2 node was observed at 211.6.241.168, with a persistence mechanism writing to /opt/app/bin/chrome_helper.exe.", "spans": {"IP_ADDRESS: 73.177.206.243": [[64, 78]], "ORGANIZATION: Qualys": [[84, 90]], "MALWARE: WarmCookie": [[110, 120]], "FILEPATH: C:\\Windows\\Tasks\\sam.hive": [[132, 157]], "THREAT_ACTOR: Diamond Sleet": [[192, 205]], "TOOL: Nmap": [[212, 216]], "TOOL: Mimikatz": [[247, 255]], "DOMAIN: portal-data.xyz": [[307, 322]], "DOMAIN: proxy-data.io": [[327, 340]], "HASH: acff08b676873260f3fdfac2ce026b4b": [[368, 400]], "EMAIL: billing@identity-verify.cc": [[442, 468]], "IP_ADDRESS: 211.6.241.168": [[503, 516]], "FILEPATH: /opt/app/bin/chrome_helper.exe": [[558, 588]]}, "info": {"id": "synth_v2_00308", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.71.65.79, the Check Point Research IR team identified FormBook running as C:\\Users\\admin\\AppData\\Local\\Temp\\payload.bin. The threat actor, believed to be Sandworm, used Brute Ratel for credential harvesting and Havoc for lateral movement. Exfiltrated data was sent to gatewayportal.link and storagecache.com. The initial dropper (SHA1: 3fc5d879532f3905af0e4dd95294cf9728b24344) was delivered via a phishing email from report@document-share.link. 
A second C2 node was observed at 172.181.173.58, with a persistence mechanism writing to C:\\Windows\\System32\\winlogon.exe.", "spans": {"IP_ADDRESS: 172.71.65.79": [[64, 76]], "ORGANIZATION: Check Point Research": [[82, 102]], "MALWARE: FormBook": [[122, 130]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\payload.bin": [[142, 187]], "THREAT_ACTOR: Sandworm": [[222, 230]], "TOOL: Brute Ratel": [[237, 248]], "TOOL: Havoc": [[279, 284]], "DOMAIN: gatewayportal.link": [[336, 354]], "DOMAIN: storagecache.com": [[359, 375]], "HASH: 3fc5d879532f3905af0e4dd95294cf9728b24344": [[404, 444]], "EMAIL: report@document-share.link": [[486, 512]], "IP_ADDRESS: 172.181.173.58": [[547, 561]], "FILEPATH: C:\\Windows\\System32\\winlogon.exe": [[603, 635]]}, "info": {"id": "synth_v2_00309", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 17.197.96.122, the Cisco Talos IR team identified DanaBot running as C:\\Users\\admin\\Downloads\\runtime.dll. The threat actor, believed to be Salt Typhoon, used Ligolo for credential harvesting and SharpHound for lateral movement. Exfiltrated data was sent to auth-edge.org and static-proxy.com. The initial dropper (MD5: 30d739b0d350f64911bc0657d0bce8d0) was delivered via a phishing email from helpdesk@mail-service.info. 
A second C2 node was observed at 172.231.155.24, with a persistence mechanism writing to C:\\ProgramData\\lsass.dmp.", "spans": {"IP_ADDRESS: 17.197.96.122": [[64, 77]], "ORGANIZATION: Cisco Talos": [[83, 94]], "MALWARE: DanaBot": [[114, 121]], "FILEPATH: C:\\Users\\admin\\Downloads\\runtime.dll": [[133, 169]], "THREAT_ACTOR: Salt Typhoon": [[204, 216]], "TOOL: Ligolo": [[223, 229]], "TOOL: SharpHound": [[260, 270]], "DOMAIN: auth-edge.org": [[322, 335]], "DOMAIN: static-proxy.com": [[340, 356]], "HASH: 30d739b0d350f64911bc0657d0bce8d0": [[384, 416]], "EMAIL: helpdesk@mail-service.info": [[458, 484]], "IP_ADDRESS: 172.231.155.24": [[519, 533]], "FILEPATH: C:\\ProgramData\\lsass.dmp": [[575, 599]]}, "info": {"id": "synth_v2_00310", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 133.5.87.84, the Trend Micro IR team identified PikaBot running as C:\\Program Files\\Common Files\\beacon.dll. The threat actor, believed to be Lazarus Group, used Brute Ratel for credential harvesting and BloodHound for lateral movement. Exfiltrated data was sent to proxyapi.site and login-cloud.info. The initial dropper (SHA1: dc826857b57b6e8dd5b7a84ab9095cd7c98c725f) was delivered via a phishing email from notification@login-portal.tech. 
A second C2 node was observed at 101.80.56.34, with a persistence mechanism writing to C:\\Users\\admin\\Downloads\\implant.so.", "spans": {"IP_ADDRESS: 133.5.87.84": [[64, 75]], "ORGANIZATION: Trend Micro": [[81, 92]], "MALWARE: PikaBot": [[112, 119]], "FILEPATH: C:\\Program Files\\Common Files\\beacon.dll": [[131, 171]], "THREAT_ACTOR: Lazarus Group": [[206, 219]], "TOOL: Brute Ratel": [[226, 237]], "TOOL: BloodHound": [[268, 278]], "DOMAIN: proxyapi.site": [[330, 343]], "DOMAIN: login-cloud.info": [[348, 364]], "HASH: dc826857b57b6e8dd5b7a84ab9095cd7c98c725f": [[393, 433]], "EMAIL: notification@login-portal.tech": [[475, 505]], "IP_ADDRESS: 101.80.56.34": [[540, 552]], "FILEPATH: C:\\Users\\admin\\Downloads\\implant.so": [[594, 629]]}, "info": {"id": "synth_v2_00311", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 52.3.73.115, the Tenable IR team identified BatLoader running as C:\\Windows\\Tasks\\csrss.exe. The threat actor, believed to be Forest Blizzard, used PowerView for credential harvesting and Brute Ratel for lateral movement. Exfiltrated data was sent to relayrelay.cc and api-backup.top. The initial dropper (SHA1: 0fc771507060e2d96e9cf73b4b39f48bba21660e) was delivered via a phishing email from security@identity-verify.cc. 
A second C2 node was observed at 172.126.168.234, with a persistence mechanism writing to /home/user/.config/lsass.dmp.", "spans": {"IP_ADDRESS: 52.3.73.115": [[64, 75]], "ORGANIZATION: Tenable": [[81, 88]], "MALWARE: BatLoader": [[108, 117]], "FILEPATH: C:\\Windows\\Tasks\\csrss.exe": [[129, 155]], "THREAT_ACTOR: Forest Blizzard": [[190, 205]], "TOOL: PowerView": [[212, 221]], "TOOL: Brute Ratel": [[252, 263]], "DOMAIN: relayrelay.cc": [[315, 328]], "DOMAIN: api-backup.top": [[333, 347]], "HASH: 0fc771507060e2d96e9cf73b4b39f48bba21660e": [[376, 416]], "EMAIL: security@identity-verify.cc": [[458, 485]], "IP_ADDRESS: 172.126.168.234": [[520, 535]], "FILEPATH: /home/user/.config/lsass.dmp": [[577, 605]]}, "info": {"id": "synth_v2_00312", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 118.196.93.179, the Huntress IR team identified BumbleBee running as C:\\Users\\Public\\Documents\\csrss.exe. The threat actor, believed to be Turla, used Mythic for credential harvesting and ADFind for lateral movement. Exfiltrated data was sent to sync-edge.info and cloud-proxy.site. The initial dropper (SHA1: b861d5012471cd92d1feafe9ceabd0e9ee389868) was delivered via a phishing email from ceo@identity-verify.cc. 
A second C2 node was observed at 172.22.122.227, with a persistence mechanism writing to C:\\ProgramData\\taskhost.exe.", "spans": {"IP_ADDRESS: 118.196.93.179": [[64, 78]], "ORGANIZATION: Huntress": [[84, 92]], "MALWARE: BumbleBee": [[112, 121]], "FILEPATH: C:\\Users\\Public\\Documents\\csrss.exe": [[133, 168]], "THREAT_ACTOR: Turla": [[203, 208]], "TOOL: Mythic": [[215, 221]], "TOOL: ADFind": [[252, 258]], "DOMAIN: sync-edge.info": [[310, 324]], "DOMAIN: cloud-proxy.site": [[329, 345]], "HASH: b861d5012471cd92d1feafe9ceabd0e9ee389868": [[374, 414]], "EMAIL: ceo@identity-verify.cc": [[456, 478]], "IP_ADDRESS: 172.22.122.227": [[513, 527]], "FILEPATH: C:\\ProgramData\\taskhost.exe": [[569, 596]]}, "info": {"id": "synth_v2_00313", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.13.37.164, the NCSC IR team identified PlugX running as C:\\Windows\\Tasks\\beacon.dll. The threat actor, believed to be Turla, used Nmap for credential harvesting and SharpHound for lateral movement. Exfiltrated data was sent to portal-cdn.com and authlogin.tech. The initial dropper (SHA256: c1f9db217ef38335ec8dea7b5307c7d7248581188b919b9cac0b287dd94c2318) was delivered via a phishing email from helpdesk@credential-check.site. 
A second C2 node was observed at 98.175.204.220, with a persistence mechanism writing to C:\\Windows\\Tasks\\chrome_helper.exe.", "spans": {"IP_ADDRESS: 172.13.37.164": [[64, 77]], "ORGANIZATION: NCSC": [[83, 87]], "MALWARE: PlugX": [[107, 112]], "FILEPATH: C:\\Windows\\Tasks\\beacon.dll": [[124, 151]], "THREAT_ACTOR: Turla": [[186, 191]], "TOOL: Nmap": [[198, 202]], "TOOL: SharpHound": [[233, 243]], "DOMAIN: portal-cdn.com": [[295, 309]], "DOMAIN: authlogin.tech": [[314, 328]], "HASH: c1f9db217ef38335ec8dea7b5307c7d7248581188b919b9cac0b287dd94c2318": [[359, 423]], "EMAIL: helpdesk@credential-check.site": [[465, 495]], "IP_ADDRESS: 98.175.204.220": [[530, 544]], "FILEPATH: C:\\Windows\\Tasks\\chrome_helper.exe": [[586, 620]]}, "info": {"id": "synth_v2_00314", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 10.9.51.46, the Mandiant IR team identified BlackCat running as C:\\Users\\admin\\AppData\\Local\\Temp\\dropper.ps1. The threat actor, believed to be Ember Bear, used Covenant for credential harvesting and Nmap for lateral movement. Exfiltrated data was sent to sync-login.online and securecloud.club. The initial dropper (SHA1: c73a1e6ca9e00a723cc36bd448f20b96d4fa5535) was delivered via a phishing email from account@secure-verify.net. 
A second C2 node was observed at 32.200.86.20, with a persistence mechanism writing to /tmp/sam.hive.", "spans": {"IP_ADDRESS: 10.9.51.46": [[64, 74]], "ORGANIZATION: Mandiant": [[80, 88]], "MALWARE: BlackCat": [[108, 116]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\dropper.ps1": [[128, 173]], "THREAT_ACTOR: Ember Bear": [[208, 218]], "TOOL: Covenant": [[225, 233]], "TOOL: Nmap": [[264, 268]], "DOMAIN: sync-login.online": [[320, 337]], "DOMAIN: securecloud.club": [[342, 358]], "HASH: c73a1e6ca9e00a723cc36bd448f20b96d4fa5535": [[387, 427]], "EMAIL: account@secure-verify.net": [[469, 494]], "IP_ADDRESS: 32.200.86.20": [[529, 541]], "FILEPATH: /tmp/sam.hive": [[583, 596]]}, "info": {"id": "synth_v2_00315", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 192.2.24.198, the Google TAG IR team identified Raccoon Stealer running as /tmp/chrome_helper.exe. The threat actor, believed to be Forest Blizzard, used Burp Suite for credential harvesting and Brute Ratel for lateral movement. Exfiltrated data was sent to cloud-api.com and updateupdate.tech. The initial dropper (SHA1: fd3f254cab9c57d960996b3055a38fe6a2bca537) was delivered via a phishing email from security@phishing-domain.com. 
A second C2 node was observed at 197.103.127.96, with a persistence mechanism writing to /var/tmp/taskhost.exe.", "spans": {"IP_ADDRESS: 192.2.24.198": [[64, 76]], "ORGANIZATION: Google TAG": [[82, 92]], "MALWARE: Raccoon Stealer": [[112, 127]], "FILEPATH: /tmp/chrome_helper.exe": [[139, 161]], "THREAT_ACTOR: Forest Blizzard": [[196, 211]], "TOOL: Burp Suite": [[218, 228]], "TOOL: Brute Ratel": [[259, 270]], "DOMAIN: cloud-api.com": [[322, 335]], "DOMAIN: updateupdate.tech": [[340, 357]], "HASH: fd3f254cab9c57d960996b3055a38fe6a2bca537": [[386, 426]], "EMAIL: security@phishing-domain.com": [[468, 496]], "IP_ADDRESS: 197.103.127.96": [[531, 545]], "FILEPATH: /var/tmp/taskhost.exe": [[587, 608]]}, "info": {"id": "synth_v2_00316", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 83.97.106.240, the Zscaler ThreatLabz IR team identified FormBook running as C:\\Users\\admin\\Desktop\\runtime.dll. The threat actor, believed to be Charming Kitten, used Metasploit for credential harvesting and Covenant for lateral movement. Exfiltrated data was sent to mail-storage.org and portal-storage.com. The initial dropper (SHA256: 511d154bd149ab61a992edcdc115fcfa68d56bd3ad3ec80bc55163f6ffcb14db) was delivered via a phishing email from hr@document-share.link. 
A second C2 node was observed at 110.61.118.55, with a persistence mechanism writing to C:\\Windows\\Tasks\\helper.sh.", "spans": {"IP_ADDRESS: 83.97.106.240": [[64, 77]], "ORGANIZATION: Zscaler ThreatLabz": [[83, 101]], "MALWARE: FormBook": [[121, 129]], "FILEPATH: C:\\Users\\admin\\Desktop\\runtime.dll": [[141, 175]], "THREAT_ACTOR: Charming Kitten": [[210, 225]], "TOOL: Metasploit": [[232, 242]], "TOOL: Covenant": [[273, 281]], "DOMAIN: mail-storage.org": [[333, 349]], "DOMAIN: portal-storage.com": [[354, 372]], "HASH: 511d154bd149ab61a992edcdc115fcfa68d56bd3ad3ec80bc55163f6ffcb14db": [[403, 467]], "EMAIL: hr@document-share.link": [[509, 531]], "IP_ADDRESS: 110.61.118.55": [[566, 579]], "FILEPATH: C:\\Windows\\Tasks\\helper.sh": [[621, 647]]}, "info": {"id": "synth_v2_00317", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.154.255.252, the INTERPOL IR team identified RedLine Stealer running as /opt/app/bin/beacon.dll. The threat actor, believed to be APT29, used Impacket for credential harvesting and Mythic for lateral movement. Exfiltrated data was sent to static-storage.top and loginstorage.org. The initial dropper (SHA256: 0e3fd2938c6fdc3f2746fc2a5dac69ceaac019bb537eedf4531c58ffdcafd267) was delivered via a phishing email from notification@credential-check.site. 
A second C2 node was observed at 192.87.128.246, with a persistence mechanism writing to C:\\ProgramData\\winlogon.exe.", "spans": {"IP_ADDRESS: 172.154.255.252": [[64, 79]], "ORGANIZATION: INTERPOL": [[85, 93]], "MALWARE: RedLine Stealer": [[113, 128]], "FILEPATH: /opt/app/bin/beacon.dll": [[140, 163]], "THREAT_ACTOR: APT29": [[198, 203]], "TOOL: Impacket": [[210, 218]], "TOOL: Mythic": [[249, 255]], "DOMAIN: static-storage.top": [[307, 325]], "DOMAIN: loginstorage.org": [[330, 346]], "HASH: 0e3fd2938c6fdc3f2746fc2a5dac69ceaac019bb537eedf4531c58ffdcafd267": [[377, 441]], "EMAIL: notification@credential-check.site": [[483, 517]], "IP_ADDRESS: 192.87.128.246": [[552, 566]], "FILEPATH: C:\\ProgramData\\winlogon.exe": [[608, 635]]}, "info": {"id": "synth_v2_00318", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 192.6.119.6, the Mandiant IR team identified Raccoon Stealer running as /tmp/payload.bin. The threat actor, believed to be Charming Kitten, used Sharphound for credential harvesting and LinPEAS for lateral movement. Exfiltrated data was sent to static-api.com and mail-proxy.info. The initial dropper (SHA1: 7221d2e63397358adf964b6f71df28671b273522) was delivered via a phishing email from helpdesk@document-share.link. 
A second C2 node was observed at 172.121.219.194, with a persistence mechanism writing to C:\\Users\\admin\\Desktop\\runtime.dll.", "spans": {"IP_ADDRESS: 192.6.119.6": [[64, 75]], "ORGANIZATION: Mandiant": [[81, 89]], "MALWARE: Raccoon Stealer": [[109, 124]], "FILEPATH: /tmp/payload.bin": [[136, 152]], "THREAT_ACTOR: Charming Kitten": [[187, 202]], "TOOL: Sharphound": [[209, 219]], "TOOL: LinPEAS": [[250, 257]], "DOMAIN: static-api.com": [[309, 323]], "DOMAIN: mail-proxy.info": [[328, 343]], "HASH: 7221d2e63397358adf964b6f71df28671b273522": [[372, 412]], "EMAIL: helpdesk@document-share.link": [[454, 482]], "IP_ADDRESS: 172.121.219.194": [[517, 532]], "FILEPATH: C:\\Users\\admin\\Desktop\\runtime.dll": [[574, 608]]}, "info": {"id": "synth_v2_00319", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.162.20.134, the Check Point Research IR team identified PlugX running as C:\\Users\\admin\\Desktop\\loader.exe. The threat actor, believed to be Aqua Blizzard, used Mythic for credential harvesting and Hashcat for lateral movement. Exfiltrated data was sent to storagedata.xyz and data-data.cc. The initial dropper (MD5: c9d4fbb81665eda7221f0d026f030894) was delivered via a phishing email from admin@secure-verify.net. 
A second C2 node was observed at 166.147.12.59, with a persistence mechanism writing to /opt/app/bin/config.dat.", "spans": {"IP_ADDRESS: 172.162.20.134": [[64, 78]], "ORGANIZATION: Check Point Research": [[84, 104]], "MALWARE: PlugX": [[124, 129]], "FILEPATH: C:\\Users\\admin\\Desktop\\loader.exe": [[141, 174]], "THREAT_ACTOR: Aqua Blizzard": [[209, 222]], "TOOL: Mythic": [[229, 235]], "TOOL: Hashcat": [[266, 273]], "DOMAIN: storagedata.xyz": [[325, 340]], "DOMAIN: data-data.cc": [[345, 357]], "HASH: c9d4fbb81665eda7221f0d026f030894": [[385, 417]], "EMAIL: admin@secure-verify.net": [[459, 482]], "IP_ADDRESS: 166.147.12.59": [[517, 530]], "FILEPATH: /opt/app/bin/config.dat": [[572, 595]]}, "info": {"id": "synth_v2_00320", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 10.64.46.45, the Check Point Research IR team identified Qbot running as /var/tmp/agent.py. The threat actor, believed to be Lazarus Group, used SharpHound for credential harvesting and BloodHound for lateral movement. Exfiltrated data was sent to backupsecure.club and data-gateway.org. The initial dropper (MD5: 0db6dee1d00f30c4c7a60236eef49ce1) was delivered via a phishing email from billing@mail-service.info. 
A second C2 node was observed at 10.40.218.186, with a persistence mechanism writing to /home/user/.config/shell.php.", "spans": {"IP_ADDRESS: 10.64.46.45": [[64, 75]], "ORGANIZATION: Check Point Research": [[81, 101]], "MALWARE: Qbot": [[121, 125]], "FILEPATH: /var/tmp/agent.py": [[137, 154]], "THREAT_ACTOR: Lazarus Group": [[189, 202]], "TOOL: SharpHound": [[209, 219]], "TOOL: BloodHound": [[250, 260]], "DOMAIN: backupsecure.club": [[312, 329]], "DOMAIN: data-gateway.org": [[334, 350]], "HASH: 0db6dee1d00f30c4c7a60236eef49ce1": [[378, 410]], "EMAIL: billing@mail-service.info": [[452, 477]], "IP_ADDRESS: 10.40.218.186": [[512, 525]], "FILEPATH: /home/user/.config/shell.php": [[567, 595]]}, "info": {"id": "synth_v2_00321", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 43.241.225.109, the CISA IR team identified Amadey running as C:\\Users\\admin\\Downloads\\backdoor.elf. The threat actor, believed to be Lazarus Group, used Chisel for credential harvesting and Ligolo for lateral movement. Exfiltrated data was sent to gatewayapi.link and staticedge.org. The initial dropper (MD5: a60826193610bf0ce9276cd92197e17b) was delivered via a phishing email from finance@identity-verify.cc. 
A second C2 node was observed at 195.79.246.6, with a persistence mechanism writing to C:\\Users\\admin\\Desktop\\sam.hive.", "spans": {"IP_ADDRESS: 43.241.225.109": [[64, 78]], "ORGANIZATION: CISA": [[84, 88]], "MALWARE: Amadey": [[108, 114]], "FILEPATH: C:\\Users\\admin\\Downloads\\backdoor.elf": [[126, 163]], "THREAT_ACTOR: Lazarus Group": [[198, 211]], "TOOL: Chisel": [[218, 224]], "TOOL: Ligolo": [[255, 261]], "DOMAIN: gatewayapi.link": [[313, 328]], "DOMAIN: staticedge.org": [[333, 347]], "HASH: a60826193610bf0ce9276cd92197e17b": [[375, 407]], "EMAIL: finance@identity-verify.cc": [[449, 475]], "IP_ADDRESS: 195.79.246.6": [[510, 522]], "FILEPATH: C:\\Users\\admin\\Desktop\\sam.hive": [[564, 595]]}, "info": {"id": "synth_v2_00322", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 35.240.100.40, the FireEye IR team identified Latrodectus running as C:\\ProgramData\\ntds.dit. The threat actor, believed to be Gamaredon, used PowerShell Empire for credential harvesting and Impacket for lateral movement. Exfiltrated data was sent to gatewayportal.club and portalproxy.info. The initial dropper (MD5: cf5505d7c8ee70ae0716a8921318ae42) was delivered via a phishing email from notification@account-update.xyz. 
A second C2 node was observed at 10.6.191.126, with a persistence mechanism writing to C:\\Users\\admin\\AppData\\Local\\Temp\\taskhost.exe.", "spans": {"IP_ADDRESS: 35.240.100.40": [[64, 77]], "ORGANIZATION: FireEye": [[83, 90]], "MALWARE: Latrodectus": [[110, 121]], "FILEPATH: C:\\ProgramData\\ntds.dit": [[133, 156]], "THREAT_ACTOR: Gamaredon": [[191, 200]], "TOOL: PowerShell Empire": [[207, 224]], "TOOL: Impacket": [[255, 263]], "DOMAIN: gatewayportal.club": [[315, 333]], "DOMAIN: portalproxy.info": [[338, 354]], "HASH: cf5505d7c8ee70ae0716a8921318ae42": [[382, 414]], "EMAIL: notification@account-update.xyz": [[456, 487]], "IP_ADDRESS: 10.6.191.126": [[522, 534]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\taskhost.exe": [[576, 622]]}, "info": {"id": "synth_v2_00323", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 131.250.188.179, the Europol IR team identified Hive running as C:\\Windows\\Tasks\\payload.bin. The threat actor, believed to be Velvet Tempest, used Sliver for credential harvesting and Nmap for lateral movement. Exfiltrated data was sent to data-proxy.com and updatelogin.info. The initial dropper (SHA1: c66d489e31b1c9f455df0990349890f8ccd5a4f9) was delivered via a phishing email from security@phishing-domain.com. 
A second C2 node was observed at 192.197.217.189, with a persistence mechanism writing to /usr/local/bin/helper.sh.", "spans": {"IP_ADDRESS: 131.250.188.179": [[64, 79]], "ORGANIZATION: Europol": [[85, 92]], "MALWARE: Hive": [[112, 116]], "FILEPATH: C:\\Windows\\Tasks\\payload.bin": [[128, 156]], "THREAT_ACTOR: Velvet Tempest": [[191, 205]], "TOOL: Sliver": [[212, 218]], "TOOL: Nmap": [[249, 253]], "DOMAIN: data-proxy.com": [[305, 319]], "DOMAIN: updatelogin.info": [[324, 340]], "HASH: c66d489e31b1c9f455df0990349890f8ccd5a4f9": [[369, 409]], "EMAIL: security@phishing-domain.com": [[451, 479]], "IP_ADDRESS: 192.197.217.189": [[514, 529]], "FILEPATH: /usr/local/bin/helper.sh": [[571, 595]]}, "info": {"id": "synth_v2_00324", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 102.41.96.225, the Tenable IR team identified Conti running as C:\\Program Files\\Common Files\\chrome_helper.exe. The threat actor, believed to be Velvet Tempest, used Impacket for credential harvesting and Sharphound for lateral movement. Exfiltrated data was sent to nodeedge.top and cachebackup.club. The initial dropper (MD5: 812c81fa7bbec1f9dffb3f98e33d93ca) was delivered via a phishing email from noreply@mail-service.info. 
A second C2 node was observed at 43.218.129.178, with a persistence mechanism writing to C:\\Users\\Public\\Documents\\shell.php.", "spans": {"IP_ADDRESS: 102.41.96.225": [[64, 77]], "ORGANIZATION: Tenable": [[83, 90]], "MALWARE: Conti": [[110, 115]], "FILEPATH: C:\\Program Files\\Common Files\\chrome_helper.exe": [[127, 174]], "THREAT_ACTOR: Velvet Tempest": [[209, 223]], "TOOL: Impacket": [[230, 238]], "TOOL: Sharphound": [[269, 279]], "DOMAIN: nodeedge.top": [[331, 343]], "DOMAIN: cachebackup.club": [[348, 364]], "HASH: 812c81fa7bbec1f9dffb3f98e33d93ca": [[392, 424]], "EMAIL: noreply@mail-service.info": [[466, 491]], "IP_ADDRESS: 43.218.129.178": [[526, 540]], "FILEPATH: C:\\Users\\Public\\Documents\\shell.php": [[582, 617]]}, "info": {"id": "synth_v2_00325", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 2.86.251.1, the Tenable IR team identified Royal running as /dev/shm/config.dat. The threat actor, believed to be Diamond Sleet, used LinPEAS for credential harvesting and Ligolo for lateral movement. Exfiltrated data was sent to gatewaysecure.org and securelogin.xyz. The initial dropper (SHA1: b70269e5f3d8f2fe3eaf7ab72d7ad2600d07ecad) was delivered via a phishing email from billing@account-update.xyz. 
A second C2 node was observed at 10.213.213.168, with a persistence mechanism writing to C:\\Users\\Public\\Documents\\sam.hive.", "spans": {"IP_ADDRESS: 2.86.251.1": [[64, 74]], "ORGANIZATION: Tenable": [[80, 87]], "MALWARE: Royal": [[107, 112]], "FILEPATH: /dev/shm/config.dat": [[124, 143]], "THREAT_ACTOR: Diamond Sleet": [[178, 191]], "TOOL: LinPEAS": [[198, 205]], "TOOL: Ligolo": [[236, 242]], "DOMAIN: gatewaysecure.org": [[294, 311]], "DOMAIN: securelogin.xyz": [[316, 331]], "HASH: b70269e5f3d8f2fe3eaf7ab72d7ad2600d07ecad": [[360, 400]], "EMAIL: billing@account-update.xyz": [[442, 468]], "IP_ADDRESS: 10.213.213.168": [[503, 517]], "FILEPATH: C:\\Users\\Public\\Documents\\sam.hive": [[559, 593]]}, "info": {"id": "synth_v2_00326", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.209.225.161, the Mandiant IR team identified Hive running as /var/tmp/beacon.dll. The threat actor, believed to be APT29, used LinPEAS for credential harvesting and Rubeus for lateral movement. Exfiltrated data was sent to portal-auth.info and storage-update.cc. The initial dropper (SHA256: f8efd84ace27ba4ba4c62e13a3312dd4bcca894df2e8535513153226d378f7bf) was delivered via a phishing email from hr@phishing-domain.com. 
A second C2 node was observed at 192.85.40.76, with a persistence mechanism writing to /dev/shm/taskhost.exe.", "spans": {"IP_ADDRESS: 172.209.225.161": [[64, 79]], "ORGANIZATION: Mandiant": [[85, 93]], "MALWARE: Hive": [[113, 117]], "FILEPATH: /var/tmp/beacon.dll": [[129, 148]], "THREAT_ACTOR: APT29": [[183, 188]], "TOOL: LinPEAS": [[195, 202]], "TOOL: Rubeus": [[233, 239]], "DOMAIN: portal-auth.info": [[291, 307]], "DOMAIN: storage-update.cc": [[312, 329]], "HASH: f8efd84ace27ba4ba4c62e13a3312dd4bcca894df2e8535513153226d378f7bf": [[360, 424]], "EMAIL: hr@phishing-domain.com": [[466, 488]], "IP_ADDRESS: 192.85.40.76": [[523, 535]], "FILEPATH: /dev/shm/taskhost.exe": [[577, 598]]}, "info": {"id": "synth_v2_00327", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 192.3.192.155, the Rapid7 IR team identified Lumma Stealer running as C:\\Users\\admin\\Desktop\\lsass.dmp. The threat actor, believed to be Granite Typhoon, used BloodHound for credential harvesting and Metasploit for lateral movement. Exfiltrated data was sent to storagemail.top and storagedata.tech. The initial dropper (MD5: 33b7eb04d00b77f36e292573b6260f23) was delivered via a phishing email from alert@phishing-domain.com. 
A second C2 node was observed at 125.242.172.155, with a persistence mechanism writing to C:\\Users\\admin\\AppData\\Local\\Temp\\csrss.exe.", "spans": {"IP_ADDRESS: 192.3.192.155": [[64, 77]], "ORGANIZATION: Rapid7": [[83, 89]], "MALWARE: Lumma Stealer": [[109, 122]], "FILEPATH: C:\\Users\\admin\\Desktop\\lsass.dmp": [[134, 166]], "THREAT_ACTOR: Granite Typhoon": [[201, 216]], "TOOL: BloodHound": [[223, 233]], "TOOL: Metasploit": [[264, 274]], "DOMAIN: storagemail.top": [[326, 341]], "DOMAIN: storagedata.tech": [[346, 362]], "HASH: 33b7eb04d00b77f36e292573b6260f23": [[390, 422]], "EMAIL: alert@phishing-domain.com": [[464, 489]], "IP_ADDRESS: 125.242.172.155": [[524, 539]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\csrss.exe": [[581, 624]]}, "info": {"id": "synth_v2_00328", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 10.62.143.244, the FBI IR team identified ShadowPad running as C:\\Users\\admin\\AppData\\Local\\Temp\\winlogon.exe. The threat actor, believed to be Salt Typhoon, used WinPEAS for credential harvesting and Ligolo for lateral movement. Exfiltrated data was sent to cloudupdate.top and updatemail.live. The initial dropper (SHA1: ea4b84c420c92c93d0843e2814ddb4dde84e9935) was delivered via a phishing email from service@document-share.link. 
A second C2 node was observed at 172.231.243.132, with a persistence mechanism writing to C:\\Windows\\Tasks\\helper.sh.", "spans": {"IP_ADDRESS: 10.62.143.244": [[64, 77]], "ORGANIZATION: FBI": [[83, 86]], "MALWARE: ShadowPad": [[106, 115]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\winlogon.exe": [[127, 173]], "THREAT_ACTOR: Salt Typhoon": [[208, 220]], "TOOL: WinPEAS": [[227, 234]], "TOOL: Ligolo": [[265, 271]], "DOMAIN: cloudupdate.top": [[323, 338]], "DOMAIN: updatemail.live": [[343, 358]], "HASH: ea4b84c420c92c93d0843e2814ddb4dde84e9935": [[387, 427]], "EMAIL: service@document-share.link": [[469, 496]], "IP_ADDRESS: 172.231.243.132": [[531, 546]], "FILEPATH: C:\\Windows\\Tasks\\helper.sh": [[588, 614]]}, "info": {"id": "synth_v2_00329", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 169.51.197.76, the Google TAG IR team identified Dridex running as /dev/shm/dropper.ps1. The threat actor, believed to be BlackTech, used Sliver for credential harvesting and Merlin for lateral movement. Exfiltrated data was sent to apibackup.live and securerelay.net. The initial dropper (SHA256: fac9daf5351caf4c80ad1d8fdddcbf1ae1ca3f1337bb02da7912d5d54454914a) was delivered via a phishing email from info@secure-verify.net. 
A second C2 node was observed at 192.73.16.33, with a persistence mechanism writing to /var/tmp/helper.sh.", "spans": {"IP_ADDRESS: 169.51.197.76": [[64, 77]], "ORGANIZATION: Google TAG": [[83, 93]], "MALWARE: Dridex": [[113, 119]], "FILEPATH: /dev/shm/dropper.ps1": [[131, 151]], "THREAT_ACTOR: BlackTech": [[186, 195]], "TOOL: Sliver": [[202, 208]], "TOOL: Merlin": [[239, 245]], "DOMAIN: apibackup.live": [[297, 311]], "DOMAIN: securerelay.net": [[316, 331]], "HASH: fac9daf5351caf4c80ad1d8fdddcbf1ae1ca3f1337bb02da7912d5d54454914a": [[362, 426]], "EMAIL: info@secure-verify.net": [[468, 490]], "IP_ADDRESS: 192.73.16.33": [[525, 537]], "FILEPATH: /var/tmp/helper.sh": [[579, 597]]}, "info": {"id": "synth_v2_00330", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 99.143.112.185, the Check Point Research IR team identified XLoader running as C:\\ProgramData\\winlogon.exe. The threat actor, believed to be Forest Blizzard, used Mimikatz for credential harvesting and Rubeus for lateral movement. Exfiltrated data was sent to edge-proxy.net and datacache.link. The initial dropper (SHA1: 5e6092fc4149c07c0289dc33a9d7cb012c08efff) was delivered via a phishing email from confirm@identity-verify.cc. 
A second C2 node was observed at 171.243.63.171, with a persistence mechanism writing to C:\\Users\\admin\\Desktop\\lsass.dmp.", "spans": {"IP_ADDRESS: 99.143.112.185": [[64, 78]], "ORGANIZATION: Check Point Research": [[84, 104]], "MALWARE: XLoader": [[124, 131]], "FILEPATH: C:\\ProgramData\\winlogon.exe": [[143, 170]], "THREAT_ACTOR: Forest Blizzard": [[205, 220]], "TOOL: Mimikatz": [[227, 235]], "TOOL: Rubeus": [[266, 272]], "DOMAIN: edge-proxy.net": [[324, 338]], "DOMAIN: datacache.link": [[343, 357]], "HASH: 5e6092fc4149c07c0289dc33a9d7cb012c08efff": [[386, 426]], "EMAIL: confirm@identity-verify.cc": [[468, 494]], "IP_ADDRESS: 171.243.63.171": [[529, 543]], "FILEPATH: C:\\Users\\admin\\Desktop\\lsass.dmp": [[585, 617]]}, "info": {"id": "synth_v2_00331", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 23.57.45.88, the Rapid7 IR team identified Play running as /tmp/lsass.dmp. The threat actor, believed to be FIN7, used Nmap for credential harvesting and Metasploit for lateral movement. Exfiltrated data was sent to portalcache.club and backup-cdn.cc. The initial dropper (MD5: 170f00eaefc2ab5c2db0d053eab8ed3d) was delivered via a phishing email from noreply@urgent-notice.online. 
A second C2 node was observed at 192.59.188.33, with a persistence mechanism writing to C:\\Program Files\\Common Files\\winlogon.exe.", "spans": {"IP_ADDRESS: 23.57.45.88": [[64, 75]], "ORGANIZATION: Rapid7": [[81, 87]], "MALWARE: Play": [[107, 111]], "FILEPATH: /tmp/lsass.dmp": [[123, 137]], "THREAT_ACTOR: FIN7": [[172, 176]], "TOOL: Nmap": [[183, 187]], "TOOL: Metasploit": [[218, 228]], "DOMAIN: portalcache.club": [[280, 296]], "DOMAIN: backup-cdn.cc": [[301, 314]], "HASH: 170f00eaefc2ab5c2db0d053eab8ed3d": [[342, 374]], "EMAIL: noreply@urgent-notice.online": [[416, 444]], "IP_ADDRESS: 192.59.188.33": [[479, 492]], "FILEPATH: C:\\Program Files\\Common Files\\winlogon.exe": [[534, 576]]}, "info": {"id": "synth_v2_00332", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 3.235.161.38, the Europol IR team identified StealC running as /home/user/.config/loader.exe. The threat actor, believed to be OilRig, used PsExec for credential harvesting and Metasploit for lateral movement. Exfiltrated data was sent to loginstatic.info and cdn-static.tech. The initial dropper (SHA1: 4da3f415885817d93cba44aea548e677b4f1d0f0) was delivered via a phishing email from verify@login-portal.tech. 
A second C2 node was observed at 215.112.255.175, with a persistence mechanism writing to C:\\Users\\Public\\Documents\\backdoor.elf.", "spans": {"IP_ADDRESS: 3.235.161.38": [[64, 76]], "ORGANIZATION: Europol": [[82, 89]], "MALWARE: StealC": [[109, 115]], "FILEPATH: /home/user/.config/loader.exe": [[127, 156]], "THREAT_ACTOR: OilRig": [[191, 197]], "TOOL: PsExec": [[204, 210]], "TOOL: Metasploit": [[241, 251]], "DOMAIN: loginstatic.info": [[303, 319]], "DOMAIN: cdn-static.tech": [[324, 339]], "HASH: 4da3f415885817d93cba44aea548e677b4f1d0f0": [[368, 408]], "EMAIL: verify@login-portal.tech": [[450, 474]], "IP_ADDRESS: 215.112.255.175": [[509, 524]], "FILEPATH: C:\\Users\\Public\\Documents\\backdoor.elf": [[566, 604]]}, "info": {"id": "synth_v2_00333", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.78.107.218, the Proofpoint IR team identified Qbot running as /opt/app/bin/ntds.dit. The threat actor, believed to be TA505, used WinPEAS for credential harvesting and Ligolo for lateral movement. Exfiltrated data was sent to portalbackup.live and update-edge.site. The initial dropper (MD5: d23036f0b080a5ae8a4a460e6f47feb1) was delivered via a phishing email from info@urgent-notice.online. 
A second C2 node was observed at 192.26.91.220, with a persistence mechanism writing to /dev/shm/csrss.exe.", "spans": {"IP_ADDRESS: 172.78.107.218": [[64, 78]], "ORGANIZATION: Proofpoint": [[84, 94]], "MALWARE: Qbot": [[114, 118]], "FILEPATH: /opt/app/bin/ntds.dit": [[130, 151]], "THREAT_ACTOR: TA505": [[186, 191]], "TOOL: WinPEAS": [[198, 205]], "TOOL: Ligolo": [[236, 242]], "DOMAIN: portalbackup.live": [[294, 311]], "DOMAIN: update-edge.site": [[316, 332]], "HASH: d23036f0b080a5ae8a4a460e6f47feb1": [[360, 392]], "EMAIL: info@urgent-notice.online": [[434, 459]], "IP_ADDRESS: 192.26.91.220": [[494, 507]], "FILEPATH: /dev/shm/csrss.exe": [[549, 567]]}, "info": {"id": "synth_v2_00334", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 192.201.49.34, the Qualys IR team identified Gootloader running as /tmp/runtime.dll. The threat actor, believed to be TA505, used WinPEAS for credential harvesting and Merlin for lateral movement. Exfiltrated data was sent to cache-login.online and backuplogin.xyz. The initial dropper (SHA1: 0af9b1abe80840147ff14976086c1212b741c87d) was delivered via a phishing email from notification@secure-verify.net. 
A second C2 node was observed at 193.27.155.118, with a persistence mechanism writing to C:\\Windows\\Temp\\csrss.exe.", "spans": {"IP_ADDRESS: 192.201.49.34": [[64, 77]], "ORGANIZATION: Qualys": [[83, 89]], "MALWARE: Gootloader": [[109, 119]], "FILEPATH: /tmp/runtime.dll": [[131, 147]], "THREAT_ACTOR: TA505": [[182, 187]], "TOOL: WinPEAS": [[194, 201]], "TOOL: Merlin": [[232, 238]], "DOMAIN: cache-login.online": [[290, 308]], "DOMAIN: backuplogin.xyz": [[313, 328]], "HASH: 0af9b1abe80840147ff14976086c1212b741c87d": [[357, 397]], "EMAIL: notification@secure-verify.net": [[439, 469]], "IP_ADDRESS: 193.27.155.118": [[504, 518]], "FILEPATH: C:\\Windows\\Temp\\csrss.exe": [[560, 585]]}, "info": {"id": "synth_v2_00335", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 10.49.182.250, the INTERPOL IR team identified LockBit running as /var/tmp/lsass.dmp. The threat actor, believed to be Volt Typhoon, used Sliver for credential harvesting and PowerView for lateral movement. Exfiltrated data was sent to cachegateway.org and datacdn.net. The initial dropper (SHA1: 0a582f84c23b1a53a979cd4502a2d1843f839d8a) was delivered via a phishing email from security@identity-verify.cc. 
A second C2 node was observed at 46.26.60.251, with a persistence mechanism writing to /dev/shm/agent.py.", "spans": {"IP_ADDRESS: 10.49.182.250": [[64, 77]], "ORGANIZATION: INTERPOL": [[83, 91]], "MALWARE: LockBit": [[111, 118]], "FILEPATH: /var/tmp/lsass.dmp": [[130, 148]], "THREAT_ACTOR: Volt Typhoon": [[183, 195]], "TOOL: Sliver": [[202, 208]], "TOOL: PowerView": [[239, 248]], "DOMAIN: cachegateway.org": [[300, 316]], "DOMAIN: datacdn.net": [[321, 332]], "HASH: 0a582f84c23b1a53a979cd4502a2d1843f839d8a": [[361, 401]], "EMAIL: security@identity-verify.cc": [[443, 470]], "IP_ADDRESS: 46.26.60.251": [[505, 517]], "FILEPATH: /dev/shm/agent.py": [[559, 576]]}, "info": {"id": "synth_v2_00336", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 71.227.188.3, the Europol IR team identified Dridex running as C:\\Users\\admin\\Downloads\\lsass.dmp. The threat actor, believed to be Velvet Tempest, used Brute Ratel for credential harvesting and Havoc for lateral movement. Exfiltrated data was sent to update-cache.cc and syncauth.link. The initial dropper (MD5: 62472b50f126dc17cca3586b6796feda) was delivered via a phishing email from noreply@secure-verify.net. 
A second C2 node was observed at 10.42.62.126, with a persistence mechanism writing to /dev/shm/ntds.dit.", "spans": {"IP_ADDRESS: 71.227.188.3": [[64, 76]], "ORGANIZATION: Europol": [[82, 89]], "MALWARE: Dridex": [[109, 115]], "FILEPATH: C:\\Users\\admin\\Downloads\\lsass.dmp": [[127, 161]], "THREAT_ACTOR: Velvet Tempest": [[196, 210]], "TOOL: Brute Ratel": [[217, 228]], "TOOL: Havoc": [[259, 264]], "DOMAIN: update-cache.cc": [[316, 331]], "DOMAIN: syncauth.link": [[336, 349]], "HASH: 62472b50f126dc17cca3586b6796feda": [[377, 409]], "EMAIL: noreply@secure-verify.net": [[451, 476]], "IP_ADDRESS: 10.42.62.126": [[511, 523]], "FILEPATH: /dev/shm/ntds.dit": [[565, 582]]}, "info": {"id": "synth_v2_00337", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.10.201.143, the Cisco Talos IR team identified RemcosRAT running as /opt/app/bin/taskhost.exe. The threat actor, believed to be Lazarus Group, used WinPEAS for credential harvesting and Merlin for lateral movement. Exfiltrated data was sent to secure-static.club and update-edge.online. The initial dropper (SHA1: ee15444db6355986caa1363ebb0bee0d2c43b820) was delivered via a phishing email from security@secure-verify.net. 
A second C2 node was observed at 17.63.106.248, with a persistence mechanism writing to C:\\Users\\admin\\AppData\\Local\\Temp\\payload.bin.", "spans": {"IP_ADDRESS: 172.10.201.143": [[64, 78]], "ORGANIZATION: Cisco Talos": [[84, 95]], "MALWARE: RemcosRAT": [[115, 124]], "FILEPATH: /opt/app/bin/taskhost.exe": [[136, 161]], "THREAT_ACTOR: Lazarus Group": [[196, 209]], "TOOL: WinPEAS": [[216, 223]], "TOOL: Merlin": [[254, 260]], "DOMAIN: secure-static.club": [[312, 330]], "DOMAIN: update-edge.online": [[335, 353]], "HASH: ee15444db6355986caa1363ebb0bee0d2c43b820": [[382, 422]], "EMAIL: security@secure-verify.net": [[464, 490]], "IP_ADDRESS: 17.63.106.248": [[525, 538]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\payload.bin": [[580, 625]]}, "info": {"id": "synth_v2_00338", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 10.63.152.94, the NSA IR team identified Latrodectus running as /opt/app/bin/loader.exe. The threat actor, believed to be FIN11, used Havoc for credential harvesting and Seatbelt for lateral movement. Exfiltrated data was sent to node-backup.top and logincache.online. The initial dropper (SHA1: 5b25191a7a79e3410ed6ee7a8a3d691766c222c7) was delivered via a phishing email from billing@secure-verify.net. 
A second C2 node was observed at 172.0.127.77, with a persistence mechanism writing to /etc/cron.d/implant.so.", "spans": {"IP_ADDRESS: 10.63.152.94": [[64, 76]], "ORGANIZATION: NSA": [[82, 85]], "MALWARE: Latrodectus": [[105, 116]], "FILEPATH: /opt/app/bin/loader.exe": [[128, 151]], "THREAT_ACTOR: FIN11": [[186, 191]], "TOOL: Havoc": [[198, 203]], "TOOL: Seatbelt": [[234, 242]], "DOMAIN: node-backup.top": [[294, 309]], "DOMAIN: logincache.online": [[314, 331]], "HASH: 5b25191a7a79e3410ed6ee7a8a3d691766c222c7": [[360, 400]], "EMAIL: billing@secure-verify.net": [[442, 467]], "IP_ADDRESS: 172.0.127.77": [[502, 514]], "FILEPATH: /etc/cron.d/implant.so": [[556, 578]]}, "info": {"id": "synth_v2_00339", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.110.68.155, the Microsoft MSRC IR team identified Cobalt Strike running as C:\\Windows\\Tasks\\chrome_helper.exe. The threat actor, believed to be FIN7, used BloodHound for credential harvesting and SharpHound for lateral movement. Exfiltrated data was sent to apiedge.info and portalsecure.site. The initial dropper (SHA1: d1e88ccc215f257deafb8e16f72970049ad04c0c) was delivered via a phishing email from confirm@login-portal.tech. 
A second C2 node was observed at 192.183.142.33, with a persistence mechanism writing to /usr/local/bin/ntds.dit.", "spans": {"IP_ADDRESS: 172.110.68.155": [[64, 78]], "ORGANIZATION: Microsoft MSRC": [[84, 98]], "MALWARE: Cobalt Strike": [[118, 131]], "FILEPATH: C:\\Windows\\Tasks\\chrome_helper.exe": [[143, 177]], "THREAT_ACTOR: FIN7": [[212, 216]], "TOOL: BloodHound": [[223, 233]], "TOOL: SharpHound": [[264, 274]], "DOMAIN: apiedge.info": [[326, 338]], "DOMAIN: portalsecure.site": [[343, 360]], "HASH: d1e88ccc215f257deafb8e16f72970049ad04c0c": [[389, 429]], "EMAIL: confirm@login-portal.tech": [[471, 496]], "IP_ADDRESS: 192.183.142.33": [[531, 545]], "FILEPATH: /usr/local/bin/ntds.dit": [[587, 610]]}, "info": {"id": "synth_v2_00340", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 192.190.83.108, the Microsoft MSRC IR team identified IcedID running as /opt/app/bin/chrome_helper.exe. The threat actor, believed to be UNC2452, used LinPEAS for credential harvesting and Nmap for lateral movement. Exfiltrated data was sent to api-sync.net and edge-gateway.net. The initial dropper (MD5: 23f147fe459d401d918e9a063e9afe3c) was delivered via a phishing email from helpdesk@mail-service.info. 
A second C2 node was observed at 172.222.194.7, with a persistence mechanism writing to /etc/cron.d/winlogon.exe.", "spans": {"IP_ADDRESS: 192.190.83.108": [[64, 78]], "ORGANIZATION: Microsoft MSRC": [[84, 98]], "MALWARE: IcedID": [[118, 124]], "FILEPATH: /opt/app/bin/chrome_helper.exe": [[136, 166]], "THREAT_ACTOR: UNC2452": [[201, 208]], "TOOL: LinPEAS": [[215, 222]], "TOOL: Nmap": [[253, 257]], "DOMAIN: api-sync.net": [[309, 321]], "DOMAIN: edge-gateway.net": [[326, 342]], "HASH: 23f147fe459d401d918e9a063e9afe3c": [[370, 402]], "EMAIL: helpdesk@mail-service.info": [[444, 470]], "IP_ADDRESS: 172.222.194.7": [[505, 518]], "FILEPATH: /etc/cron.d/winlogon.exe": [[560, 584]]}, "info": {"id": "synth_v2_00341", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 27.63.89.135, the SentinelOne IR team identified Emotet running as C:\\Users\\admin\\AppData\\Local\\Temp\\config.dat. The threat actor, believed to be Kimsuky, used Ligolo for credential harvesting and PsExec for lateral movement. Exfiltrated data was sent to cachebackup.io and staticauth.dev. The initial dropper (SHA256: 034093b028d2d48ef7eb31f950fb9c0a31094a44c3c2045a9ce5cec8fbf4d605) was delivered via a phishing email from confirm@urgent-notice.online. 
A second C2 node was observed at 151.250.48.136, with a persistence mechanism writing to /opt/app/bin/lsass.dmp.", "spans": {"IP_ADDRESS: 27.63.89.135": [[64, 76]], "ORGANIZATION: SentinelOne": [[82, 93]], "MALWARE: Emotet": [[113, 119]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\config.dat": [[131, 175]], "THREAT_ACTOR: Kimsuky": [[210, 217]], "TOOL: Ligolo": [[224, 230]], "TOOL: PsExec": [[261, 267]], "DOMAIN: cachebackup.io": [[319, 333]], "DOMAIN: staticauth.dev": [[338, 352]], "HASH: 034093b028d2d48ef7eb31f950fb9c0a31094a44c3c2045a9ce5cec8fbf4d605": [[383, 447]], "EMAIL: confirm@urgent-notice.online": [[489, 517]], "IP_ADDRESS: 151.250.48.136": [[552, 566]], "FILEPATH: /opt/app/bin/lsass.dmp": [[608, 630]]}, "info": {"id": "synth_v2_00342", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 152.65.132.3, the NSA IR team identified StealC running as C:\\Windows\\Tasks\\config.dat. The threat actor, believed to be Silk Typhoon, used Havoc for credential harvesting and Ligolo for lateral movement. Exfiltrated data was sent to cdnmail.club and static-gateway.club. The initial dropper (MD5: ef65f23e3e18566f546f1b71a2731010) was delivered via a phishing email from finance@mail-service.info. 
A second C2 node was observed at 192.64.73.97, with a persistence mechanism writing to C:\\Windows\\Tasks\\csrss.exe.", "spans": {"IP_ADDRESS: 152.65.132.3": [[64, 76]], "ORGANIZATION: NSA": [[82, 85]], "MALWARE: StealC": [[105, 111]], "FILEPATH: C:\\Windows\\Tasks\\config.dat": [[123, 150]], "THREAT_ACTOR: Silk Typhoon": [[185, 197]], "TOOL: Havoc": [[204, 209]], "TOOL: Ligolo": [[240, 246]], "DOMAIN: cdnmail.club": [[298, 310]], "DOMAIN: static-gateway.club": [[315, 334]], "HASH: ef65f23e3e18566f546f1b71a2731010": [[362, 394]], "EMAIL: finance@mail-service.info": [[436, 461]], "IP_ADDRESS: 192.64.73.97": [[496, 508]], "FILEPATH: C:\\Windows\\Tasks\\csrss.exe": [[550, 576]]}, "info": {"id": "synth_v2_00343", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.44.156.105, the Microsoft MSRC IR team identified XLoader running as /dev/shm/svchost.exe. The threat actor, believed to be Charming Kitten, used WinPEAS for credential harvesting and Mythic for lateral movement. Exfiltrated data was sent to api-secure.cc and api-backup.io. The initial dropper (SHA1: 04d71c8e68fc0f5d134a3d60ab5e4032ebb40f18) was delivered via a phishing email from verify@credential-check.site. 
A second C2 node was observed at 217.46.40.20, with a persistence mechanism writing to C:\\Program Files\\Common Files\\loader.exe.", "spans": {"IP_ADDRESS: 172.44.156.105": [[64, 78]], "ORGANIZATION: Microsoft MSRC": [[84, 98]], "MALWARE: XLoader": [[118, 125]], "FILEPATH: /dev/shm/svchost.exe": [[137, 157]], "THREAT_ACTOR: Charming Kitten": [[192, 207]], "TOOL: WinPEAS": [[214, 221]], "TOOL: Mythic": [[252, 258]], "DOMAIN: api-secure.cc": [[310, 323]], "DOMAIN: api-backup.io": [[328, 341]], "HASH: 04d71c8e68fc0f5d134a3d60ab5e4032ebb40f18": [[370, 410]], "EMAIL: verify@credential-check.site": [[452, 480]], "IP_ADDRESS: 217.46.40.20": [[515, 527]], "FILEPATH: C:\\Program Files\\Common Files\\loader.exe": [[569, 609]]}, "info": {"id": "synth_v2_00344", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.7.97.234, the FBI IR team identified BatLoader running as C:\\Windows\\System32\\loader.exe. The threat actor, believed to be Star Blizzard, used PowerView for credential harvesting and Mythic for lateral movement. Exfiltrated data was sent to static-relay.org and secure-api.tech. The initial dropper (MD5: 17d4ee48e2c7cb6709d431882565c4f0) was delivered via a phishing email from service@account-update.xyz. 
A second C2 node was observed at 192.217.176.63, with a persistence mechanism writing to /etc/cron.d/update.dll.", "spans": {"IP_ADDRESS: 172.7.97.234": [[64, 76]], "ORGANIZATION: FBI": [[82, 85]], "MALWARE: BatLoader": [[105, 114]], "FILEPATH: C:\\Windows\\System32\\loader.exe": [[126, 156]], "THREAT_ACTOR: Star Blizzard": [[191, 204]], "TOOL: PowerView": [[211, 220]], "TOOL: Mythic": [[251, 257]], "DOMAIN: static-relay.org": [[309, 325]], "DOMAIN: secure-api.tech": [[330, 345]], "HASH: 17d4ee48e2c7cb6709d431882565c4f0": [[373, 405]], "EMAIL: service@account-update.xyz": [[447, 473]], "IP_ADDRESS: 192.217.176.63": [[508, 522]], "FILEPATH: /etc/cron.d/update.dll": [[564, 586]]}, "info": {"id": "synth_v2_00345", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 192.60.148.77, the CISA IR team identified RedLine Stealer running as /dev/shm/update.dll. The threat actor, believed to be Kimsuky, used Hashcat for credential harvesting and Merlin for lateral movement. Exfiltrated data was sent to cloudbackup.dev and relay-static.live. The initial dropper (SHA1: 3a39377afe1bac8f0be98e6d37fd4147cc9cff79) was delivered via a phishing email from ceo@mail-service.info. 
A second C2 node was observed at 76.135.109.1, with a persistence mechanism writing to /etc/cron.d/svchost.exe.", "spans": {"IP_ADDRESS: 192.60.148.77": [[64, 77]], "ORGANIZATION: CISA": [[83, 87]], "MALWARE: RedLine Stealer": [[107, 122]], "FILEPATH: /dev/shm/update.dll": [[134, 153]], "THREAT_ACTOR: Kimsuky": [[188, 195]], "TOOL: Hashcat": [[202, 209]], "TOOL: Merlin": [[240, 246]], "DOMAIN: cloudbackup.dev": [[298, 313]], "DOMAIN: relay-static.live": [[318, 335]], "HASH: 3a39377afe1bac8f0be98e6d37fd4147cc9cff79": [[364, 404]], "EMAIL: ceo@mail-service.info": [[446, 467]], "IP_ADDRESS: 76.135.109.1": [[502, 514]], "FILEPATH: /etc/cron.d/svchost.exe": [[556, 579]]}, "info": {"id": "synth_v2_00346", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.181.4.26, the Trend Micro IR team identified AgentTesla running as /usr/local/bin/helper.sh. The threat actor, believed to be Kimsuky, used Mimikatz for credential harvesting and Chisel for lateral movement. Exfiltrated data was sent to gateway-auth.dev and updatelogin.link. The initial dropper (MD5: 3e7d0838083d5cab37c16c16bacd01fe) was delivered via a phishing email from it@identity-verify.cc. 
A second C2 node was observed at 126.101.43.136, with a persistence mechanism writing to /dev/shm/lsass.dmp.", "spans": {"IP_ADDRESS: 172.181.4.26": [[64, 76]], "ORGANIZATION: Trend Micro": [[82, 93]], "MALWARE: AgentTesla": [[113, 123]], "FILEPATH: /usr/local/bin/helper.sh": [[135, 159]], "THREAT_ACTOR: Kimsuky": [[194, 201]], "TOOL: Mimikatz": [[208, 216]], "TOOL: Chisel": [[247, 253]], "DOMAIN: gateway-auth.dev": [[305, 321]], "DOMAIN: updatelogin.link": [[326, 342]], "HASH: 3e7d0838083d5cab37c16c16bacd01fe": [[370, 402]], "EMAIL: it@identity-verify.cc": [[444, 465]], "IP_ADDRESS: 126.101.43.136": [[500, 514]], "FILEPATH: /dev/shm/lsass.dmp": [[556, 574]]}, "info": {"id": "synth_v2_00347", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.224.82.36, the Zscaler ThreatLabz IR team identified DarkSide running as /opt/app/bin/update.dll. The threat actor, believed to be MuddyWater, used GhostPack for credential harvesting and Nmap for lateral movement. Exfiltrated data was sent to auth-cloud.info and login-portal.site. The initial dropper (MD5: b3629d166c54a6cea256bcb13205e690) was delivered via a phishing email from hr@secure-verify.net. 
A second C2 node was observed at 192.222.2.92, with a persistence mechanism writing to C:\\Users\\admin\\Downloads\\runtime.dll.", "spans": {"IP_ADDRESS: 172.224.82.36": [[64, 77]], "ORGANIZATION: Zscaler ThreatLabz": [[83, 101]], "MALWARE: DarkSide": [[121, 129]], "FILEPATH: /opt/app/bin/update.dll": [[141, 164]], "THREAT_ACTOR: MuddyWater": [[199, 209]], "TOOL: GhostPack": [[216, 225]], "TOOL: Nmap": [[256, 260]], "DOMAIN: auth-cloud.info": [[312, 327]], "DOMAIN: login-portal.site": [[332, 349]], "HASH: b3629d166c54a6cea256bcb13205e690": [[377, 409]], "EMAIL: hr@secure-verify.net": [[451, 471]], "IP_ADDRESS: 192.222.2.92": [[506, 518]], "FILEPATH: C:\\Users\\admin\\Downloads\\runtime.dll": [[560, 596]]}, "info": {"id": "synth_v2_00348", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.204.199.34, the FBI IR team identified FormBook running as C:\\Windows\\Temp\\ntds.dit. The threat actor, believed to be Ember Bear, used Certutil for credential harvesting and PowerShell Empire for lateral movement. Exfiltrated data was sent to nodeupdate.link and cdn-storage.site. The initial dropper (MD5: 224657cb04e64752d06a14c65b10b23e) was delivered via a phishing email from info@identity-verify.cc. 
A second C2 node was observed at 10.10.64.40, with a persistence mechanism writing to /dev/shm/agent.py.", "spans": {"IP_ADDRESS: 172.204.199.34": [[64, 78]], "ORGANIZATION: FBI": [[84, 87]], "MALWARE: FormBook": [[107, 115]], "FILEPATH: C:\\Windows\\Temp\\ntds.dit": [[127, 151]], "THREAT_ACTOR: Ember Bear": [[186, 196]], "TOOL: Certutil": [[203, 211]], "TOOL: PowerShell Empire": [[242, 259]], "DOMAIN: nodeupdate.link": [[311, 326]], "DOMAIN: cdn-storage.site": [[331, 347]], "HASH: 224657cb04e64752d06a14c65b10b23e": [[375, 407]], "EMAIL: info@identity-verify.cc": [[449, 472]], "IP_ADDRESS: 10.10.64.40": [[507, 518]], "FILEPATH: /dev/shm/agent.py": [[560, 577]]}, "info": {"id": "synth_v2_00349", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 10.143.58.222, the Mandiant IR team identified BumbleBee running as C:\\Windows\\System32\\helper.sh. The threat actor, believed to be Gamaredon, used CrackMapExec for credential harvesting and LinPEAS for lateral movement. Exfiltrated data was sent to authnode.cc and cloud-cache.top. The initial dropper (MD5: a981ff4125c1e7d7d4b0e949faba43a2) was delivered via a phishing email from hr@login-portal.tech. 
A second C2 node was observed at 180.126.219.51, with a persistence mechanism writing to C:\\Users\\Public\\Documents\\payload.bin.", "spans": {"IP_ADDRESS: 10.143.58.222": [[64, 77]], "ORGANIZATION: Mandiant": [[83, 91]], "MALWARE: BumbleBee": [[111, 120]], "FILEPATH: C:\\Windows\\System32\\helper.sh": [[132, 161]], "THREAT_ACTOR: Gamaredon": [[196, 205]], "TOOL: CrackMapExec": [[212, 224]], "TOOL: LinPEAS": [[255, 262]], "DOMAIN: authnode.cc": [[314, 325]], "DOMAIN: cloud-cache.top": [[330, 345]], "HASH: a981ff4125c1e7d7d4b0e949faba43a2": [[373, 405]], "EMAIL: hr@login-portal.tech": [[447, 467]], "IP_ADDRESS: 180.126.219.51": [[502, 516]], "FILEPATH: C:\\Users\\Public\\Documents\\payload.bin": [[558, 595]]}, "info": {"id": "synth_v2_00350", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 10.26.194.105, the Dragos IR team identified LockBit running as /usr/local/bin/csrss.exe. The threat actor, believed to be Storm-0558, used Mimikatz for credential harvesting and ADFind for lateral movement. Exfiltrated data was sent to proxycdn.io and cdnbackup.net. The initial dropper (SHA1: 931d2b1b337ec916c0bfdb69ce322c130ae6a1a8) was delivered via a phishing email from helpdesk@auth-check.org. 
A second C2 node was observed at 180.118.113.87, with a persistence mechanism writing to /usr/local/bin/csrss.exe.", "spans": {"IP_ADDRESS: 10.26.194.105": [[64, 77]], "ORGANIZATION: Dragos": [[83, 89]], "MALWARE: LockBit": [[109, 116]], "FILEPATH: /usr/local/bin/csrss.exe": [[128, 152], [128, 152]], "THREAT_ACTOR: Storm-0558": [[187, 197]], "TOOL: Mimikatz": [[204, 212]], "TOOL: ADFind": [[243, 249]], "DOMAIN: proxycdn.io": [[301, 312]], "DOMAIN: cdnbackup.net": [[317, 330]], "HASH: 931d2b1b337ec916c0bfdb69ce322c130ae6a1a8": [[359, 399]], "EMAIL: helpdesk@auth-check.org": [[441, 464]], "IP_ADDRESS: 180.118.113.87": [[499, 513]]}, "info": {"id": "synth_v2_00351", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 192.164.108.74, the Volexity IR team identified QakBot running as C:\\Windows\\Temp\\dropper.ps1. The threat actor, believed to be Turla, used BloodHound for credential harvesting and Mimikatz for lateral movement. Exfiltrated data was sent to proxymail.tech and authauth.top. The initial dropper (MD5: 540b9e174e9d8993d8f938f7eeae785d) was delivered via a phishing email from it@document-share.link. 
A second C2 node was observed at 72.51.220.48, with a persistence mechanism writing to C:\\Windows\\System32\\winlogon.exe.", "spans": {"IP_ADDRESS: 192.164.108.74": [[64, 78]], "ORGANIZATION: Volexity": [[84, 92]], "MALWARE: QakBot": [[112, 118]], "FILEPATH: C:\\Windows\\Temp\\dropper.ps1": [[130, 157]], "THREAT_ACTOR: Turla": [[192, 197]], "TOOL: BloodHound": [[204, 214]], "TOOL: Mimikatz": [[245, 253]], "DOMAIN: proxymail.tech": [[305, 319]], "DOMAIN: authauth.top": [[324, 336]], "HASH: 540b9e174e9d8993d8f938f7eeae785d": [[364, 396]], "EMAIL: it@document-share.link": [[438, 460]], "IP_ADDRESS: 72.51.220.48": [[495, 507]], "FILEPATH: C:\\Windows\\System32\\winlogon.exe": [[549, 581]]}, "info": {"id": "synth_v2_00352", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 54.196.44.228, the Volexity IR team identified PikaBot running as /opt/app/bin/agent.py. The threat actor, believed to be Gamaredon, used Chisel for credential harvesting and PsExec for lateral movement. Exfiltrated data was sent to cloud-relay.dev and api-edge.cc. The initial dropper (SHA1: 19fd31131096f4fefd28a593cf9737b5cc27516d) was delivered via a phishing email from noreply@phishing-domain.com. 
A second C2 node was observed at 10.61.21.151, with a persistence mechanism writing to /dev/shm/runtime.dll.", "spans": {"IP_ADDRESS: 54.196.44.228": [[64, 77]], "ORGANIZATION: Volexity": [[83, 91]], "MALWARE: PikaBot": [[111, 118]], "FILEPATH: /opt/app/bin/agent.py": [[130, 151]], "THREAT_ACTOR: Gamaredon": [[186, 195]], "TOOL: Chisel": [[202, 208]], "TOOL: PsExec": [[239, 245]], "DOMAIN: cloud-relay.dev": [[297, 312]], "DOMAIN: api-edge.cc": [[317, 328]], "HASH: 19fd31131096f4fefd28a593cf9737b5cc27516d": [[357, 397]], "EMAIL: noreply@phishing-domain.com": [[439, 466]], "IP_ADDRESS: 10.61.21.151": [[501, 513]], "FILEPATH: /dev/shm/runtime.dll": [[555, 575]]}, "info": {"id": "synth_v2_00353", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 195.177.187.115, the NCSC IR team identified BlackCat running as C:\\Users\\admin\\AppData\\Local\\Temp\\runtime.dll. The threat actor, believed to be Sandworm, used Sliver for credential harvesting and Certutil for lateral movement. Exfiltrated data was sent to secure-static.info and backup-cdn.cc. The initial dropper (SHA1: ff69477fcd08141bde9f256927b3ed40f3e7ce95) was delivered via a phishing email from account@secure-verify.net. 
A second C2 node was observed at 172.34.247.108, with a persistence mechanism writing to C:\\Users\\admin\\Desktop\\beacon.dll.", "spans": {"IP_ADDRESS: 195.177.187.115": [[64, 79]], "ORGANIZATION: NCSC": [[85, 89]], "MALWARE: BlackCat": [[109, 117]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\runtime.dll": [[129, 174]], "THREAT_ACTOR: Sandworm": [[209, 217]], "TOOL: Sliver": [[224, 230]], "TOOL: Certutil": [[261, 269]], "DOMAIN: secure-static.info": [[321, 339]], "DOMAIN: backup-cdn.cc": [[344, 357]], "HASH: ff69477fcd08141bde9f256927b3ed40f3e7ce95": [[386, 426]], "EMAIL: account@secure-verify.net": [[468, 493]], "IP_ADDRESS: 172.34.247.108": [[528, 542]], "FILEPATH: C:\\Users\\admin\\Desktop\\beacon.dll": [[584, 617]]}, "info": {"id": "synth_v2_00354", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 144.199.205.156, the Palo Alto Unit 42 IR team identified REvil running as /home/user/.config/helper.sh. The threat actor, believed to be Midnight Blizzard, used Seatbelt for credential harvesting and LaZagne for lateral movement. Exfiltrated data was sent to cache-update.dev and nodenode.info. The initial dropper (SHA1: c6997395ec860bb4473a12c2f0b2d8872224b839) was delivered via a phishing email from security@login-portal.tech. 
A second C2 node was observed at 53.94.1.41, with a persistence mechanism writing to /home/user/.config/backdoor.elf.", "spans": {"IP_ADDRESS: 144.199.205.156": [[64, 79]], "ORGANIZATION: Palo Alto Unit 42": [[85, 102]], "MALWARE: REvil": [[122, 127]], "FILEPATH: /home/user/.config/helper.sh": [[139, 167]], "THREAT_ACTOR: Midnight Blizzard": [[202, 219]], "TOOL: Seatbelt": [[226, 234]], "TOOL: LaZagne": [[265, 272]], "DOMAIN: cache-update.dev": [[324, 340]], "DOMAIN: nodenode.info": [[345, 358]], "HASH: c6997395ec860bb4473a12c2f0b2d8872224b839": [[387, 427]], "EMAIL: security@login-portal.tech": [[469, 495]], "IP_ADDRESS: 53.94.1.41": [[530, 540]], "FILEPATH: /home/user/.config/backdoor.elf": [[582, 613]]}, "info": {"id": "synth_v2_00355", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 192.75.142.238, the Symantec IR team identified Cobalt Strike running as C:\\ProgramData\\dropper.ps1. The threat actor, believed to be MuddyWater, used PsExec for credential harvesting and Burp Suite for lateral movement. Exfiltrated data was sent to edge-auth.com and staticmail.tech. The initial dropper (MD5: 9d68b63aed40a0931526eb53dd3d120e) was delivered via a phishing email from report@mail-service.info. 
A second C2 node was observed at 172.26.127.254, with a persistence mechanism writing to /usr/local/bin/payload.bin.", "spans": {"IP_ADDRESS: 192.75.142.238": [[64, 78]], "ORGANIZATION: Symantec": [[84, 92]], "MALWARE: Cobalt Strike": [[112, 125]], "FILEPATH: C:\\ProgramData\\dropper.ps1": [[137, 163]], "THREAT_ACTOR: MuddyWater": [[198, 208]], "TOOL: PsExec": [[215, 221]], "TOOL: Burp Suite": [[252, 262]], "DOMAIN: edge-auth.com": [[314, 327]], "DOMAIN: staticmail.tech": [[332, 347]], "HASH: 9d68b63aed40a0931526eb53dd3d120e": [[375, 407]], "EMAIL: report@mail-service.info": [[449, 473]], "IP_ADDRESS: 172.26.127.254": [[508, 522]], "FILEPATH: /usr/local/bin/payload.bin": [[564, 590]]}, "info": {"id": "synth_v2_00356", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.112.143.46, the ESET Research IR team identified RemcosRAT running as /tmp/shell.php. The threat actor, believed to be APT29, used Sharphound for credential harvesting and Covenant for lateral movement. Exfiltrated data was sent to staticedge.xyz and datastorage.info. The initial dropper (MD5: ca37057e586181aac63a2e6a2e0d4ecc) was delivered via a phishing email from contact@auth-check.org. 
A second C2 node was observed at 5.54.195.243, with a persistence mechanism writing to C:\\Users\\admin\\Desktop\\payload.bin.", "spans": {"IP_ADDRESS: 172.112.143.46": [[64, 78]], "ORGANIZATION: ESET Research": [[84, 97]], "MALWARE: RemcosRAT": [[117, 126]], "FILEPATH: /tmp/shell.php": [[138, 152]], "THREAT_ACTOR: APT29": [[187, 192]], "TOOL: Sharphound": [[199, 209]], "TOOL: Covenant": [[240, 248]], "DOMAIN: staticedge.xyz": [[300, 314]], "DOMAIN: datastorage.info": [[319, 335]], "HASH: ca37057e586181aac63a2e6a2e0d4ecc": [[363, 395]], "EMAIL: contact@auth-check.org": [[437, 459]], "IP_ADDRESS: 5.54.195.243": [[494, 506]], "FILEPATH: C:\\Users\\admin\\Desktop\\payload.bin": [[548, 582]]}, "info": {"id": "synth_v2_00357", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 47.235.94.209, the CISA IR team identified LockBit running as C:\\ProgramData\\payload.bin. The threat actor, believed to be Silk Typhoon, used PowerShell Empire for credential harvesting and Impacket for lateral movement. Exfiltrated data was sent to updatebackup.org and portal-static.xyz. The initial dropper (SHA256: 77c3b5bc1ad72f542d1ffbfef587a69cd3881d54c59c41fd96fc54262e54a58e) was delivered via a phishing email from service@secure-verify.net. 
A second C2 node was observed at 10.251.92.166, with a persistence mechanism writing to C:\\ProgramData\\ntds.dit.", "spans": {"IP_ADDRESS: 47.235.94.209": [[64, 77]], "ORGANIZATION: CISA": [[83, 87]], "MALWARE: LockBit": [[107, 114]], "FILEPATH: C:\\ProgramData\\payload.bin": [[126, 152]], "THREAT_ACTOR: Silk Typhoon": [[187, 199]], "TOOL: PowerShell Empire": [[206, 223]], "TOOL: Impacket": [[254, 262]], "DOMAIN: updatebackup.org": [[314, 330]], "DOMAIN: portal-static.xyz": [[335, 352]], "HASH: 77c3b5bc1ad72f542d1ffbfef587a69cd3881d54c59c41fd96fc54262e54a58e": [[383, 447]], "EMAIL: service@secure-verify.net": [[489, 514]], "IP_ADDRESS: 10.251.92.166": [[549, 562]], "FILEPATH: C:\\ProgramData\\ntds.dit": [[604, 627]]}, "info": {"id": "synth_v2_00358", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 192.51.193.99, the Huntress IR team identified PikaBot running as /opt/app/bin/chrome_helper.exe. The threat actor, believed to be Mustang Panda, used LinPEAS for credential harvesting and Seatbelt for lateral movement. Exfiltrated data was sent to api-sync.org and update-auth.io. The initial dropper (MD5: 0ef2492fa7f8fa41f32421abd14bded9) was delivered via a phishing email from notification@credential-check.site. 
A second C2 node was observed at 10.6.22.34, with a persistence mechanism writing to /tmp/payload.bin.", "spans": {"IP_ADDRESS: 192.51.193.99": [[64, 77]], "ORGANIZATION: Huntress": [[83, 91]], "MALWARE: PikaBot": [[111, 118]], "FILEPATH: /opt/app/bin/chrome_helper.exe": [[130, 160]], "THREAT_ACTOR: Mustang Panda": [[195, 208]], "TOOL: LinPEAS": [[215, 222]], "TOOL: Seatbelt": [[253, 261]], "DOMAIN: api-sync.org": [[313, 325]], "DOMAIN: update-auth.io": [[330, 344]], "HASH: 0ef2492fa7f8fa41f32421abd14bded9": [[372, 404]], "EMAIL: notification@credential-check.site": [[446, 480]], "IP_ADDRESS: 10.6.22.34": [[515, 525]], "FILEPATH: /tmp/payload.bin": [[567, 583]]}, "info": {"id": "synth_v2_00359", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 10.28.136.161, the Microsoft MSRC IR team identified REvil running as /var/tmp/svchost.exe. The threat actor, believed to be TA505, used Hashcat for credential harvesting and PowerShell Empire for lateral movement. Exfiltrated data was sent to authnode.dev and loginupdate.dev. The initial dropper (MD5: c6cd963e4c79bfae054390fff0a1ae5d) was delivered via a phishing email from it@mail-service.info. 
A second C2 node was observed at 10.22.52.140, with a persistence mechanism writing to /var/tmp/ntds.dit.", "spans": {"IP_ADDRESS: 10.28.136.161": [[64, 77]], "ORGANIZATION: Microsoft MSRC": [[83, 97]], "MALWARE: REvil": [[117, 122]], "FILEPATH: /var/tmp/svchost.exe": [[134, 154]], "THREAT_ACTOR: TA505": [[189, 194]], "TOOL: Hashcat": [[201, 208]], "TOOL: PowerShell Empire": [[239, 256]], "DOMAIN: authnode.dev": [[308, 320]], "DOMAIN: loginupdate.dev": [[325, 340]], "HASH: c6cd963e4c79bfae054390fff0a1ae5d": [[368, 400]], "EMAIL: it@mail-service.info": [[442, 462]], "IP_ADDRESS: 10.22.52.140": [[497, 509]], "FILEPATH: /var/tmp/ntds.dit": [[551, 568]]}, "info": {"id": "synth_v2_00360", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 176.57.251.44, the INTERPOL IR team identified Play running as C:\\Windows\\System32\\config.dat. The threat actor, believed to be Diamond Sleet, used Mythic for credential harvesting and PowerView for lateral movement. Exfiltrated data was sent to static-storage.net and apicdn.cc. The initial dropper (MD5: 74b2563969a6a9d06abf598e6f55e51d) was delivered via a phishing email from security@identity-verify.cc. 
A second C2 node was observed at 10.52.144.92, with a persistence mechanism writing to C:\\Program Files\\Common Files\\loader.exe.", "spans": {"IP_ADDRESS: 176.57.251.44": [[64, 77]], "ORGANIZATION: INTERPOL": [[83, 91]], "MALWARE: Play": [[111, 115]], "FILEPATH: C:\\Windows\\System32\\config.dat": [[127, 157]], "THREAT_ACTOR: Diamond Sleet": [[192, 205]], "TOOL: Mythic": [[212, 218]], "TOOL: PowerView": [[249, 258]], "DOMAIN: static-storage.net": [[310, 328]], "DOMAIN: apicdn.cc": [[333, 342]], "HASH: 74b2563969a6a9d06abf598e6f55e51d": [[370, 402]], "EMAIL: security@identity-verify.cc": [[444, 471]], "IP_ADDRESS: 10.52.144.92": [[506, 518]], "FILEPATH: C:\\Program Files\\Common Files\\loader.exe": [[560, 600]]}, "info": {"id": "synth_v2_00361", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 90.53.138.235, the Dragos IR team identified LockBit running as C:\\Windows\\Tasks\\beacon.dll. The threat actor, believed to be Silk Typhoon, used PowerView for credential harvesting and Burp Suite for lateral movement. Exfiltrated data was sent to update-login.link and storage-login.site. The initial dropper (SHA1: aedd877986940184caeddc0c347e46c81dc36e87) was delivered via a phishing email from hr@account-update.xyz. 
A second C2 node was observed at 170.188.135.208, with a persistence mechanism writing to C:\\ProgramData\\taskhost.exe.", "spans": {"IP_ADDRESS: 90.53.138.235": [[64, 77]], "ORGANIZATION: Dragos": [[83, 89]], "MALWARE: LockBit": [[109, 116]], "FILEPATH: C:\\Windows\\Tasks\\beacon.dll": [[128, 155]], "THREAT_ACTOR: Silk Typhoon": [[190, 202]], "TOOL: PowerView": [[209, 218]], "TOOL: Burp Suite": [[249, 259]], "DOMAIN: update-login.link": [[311, 328]], "DOMAIN: storage-login.site": [[333, 351]], "HASH: aedd877986940184caeddc0c347e46c81dc36e87": [[380, 420]], "EMAIL: hr@account-update.xyz": [[462, 483]], "IP_ADDRESS: 170.188.135.208": [[518, 533]], "FILEPATH: C:\\ProgramData\\taskhost.exe": [[575, 602]]}, "info": {"id": "synth_v2_00362", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 91.163.253.109, the Dragos IR team identified Dridex running as /var/tmp/lsass.dmp. The threat actor, believed to be Scattered Spider, used CrackMapExec for credential harvesting and Rubeus for lateral movement. Exfiltrated data was sent to portal-gateway.io and edgeedge.online. The initial dropper (SHA1: 943c555498a203507d3f868cae0be4c2e7913e02) was delivered via a phishing email from account@document-share.link. 
A second C2 node was observed at 178.211.170.36, with a persistence mechanism writing to C:\\ProgramData\\shell.php.", "spans": {"IP_ADDRESS: 91.163.253.109": [[64, 78]], "ORGANIZATION: Dragos": [[84, 90]], "MALWARE: Dridex": [[110, 116]], "FILEPATH: /var/tmp/lsass.dmp": [[128, 146]], "THREAT_ACTOR: Scattered Spider": [[181, 197]], "TOOL: CrackMapExec": [[204, 216]], "TOOL: Rubeus": [[247, 253]], "DOMAIN: portal-gateway.io": [[305, 322]], "DOMAIN: edgeedge.online": [[327, 342]], "HASH: 943c555498a203507d3f868cae0be4c2e7913e02": [[371, 411]], "EMAIL: account@document-share.link": [[453, 480]], "IP_ADDRESS: 178.211.170.36": [[515, 529]], "FILEPATH: C:\\ProgramData\\shell.php": [[571, 595]]}, "info": {"id": "synth_v2_00363", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 1.104.8.93, the Volexity IR team identified Play running as C:\\Program Files\\Common Files\\helper.sh. The threat actor, believed to be Forest Blizzard, used Impacket for credential harvesting and PsExec for lateral movement. Exfiltrated data was sent to maillogin.info and loginedge.dev. The initial dropper (SHA256: e9488b6b04c29a09427c2a080b679602f95b4df09060abcd38fdb18b478f4f37) was delivered via a phishing email from noreply@secure-verify.net. 
A second C2 node was observed at 35.56.30.234, with a persistence mechanism writing to /tmp/helper.sh.", "spans": {"IP_ADDRESS: 1.104.8.93": [[64, 74]], "ORGANIZATION: Volexity": [[80, 88]], "MALWARE: Play": [[108, 112]], "FILEPATH: C:\\Program Files\\Common Files\\helper.sh": [[124, 163]], "THREAT_ACTOR: Forest Blizzard": [[198, 213]], "TOOL: Impacket": [[220, 228]], "TOOL: PsExec": [[259, 265]], "DOMAIN: maillogin.info": [[317, 331]], "DOMAIN: loginedge.dev": [[336, 349]], "HASH: e9488b6b04c29a09427c2a080b679602f95b4df09060abcd38fdb18b478f4f37": [[380, 444]], "EMAIL: noreply@secure-verify.net": [[486, 511]], "IP_ADDRESS: 35.56.30.234": [[546, 558]], "FILEPATH: /tmp/helper.sh": [[600, 614]]}, "info": {"id": "synth_v2_00364", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 96.27.54.170, the Microsoft MSRC IR team identified LockBit running as C:\\Program Files\\Common Files\\payload.bin. The threat actor, believed to be Volt Typhoon, used LinPEAS for credential harvesting and Mimikatz for lateral movement. Exfiltrated data was sent to loginapi.xyz and update-cache.live. The initial dropper (SHA1: 92b21d33d60cb17cc016bb67c04dc86ef88569c1) was delivered via a phishing email from account@mail-service.info. 
A second C2 node was observed at 172.80.15.38, with a persistence mechanism writing to C:\\Users\\admin\\Downloads\\beacon.dll.", "spans": {"IP_ADDRESS: 96.27.54.170": [[64, 76]], "ORGANIZATION: Microsoft MSRC": [[82, 96]], "MALWARE: LockBit": [[116, 123]], "FILEPATH: C:\\Program Files\\Common Files\\payload.bin": [[135, 176]], "THREAT_ACTOR: Volt Typhoon": [[211, 223]], "TOOL: LinPEAS": [[230, 237]], "TOOL: Mimikatz": [[268, 276]], "DOMAIN: loginapi.xyz": [[328, 340]], "DOMAIN: update-cache.live": [[345, 362]], "HASH: 92b21d33d60cb17cc016bb67c04dc86ef88569c1": [[391, 431]], "EMAIL: account@mail-service.info": [[473, 498]], "IP_ADDRESS: 172.80.15.38": [[533, 545]], "FILEPATH: C:\\Users\\admin\\Downloads\\beacon.dll": [[587, 622]]}, "info": {"id": "synth_v2_00365", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 201.6.146.29, the FireEye IR team identified Amadey running as /usr/local/bin/shell.php. The threat actor, believed to be Storm-0558, used LinPEAS for credential harvesting and Hashcat for lateral movement. Exfiltrated data was sent to update-portal.live and relayedge.club. The initial dropper (MD5: cfb3c1585acf864b2a8991f5fe5292ce) was delivered via a phishing email from security@mail-service.info. 
A second C2 node was observed at 10.16.88.129, with a persistence mechanism writing to /home/user/.config/helper.sh.", "spans": {"IP_ADDRESS: 201.6.146.29": [[64, 76]], "ORGANIZATION: FireEye": [[82, 89]], "MALWARE: Amadey": [[109, 115]], "FILEPATH: /usr/local/bin/shell.php": [[127, 151]], "THREAT_ACTOR: Storm-0558": [[186, 196]], "TOOL: LinPEAS": [[203, 210]], "TOOL: Hashcat": [[241, 248]], "DOMAIN: update-portal.live": [[300, 318]], "DOMAIN: relayedge.club": [[323, 337]], "HASH: cfb3c1585acf864b2a8991f5fe5292ce": [[365, 397]], "EMAIL: security@mail-service.info": [[439, 465]], "IP_ADDRESS: 10.16.88.129": [[500, 512]], "FILEPATH: /home/user/.config/helper.sh": [[554, 582]]}, "info": {"id": "synth_v2_00366", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.28.112.101, the INTERPOL IR team identified Dridex running as /usr/local/bin/taskhost.exe. The threat actor, believed to be Charming Kitten, used Ligolo for credential harvesting and CrackMapExec for lateral movement. Exfiltrated data was sent to portalportal.org and mail-gateway.xyz. The initial dropper (MD5: 0b9d5d66b26f2a9cf01a58a553685857) was delivered via a phishing email from ceo@phishing-domain.com. 
A second C2 node was observed at 192.39.239.123, with a persistence mechanism writing to C:\\Users\\Public\\Documents\\chrome_helper.exe.", "spans": {"IP_ADDRESS: 172.28.112.101": [[64, 78]], "ORGANIZATION: INTERPOL": [[84, 92]], "MALWARE: Dridex": [[112, 118]], "FILEPATH: /usr/local/bin/taskhost.exe": [[130, 157]], "THREAT_ACTOR: Charming Kitten": [[192, 207]], "TOOL: Ligolo": [[214, 220]], "TOOL: CrackMapExec": [[251, 263]], "DOMAIN: portalportal.org": [[315, 331]], "DOMAIN: mail-gateway.xyz": [[336, 352]], "HASH: 0b9d5d66b26f2a9cf01a58a553685857": [[380, 412]], "EMAIL: ceo@phishing-domain.com": [[454, 477]], "IP_ADDRESS: 192.39.239.123": [[512, 526]], "FILEPATH: C:\\Users\\Public\\Documents\\chrome_helper.exe": [[568, 611]]}, "info": {"id": "synth_v2_00367", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 10.108.5.194, the SentinelOne IR team identified BumbleBee running as C:\\Users\\admin\\AppData\\Local\\Temp\\winlogon.exe. The threat actor, believed to be TA505, used Rubeus for credential harvesting and Certutil for lateral movement. Exfiltrated data was sent to apicache.cc and cache-proxy.com. The initial dropper (SHA256: e55b3adccdb41cd358a3e6755d71156c5025bcc28de88b7d337502b009e23b16) was delivered via a phishing email from finance@identity-verify.cc. 
A second C2 node was observed at 49.103.16.62, with a persistence mechanism writing to C:\\ProgramData\\agent.py.", "spans": {"IP_ADDRESS: 10.108.5.194": [[64, 76]], "ORGANIZATION: SentinelOne": [[82, 93]], "MALWARE: BumbleBee": [[113, 122]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\winlogon.exe": [[134, 180]], "THREAT_ACTOR: TA505": [[215, 220]], "TOOL: Rubeus": [[227, 233]], "TOOL: Certutil": [[264, 272]], "DOMAIN: apicache.cc": [[324, 335]], "DOMAIN: cache-proxy.com": [[340, 355]], "HASH: e55b3adccdb41cd358a3e6755d71156c5025bcc28de88b7d337502b009e23b16": [[386, 450]], "EMAIL: finance@identity-verify.cc": [[492, 518]], "IP_ADDRESS: 49.103.16.62": [[553, 565]], "FILEPATH: C:\\ProgramData\\agent.py": [[607, 630]]}, "info": {"id": "synth_v2_00368", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 186.182.66.180, the CISA IR team identified BatLoader running as C:\\Users\\admin\\AppData\\Local\\Temp\\agent.py. The threat actor, believed to be Sandworm, used Hashcat for credential harvesting and Seatbelt for lateral movement. Exfiltrated data was sent to update-cache.link and proxycache.live. The initial dropper (SHA1: cef1e7cc266b642d25f1a83551b8424ea7bc467b) was delivered via a phishing email from info@secure-verify.net. 
A second C2 node was observed at 172.208.51.129, with a persistence mechanism writing to C:\\Users\\admin\\Downloads\\payload.bin.", "spans": {"IP_ADDRESS: 186.182.66.180": [[64, 78]], "ORGANIZATION: CISA": [[84, 88]], "MALWARE: BatLoader": [[108, 117]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\agent.py": [[129, 171]], "THREAT_ACTOR: Sandworm": [[206, 214]], "TOOL: Hashcat": [[221, 228]], "TOOL: Seatbelt": [[259, 267]], "DOMAIN: update-cache.link": [[319, 336]], "DOMAIN: proxycache.live": [[341, 356]], "HASH: cef1e7cc266b642d25f1a83551b8424ea7bc467b": [[385, 425]], "EMAIL: info@secure-verify.net": [[467, 489]], "IP_ADDRESS: 172.208.51.129": [[524, 538]], "FILEPATH: C:\\Users\\admin\\Downloads\\payload.bin": [[580, 616]]}, "info": {"id": "synth_v2_00369", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 192.82.174.115, the Microsoft MSRC IR team identified Play running as C:\\Windows\\System32\\shell.php. The threat actor, believed to be Silk Typhoon, used SharpHound for credential harvesting and GhostPack for lateral movement. Exfiltrated data was sent to cdnportal.xyz and static-static.net. The initial dropper (SHA256: 97260feeb3c713d65f0787c7ace21b46423d5132f4325c0999a9968e2a4f9f2c) was delivered via a phishing email from finance@urgent-notice.online. 
A second C2 node was observed at 172.148.184.160, with a persistence mechanism writing to /dev/shm/taskhost.exe.", "spans": {"IP_ADDRESS: 192.82.174.115": [[64, 78]], "ORGANIZATION: Microsoft MSRC": [[84, 98]], "MALWARE: Play": [[118, 122]], "FILEPATH: C:\\Windows\\System32\\shell.php": [[134, 163]], "THREAT_ACTOR: Silk Typhoon": [[198, 210]], "TOOL: SharpHound": [[217, 227]], "TOOL: GhostPack": [[258, 267]], "DOMAIN: cdnportal.xyz": [[319, 332]], "DOMAIN: static-static.net": [[337, 354]], "HASH: 97260feeb3c713d65f0787c7ace21b46423d5132f4325c0999a9968e2a4f9f2c": [[385, 449]], "EMAIL: finance@urgent-notice.online": [[491, 519]], "IP_ADDRESS: 172.148.184.160": [[554, 569]], "FILEPATH: /dev/shm/taskhost.exe": [[611, 632]]}, "info": {"id": "synth_v2_00370", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 44.151.82.18, the Qualys IR team identified Dridex running as C:\\Windows\\System32\\taskhost.exe. The threat actor, believed to be Ember Bear, used Metasploit for credential harvesting and Brute Ratel for lateral movement. Exfiltrated data was sent to secure-relay.info and syncrelay.top. The initial dropper (MD5: 7e0477f24ccb5ab5f83d06b38aada3f6) was delivered via a phishing email from finance@identity-verify.cc. 
A second C2 node was observed at 148.186.180.23, with a persistence mechanism writing to /dev/shm/update.dll.", "spans": {"IP_ADDRESS: 44.151.82.18": [[64, 76]], "ORGANIZATION: Qualys": [[82, 88]], "MALWARE: Dridex": [[108, 114]], "FILEPATH: C:\\Windows\\System32\\taskhost.exe": [[126, 158]], "THREAT_ACTOR: Ember Bear": [[193, 203]], "TOOL: Metasploit": [[210, 220]], "TOOL: Brute Ratel": [[251, 262]], "DOMAIN: secure-relay.info": [[314, 331]], "DOMAIN: syncrelay.top": [[336, 349]], "HASH: 7e0477f24ccb5ab5f83d06b38aada3f6": [[377, 409]], "EMAIL: finance@identity-verify.cc": [[451, 477]], "IP_ADDRESS: 148.186.180.23": [[512, 526]], "FILEPATH: /dev/shm/update.dll": [[568, 587]]}, "info": {"id": "synth_v2_00371", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.187.160.96, the Proofpoint IR team identified FormBook running as C:\\Users\\Public\\Documents\\agent.py. The threat actor, believed to be Salt Typhoon, used ADFind for credential harvesting and Merlin for lateral movement. Exfiltrated data was sent to static-cdn.club and edge-update.org. The initial dropper (SHA1: 93e8708e43c41213bf1fb7a99a874d117cadcfa6) was delivered via a phishing email from info@login-portal.tech. 
A second C2 node was observed at 192.211.230.68, with a persistence mechanism writing to C:\\Users\\admin\\Desktop\\config.dat.", "spans": {"IP_ADDRESS: 172.187.160.96": [[64, 78]], "ORGANIZATION: Proofpoint": [[84, 94]], "MALWARE: FormBook": [[114, 122]], "FILEPATH: C:\\Users\\Public\\Documents\\agent.py": [[134, 168]], "THREAT_ACTOR: Salt Typhoon": [[203, 215]], "TOOL: ADFind": [[222, 228]], "TOOL: Merlin": [[259, 265]], "DOMAIN: static-cdn.club": [[317, 332]], "DOMAIN: edge-update.org": [[337, 352]], "HASH: 93e8708e43c41213bf1fb7a99a874d117cadcfa6": [[381, 421]], "EMAIL: info@login-portal.tech": [[463, 485]], "IP_ADDRESS: 192.211.230.68": [[520, 534]], "FILEPATH: C:\\Users\\admin\\Desktop\\config.dat": [[576, 609]]}, "info": {"id": "synth_v2_00372", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.238.239.165, the Volexity IR team identified Raccoon Stealer running as /opt/app/bin/implant.so. The threat actor, believed to be Salt Typhoon, used Brute Ratel for credential harvesting and PowerView for lateral movement. Exfiltrated data was sent to portal-gateway.xyz and storageapi.tech. The initial dropper (SHA1: 42838a413da30901c3d3fabc5ea0a6f95816ef5c) was delivered via a phishing email from verify@secure-verify.net. 
A second C2 node was observed at 28.43.92.188, with a persistence mechanism writing to /dev/shm/runtime.dll.", "spans": {"IP_ADDRESS: 172.238.239.165": [[64, 79]], "ORGANIZATION: Volexity": [[85, 93]], "MALWARE: Raccoon Stealer": [[113, 128]], "FILEPATH: /opt/app/bin/implant.so": [[140, 163]], "THREAT_ACTOR: Salt Typhoon": [[198, 210]], "TOOL: Brute Ratel": [[217, 228]], "TOOL: PowerView": [[259, 268]], "DOMAIN: portal-gateway.xyz": [[320, 338]], "DOMAIN: storageapi.tech": [[343, 358]], "HASH: 42838a413da30901c3d3fabc5ea0a6f95816ef5c": [[387, 427]], "EMAIL: verify@secure-verify.net": [[469, 493]], "IP_ADDRESS: 28.43.92.188": [[528, 540]], "FILEPATH: /dev/shm/runtime.dll": [[582, 602]]}, "info": {"id": "synth_v2_00373", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.74.109.82, the Microsoft MSRC IR team identified SystemBC running as C:\\Program Files\\Common Files\\backdoor.elf. The threat actor, believed to be Midnight Blizzard, used BloodHound for credential harvesting and Certutil for lateral movement. Exfiltrated data was sent to gatewayproxy.xyz and cloud-update.link. The initial dropper (SHA256: 0be1316b3afdc0e2e6ae7e28996840f002af825af6cf86d7fb0e570c56a02fe6) was delivered via a phishing email from info@mail-service.info. 
A second C2 node was observed at 192.194.31.240, with a persistence mechanism writing to /usr/local/bin/config.dat.", "spans": {"IP_ADDRESS: 172.74.109.82": [[64, 77]], "ORGANIZATION: Microsoft MSRC": [[83, 97]], "MALWARE: SystemBC": [[117, 125]], "FILEPATH: C:\\Program Files\\Common Files\\backdoor.elf": [[137, 179]], "THREAT_ACTOR: Midnight Blizzard": [[214, 231]], "TOOL: BloodHound": [[238, 248]], "TOOL: Certutil": [[279, 287]], "DOMAIN: gatewayproxy.xyz": [[339, 355]], "DOMAIN: cloud-update.link": [[360, 377]], "HASH: 0be1316b3afdc0e2e6ae7e28996840f002af825af6cf86d7fb0e570c56a02fe6": [[408, 472]], "EMAIL: info@mail-service.info": [[514, 536]], "IP_ADDRESS: 192.194.31.240": [[571, 585]], "FILEPATH: /usr/local/bin/config.dat": [[627, 652]]}, "info": {"id": "synth_v2_00374", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 108.109.132.48, the Tenable IR team identified Vidar running as C:\\Users\\admin\\Downloads\\ntds.dit. The threat actor, believed to be Lazarus Group, used Burp Suite for credential harvesting and Havoc for lateral movement. Exfiltrated data was sent to securecloud.tech and proxyproxy.io. The initial dropper (MD5: 31077b2978d4b8bc03f3f74681e74910) was delivered via a phishing email from admin@urgent-notice.online. 
A second C2 node was observed at 10.219.175.247, with a persistence mechanism writing to /etc/cron.d/shell.php.", "spans": {"IP_ADDRESS: 108.109.132.48": [[64, 78]], "ORGANIZATION: Tenable": [[84, 91]], "MALWARE: Vidar": [[111, 116]], "FILEPATH: C:\\Users\\admin\\Downloads\\ntds.dit": [[128, 161]], "THREAT_ACTOR: Lazarus Group": [[196, 209]], "TOOL: Burp Suite": [[216, 226]], "TOOL: Havoc": [[257, 262]], "DOMAIN: securecloud.tech": [[314, 330]], "DOMAIN: proxyproxy.io": [[335, 348]], "HASH: 31077b2978d4b8bc03f3f74681e74910": [[376, 408]], "EMAIL: admin@urgent-notice.online": [[450, 476]], "IP_ADDRESS: 10.219.175.247": [[511, 525]], "FILEPATH: /etc/cron.d/shell.php": [[567, 588]]}, "info": {"id": "synth_v2_00375", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.162.7.39, the Volexity IR team identified StealC running as C:\\Windows\\Tasks\\shell.php. The threat actor, believed to be Sandworm, used Impacket for credential harvesting and LinPEAS for lateral movement. Exfiltrated data was sent to syncnode.club and relay-login.top. The initial dropper (SHA256: c854584f1c043d5df3349aa60e29e0800218a4d845c417813f5d28a476530509) was delivered via a phishing email from billing@identity-verify.cc. 
A second C2 node was observed at 38.255.162.30, with a persistence mechanism writing to C:\\Users\\Public\\Documents\\update.dll.", "spans": {"IP_ADDRESS: 172.162.7.39": [[64, 76]], "ORGANIZATION: Volexity": [[82, 90]], "MALWARE: StealC": [[110, 116]], "FILEPATH: C:\\Windows\\Tasks\\shell.php": [[128, 154]], "THREAT_ACTOR: Sandworm": [[189, 197]], "TOOL: Impacket": [[204, 212]], "TOOL: LinPEAS": [[243, 250]], "DOMAIN: syncnode.club": [[302, 315]], "DOMAIN: relay-login.top": [[320, 335]], "HASH: c854584f1c043d5df3349aa60e29e0800218a4d845c417813f5d28a476530509": [[366, 430]], "EMAIL: billing@identity-verify.cc": [[472, 498]], "IP_ADDRESS: 38.255.162.30": [[533, 546]], "FILEPATH: C:\\Users\\Public\\Documents\\update.dll": [[588, 624]]}, "info": {"id": "synth_v2_00376", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 56.178.107.244, the SentinelOne IR team identified WarmCookie running as /dev/shm/sam.hive. The threat actor, believed to be Velvet Tempest, used Rubeus for credential harvesting and ADFind for lateral movement. Exfiltrated data was sent to updatebackup.dev and nodeauth.club. The initial dropper (MD5: 7bb54f952cb2965216a98c4060d89360) was delivered via a phishing email from confirm@identity-verify.cc. 
A second C2 node was observed at 192.7.189.209, with a persistence mechanism writing to C:\\Program Files\\Common Files\\ntds.dit.", "spans": {"IP_ADDRESS: 56.178.107.244": [[64, 78]], "ORGANIZATION: SentinelOne": [[84, 95]], "MALWARE: WarmCookie": [[115, 125]], "FILEPATH: /dev/shm/sam.hive": [[137, 154]], "THREAT_ACTOR: Velvet Tempest": [[189, 203]], "TOOL: Rubeus": [[210, 216]], "TOOL: ADFind": [[247, 253]], "DOMAIN: updatebackup.dev": [[305, 321]], "DOMAIN: nodeauth.club": [[326, 339]], "HASH: 7bb54f952cb2965216a98c4060d89360": [[367, 399]], "EMAIL: confirm@identity-verify.cc": [[441, 467]], "IP_ADDRESS: 192.7.189.209": [[502, 515]], "FILEPATH: C:\\Program Files\\Common Files\\ntds.dit": [[557, 595]]}, "info": {"id": "synth_v2_00377", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.219.191.46, the Volexity IR team identified PikaBot running as C:\\Windows\\Temp\\implant.so. The threat actor, believed to be Velvet Tempest, used Hashcat for credential harvesting and Metasploit for lateral movement. Exfiltrated data was sent to backupstatic.dev and api-auth.net. The initial dropper (MD5: 48f8cb0d0d1c9aabbf93e1807625072e) was delivered via a phishing email from report@urgent-notice.online. 
A second C2 node was observed at 192.223.195.73, with a persistence mechanism writing to C:\\Program Files\\Common Files\\taskhost.exe.", "spans": {"IP_ADDRESS: 172.219.191.46": [[64, 78]], "ORGANIZATION: Volexity": [[84, 92]], "MALWARE: PikaBot": [[112, 119]], "FILEPATH: C:\\Windows\\Temp\\implant.so": [[131, 157]], "THREAT_ACTOR: Velvet Tempest": [[192, 206]], "TOOL: Hashcat": [[213, 220]], "TOOL: Metasploit": [[251, 261]], "DOMAIN: backupstatic.dev": [[313, 329]], "DOMAIN: api-auth.net": [[334, 346]], "HASH: 48f8cb0d0d1c9aabbf93e1807625072e": [[374, 406]], "EMAIL: report@urgent-notice.online": [[448, 475]], "IP_ADDRESS: 192.223.195.73": [[510, 524]], "FILEPATH: C:\\Program Files\\Common Files\\taskhost.exe": [[566, 608]]}, "info": {"id": "synth_v2_00378", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 192.148.215.55, the Kaspersky GReAT IR team identified Ryuk running as /etc/cron.d/helper.sh. The threat actor, believed to be UNC2452, used Brute Ratel for credential harvesting and LaZagne for lateral movement. Exfiltrated data was sent to authmail.link and gatewayportal.com. The initial dropper (SHA1: 5f337b3ba854942d50d056f701abfa4e6cbc76fb) was delivered via a phishing email from finance@identity-verify.cc. 
A second C2 node was observed at 172.195.58.51, with a persistence mechanism writing to /home/user/.config/backdoor.elf.", "spans": {"IP_ADDRESS: 192.148.215.55": [[64, 78]], "ORGANIZATION: Kaspersky GReAT": [[84, 99]], "MALWARE: Ryuk": [[119, 123]], "FILEPATH: /etc/cron.d/helper.sh": [[135, 156]], "THREAT_ACTOR: UNC2452": [[191, 198]], "TOOL: Brute Ratel": [[205, 216]], "TOOL: LaZagne": [[247, 254]], "DOMAIN: authmail.link": [[306, 319]], "DOMAIN: gatewayportal.com": [[324, 341]], "HASH: 5f337b3ba854942d50d056f701abfa4e6cbc76fb": [[370, 410]], "EMAIL: finance@identity-verify.cc": [[452, 478]], "IP_ADDRESS: 172.195.58.51": [[513, 526]], "FILEPATH: /home/user/.config/backdoor.elf": [[568, 599]]}, "info": {"id": "synth_v2_00379", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 9.7.13.40, the Proofpoint IR team identified BumbleBee running as C:\\Users\\admin\\AppData\\Local\\Temp\\shell.php. The threat actor, believed to be APT28, used Mythic for credential harvesting and Merlin for lateral movement. Exfiltrated data was sent to dataedge.site and static-portal.live. The initial dropper (SHA1: 3b47cc1aec96424b9881b4ab54b4686328a768e0) was delivered via a phishing email from security@identity-verify.cc. 
A second C2 node was observed at 216.162.171.44, with a persistence mechanism writing to C:\\Program Files\\Common Files\\payload.bin.", "spans": {"IP_ADDRESS: 9.7.13.40": [[64, 73]], "ORGANIZATION: Proofpoint": [[79, 89]], "MALWARE: BumbleBee": [[109, 118]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\shell.php": [[130, 173]], "THREAT_ACTOR: APT28": [[208, 213]], "TOOL: Mythic": [[220, 226]], "TOOL: Merlin": [[257, 263]], "DOMAIN: dataedge.site": [[315, 328]], "DOMAIN: static-portal.live": [[333, 351]], "HASH: 3b47cc1aec96424b9881b4ab54b4686328a768e0": [[380, 420]], "EMAIL: security@identity-verify.cc": [[462, 489]], "IP_ADDRESS: 216.162.171.44": [[524, 538]], "FILEPATH: C:\\Program Files\\Common Files\\payload.bin": [[580, 621]]}, "info": {"id": "synth_v2_00380", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 10.64.60.162, the CrowdStrike IR team identified RemcosRAT running as C:\\Windows\\System32\\svchost.exe. The threat actor, believed to be Charming Kitten, used Rubeus for credential harvesting and Sliver for lateral movement. Exfiltrated data was sent to cloudapi.net and gateway-update.top. The initial dropper (MD5: 0b15c5735b7f369750c1b0edf4be1d1f) was delivered via a phishing email from noreply@credential-check.site. 
A second C2 node was observed at 216.133.81.243, with a persistence mechanism writing to C:\\ProgramData\\shell.php.", "spans": {"IP_ADDRESS: 10.64.60.162": [[64, 76]], "ORGANIZATION: CrowdStrike": [[82, 93]], "MALWARE: RemcosRAT": [[113, 122]], "FILEPATH: C:\\Windows\\System32\\svchost.exe": [[134, 165]], "THREAT_ACTOR: Charming Kitten": [[200, 215]], "TOOL: Rubeus": [[222, 228]], "TOOL: Sliver": [[259, 265]], "DOMAIN: cloudapi.net": [[317, 329]], "DOMAIN: gateway-update.top": [[334, 352]], "HASH: 0b15c5735b7f369750c1b0edf4be1d1f": [[380, 412]], "EMAIL: noreply@credential-check.site": [[454, 483]], "IP_ADDRESS: 216.133.81.243": [[518, 532]], "FILEPATH: C:\\ProgramData\\shell.php": [[574, 598]]}, "info": {"id": "synth_v2_00381", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.99.125.186, the Symantec IR team identified AgentTesla running as C:\\Users\\Public\\Documents\\taskhost.exe. The threat actor, believed to be Turla, used PsExec for credential harvesting and Sharphound for lateral movement. Exfiltrated data was sent to login-update.top and auth-relay.dev. The initial dropper (MD5: 758fcc649322166d0904b50317ae0dd1) was delivered via a phishing email from security@secure-verify.net. 
A second C2 node was observed at 198.133.26.71, with a persistence mechanism writing to C:\\Windows\\System32\\agent.py.", "spans": {"IP_ADDRESS: 172.99.125.186": [[64, 78]], "ORGANIZATION: Symantec": [[84, 92]], "MALWARE: AgentTesla": [[112, 122]], "FILEPATH: C:\\Users\\Public\\Documents\\taskhost.exe": [[134, 172]], "THREAT_ACTOR: Turla": [[207, 212]], "TOOL: PsExec": [[219, 225]], "TOOL: Sharphound": [[256, 266]], "DOMAIN: login-update.top": [[318, 334]], "DOMAIN: auth-relay.dev": [[339, 353]], "HASH: 758fcc649322166d0904b50317ae0dd1": [[381, 413]], "EMAIL: security@secure-verify.net": [[455, 481]], "IP_ADDRESS: 198.133.26.71": [[516, 529]], "FILEPATH: C:\\Windows\\System32\\agent.py": [[571, 599]]}, "info": {"id": "synth_v2_00382", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.51.251.204, the INTERPOL IR team identified IcedID running as /home/user/.config/svchost.exe. The threat actor, believed to be Ember Bear, used Havoc for credential harvesting and Chisel for lateral movement. Exfiltrated data was sent to cloud-gateway.site and relaysecure.org. The initial dropper (SHA1: 061eb47a789ef11c253140104e4cfd68ef23bc21) was delivered via a phishing email from support@secure-verify.net. 
A second C2 node was observed at 172.37.249.246, with a persistence mechanism writing to C:\\Users\\admin\\Downloads\\shell.php.", "spans": {"IP_ADDRESS: 172.51.251.204": [[64, 78]], "ORGANIZATION: INTERPOL": [[84, 92]], "MALWARE: IcedID": [[112, 118]], "FILEPATH: /home/user/.config/svchost.exe": [[130, 160]], "THREAT_ACTOR: Ember Bear": [[195, 205]], "TOOL: Havoc": [[212, 217]], "TOOL: Chisel": [[248, 254]], "DOMAIN: cloud-gateway.site": [[306, 324]], "DOMAIN: relaysecure.org": [[329, 344]], "HASH: 061eb47a789ef11c253140104e4cfd68ef23bc21": [[373, 413]], "EMAIL: support@secure-verify.net": [[455, 480]], "IP_ADDRESS: 172.37.249.246": [[515, 529]], "FILEPATH: C:\\Users\\admin\\Downloads\\shell.php": [[571, 605]]}, "info": {"id": "synth_v2_00383", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 10.130.62.50, the Recorded Future IR team identified NjRAT running as C:\\Windows\\System32\\backdoor.elf. The threat actor, believed to be BlackTech, used PowerShell Empire for credential harvesting and ADFind for lateral movement. Exfiltrated data was sent to authcloud.com and logindata.net. The initial dropper (SHA256: 5bf0309fadfebc5b80390300c8c7b5c79a7fabeb438c51e81982832b20d19d4b) was delivered via a phishing email from it@urgent-notice.online. 
A second C2 node was observed at 192.11.78.56, with a persistence mechanism writing to /usr/local/bin/beacon.dll.", "spans": {"IP_ADDRESS: 10.130.62.50": [[64, 76]], "ORGANIZATION: Recorded Future": [[82, 97]], "MALWARE: NjRAT": [[117, 122]], "FILEPATH: C:\\Windows\\System32\\backdoor.elf": [[134, 166]], "THREAT_ACTOR: BlackTech": [[201, 210]], "TOOL: PowerShell Empire": [[217, 234]], "TOOL: ADFind": [[265, 271]], "DOMAIN: authcloud.com": [[323, 336]], "DOMAIN: logindata.net": [[341, 354]], "HASH: 5bf0309fadfebc5b80390300c8c7b5c79a7fabeb438c51e81982832b20d19d4b": [[385, 449]], "EMAIL: it@urgent-notice.online": [[491, 514]], "IP_ADDRESS: 192.11.78.56": [[549, 561]], "FILEPATH: /usr/local/bin/beacon.dll": [[603, 628]]}, "info": {"id": "synth_v2_00384", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 112.204.98.65, the Dragos IR team identified Gootloader running as /usr/local/bin/winlogon.exe. The threat actor, believed to be Midnight Blizzard, used LinPEAS for credential harvesting and GhostPack for lateral movement. Exfiltrated data was sent to securecloud.club and gatewayrelay.site. The initial dropper (MD5: bd5bb2310768a8bcd0ddc331f8183335) was delivered via a phishing email from billing@document-share.link. 
A second C2 node was observed at 10.143.201.27, with a persistence mechanism writing to C:\\Users\\Public\\Documents\\implant.so.", "spans": {"IP_ADDRESS: 112.204.98.65": [[64, 77]], "ORGANIZATION: Dragos": [[83, 89]], "MALWARE: Gootloader": [[109, 119]], "FILEPATH: /usr/local/bin/winlogon.exe": [[131, 158]], "THREAT_ACTOR: Midnight Blizzard": [[193, 210]], "TOOL: LinPEAS": [[217, 224]], "TOOL: GhostPack": [[255, 264]], "DOMAIN: securecloud.club": [[316, 332]], "DOMAIN: gatewayrelay.site": [[337, 354]], "HASH: bd5bb2310768a8bcd0ddc331f8183335": [[382, 414]], "EMAIL: billing@document-share.link": [[456, 483]], "IP_ADDRESS: 10.143.201.27": [[518, 531]], "FILEPATH: C:\\Users\\Public\\Documents\\implant.so": [[573, 609]]}, "info": {"id": "synth_v2_00385", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.85.17.246, the Zscaler ThreatLabz IR team identified AgentTesla running as C:\\Users\\admin\\Downloads\\csrss.exe. The threat actor, believed to be BlackTech, used Mythic for credential harvesting and Sharphound for lateral movement. Exfiltrated data was sent to portalupdate.net and storage-gateway.link. The initial dropper (SHA256: b2962e6ba6d3b7effc326bea469b4c19a9470d7ac8f0c0ec11f14e2542198393) was delivered via a phishing email from it@auth-check.org. 
A second C2 node was observed at 151.209.150.155, with a persistence mechanism writing to /var/tmp/chrome_helper.exe.", "spans": {"IP_ADDRESS: 172.85.17.246": [[64, 77]], "ORGANIZATION: Zscaler ThreatLabz": [[83, 101]], "MALWARE: AgentTesla": [[121, 131]], "FILEPATH: C:\\Users\\admin\\Downloads\\csrss.exe": [[143, 177]], "THREAT_ACTOR: BlackTech": [[212, 221]], "TOOL: Mythic": [[228, 234]], "TOOL: Sharphound": [[265, 275]], "DOMAIN: portalupdate.net": [[327, 343]], "DOMAIN: storage-gateway.link": [[348, 368]], "HASH: b2962e6ba6d3b7effc326bea469b4c19a9470d7ac8f0c0ec11f14e2542198393": [[399, 463]], "EMAIL: it@auth-check.org": [[505, 522]], "IP_ADDRESS: 151.209.150.155": [[557, 572]], "FILEPATH: /var/tmp/chrome_helper.exe": [[614, 640]]}, "info": {"id": "synth_v2_00386", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.5.168.55, the Dragos IR team identified LockBit running as /usr/local/bin/implant.so. The threat actor, believed to be Velvet Tempest, used Hashcat for credential harvesting and Metasploit for lateral movement. Exfiltrated data was sent to portal-backup.cc and node-cloud.net. The initial dropper (SHA1: 4993dc892268a14fad41e80f76ed27e154331ab6) was delivered via a phishing email from contact@auth-check.org. 
A second C2 node was observed at 146.164.119.144, with a persistence mechanism writing to C:\\ProgramData\\shell.php.", "spans": {"IP_ADDRESS: 172.5.168.55": [[64, 76]], "ORGANIZATION: Dragos": [[82, 88]], "MALWARE: LockBit": [[108, 115]], "FILEPATH: /usr/local/bin/implant.so": [[127, 152]], "THREAT_ACTOR: Velvet Tempest": [[187, 201]], "TOOL: Hashcat": [[208, 215]], "TOOL: Metasploit": [[246, 256]], "DOMAIN: portal-backup.cc": [[308, 324]], "DOMAIN: node-cloud.net": [[329, 343]], "HASH: 4993dc892268a14fad41e80f76ed27e154331ab6": [[372, 412]], "EMAIL: contact@auth-check.org": [[454, 476]], "IP_ADDRESS: 146.164.119.144": [[511, 526]], "FILEPATH: C:\\ProgramData\\shell.php": [[568, 592]]}, "info": {"id": "synth_v2_00387", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 128.23.140.108, the Mandiant IR team identified RemcosRAT running as C:\\Windows\\Temp\\sam.hive. The threat actor, believed to be Sandworm, used SharpHound for credential harvesting and BloodHound for lateral movement. Exfiltrated data was sent to cacheportal.xyz and backup-update.top. The initial dropper (MD5: 7c26d430751668fe0ff1b5d1dc17f121) was delivered via a phishing email from confirm@urgent-notice.online. 
A second C2 node was observed at 10.231.87.154, with a persistence mechanism writing to /home/user/.config/payload.bin.", "spans": {"IP_ADDRESS: 128.23.140.108": [[64, 78]], "ORGANIZATION: Mandiant": [[84, 92]], "MALWARE: RemcosRAT": [[112, 121]], "FILEPATH: C:\\Windows\\Temp\\sam.hive": [[133, 157]], "THREAT_ACTOR: Sandworm": [[192, 200]], "TOOL: SharpHound": [[207, 217]], "TOOL: BloodHound": [[248, 258]], "DOMAIN: cacheportal.xyz": [[310, 325]], "DOMAIN: backup-update.top": [[330, 347]], "HASH: 7c26d430751668fe0ff1b5d1dc17f121": [[375, 407]], "EMAIL: confirm@urgent-notice.online": [[449, 477]], "IP_ADDRESS: 10.231.87.154": [[512, 525]], "FILEPATH: /home/user/.config/payload.bin": [[567, 597]]}, "info": {"id": "synth_v2_00388", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.48.212.186, the Palo Alto Unit 42 IR team identified Cobalt Strike running as C:\\Windows\\Tasks\\beacon.dll. The threat actor, believed to be Scattered Spider, used Sharphound for credential harvesting and Mimikatz for lateral movement. Exfiltrated data was sent to edge-storage.online and portal-backup.club. The initial dropper (SHA1: 816121c7afa35a09d2e41ae0082eb01cd6779478) was delivered via a phishing email from admin@login-portal.tech. 
A second C2 node was observed at 71.162.177.103, with a persistence mechanism writing to C:\\Users\\Public\\Documents\\csrss.exe.", "spans": {"IP_ADDRESS: 172.48.212.186": [[64, 78]], "ORGANIZATION: Palo Alto Unit 42": [[84, 101]], "MALWARE: Cobalt Strike": [[121, 134]], "FILEPATH: C:\\Windows\\Tasks\\beacon.dll": [[146, 173]], "THREAT_ACTOR: Scattered Spider": [[208, 224]], "TOOL: Sharphound": [[231, 241]], "TOOL: Mimikatz": [[272, 280]], "DOMAIN: edge-storage.online": [[332, 351]], "DOMAIN: portal-backup.club": [[356, 374]], "HASH: 816121c7afa35a09d2e41ae0082eb01cd6779478": [[403, 443]], "EMAIL: admin@login-portal.tech": [[485, 508]], "IP_ADDRESS: 71.162.177.103": [[543, 557]], "FILEPATH: C:\\Users\\Public\\Documents\\csrss.exe": [[599, 634]]}, "info": {"id": "synth_v2_00389", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.223.115.44, the Google TAG IR team identified QakBot running as /opt/app/bin/implant.so. The threat actor, believed to be Flax Typhoon, used Mimikatz for credential harvesting and CrackMapExec for lateral movement. Exfiltrated data was sent to sync-cdn.net and backup-api.info. The initial dropper (SHA1: 4b4fa412d1f7ab44a76a16e20485ef0aacf5e9e4) was delivered via a phishing email from noreply@document-share.link. 
A second C2 node was observed at 10.188.2.240, with a persistence mechanism writing to C:\\Users\\admin\\Desktop\\backdoor.elf.", "spans": {"IP_ADDRESS: 172.223.115.44": [[64, 78]], "ORGANIZATION: Google TAG": [[84, 94]], "MALWARE: QakBot": [[114, 120]], "FILEPATH: /opt/app/bin/implant.so": [[132, 155]], "THREAT_ACTOR: Flax Typhoon": [[190, 202]], "TOOL: Mimikatz": [[209, 217]], "TOOL: CrackMapExec": [[248, 260]], "DOMAIN: sync-cdn.net": [[312, 324]], "DOMAIN: backup-api.info": [[329, 344]], "HASH: 4b4fa412d1f7ab44a76a16e20485ef0aacf5e9e4": [[373, 413]], "EMAIL: noreply@document-share.link": [[455, 482]], "IP_ADDRESS: 10.188.2.240": [[517, 529]], "FILEPATH: C:\\Users\\admin\\Desktop\\backdoor.elf": [[571, 606]]}, "info": {"id": "synth_v2_00390", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 192.211.228.172, the Zscaler ThreatLabz IR team identified ShadowPad running as /home/user/.config/chrome_helper.exe. The threat actor, believed to be Kimsuky, used CrackMapExec for credential harvesting and Hashcat for lateral movement. Exfiltrated data was sent to syncstorage.link and dataapi.info. The initial dropper (SHA256: a0fba5896f399f5636a43007a2e66b2c443117e67f36e57aadd5aab41d515919) was delivered via a phishing email from billing@secure-verify.net. 
A second C2 node was observed at 192.123.244.170, with a persistence mechanism writing to /etc/cron.d/dropper.ps1.", "spans": {"IP_ADDRESS: 192.211.228.172": [[64, 79]], "ORGANIZATION: Zscaler ThreatLabz": [[85, 103]], "MALWARE: ShadowPad": [[123, 132]], "FILEPATH: /home/user/.config/chrome_helper.exe": [[144, 180]], "THREAT_ACTOR: Kimsuky": [[215, 222]], "TOOL: CrackMapExec": [[229, 241]], "TOOL: Hashcat": [[272, 279]], "DOMAIN: syncstorage.link": [[331, 347]], "DOMAIN: dataapi.info": [[352, 364]], "HASH: a0fba5896f399f5636a43007a2e66b2c443117e67f36e57aadd5aab41d515919": [[395, 459]], "EMAIL: billing@secure-verify.net": [[501, 526]], "IP_ADDRESS: 192.123.244.170": [[561, 576]], "FILEPATH: /etc/cron.d/dropper.ps1": [[618, 641]]}, "info": {"id": "synth_v2_00391", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 192.110.239.210, the FireEye IR team identified IcedID running as C:\\Windows\\System32\\loader.exe. The threat actor, believed to be Ember Bear, used BloodHound for credential harvesting and SharpHound for lateral movement. Exfiltrated data was sent to cache-node.io and backuprelay.top. The initial dropper (SHA256: 90520882cecff2f4351728e80a1323e79e4f83f516caaafce2b446cb04e29bf7) was delivered via a phishing email from it@identity-verify.cc. 
A second C2 node was observed at 49.249.53.88, with a persistence mechanism writing to C:\\Users\\Public\\Documents\\payload.bin.", "spans": {"IP_ADDRESS: 192.110.239.210": [[64, 79]], "ORGANIZATION: FireEye": [[85, 92]], "MALWARE: IcedID": [[112, 118]], "FILEPATH: C:\\Windows\\System32\\loader.exe": [[130, 160]], "THREAT_ACTOR: Ember Bear": [[195, 205]], "TOOL: BloodHound": [[212, 222]], "TOOL: SharpHound": [[253, 263]], "DOMAIN: cache-node.io": [[315, 328]], "DOMAIN: backuprelay.top": [[333, 348]], "HASH: 90520882cecff2f4351728e80a1323e79e4f83f516caaafce2b446cb04e29bf7": [[379, 443]], "EMAIL: it@identity-verify.cc": [[485, 506]], "IP_ADDRESS: 49.249.53.88": [[541, 553]], "FILEPATH: C:\\Users\\Public\\Documents\\payload.bin": [[595, 632]]}, "info": {"id": "synth_v2_00392", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.96.35.72, the Palo Alto Unit 42 IR team identified PlugX running as C:\\Windows\\Temp\\beacon.dll. The threat actor, believed to be Salt Typhoon, used ADFind for credential harvesting and LaZagne for lateral movement. Exfiltrated data was sent to authauth.xyz and relay-secure.info. The initial dropper (MD5: 8743616c5213e4070f7944ddcd4c7673) was delivered via a phishing email from confirm@secure-verify.net. 
A second C2 node was observed at 43.157.52.38, with a persistence mechanism writing to C:\\Windows\\Tasks\\csrss.exe.", "spans": {"IP_ADDRESS: 172.96.35.72": [[64, 76]], "ORGANIZATION: Palo Alto Unit 42": [[82, 99]], "MALWARE: PlugX": [[119, 124]], "FILEPATH: C:\\Windows\\Temp\\beacon.dll": [[136, 162]], "THREAT_ACTOR: Salt Typhoon": [[197, 209]], "TOOL: ADFind": [[216, 222]], "TOOL: LaZagne": [[253, 260]], "DOMAIN: authauth.xyz": [[312, 324]], "DOMAIN: relay-secure.info": [[329, 346]], "HASH: 8743616c5213e4070f7944ddcd4c7673": [[374, 406]], "EMAIL: confirm@secure-verify.net": [[448, 473]], "IP_ADDRESS: 43.157.52.38": [[508, 520]], "FILEPATH: C:\\Windows\\Tasks\\csrss.exe": [[562, 588]]}, "info": {"id": "synth_v2_00393", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 129.220.170.14, the Palo Alto Unit 42 IR team identified AgentTesla running as /usr/local/bin/loader.exe. The threat actor, believed to be Storm-0558, used SharpHound for credential harvesting and CrackMapExec for lateral movement. Exfiltrated data was sent to gatewaycloud.info and portal-secure.cc. The initial dropper (MD5: c519b87d38706e0102c990c2dfd7c419) was delivered via a phishing email from support@login-portal.tech. 
A second C2 node was observed at 70.189.50.13, with a persistence mechanism writing to /dev/shm/loader.exe.", "spans": {"IP_ADDRESS: 129.220.170.14": [[64, 78]], "ORGANIZATION: Palo Alto Unit 42": [[84, 101]], "MALWARE: AgentTesla": [[121, 131]], "FILEPATH: /usr/local/bin/loader.exe": [[143, 168]], "THREAT_ACTOR: Storm-0558": [[203, 213]], "TOOL: SharpHound": [[220, 230]], "TOOL: CrackMapExec": [[261, 273]], "DOMAIN: gatewaycloud.info": [[325, 342]], "DOMAIN: portal-secure.cc": [[347, 363]], "HASH: c519b87d38706e0102c990c2dfd7c419": [[391, 423]], "EMAIL: support@login-portal.tech": [[465, 490]], "IP_ADDRESS: 70.189.50.13": [[525, 537]], "FILEPATH: /dev/shm/loader.exe": [[579, 598]]}, "info": {"id": "synth_v2_00394", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 192.136.122.17, the Volexity IR team identified Conti running as /tmp/csrss.exe. The threat actor, believed to be FIN7, used Metasploit for credential harvesting and BloodHound for lateral movement. Exfiltrated data was sent to authdata.club and proxycloud.org. The initial dropper (MD5: e69184dfa61e5bb515e38a1f6e325ae7) was delivered via a phishing email from admin@secure-verify.net. 
A second C2 node was observed at 172.115.207.101, with a persistence mechanism writing to /home/user/.config/implant.so.", "spans": {"IP_ADDRESS: 192.136.122.17": [[64, 78]], "ORGANIZATION: Volexity": [[84, 92]], "MALWARE: Conti": [[112, 117]], "FILEPATH: /tmp/csrss.exe": [[129, 143]], "THREAT_ACTOR: FIN7": [[178, 182]], "TOOL: Metasploit": [[189, 199]], "TOOL: BloodHound": [[230, 240]], "DOMAIN: authdata.club": [[292, 305]], "DOMAIN: proxycloud.org": [[310, 324]], "HASH: e69184dfa61e5bb515e38a1f6e325ae7": [[352, 384]], "EMAIL: admin@secure-verify.net": [[426, 449]], "IP_ADDRESS: 172.115.207.101": [[484, 499]], "FILEPATH: /home/user/.config/implant.so": [[541, 570]]}, "info": {"id": "synth_v2_00395", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 190.156.122.44, the Huntress IR team identified DarkSide running as C:\\Users\\admin\\Downloads\\backdoor.elf. The threat actor, believed to be Charming Kitten, used Merlin for credential harvesting and WinPEAS for lateral movement. Exfiltrated data was sent to relaylogin.com and gatewaystorage.com. The initial dropper (SHA1: 0fd2c68d3a0e8dc4ce26979699f7a56efce45f98) was delivered via a phishing email from admin@document-share.link. 
A second C2 node was observed at 175.35.85.48, with a persistence mechanism writing to C:\\ProgramData\\config.dat.", "spans": {"IP_ADDRESS: 190.156.122.44": [[64, 78]], "ORGANIZATION: Huntress": [[84, 92]], "MALWARE: DarkSide": [[112, 120]], "FILEPATH: C:\\Users\\admin\\Downloads\\backdoor.elf": [[132, 169]], "THREAT_ACTOR: Charming Kitten": [[204, 219]], "TOOL: Merlin": [[226, 232]], "TOOL: WinPEAS": [[263, 270]], "DOMAIN: relaylogin.com": [[322, 336]], "DOMAIN: gatewaystorage.com": [[341, 359]], "HASH: 0fd2c68d3a0e8dc4ce26979699f7a56efce45f98": [[388, 428]], "EMAIL: admin@document-share.link": [[470, 495]], "IP_ADDRESS: 175.35.85.48": [[530, 542]], "FILEPATH: C:\\ProgramData\\config.dat": [[584, 609]]}, "info": {"id": "synth_v2_00396", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 64.241.56.12, the SentinelOne IR team identified AgentTesla running as /etc/cron.d/dropper.ps1. The threat actor, believed to be Ember Bear, used BITSAdmin for credential harvesting and Mimikatz for lateral movement. Exfiltrated data was sent to login-auth.net and storagerelay.online. The initial dropper (MD5: ea437c5b20a6a62d58f11b18ee978a81) was delivered via a phishing email from updates@phishing-domain.com. 
A second C2 node was observed at 192.148.116.135, with a persistence mechanism writing to /usr/local/bin/beacon.dll.", "spans": {"IP_ADDRESS: 64.241.56.12": [[64, 76]], "ORGANIZATION: SentinelOne": [[82, 93]], "MALWARE: AgentTesla": [[113, 123]], "FILEPATH: /etc/cron.d/dropper.ps1": [[135, 158]], "THREAT_ACTOR: Ember Bear": [[193, 203]], "TOOL: BITSAdmin": [[210, 219]], "TOOL: Mimikatz": [[250, 258]], "DOMAIN: login-auth.net": [[310, 324]], "DOMAIN: storagerelay.online": [[329, 348]], "HASH: ea437c5b20a6a62d58f11b18ee978a81": [[376, 408]], "EMAIL: updates@phishing-domain.com": [[450, 477]], "IP_ADDRESS: 192.148.116.135": [[512, 527]], "FILEPATH: /usr/local/bin/beacon.dll": [[569, 594]]}, "info": {"id": "synth_v2_00397", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 29.138.10.38, the Symantec IR team identified AgentTesla running as C:\\ProgramData\\runtime.dll. The threat actor, believed to be TA505, used WinPEAS for credential harvesting and Hashcat for lateral movement. Exfiltrated data was sent to updatedata.cc and mailcloud.club. The initial dropper (MD5: 36585211341c4b7c6e90a08effe0544b) was delivered via a phishing email from confirm@credential-check.site. 
A second C2 node was observed at 220.112.72.92, with a persistence mechanism writing to C:\\Users\\admin\\Desktop\\taskhost.exe.", "spans": {"IP_ADDRESS: 29.138.10.38": [[64, 76]], "ORGANIZATION: Symantec": [[82, 90]], "MALWARE: AgentTesla": [[110, 120]], "FILEPATH: C:\\ProgramData\\runtime.dll": [[132, 158]], "THREAT_ACTOR: TA505": [[193, 198]], "TOOL: WinPEAS": [[205, 212]], "TOOL: Hashcat": [[243, 250]], "DOMAIN: updatedata.cc": [[302, 315]], "DOMAIN: mailcloud.club": [[320, 334]], "HASH: 36585211341c4b7c6e90a08effe0544b": [[362, 394]], "EMAIL: confirm@credential-check.site": [[436, 465]], "IP_ADDRESS: 220.112.72.92": [[500, 513]], "FILEPATH: C:\\Users\\admin\\Desktop\\taskhost.exe": [[555, 590]]}, "info": {"id": "synth_v2_00398", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 85.200.213.242, the Zscaler ThreatLabz IR team identified PikaBot running as C:\\Users\\Public\\Documents\\svchost.exe. The threat actor, believed to be Turla, used Nmap for credential harvesting and Merlin for lateral movement. Exfiltrated data was sent to staticauth.site and cachemail.info. The initial dropper (MD5: a0c2c1bd72b95b97e6f5292ab60ea801) was delivered via a phishing email from noreply@urgent-notice.online. 
A second C2 node was observed at 80.97.21.149, with a persistence mechanism writing to /dev/shm/payload.bin.", "spans": {"IP_ADDRESS: 85.200.213.242": [[64, 78]], "ORGANIZATION: Zscaler ThreatLabz": [[84, 102]], "MALWARE: PikaBot": [[122, 129]], "FILEPATH: C:\\Users\\Public\\Documents\\svchost.exe": [[141, 178]], "THREAT_ACTOR: Turla": [[213, 218]], "TOOL: Nmap": [[225, 229]], "TOOL: Merlin": [[260, 266]], "DOMAIN: staticauth.site": [[318, 333]], "DOMAIN: cachemail.info": [[338, 352]], "HASH: a0c2c1bd72b95b97e6f5292ab60ea801": [[380, 412]], "EMAIL: noreply@urgent-notice.online": [[454, 482]], "IP_ADDRESS: 80.97.21.149": [[517, 529]], "FILEPATH: /dev/shm/payload.bin": [[571, 591]]}, "info": {"id": "synth_v2_00399", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.249.147.17, the SentinelOne IR team identified Gootloader running as /etc/cron.d/svchost.exe. The threat actor, believed to be Gamaredon, used Certutil for credential harvesting and PowerView for lateral movement. Exfiltrated data was sent to cacheauth.com and backupupdate.site. The initial dropper (SHA256: 26e28601d045d09baca578856569f6725ce640c6de4e97551fdef360c3a40edb) was delivered via a phishing email from finance@urgent-notice.online. 
A second C2 node was observed at 4.232.20.56, with a persistence mechanism writing to C:\\Users\\admin\\AppData\\Local\\Temp\\backdoor.elf.", "spans": {"IP_ADDRESS: 172.249.147.17": [[64, 78]], "ORGANIZATION: SentinelOne": [[84, 95]], "MALWARE: Gootloader": [[115, 125]], "FILEPATH: /etc/cron.d/svchost.exe": [[137, 160]], "THREAT_ACTOR: Gamaredon": [[195, 204]], "TOOL: Certutil": [[211, 219]], "TOOL: PowerView": [[250, 259]], "DOMAIN: cacheauth.com": [[311, 324]], "DOMAIN: backupupdate.site": [[329, 346]], "HASH: 26e28601d045d09baca578856569f6725ce640c6de4e97551fdef360c3a40edb": [[377, 441]], "EMAIL: finance@urgent-notice.online": [[483, 511]], "IP_ADDRESS: 4.232.20.56": [[546, 557]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\backdoor.elf": [[599, 645]]}, "info": {"id": "synth_v2_00400", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 37.100.221.150, the Dragos IR team identified Latrodectus running as /home/user/.config/implant.so. The threat actor, believed to be Mustang Panda, used Impacket for credential harvesting and WinPEAS for lateral movement. Exfiltrated data was sent to dataportal.site and authsync.dev. The initial dropper (SHA1: 67be9dd5c4ef78fb6114649b843cad70ed0844d3) was delivered via a phishing email from ceo@document-share.link. 
A second C2 node was observed at 172.112.16.122, with a persistence mechanism writing to /home/user/.config/config.dat.", "spans": {"IP_ADDRESS: 37.100.221.150": [[64, 78]], "ORGANIZATION: Dragos": [[84, 90]], "MALWARE: Latrodectus": [[110, 121]], "FILEPATH: /home/user/.config/implant.so": [[133, 162]], "THREAT_ACTOR: Mustang Panda": [[197, 210]], "TOOL: Impacket": [[217, 225]], "TOOL: WinPEAS": [[256, 263]], "DOMAIN: dataportal.site": [[315, 330]], "DOMAIN: authsync.dev": [[335, 347]], "HASH: 67be9dd5c4ef78fb6114649b843cad70ed0844d3": [[376, 416]], "EMAIL: ceo@document-share.link": [[458, 481]], "IP_ADDRESS: 172.112.16.122": [[516, 530]], "FILEPATH: /home/user/.config/config.dat": [[572, 601]]}, "info": {"id": "synth_v2_00401", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 35.213.102.78, the Dragos IR team identified BlackCat running as /opt/app/bin/loader.exe. The threat actor, believed to be Star Blizzard, used Seatbelt for credential harvesting and SharpHound for lateral movement. Exfiltrated data was sent to portal-gateway.net and node-relay.club. The initial dropper (MD5: 8697252af28b2d8e0d15ce0d2d1042d1) was delivered via a phishing email from updates@identity-verify.cc. 
A second C2 node was observed at 22.152.236.140, with a persistence mechanism writing to /etc/cron.d/sam.hive.", "spans": {"IP_ADDRESS: 35.213.102.78": [[64, 77]], "ORGANIZATION: Dragos": [[83, 89]], "MALWARE: BlackCat": [[109, 117]], "FILEPATH: /opt/app/bin/loader.exe": [[129, 152]], "THREAT_ACTOR: Star Blizzard": [[187, 200]], "TOOL: Seatbelt": [[207, 215]], "TOOL: SharpHound": [[246, 256]], "DOMAIN: portal-gateway.net": [[308, 326]], "DOMAIN: node-relay.club": [[331, 346]], "HASH: 8697252af28b2d8e0d15ce0d2d1042d1": [[374, 406]], "EMAIL: updates@identity-verify.cc": [[448, 474]], "IP_ADDRESS: 22.152.236.140": [[509, 523]], "FILEPATH: /etc/cron.d/sam.hive": [[565, 585]]}, "info": {"id": "synth_v2_00402", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.45.71.158, the Tenable IR team identified FormBook running as C:\\Windows\\Tasks\\update.dll. The threat actor, believed to be Midnight Blizzard, used Mimikatz for credential harvesting and Merlin for lateral movement. Exfiltrated data was sent to cdnportal.org and updaterelay.link. The initial dropper (MD5: 78e7fb1ba04715da0afd750142a89d3c) was delivered via a phishing email from alert@auth-check.org. 
A second C2 node was observed at 202.124.191.33, with a persistence mechanism writing to C:\\ProgramData\\update.dll.", "spans": {"IP_ADDRESS: 172.45.71.158": [[64, 77]], "ORGANIZATION: Tenable": [[83, 90]], "MALWARE: FormBook": [[110, 118]], "FILEPATH: C:\\Windows\\Tasks\\update.dll": [[130, 157]], "THREAT_ACTOR: Midnight Blizzard": [[192, 209]], "TOOL: Mimikatz": [[216, 224]], "TOOL: Merlin": [[255, 261]], "DOMAIN: cdnportal.org": [[313, 326]], "DOMAIN: updaterelay.link": [[331, 347]], "HASH: 78e7fb1ba04715da0afd750142a89d3c": [[375, 407]], "EMAIL: alert@auth-check.org": [[449, 469]], "IP_ADDRESS: 202.124.191.33": [[504, 518]], "FILEPATH: C:\\ProgramData\\update.dll": [[560, 585]]}, "info": {"id": "synth_v2_00403", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 177.169.31.32, the CrowdStrike IR team identified StealC running as C:\\Windows\\Temp\\beacon.dll. The threat actor, believed to be Kimsuky, used Covenant for credential harvesting and Burp Suite for lateral movement. Exfiltrated data was sent to logindata.dev and backup-backup.club. The initial dropper (SHA256: 2f4a109c9c76a65273efb89358a62018a1ce7a7fd2cbcedcdd7cc2b7bab058c0) was delivered via a phishing email from noreply@document-share.link. 
A second C2 node was observed at 192.104.73.144, with a persistence mechanism writing to /tmp/taskhost.exe.", "spans": {"IP_ADDRESS: 177.169.31.32": [[64, 77]], "ORGANIZATION: CrowdStrike": [[83, 94]], "MALWARE: StealC": [[114, 120]], "FILEPATH: C:\\Windows\\Temp\\beacon.dll": [[132, 158]], "THREAT_ACTOR: Kimsuky": [[193, 200]], "TOOL: Covenant": [[207, 215]], "TOOL: Burp Suite": [[246, 256]], "DOMAIN: logindata.dev": [[308, 321]], "DOMAIN: backup-backup.club": [[326, 344]], "HASH: 2f4a109c9c76a65273efb89358a62018a1ce7a7fd2cbcedcdd7cc2b7bab058c0": [[375, 439]], "EMAIL: noreply@document-share.link": [[481, 508]], "IP_ADDRESS: 192.104.73.144": [[543, 557]], "FILEPATH: /tmp/taskhost.exe": [[599, 616]]}, "info": {"id": "synth_v2_00404", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 10.242.12.214, the Check Point Research IR team identified Conti running as C:\\Windows\\Tasks\\implant.so. The threat actor, believed to be Charming Kitten, used Metasploit for credential harvesting and PsExec for lateral movement. Exfiltrated data was sent to proxysecure.live and edge-sync.live. The initial dropper (SHA256: bbde2ea86c73ffc4cfe6564688dc810e82b66713ba524717343a20f64d5c1c6a) was delivered via a phishing email from admin@account-update.xyz. 
A second C2 node was observed at 101.28.62.77, with a persistence mechanism writing to C:\\Users\\Public\\Documents\\ntds.dit.", "spans": {"IP_ADDRESS: 10.242.12.214": [[64, 77]], "ORGANIZATION: Check Point Research": [[83, 103]], "MALWARE: Conti": [[123, 128]], "FILEPATH: C:\\Windows\\Tasks\\implant.so": [[140, 167]], "THREAT_ACTOR: Charming Kitten": [[202, 217]], "TOOL: Metasploit": [[224, 234]], "TOOL: PsExec": [[265, 271]], "DOMAIN: proxysecure.live": [[323, 339]], "DOMAIN: edge-sync.live": [[344, 358]], "HASH: bbde2ea86c73ffc4cfe6564688dc810e82b66713ba524717343a20f64d5c1c6a": [[389, 453]], "EMAIL: admin@account-update.xyz": [[495, 519]], "IP_ADDRESS: 101.28.62.77": [[554, 566]], "FILEPATH: C:\\Users\\Public\\Documents\\ntds.dit": [[608, 642]]}, "info": {"id": "synth_v2_00405", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 10.102.243.123, the Palo Alto Unit 42 IR team identified LockBit running as C:\\Program Files\\Common Files\\payload.bin. The threat actor, believed to be Flax Typhoon, used LinPEAS for credential harvesting and PowerView for lateral movement. Exfiltrated data was sent to portalportal.club and relay-gateway.live. The initial dropper (MD5: 5725b5f2dccc0d6827935d2eb8929a3d) was delivered via a phishing email from notification@identity-verify.cc. 
A second C2 node was observed at 75.51.252.95, with a persistence mechanism writing to C:\\Windows\\Temp\\agent.py.", "spans": {"IP_ADDRESS: 10.102.243.123": [[64, 78]], "ORGANIZATION: Palo Alto Unit 42": [[84, 101]], "MALWARE: LockBit": [[121, 128]], "FILEPATH: C:\\Program Files\\Common Files\\payload.bin": [[140, 181]], "THREAT_ACTOR: Flax Typhoon": [[216, 228]], "TOOL: LinPEAS": [[235, 242]], "TOOL: PowerView": [[273, 282]], "DOMAIN: portalportal.club": [[334, 351]], "DOMAIN: relay-gateway.live": [[356, 374]], "HASH: 5725b5f2dccc0d6827935d2eb8929a3d": [[402, 434]], "EMAIL: notification@identity-verify.cc": [[476, 507]], "IP_ADDRESS: 75.51.252.95": [[542, 554]], "FILEPATH: C:\\Windows\\Temp\\agent.py": [[596, 620]]}, "info": {"id": "synth_v2_00406", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 11.181.71.120, the Trend Micro IR team identified Emotet running as /opt/app/bin/sam.hive. The threat actor, believed to be OilRig, used Burp Suite for credential harvesting and BloodHound for lateral movement. Exfiltrated data was sent to mail-node.site and secure-login.tech. The initial dropper (SHA1: bf1feef567cdc17543d10c3daba5dc737e63dee9) was delivered via a phishing email from service@secure-verify.net. 
A second C2 node was observed at 71.4.81.92, with a persistence mechanism writing to C:\\Windows\\System32\\backdoor.elf.", "spans": {"IP_ADDRESS: 11.181.71.120": [[64, 77]], "ORGANIZATION: Trend Micro": [[83, 94]], "MALWARE: Emotet": [[114, 120]], "FILEPATH: /opt/app/bin/sam.hive": [[132, 153]], "THREAT_ACTOR: OilRig": [[188, 194]], "TOOL: Burp Suite": [[201, 211]], "TOOL: BloodHound": [[242, 252]], "DOMAIN: mail-node.site": [[304, 318]], "DOMAIN: secure-login.tech": [[323, 340]], "HASH: bf1feef567cdc17543d10c3daba5dc737e63dee9": [[369, 409]], "EMAIL: service@secure-verify.net": [[451, 476]], "IP_ADDRESS: 71.4.81.92": [[511, 521]], "FILEPATH: C:\\Windows\\System32\\backdoor.elf": [[563, 595]]}, "info": {"id": "synth_v2_00407", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 192.132.66.179, the Symantec IR team identified Amadey running as /dev/shm/winlogon.exe. The threat actor, believed to be Volt Typhoon, used PowerShell Empire for credential harvesting and ADFind for lateral movement. Exfiltrated data was sent to update-secure.xyz and auth-proxy.dev. The initial dropper (SHA256: 2b708c10e12547a7c3a2a29f6b7a26189d531916507afb7e5ea379fc6799ad98) was delivered via a phishing email from security@identity-verify.cc. 
A second C2 node was observed at 151.178.206.18, with a persistence mechanism writing to /var/tmp/helper.sh.", "spans": {"IP_ADDRESS: 192.132.66.179": [[64, 78]], "ORGANIZATION: Symantec": [[84, 92]], "MALWARE: Amadey": [[112, 118]], "FILEPATH: /dev/shm/winlogon.exe": [[130, 151]], "THREAT_ACTOR: Volt Typhoon": [[186, 198]], "TOOL: PowerShell Empire": [[205, 222]], "TOOL: ADFind": [[253, 259]], "DOMAIN: update-secure.xyz": [[311, 328]], "DOMAIN: auth-proxy.dev": [[333, 347]], "HASH: 2b708c10e12547a7c3a2a29f6b7a26189d531916507afb7e5ea379fc6799ad98": [[378, 442]], "EMAIL: security@identity-verify.cc": [[484, 511]], "IP_ADDRESS: 151.178.206.18": [[546, 560]], "FILEPATH: /var/tmp/helper.sh": [[602, 620]]}, "info": {"id": "synth_v2_00408", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 30.19.37.114, the Google TAG IR team identified FormBook running as C:\\Windows\\Tasks\\agent.py. The threat actor, believed to be Diamond Sleet, used Impacket for credential harvesting and BloodHound for lateral movement. Exfiltrated data was sent to relay-portal.org and cloud-sync.online. The initial dropper (SHA1: eda258fd14039f8ba36a97b1bcc5cfb586f49f80) was delivered via a phishing email from contact@urgent-notice.online. 
A second C2 node was observed at 156.15.89.83, with a persistence mechanism writing to /var/tmp/runtime.dll.", "spans": {"IP_ADDRESS: 30.19.37.114": [[64, 76]], "ORGANIZATION: Google TAG": [[82, 92]], "MALWARE: FormBook": [[112, 120]], "FILEPATH: C:\\Windows\\Tasks\\agent.py": [[132, 157]], "THREAT_ACTOR: Diamond Sleet": [[192, 205]], "TOOL: Impacket": [[212, 220]], "TOOL: BloodHound": [[251, 261]], "DOMAIN: relay-portal.org": [[313, 329]], "DOMAIN: cloud-sync.online": [[334, 351]], "HASH: eda258fd14039f8ba36a97b1bcc5cfb586f49f80": [[380, 420]], "EMAIL: contact@urgent-notice.online": [[462, 490]], "IP_ADDRESS: 156.15.89.83": [[525, 537]], "FILEPATH: /var/tmp/runtime.dll": [[579, 599]]}, "info": {"id": "synth_v2_00409", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 10.17.71.229, the Dragos IR team identified Hive running as /etc/cron.d/csrss.exe. The threat actor, believed to be Lazarus Group, used BITSAdmin for credential harvesting and Mimikatz for lateral movement. Exfiltrated data was sent to node-proxy.xyz and cache-proxy.io. The initial dropper (MD5: 64a0842e4cbb23c3069bb9d1ada887a4) was delivered via a phishing email from service@secure-verify.net. 
A second C2 node was observed at 172.208.36.88, with a persistence mechanism writing to C:\\Windows\\System32\\chrome_helper.exe.", "spans": {"IP_ADDRESS: 10.17.71.229": [[64, 76]], "ORGANIZATION: Dragos": [[82, 88]], "MALWARE: Hive": [[108, 112]], "FILEPATH: /etc/cron.d/csrss.exe": [[124, 145]], "THREAT_ACTOR: Lazarus Group": [[180, 193]], "TOOL: BITSAdmin": [[200, 209]], "TOOL: Mimikatz": [[240, 248]], "DOMAIN: node-proxy.xyz": [[300, 314]], "DOMAIN: cache-proxy.io": [[319, 333]], "HASH: 64a0842e4cbb23c3069bb9d1ada887a4": [[361, 393]], "EMAIL: service@secure-verify.net": [[435, 460]], "IP_ADDRESS: 172.208.36.88": [[495, 508]], "FILEPATH: C:\\Windows\\System32\\chrome_helper.exe": [[550, 587]]}, "info": {"id": "synth_v2_00410", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 26.60.255.60, the NSA IR team identified DanaBot running as C:\\ProgramData\\dropper.ps1. The threat actor, believed to be Lazarus Group, used CrackMapExec for credential harvesting and GhostPack for lateral movement. Exfiltrated data was sent to syncportal.club and apisecure.info. The initial dropper (SHA1: 6358d3dc28ff6265cbb46a037a7b994b6a999a1e) was delivered via a phishing email from finance@identity-verify.cc. 
A second C2 node was observed at 192.169.11.58, with a persistence mechanism writing to /var/tmp/loader.exe.", "spans": {"IP_ADDRESS: 26.60.255.60": [[64, 76]], "ORGANIZATION: NSA": [[82, 85]], "MALWARE: DanaBot": [[105, 112]], "FILEPATH: C:\\ProgramData\\dropper.ps1": [[124, 150]], "THREAT_ACTOR: Lazarus Group": [[185, 198]], "TOOL: CrackMapExec": [[205, 217]], "TOOL: GhostPack": [[248, 257]], "DOMAIN: syncportal.club": [[309, 324]], "DOMAIN: apisecure.info": [[329, 343]], "HASH: 6358d3dc28ff6265cbb46a037a7b994b6a999a1e": [[372, 412]], "EMAIL: finance@identity-verify.cc": [[454, 480]], "IP_ADDRESS: 192.169.11.58": [[515, 528]], "FILEPATH: /var/tmp/loader.exe": [[570, 589]]}, "info": {"id": "synth_v2_00411", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 192.241.134.168, the Symantec IR team identified Meduza Stealer running as C:\\Users\\admin\\AppData\\Local\\Temp\\helper.sh. The threat actor, believed to be APT29, used Certutil for credential harvesting and WinPEAS for lateral movement. Exfiltrated data was sent to storage-cdn.org and edge-storage.dev. The initial dropper (SHA1: fc811b4561f4eb4b62e4132862f6efb348bba2b8) was delivered via a phishing email from report@phishing-domain.com. 
A second C2 node was observed at 10.173.215.67, with a persistence mechanism writing to /dev/shm/chrome_helper.exe.", "spans": {"IP_ADDRESS: 192.241.134.168": [[64, 79]], "ORGANIZATION: Symantec": [[85, 93]], "MALWARE: Meduza Stealer": [[113, 127]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\helper.sh": [[139, 182]], "THREAT_ACTOR: APT29": [[217, 222]], "TOOL: Certutil": [[229, 237]], "TOOL: WinPEAS": [[268, 275]], "DOMAIN: storage-cdn.org": [[327, 342]], "DOMAIN: edge-storage.dev": [[347, 363]], "HASH: fc811b4561f4eb4b62e4132862f6efb348bba2b8": [[392, 432]], "EMAIL: report@phishing-domain.com": [[474, 500]], "IP_ADDRESS: 10.173.215.67": [[535, 548]], "FILEPATH: /dev/shm/chrome_helper.exe": [[590, 616]]}, "info": {"id": "synth_v2_00412", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 192.245.66.70, the Qualys IR team identified AgentTesla running as C:\\Users\\admin\\AppData\\Local\\Temp\\svchost.exe. The threat actor, believed to be Lazarus Group, used Sliver for credential harvesting and ADFind for lateral movement. Exfiltrated data was sent to mail-gateway.online and dataupdate.dev. The initial dropper (SHA1: 1b8d2cc98063d3d46df6c0c592015df49c59e6f3) was delivered via a phishing email from service@phishing-domain.com. 
A second C2 node was observed at 10.18.254.130, with a persistence mechanism writing to /tmp/dropper.ps1.", "spans": {"IP_ADDRESS: 192.245.66.70": [[64, 77]], "ORGANIZATION: Qualys": [[83, 89]], "MALWARE: AgentTesla": [[109, 119]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\svchost.exe": [[131, 176]], "THREAT_ACTOR: Lazarus Group": [[211, 224]], "TOOL: Sliver": [[231, 237]], "TOOL: ADFind": [[268, 274]], "DOMAIN: mail-gateway.online": [[326, 345]], "DOMAIN: dataupdate.dev": [[350, 364]], "HASH: 1b8d2cc98063d3d46df6c0c592015df49c59e6f3": [[393, 433]], "EMAIL: service@phishing-domain.com": [[475, 502]], "IP_ADDRESS: 10.18.254.130": [[537, 550]], "FILEPATH: /tmp/dropper.ps1": [[592, 608]]}, "info": {"id": "synth_v2_00413", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 179.64.220.180, the CrowdStrike IR team identified Latrodectus running as C:\\Users\\admin\\AppData\\Local\\Temp\\helper.sh. The threat actor, believed to be Ember Bear, used BloodHound for credential harvesting and Ligolo for lateral movement. Exfiltrated data was sent to static-mail.tech and storage-gateway.dev. The initial dropper (SHA1: 292b2a2795416121d57cc5a9d9a5d83cdd84821d) was delivered via a phishing email from helpdesk@identity-verify.cc. 
A second C2 node was observed at 141.70.59.113, with a persistence mechanism writing to /var/tmp/chrome_helper.exe.", "spans": {"IP_ADDRESS: 179.64.220.180": [[64, 78]], "ORGANIZATION: CrowdStrike": [[84, 95]], "MALWARE: Latrodectus": [[115, 126]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\helper.sh": [[138, 181]], "THREAT_ACTOR: Ember Bear": [[216, 226]], "TOOL: BloodHound": [[233, 243]], "TOOL: Ligolo": [[274, 280]], "DOMAIN: static-mail.tech": [[332, 348]], "DOMAIN: storage-gateway.dev": [[353, 372]], "HASH: 292b2a2795416121d57cc5a9d9a5d83cdd84821d": [[401, 441]], "EMAIL: helpdesk@identity-verify.cc": [[483, 510]], "IP_ADDRESS: 141.70.59.113": [[545, 558]], "FILEPATH: /var/tmp/chrome_helper.exe": [[600, 626]]}, "info": {"id": "synth_v2_00414", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 192.127.29.20, the Kaspersky GReAT IR team identified WarmCookie running as C:\\Users\\admin\\Desktop\\beacon.dll. The threat actor, believed to be OilRig, used BloodHound for credential harvesting and GhostPack for lateral movement. Exfiltrated data was sent to storage-mail.cc and backup-login.cc. The initial dropper (SHA256: ef8433053b43f225c848eb78a7ff6b4d51a913eac8c2be1d8926f124e35e075a) was delivered via a phishing email from confirm@login-portal.tech. 
A second C2 node was observed at 10.224.92.73, with a persistence mechanism writing to C:\\Users\\Public\\Documents\\chrome_helper.exe.", "spans": {"IP_ADDRESS: 192.127.29.20": [[64, 77]], "ORGANIZATION: Kaspersky GReAT": [[83, 98]], "MALWARE: WarmCookie": [[118, 128]], "FILEPATH: C:\\Users\\admin\\Desktop\\beacon.dll": [[140, 173]], "THREAT_ACTOR: OilRig": [[208, 214]], "TOOL: BloodHound": [[221, 231]], "TOOL: GhostPack": [[262, 271]], "DOMAIN: storage-mail.cc": [[323, 338]], "DOMAIN: backup-login.cc": [[343, 358]], "HASH: ef8433053b43f225c848eb78a7ff6b4d51a913eac8c2be1d8926f124e35e075a": [[389, 453]], "EMAIL: confirm@login-portal.tech": [[495, 520]], "IP_ADDRESS: 10.224.92.73": [[555, 567]], "FILEPATH: C:\\Users\\Public\\Documents\\chrome_helper.exe": [[609, 652]]}, "info": {"id": "synth_v2_00415", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 220.112.227.183, the Cisco Talos IR team identified Qbot running as C:\\Program Files\\Common Files\\implant.so. The threat actor, believed to be Forest Blizzard, used LinPEAS for credential harvesting and Covenant for lateral movement. Exfiltrated data was sent to storageedge.io and cdn-mail.dev. The initial dropper (SHA256: 6e47a24a4b7f400e59e9392bf7d4cf5e096a84d7763bf25c81e504b463c37b00) was delivered via a phishing email from noreply@urgent-notice.online. 
A second C2 node was observed at 94.149.125.135, with a persistence mechanism writing to /dev/shm/backdoor.elf.", "spans": {"IP_ADDRESS: 220.112.227.183": [[64, 79]], "ORGANIZATION: Cisco Talos": [[85, 96]], "MALWARE: Qbot": [[116, 120]], "FILEPATH: C:\\Program Files\\Common Files\\implant.so": [[132, 172]], "THREAT_ACTOR: Forest Blizzard": [[207, 222]], "TOOL: LinPEAS": [[229, 236]], "TOOL: Covenant": [[267, 275]], "DOMAIN: storageedge.io": [[327, 341]], "DOMAIN: cdn-mail.dev": [[346, 358]], "HASH: 6e47a24a4b7f400e59e9392bf7d4cf5e096a84d7763bf25c81e504b463c37b00": [[389, 453]], "EMAIL: noreply@urgent-notice.online": [[495, 523]], "IP_ADDRESS: 94.149.125.135": [[558, 572]], "FILEPATH: /dev/shm/backdoor.elf": [[614, 635]]}, "info": {"id": "synth_v2_00416", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 10.190.72.10, the Qualys IR team identified Play running as C:\\Users\\admin\\Desktop\\agent.py. The threat actor, believed to be TA505, used LinPEAS for credential harvesting and Certutil for lateral movement. Exfiltrated data was sent to update-proxy.live and sync-sync.cc. The initial dropper (MD5: db6fb85023d76e426c358b623acd33b9) was delivered via a phishing email from report@identity-verify.cc. 
A second C2 node was observed at 192.225.232.244, with a persistence mechanism writing to C:\\ProgramData\\update.dll.", "spans": {"IP_ADDRESS: 10.190.72.10": [[64, 76]], "ORGANIZATION: Qualys": [[82, 88]], "MALWARE: Play": [[108, 112]], "FILEPATH: C:\\Users\\admin\\Desktop\\agent.py": [[124, 155]], "THREAT_ACTOR: TA505": [[190, 195]], "TOOL: LinPEAS": [[202, 209]], "TOOL: Certutil": [[240, 248]], "DOMAIN: update-proxy.live": [[300, 317]], "DOMAIN: sync-sync.cc": [[322, 334]], "HASH: db6fb85023d76e426c358b623acd33b9": [[362, 394]], "EMAIL: report@identity-verify.cc": [[436, 461]], "IP_ADDRESS: 192.225.232.244": [[496, 511]], "FILEPATH: C:\\ProgramData\\update.dll": [[553, 578]]}, "info": {"id": "synth_v2_00417", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 114.22.114.53, the Volexity IR team identified Qbot running as /opt/app/bin/backdoor.elf. The threat actor, believed to be APT28, used Havoc for credential harvesting and Ligolo for lateral movement. Exfiltrated data was sent to cdnedge.link and updatestatic.link. The initial dropper (MD5: fe156c9e4f2275c823db96ed82403e04) was delivered via a phishing email from report@identity-verify.cc. 
A second C2 node was observed at 48.220.26.170, with a persistence mechanism writing to /tmp/svchost.exe.", "spans": {"IP_ADDRESS: 114.22.114.53": [[64, 77]], "ORGANIZATION: Volexity": [[83, 91]], "MALWARE: Qbot": [[111, 115]], "FILEPATH: /opt/app/bin/backdoor.elf": [[127, 152]], "THREAT_ACTOR: APT28": [[187, 192]], "TOOL: Havoc": [[199, 204]], "TOOL: Ligolo": [[235, 241]], "DOMAIN: cdnedge.link": [[293, 305]], "DOMAIN: updatestatic.link": [[310, 327]], "HASH: fe156c9e4f2275c823db96ed82403e04": [[355, 387]], "EMAIL: report@identity-verify.cc": [[429, 454]], "IP_ADDRESS: 48.220.26.170": [[489, 502]], "FILEPATH: /tmp/svchost.exe": [[544, 560]]}, "info": {"id": "synth_v2_00418", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 10.198.147.220, the Proofpoint IR team identified XLoader running as /var/tmp/dropper.ps1. The threat actor, believed to be Granite Typhoon, used LinPEAS for credential harvesting and Merlin for lateral movement. Exfiltrated data was sent to relaydata.org and sync-sync.net. The initial dropper (SHA1: 51f798f8b6b772b91785d0fb4f61f514778f75f2) was delivered via a phishing email from support@document-share.link. 
A second C2 node was observed at 109.133.83.246, with a persistence mechanism writing to /home/user/.config/winlogon.exe.", "spans": {"IP_ADDRESS: 10.198.147.220": [[64, 78]], "ORGANIZATION: Proofpoint": [[84, 94]], "MALWARE: XLoader": [[114, 121]], "FILEPATH: /var/tmp/dropper.ps1": [[133, 153]], "THREAT_ACTOR: Granite Typhoon": [[188, 203]], "TOOL: LinPEAS": [[210, 217]], "TOOL: Merlin": [[248, 254]], "DOMAIN: relaydata.org": [[306, 319]], "DOMAIN: sync-sync.net": [[324, 337]], "HASH: 51f798f8b6b772b91785d0fb4f61f514778f75f2": [[366, 406]], "EMAIL: support@document-share.link": [[448, 475]], "IP_ADDRESS: 109.133.83.246": [[510, 524]], "FILEPATH: /home/user/.config/winlogon.exe": [[566, 597]]}, "info": {"id": "synth_v2_00419", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 201.6.63.79, the Kaspersky GReAT IR team identified SystemBC running as /tmp/ntds.dit. The threat actor, believed to be BlackTech, used Nmap for credential harvesting and PowerView for lateral movement. Exfiltrated data was sent to updaterelay.com and cdnmail.online. The initial dropper (SHA256: a8623432b238dcd8e026004b03103392e4b01c5697e1660c37de6c9c3a4dfb90) was delivered via a phishing email from report@urgent-notice.online. 
A second C2 node was observed at 215.135.91.114, with a persistence mechanism writing to C:\\Users\\admin\\AppData\\Local\\Temp\\shell.php.", "spans": {"IP_ADDRESS: 201.6.63.79": [[64, 75]], "ORGANIZATION: Kaspersky GReAT": [[81, 96]], "MALWARE: SystemBC": [[116, 124]], "FILEPATH: /tmp/ntds.dit": [[136, 149]], "THREAT_ACTOR: BlackTech": [[184, 193]], "TOOL: Nmap": [[200, 204]], "TOOL: PowerView": [[235, 244]], "DOMAIN: updaterelay.com": [[296, 311]], "DOMAIN: cdnmail.online": [[316, 330]], "HASH: a8623432b238dcd8e026004b03103392e4b01c5697e1660c37de6c9c3a4dfb90": [[361, 425]], "EMAIL: report@urgent-notice.online": [[467, 494]], "IP_ADDRESS: 215.135.91.114": [[529, 543]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\shell.php": [[585, 628]]}, "info": {"id": "synth_v2_00420", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 197.141.132.223, the Secureworks IR team identified RemcosRAT running as C:\\Windows\\Tasks\\shell.php. The threat actor, believed to be Lazarus Group, used Brute Ratel for credential harvesting and Rubeus for lateral movement. Exfiltrated data was sent to data-auth.top and secure-node.live. The initial dropper (SHA1: 88adee71faa91208f0ee6faeb0b8a90c3dd2be9a) was delivered via a phishing email from helpdesk@phishing-domain.com. 
A second C2 node was observed at 33.116.89.38, with a persistence mechanism writing to /opt/app/bin/update.dll.", "spans": {"IP_ADDRESS: 197.141.132.223": [[64, 79]], "ORGANIZATION: Secureworks": [[85, 96]], "MALWARE: RemcosRAT": [[116, 125]], "FILEPATH: C:\\Windows\\Tasks\\shell.php": [[137, 163]], "THREAT_ACTOR: Lazarus Group": [[198, 211]], "TOOL: Brute Ratel": [[218, 229]], "TOOL: Rubeus": [[260, 266]], "DOMAIN: data-auth.top": [[318, 331]], "DOMAIN: secure-node.live": [[336, 352]], "HASH: 88adee71faa91208f0ee6faeb0b8a90c3dd2be9a": [[381, 421]], "EMAIL: helpdesk@phishing-domain.com": [[463, 491]], "IP_ADDRESS: 33.116.89.38": [[526, 538]], "FILEPATH: /opt/app/bin/update.dll": [[580, 603]]}, "info": {"id": "synth_v2_00421", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 139.22.120.90, the INTERPOL IR team identified SmokeLoader running as C:\\Program Files\\Common Files\\agent.py. The threat actor, believed to be FIN11, used Mimikatz for credential harvesting and PowerView for lateral movement. Exfiltrated data was sent to data-cloud.tech and gatewayapi.top. The initial dropper (MD5: 3eccec0d1973db0b2b737de426f6dae2) was delivered via a phishing email from it@auth-check.org. 
A second C2 node was observed at 10.227.57.131, with a persistence mechanism writing to C:\\Windows\\System32\\svchost.exe.", "spans": {"IP_ADDRESS: 139.22.120.90": [[64, 77]], "ORGANIZATION: INTERPOL": [[83, 91]], "MALWARE: SmokeLoader": [[111, 122]], "FILEPATH: C:\\Program Files\\Common Files\\agent.py": [[134, 172]], "THREAT_ACTOR: FIN11": [[207, 212]], "TOOL: Mimikatz": [[219, 227]], "TOOL: PowerView": [[258, 267]], "DOMAIN: data-cloud.tech": [[319, 334]], "DOMAIN: gatewayapi.top": [[339, 353]], "HASH: 3eccec0d1973db0b2b737de426f6dae2": [[381, 413]], "EMAIL: it@auth-check.org": [[455, 472]], "IP_ADDRESS: 10.227.57.131": [[507, 520]], "FILEPATH: C:\\Windows\\System32\\svchost.exe": [[562, 593]]}, "info": {"id": "synth_v2_00422", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 76.15.82.95, the FireEye IR team identified FormBook running as C:\\Users\\admin\\AppData\\Local\\Temp\\payload.bin. The threat actor, believed to be Silk Typhoon, used Sharphound for credential harvesting and Chisel for lateral movement. Exfiltrated data was sent to storage-node.club and cloudportal.live. The initial dropper (SHA256: 450d4c47146611496001e3b5cd64f04d82f0708b8f1724a59c67e4a7829a7d20) was delivered via a phishing email from helpdesk@document-share.link. 
A second C2 node was observed at 172.76.13.28, with a persistence mechanism writing to C:\\Users\\admin\\Desktop\\chrome_helper.exe.", "spans": {"IP_ADDRESS: 76.15.82.95": [[64, 75]], "ORGANIZATION: FireEye": [[81, 88]], "MALWARE: FormBook": [[108, 116]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\payload.bin": [[128, 173]], "THREAT_ACTOR: Silk Typhoon": [[208, 220]], "TOOL: Sharphound": [[227, 237]], "TOOL: Chisel": [[268, 274]], "DOMAIN: storage-node.club": [[326, 343]], "DOMAIN: cloudportal.live": [[348, 364]], "HASH: 450d4c47146611496001e3b5cd64f04d82f0708b8f1724a59c67e4a7829a7d20": [[395, 459]], "EMAIL: helpdesk@document-share.link": [[501, 529]], "IP_ADDRESS: 172.76.13.28": [[564, 576]], "FILEPATH: C:\\Users\\admin\\Desktop\\chrome_helper.exe": [[618, 658]]}, "info": {"id": "synth_v2_00423", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 138.62.26.156, the Palo Alto Unit 42 IR team identified BatLoader running as /etc/cron.d/helper.sh. The threat actor, believed to be OilRig, used Sharphound for credential harvesting and Certutil for lateral movement. Exfiltrated data was sent to cache-backup.dev and storage-data.link. The initial dropper (SHA1: d31902a44ef8742673eff95532edd2577b018d53) was delivered via a phishing email from helpdesk@credential-check.site. 
A second C2 node was observed at 169.225.162.69, with a persistence mechanism writing to C:\\Windows\\Tasks\\winlogon.exe.", "spans": {"IP_ADDRESS: 138.62.26.156": [[64, 77]], "ORGANIZATION: Palo Alto Unit 42": [[83, 100]], "MALWARE: BatLoader": [[120, 129]], "FILEPATH: /etc/cron.d/helper.sh": [[141, 162]], "THREAT_ACTOR: OilRig": [[197, 203]], "TOOL: Sharphound": [[210, 220]], "TOOL: Certutil": [[251, 259]], "DOMAIN: cache-backup.dev": [[311, 327]], "DOMAIN: storage-data.link": [[332, 349]], "HASH: d31902a44ef8742673eff95532edd2577b018d53": [[378, 418]], "EMAIL: helpdesk@credential-check.site": [[460, 490]], "IP_ADDRESS: 169.225.162.69": [[525, 539]], "FILEPATH: C:\\Windows\\Tasks\\winlogon.exe": [[581, 610]]}, "info": {"id": "synth_v2_00424", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.247.117.115, the Microsoft MSRC IR team identified FormBook running as C:\\Users\\Public\\Documents\\chrome_helper.exe. The threat actor, believed to be BlackTech, used Impacket for credential harvesting and Chisel for lateral movement. Exfiltrated data was sent to cachelogin.cc and backupstorage.tech. The initial dropper (SHA1: c363c62d1d740381be1f3d0b5b172d59e5119af3) was delivered via a phishing email from notification@credential-check.site. 
A second C2 node was observed at 59.64.125.199, with a persistence mechanism writing to C:\\Program Files\\Common Files\\ntds.dit.", "spans": {"IP_ADDRESS: 172.247.117.115": [[64, 79]], "ORGANIZATION: Microsoft MSRC": [[85, 99]], "MALWARE: FormBook": [[119, 127]], "FILEPATH: C:\\Users\\Public\\Documents\\chrome_helper.exe": [[139, 182]], "THREAT_ACTOR: BlackTech": [[217, 226]], "TOOL: Impacket": [[233, 241]], "TOOL: Chisel": [[272, 278]], "DOMAIN: cachelogin.cc": [[330, 343]], "DOMAIN: backupstorage.tech": [[348, 366]], "HASH: c363c62d1d740381be1f3d0b5b172d59e5119af3": [[395, 435]], "EMAIL: notification@credential-check.site": [[477, 511]], "IP_ADDRESS: 59.64.125.199": [[546, 559]], "FILEPATH: C:\\Program Files\\Common Files\\ntds.dit": [[601, 639]]}, "info": {"id": "synth_v2_00425", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 4.85.61.108, the Secureworks IR team identified Hive running as C:\\Users\\admin\\Desktop\\ntds.dit. The threat actor, believed to be Silk Typhoon, used Rubeus for credential harvesting and Mythic for lateral movement. Exfiltrated data was sent to gateway-update.club and api-login.io. The initial dropper (MD5: 590b7d63a4ee757cce08ca5653370b5c) was delivered via a phishing email from confirm@login-portal.tech. 
A second C2 node was observed at 196.240.51.33, with a persistence mechanism writing to /etc/cron.d/payload.bin.", "spans": {"IP_ADDRESS: 4.85.61.108": [[64, 75]], "ORGANIZATION: Secureworks": [[81, 92]], "MALWARE: Hive": [[112, 116]], "FILEPATH: C:\\Users\\admin\\Desktop\\ntds.dit": [[128, 159]], "THREAT_ACTOR: Silk Typhoon": [[194, 206]], "TOOL: Rubeus": [[213, 219]], "TOOL: Mythic": [[250, 256]], "DOMAIN: gateway-update.club": [[308, 327]], "DOMAIN: api-login.io": [[332, 344]], "HASH: 590b7d63a4ee757cce08ca5653370b5c": [[372, 404]], "EMAIL: confirm@login-portal.tech": [[446, 471]], "IP_ADDRESS: 196.240.51.33": [[506, 519]], "FILEPATH: /etc/cron.d/payload.bin": [[561, 584]]}, "info": {"id": "synth_v2_00426", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 152.55.23.19, the SentinelOne IR team identified Gootloader running as C:\\ProgramData\\payload.bin. The threat actor, believed to be Kimsuky, used Hashcat for credential harvesting and Mythic for lateral movement. Exfiltrated data was sent to backupproxy.club and secure-cache.dev. The initial dropper (SHA1: e29f3eeb98743febed0bdd3322d19a58a1fd73b3) was delivered via a phishing email from updates@identity-verify.cc. 
A second C2 node was observed at 115.209.230.190, with a persistence mechanism writing to C:\\Windows\\Temp\\shell.php.", "spans": {"IP_ADDRESS: 152.55.23.19": [[64, 76]], "ORGANIZATION: SentinelOne": [[82, 93]], "MALWARE: Gootloader": [[113, 123]], "FILEPATH: C:\\ProgramData\\payload.bin": [[135, 161]], "THREAT_ACTOR: Kimsuky": [[196, 203]], "TOOL: Hashcat": [[210, 217]], "TOOL: Mythic": [[248, 254]], "DOMAIN: backupproxy.club": [[306, 322]], "DOMAIN: secure-cache.dev": [[327, 343]], "HASH: e29f3eeb98743febed0bdd3322d19a58a1fd73b3": [[372, 412]], "EMAIL: updates@identity-verify.cc": [[454, 480]], "IP_ADDRESS: 115.209.230.190": [[515, 530]], "FILEPATH: C:\\Windows\\Temp\\shell.php": [[572, 597]]}, "info": {"id": "synth_v2_00427", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 198.49.118.77, the Sophos X-Ops IR team identified RemcosRAT running as /tmp/ntds.dit. The threat actor, believed to be Midnight Blizzard, used Rubeus for credential harvesting and LaZagne for lateral movement. Exfiltrated data was sent to portalstorage.link and login-cdn.live. The initial dropper (SHA1: de65a79af137cda8956c514d1810bca6e3589101) was delivered via a phishing email from alert@auth-check.org. 
A second C2 node was observed at 88.24.218.74, with a persistence mechanism writing to /usr/local/bin/shell.php.", "spans": {"IP_ADDRESS: 198.49.118.77": [[64, 77]], "ORGANIZATION: Sophos X-Ops": [[83, 95]], "MALWARE: RemcosRAT": [[115, 124]], "FILEPATH: /tmp/ntds.dit": [[136, 149]], "THREAT_ACTOR: Midnight Blizzard": [[184, 201]], "TOOL: Rubeus": [[208, 214]], "TOOL: LaZagne": [[245, 252]], "DOMAIN: portalstorage.link": [[304, 322]], "DOMAIN: login-cdn.live": [[327, 341]], "HASH: de65a79af137cda8956c514d1810bca6e3589101": [[370, 410]], "EMAIL: alert@auth-check.org": [[452, 472]], "IP_ADDRESS: 88.24.218.74": [[507, 519]], "FILEPATH: /usr/local/bin/shell.php": [[561, 585]]}, "info": {"id": "synth_v2_00428", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 125.224.114.227, the Rapid7 IR team identified Gootloader running as C:\\Users\\admin\\Downloads\\svchost.exe. The threat actor, believed to be Turla, used Metasploit for credential harvesting and Burp Suite for lateral movement. Exfiltrated data was sent to sync-login.net and edge-node.link. The initial dropper (SHA1: 057b8eafab20c3e2af169470e2becbae2a3e3c97) was delivered via a phishing email from billing@phishing-domain.com. 
A second C2 node was observed at 172.132.54.237, with a persistence mechanism writing to C:\\Users\\admin\\AppData\\Local\\Temp\\dropper.ps1.", "spans": {"IP_ADDRESS: 125.224.114.227": [[64, 79]], "ORGANIZATION: Rapid7": [[85, 91]], "MALWARE: Gootloader": [[111, 121]], "FILEPATH: C:\\Users\\admin\\Downloads\\svchost.exe": [[133, 169]], "THREAT_ACTOR: Turla": [[204, 209]], "TOOL: Metasploit": [[216, 226]], "TOOL: Burp Suite": [[257, 267]], "DOMAIN: sync-login.net": [[319, 333]], "DOMAIN: edge-node.link": [[338, 352]], "HASH: 057b8eafab20c3e2af169470e2becbae2a3e3c97": [[381, 421]], "EMAIL: billing@phishing-domain.com": [[463, 490]], "IP_ADDRESS: 172.132.54.237": [[525, 539]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\dropper.ps1": [[581, 626]]}, "info": {"id": "synth_v2_00429", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 53.144.218.188, the Volexity IR team identified Qbot running as C:\\Windows\\System32\\backdoor.elf. The threat actor, believed to be Flax Typhoon, used Covenant for credential harvesting and Mimikatz for lateral movement. Exfiltrated data was sent to auth-relay.dev and proxysync.net. The initial dropper (SHA256: 7287e38f8fcf6c165f7f72dbf6b1257dcac297d50e4b487301c902fed6fa2516) was delivered via a phishing email from helpdesk@secure-verify.net. 
A second C2 node was observed at 134.64.232.76, with a persistence mechanism writing to C:\\Users\\Public\\Documents\\csrss.exe.", "spans": {"IP_ADDRESS: 53.144.218.188": [[64, 78]], "ORGANIZATION: Volexity": [[84, 92]], "MALWARE: Qbot": [[112, 116]], "FILEPATH: C:\\Windows\\System32\\backdoor.elf": [[128, 160]], "THREAT_ACTOR: Flax Typhoon": [[195, 207]], "TOOL: Covenant": [[214, 222]], "TOOL: Mimikatz": [[253, 261]], "DOMAIN: auth-relay.dev": [[313, 327]], "DOMAIN: proxysync.net": [[332, 345]], "HASH: 7287e38f8fcf6c165f7f72dbf6b1257dcac297d50e4b487301c902fed6fa2516": [[376, 440]], "EMAIL: helpdesk@secure-verify.net": [[482, 508]], "IP_ADDRESS: 134.64.232.76": [[543, 556]], "FILEPATH: C:\\Users\\Public\\Documents\\csrss.exe": [[598, 633]]}, "info": {"id": "synth_v2_00430", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 117.37.161.229, the FBI IR team identified RemcosRAT running as /dev/shm/payload.bin. The threat actor, believed to be Turla, used LaZagne for credential harvesting and Hashcat for lateral movement. Exfiltrated data was sent to update-data.org and datacloud.info. The initial dropper (SHA1: cf2c72ab40a9924b0833e01fa7d1db4418167fb5) was delivered via a phishing email from finance@account-update.xyz. 
A second C2 node was observed at 172.51.162.49, with a persistence mechanism writing to /dev/shm/config.dat.", "spans": {"IP_ADDRESS: 117.37.161.229": [[64, 78]], "ORGANIZATION: FBI": [[84, 87]], "MALWARE: RemcosRAT": [[107, 116]], "FILEPATH: /dev/shm/payload.bin": [[128, 148]], "THREAT_ACTOR: Turla": [[183, 188]], "TOOL: LaZagne": [[195, 202]], "TOOL: Hashcat": [[233, 240]], "DOMAIN: update-data.org": [[292, 307]], "DOMAIN: datacloud.info": [[312, 326]], "HASH: cf2c72ab40a9924b0833e01fa7d1db4418167fb5": [[355, 395]], "EMAIL: finance@account-update.xyz": [[437, 463]], "IP_ADDRESS: 172.51.162.49": [[498, 511]], "FILEPATH: /dev/shm/config.dat": [[553, 572]]}, "info": {"id": "synth_v2_00431", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 10.222.34.126, the FBI IR team identified Hive running as C:\\Users\\admin\\Downloads\\agent.py. The threat actor, believed to be UNC2452, used Mythic for credential harvesting and Impacket for lateral movement. Exfiltrated data was sent to staticportal.top and mail-proxy.io. The initial dropper (SHA1: 286118ab11a2dbe625d2ef96fa6e632971e58320) was delivered via a phishing email from verify@identity-verify.cc. 
A second C2 node was observed at 192.91.19.108, with a persistence mechanism writing to /var/tmp/agent.py.", "spans": {"IP_ADDRESS: 10.222.34.126": [[64, 77]], "ORGANIZATION: FBI": [[83, 86]], "MALWARE: Hive": [[106, 110]], "FILEPATH: C:\\Users\\admin\\Downloads\\agent.py": [[122, 155]], "THREAT_ACTOR: UNC2452": [[190, 197]], "TOOL: Mythic": [[204, 210]], "TOOL: Impacket": [[241, 249]], "DOMAIN: staticportal.top": [[301, 317]], "DOMAIN: mail-proxy.io": [[322, 335]], "HASH: 286118ab11a2dbe625d2ef96fa6e632971e58320": [[364, 404]], "EMAIL: verify@identity-verify.cc": [[446, 471]], "IP_ADDRESS: 192.91.19.108": [[506, 519]], "FILEPATH: /var/tmp/agent.py": [[561, 578]]}, "info": {"id": "synth_v2_00432", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 25.112.57.247, the Dragos IR team identified StealC running as C:\\Users\\admin\\Desktop\\payload.bin. The threat actor, believed to be BlackTech, used Certutil for credential harvesting and PowerShell Empire for lateral movement. Exfiltrated data was sent to authsecure.online and authmail.club. The initial dropper (SHA1: 58b2f6cc5b2dcb6f1e5599ba14a6b29d70731954) was delivered via a phishing email from helpdesk@phishing-domain.com. 
A second C2 node was observed at 108.228.166.64, with a persistence mechanism writing to /dev/shm/beacon.dll.", "spans": {"IP_ADDRESS: 25.112.57.247": [[64, 77]], "ORGANIZATION: Dragos": [[83, 89]], "MALWARE: StealC": [[109, 115]], "FILEPATH: C:\\Users\\admin\\Desktop\\payload.bin": [[127, 161]], "THREAT_ACTOR: BlackTech": [[196, 205]], "TOOL: Certutil": [[212, 220]], "TOOL: PowerShell Empire": [[251, 268]], "DOMAIN: authsecure.online": [[320, 337]], "DOMAIN: authmail.club": [[342, 355]], "HASH: 58b2f6cc5b2dcb6f1e5599ba14a6b29d70731954": [[384, 424]], "EMAIL: helpdesk@phishing-domain.com": [[466, 494]], "IP_ADDRESS: 108.228.166.64": [[529, 543]], "FILEPATH: /dev/shm/beacon.dll": [[585, 604]]}, "info": {"id": "synth_v2_00433", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 16.165.133.173, the Europol IR team identified Gootloader running as C:\\Users\\admin\\AppData\\Local\\Temp\\agent.py. The threat actor, believed to be FIN11, used LaZagne for credential harvesting and SharpHound for lateral movement. Exfiltrated data was sent to synccdn.info and datastorage.top. The initial dropper (SHA256: d7bb731a580557e8b3ccb39fada59164ba0a2815050ec12ced166bb164a1b8bb) was delivered via a phishing email from security@urgent-notice.online. 
A second C2 node was observed at 106.200.226.109, with a persistence mechanism writing to C:\\Windows\\Tasks\\ntds.dit.", "spans": {"IP_ADDRESS: 16.165.133.173": [[64, 78]], "ORGANIZATION: Europol": [[84, 91]], "MALWARE: Gootloader": [[111, 121]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\agent.py": [[133, 175]], "THREAT_ACTOR: FIN11": [[210, 215]], "TOOL: LaZagne": [[222, 229]], "TOOL: SharpHound": [[260, 270]], "DOMAIN: synccdn.info": [[322, 334]], "DOMAIN: datastorage.top": [[339, 354]], "HASH: d7bb731a580557e8b3ccb39fada59164ba0a2815050ec12ced166bb164a1b8bb": [[385, 449]], "EMAIL: security@urgent-notice.online": [[491, 520]], "IP_ADDRESS: 106.200.226.109": [[555, 570]], "FILEPATH: C:\\Windows\\Tasks\\ntds.dit": [[612, 637]]}, "info": {"id": "synth_v2_00434", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 34.10.10.206, the Sophos X-Ops IR team identified Royal running as C:\\Users\\admin\\Desktop\\helper.sh. The threat actor, believed to be Velvet Tempest, used Sharphound for credential harvesting and Metasploit for lateral movement. Exfiltrated data was sent to cdn-node.xyz and edgecloud.org. The initial dropper (MD5: 99e48da1c6cb06c73ddab33244783f5a) was delivered via a phishing email from contact@login-portal.tech. 
A second C2 node was observed at 24.170.180.197, with a persistence mechanism writing to /home/user/.config/config.dat.", "spans": {"IP_ADDRESS: 34.10.10.206": [[64, 76]], "ORGANIZATION: Sophos X-Ops": [[82, 94]], "MALWARE: Royal": [[114, 119]], "FILEPATH: C:\\Users\\admin\\Desktop\\helper.sh": [[131, 163]], "THREAT_ACTOR: Velvet Tempest": [[198, 212]], "TOOL: Sharphound": [[219, 229]], "TOOL: Metasploit": [[260, 270]], "DOMAIN: cdn-node.xyz": [[322, 334]], "DOMAIN: edgecloud.org": [[339, 352]], "HASH: 99e48da1c6cb06c73ddab33244783f5a": [[380, 412]], "EMAIL: contact@login-portal.tech": [[454, 479]], "IP_ADDRESS: 24.170.180.197": [[514, 528]], "FILEPATH: /home/user/.config/config.dat": [[570, 599]]}, "info": {"id": "synth_v2_00435", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 10.52.203.203, the Recorded Future IR team identified Latrodectus running as C:\\Users\\admin\\Desktop\\payload.bin. The threat actor, believed to be Aqua Blizzard, used PsExec for credential harvesting and Mimikatz for lateral movement. Exfiltrated data was sent to data-data.com and authportal.top. The initial dropper (SHA256: 2ba481d065e769106b9ab0a3ae6559195d605ab11452d10891ea993c3f50b534) was delivered via a phishing email from account@identity-verify.cc. 
A second C2 node was observed at 11.80.144.78, with a persistence mechanism writing to /usr/local/bin/chrome_helper.exe.", "spans": {"IP_ADDRESS: 10.52.203.203": [[64, 77]], "ORGANIZATION: Recorded Future": [[83, 98]], "MALWARE: Latrodectus": [[118, 129]], "FILEPATH: C:\\Users\\admin\\Desktop\\payload.bin": [[141, 175]], "THREAT_ACTOR: Aqua Blizzard": [[210, 223]], "TOOL: PsExec": [[230, 236]], "TOOL: Mimikatz": [[267, 275]], "DOMAIN: data-data.com": [[327, 340]], "DOMAIN: authportal.top": [[345, 359]], "HASH: 2ba481d065e769106b9ab0a3ae6559195d605ab11452d10891ea993c3f50b534": [[390, 454]], "EMAIL: account@identity-verify.cc": [[496, 522]], "IP_ADDRESS: 11.80.144.78": [[557, 569]], "FILEPATH: /usr/local/bin/chrome_helper.exe": [[611, 643]]}, "info": {"id": "synth_v2_00436", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 10.200.99.213, the ESET Research IR team identified TrickBot running as /dev/shm/lsass.dmp. The threat actor, believed to be APT28, used LinPEAS for credential harvesting and Covenant for lateral movement. Exfiltrated data was sent to backup-sync.online and auth-sync.top. The initial dropper (SHA256: cd6faedf4d1b116f7fa9bad572689621a63da7398c11a65334b31b21f490f0cc) was delivered via a phishing email from contact@urgent-notice.online. 
A second C2 node was observed at 201.165.217.132, with a persistence mechanism writing to /home/user/.config/ntds.dit.", "spans": {"IP_ADDRESS: 10.200.99.213": [[64, 77]], "ORGANIZATION: ESET Research": [[83, 96]], "MALWARE: TrickBot": [[116, 124]], "FILEPATH: /dev/shm/lsass.dmp": [[136, 154]], "THREAT_ACTOR: APT28": [[189, 194]], "TOOL: LinPEAS": [[201, 208]], "TOOL: Covenant": [[239, 247]], "DOMAIN: backup-sync.online": [[299, 317]], "DOMAIN: auth-sync.top": [[322, 335]], "HASH: cd6faedf4d1b116f7fa9bad572689621a63da7398c11a65334b31b21f490f0cc": [[366, 430]], "EMAIL: contact@urgent-notice.online": [[472, 500]], "IP_ADDRESS: 201.165.217.132": [[535, 550]], "FILEPATH: /home/user/.config/ntds.dit": [[592, 619]]}, "info": {"id": "synth_v2_00437", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.8.254.187, the NCSC IR team identified SystemBC running as /home/user/.config/winlogon.exe. The threat actor, believed to be Ember Bear, used Burp Suite for credential harvesting and Merlin for lateral movement. Exfiltrated data was sent to portal-data.online and proxycache.net. The initial dropper (SHA256: df7070f3461f6799941c50ab4a721fe0c840202fc59d3ed525100a9ec3e57de1) was delivered via a phishing email from security@login-portal.tech. 
A second C2 node was observed at 96.55.231.58, with a persistence mechanism writing to C:\\Windows\\System32\\chrome_helper.exe.", "spans": {"IP_ADDRESS: 172.8.254.187": [[64, 77]], "ORGANIZATION: NCSC": [[83, 87]], "MALWARE: SystemBC": [[107, 115]], "FILEPATH: /home/user/.config/winlogon.exe": [[127, 158]], "THREAT_ACTOR: Ember Bear": [[193, 203]], "TOOL: Burp Suite": [[210, 220]], "TOOL: Merlin": [[251, 257]], "DOMAIN: portal-data.online": [[309, 327]], "DOMAIN: proxycache.net": [[332, 346]], "HASH: df7070f3461f6799941c50ab4a721fe0c840202fc59d3ed525100a9ec3e57de1": [[377, 441]], "EMAIL: security@login-portal.tech": [[483, 509]], "IP_ADDRESS: 96.55.231.58": [[544, 556]], "FILEPATH: C:\\Windows\\System32\\chrome_helper.exe": [[598, 635]]}, "info": {"id": "synth_v2_00438", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.242.119.16, the Sophos X-Ops IR team identified Qbot running as /tmp/dropper.ps1. The threat actor, believed to be OilRig, used PsExec for credential harvesting and Impacket for lateral movement. Exfiltrated data was sent to logincdn.tech and updatesync.club. The initial dropper (MD5: bb48b05edaab3f4f81210cdac4f1df39) was delivered via a phishing email from helpdesk@auth-check.org. 
A second C2 node was observed at 65.210.159.190, with a persistence mechanism writing to /dev/shm/dropper.ps1.", "spans": {"IP_ADDRESS: 172.242.119.16": [[64, 78]], "ORGANIZATION: Sophos X-Ops": [[84, 96]], "MALWARE: Qbot": [[116, 120]], "FILEPATH: /tmp/dropper.ps1": [[132, 148]], "THREAT_ACTOR: OilRig": [[183, 189]], "TOOL: PsExec": [[196, 202]], "TOOL: Impacket": [[233, 241]], "DOMAIN: logincdn.tech": [[293, 306]], "DOMAIN: updatesync.club": [[311, 326]], "HASH: bb48b05edaab3f4f81210cdac4f1df39": [[354, 386]], "EMAIL: helpdesk@auth-check.org": [[428, 451]], "IP_ADDRESS: 65.210.159.190": [[486, 500]], "FILEPATH: /dev/shm/dropper.ps1": [[542, 562]]}, "info": {"id": "synth_v2_00439", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 10.217.39.97, the Trend Micro IR team identified ShadowPad running as /dev/shm/payload.bin. The threat actor, believed to be Forest Blizzard, used PowerShell Empire for credential harvesting and LaZagne for lateral movement. Exfiltrated data was sent to relay-auth.com and proxysecure.top. The initial dropper (SHA256: 7c1996744111948933e7cd2129fc45dea50b7dbddbb26de8c0affa0b00917fec) was delivered via a phishing email from alert@identity-verify.cc. 
A second C2 node was observed at 10.82.62.43, with a persistence mechanism writing to C:\\Program Files\\Common Files\\lsass.dmp.", "spans": {"IP_ADDRESS: 10.217.39.97": [[64, 76]], "ORGANIZATION: Trend Micro": [[82, 93]], "MALWARE: ShadowPad": [[113, 122]], "FILEPATH: /dev/shm/payload.bin": [[134, 154]], "THREAT_ACTOR: Forest Blizzard": [[189, 204]], "TOOL: PowerShell Empire": [[211, 228]], "TOOL: LaZagne": [[259, 266]], "DOMAIN: relay-auth.com": [[318, 332]], "DOMAIN: proxysecure.top": [[337, 352]], "HASH: 7c1996744111948933e7cd2129fc45dea50b7dbddbb26de8c0affa0b00917fec": [[383, 447]], "EMAIL: alert@identity-verify.cc": [[489, 513]], "IP_ADDRESS: 10.82.62.43": [[548, 559]], "FILEPATH: C:\\Program Files\\Common Files\\lsass.dmp": [[601, 640]]}, "info": {"id": "synth_v2_00440", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 134.165.190.145, the Tenable IR team identified Gootloader running as /opt/app/bin/payload.bin. The threat actor, believed to be Aqua Blizzard, used Merlin for credential harvesting and Mythic for lateral movement. Exfiltrated data was sent to nodestatic.info and relaycloud.dev. The initial dropper (SHA1: 222742d9e290ccde12fc5c6ee3ccf51ba2c27269) was delivered via a phishing email from verify@phishing-domain.com. 
A second C2 node was observed at 10.148.104.206, with a persistence mechanism writing to C:\\Users\\admin\\Downloads\\loader.exe.", "spans": {"IP_ADDRESS: 134.165.190.145": [[64, 79]], "ORGANIZATION: Tenable": [[85, 92]], "MALWARE: Gootloader": [[112, 122]], "FILEPATH: /opt/app/bin/payload.bin": [[134, 158]], "THREAT_ACTOR: Aqua Blizzard": [[193, 206]], "TOOL: Merlin": [[213, 219]], "TOOL: Mythic": [[250, 256]], "DOMAIN: nodestatic.info": [[308, 323]], "DOMAIN: relaycloud.dev": [[328, 342]], "HASH: 222742d9e290ccde12fc5c6ee3ccf51ba2c27269": [[371, 411]], "EMAIL: verify@phishing-domain.com": [[453, 479]], "IP_ADDRESS: 10.148.104.206": [[514, 528]], "FILEPATH: C:\\Users\\admin\\Downloads\\loader.exe": [[570, 605]]}, "info": {"id": "synth_v2_00441", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 18.2.159.180, the Trend Micro IR team identified RemcosRAT running as /var/tmp/csrss.exe. The threat actor, believed to be Storm-0558, used Rubeus for credential harvesting and CrackMapExec for lateral movement. Exfiltrated data was sent to cdn-static.online and api-mail.top. The initial dropper (MD5: 6ad12c5fbc4139ea935cb8d88ddc7663) was delivered via a phishing email from contact@document-share.link. 
A second C2 node was observed at 10.48.234.85, with a persistence mechanism writing to C:\\Windows\\Temp\\runtime.dll.", "spans": {"IP_ADDRESS: 18.2.159.180": [[64, 76]], "ORGANIZATION: Trend Micro": [[82, 93]], "MALWARE: RemcosRAT": [[113, 122]], "FILEPATH: /var/tmp/csrss.exe": [[134, 152]], "THREAT_ACTOR: Storm-0558": [[187, 197]], "TOOL: Rubeus": [[204, 210]], "TOOL: CrackMapExec": [[241, 253]], "DOMAIN: cdn-static.online": [[305, 322]], "DOMAIN: api-mail.top": [[327, 339]], "HASH: 6ad12c5fbc4139ea935cb8d88ddc7663": [[367, 399]], "EMAIL: contact@document-share.link": [[441, 468]], "IP_ADDRESS: 10.48.234.85": [[503, 515]], "FILEPATH: C:\\Windows\\Temp\\runtime.dll": [[557, 584]]}, "info": {"id": "synth_v2_00442", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 66.103.39.152, the CrowdStrike IR team identified AsyncRAT running as /usr/local/bin/implant.so. The threat actor, believed to be BlackTech, used ADFind for credential harvesting and Seatbelt for lateral movement. Exfiltrated data was sent to cacheauth.org and storagecache.link. The initial dropper (SHA256: 520561c4b4b7473f49c35b573969d458329f995d6aa970bab15166153d2b83ed) was delivered via a phishing email from helpdesk@login-portal.tech. 
A second C2 node was observed at 10.110.143.46, with a persistence mechanism writing to /dev/shm/runtime.dll.", "spans": {"IP_ADDRESS: 66.103.39.152": [[64, 77]], "ORGANIZATION: CrowdStrike": [[83, 94]], "MALWARE: AsyncRAT": [[114, 122]], "FILEPATH: /usr/local/bin/implant.so": [[134, 159]], "THREAT_ACTOR: BlackTech": [[194, 203]], "TOOL: ADFind": [[210, 216]], "TOOL: Seatbelt": [[247, 255]], "DOMAIN: cacheauth.org": [[307, 320]], "DOMAIN: storagecache.link": [[325, 342]], "HASH: 520561c4b4b7473f49c35b573969d458329f995d6aa970bab15166153d2b83ed": [[373, 437]], "EMAIL: helpdesk@login-portal.tech": [[479, 505]], "IP_ADDRESS: 10.110.143.46": [[540, 553]], "FILEPATH: /dev/shm/runtime.dll": [[595, 615]]}, "info": {"id": "synth_v2_00443", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 10.84.243.224, the Trend Micro IR team identified Dridex running as C:\\Users\\admin\\Desktop\\lsass.dmp. The threat actor, believed to be Diamond Sleet, used GhostPack for credential harvesting and ADFind for lateral movement. Exfiltrated data was sent to gatewayproxy.tech and nodeauth.xyz. The initial dropper (MD5: 6ec41f6ac248129aa977270ff4750475) was delivered via a phishing email from account@auth-check.org. 
A second C2 node was observed at 172.39.26.36, with a persistence mechanism writing to C:\\Users\\admin\\Desktop\\beacon.dll.", "spans": {"IP_ADDRESS: 10.84.243.224": [[64, 77]], "ORGANIZATION: Trend Micro": [[83, 94]], "MALWARE: Dridex": [[114, 120]], "FILEPATH: C:\\Users\\admin\\Desktop\\lsass.dmp": [[132, 164]], "THREAT_ACTOR: Diamond Sleet": [[199, 212]], "TOOL: GhostPack": [[219, 228]], "TOOL: ADFind": [[259, 265]], "DOMAIN: gatewayproxy.tech": [[317, 334]], "DOMAIN: nodeauth.xyz": [[339, 351]], "HASH: 6ec41f6ac248129aa977270ff4750475": [[379, 411]], "EMAIL: account@auth-check.org": [[453, 475]], "IP_ADDRESS: 172.39.26.36": [[510, 522]], "FILEPATH: C:\\Users\\admin\\Desktop\\beacon.dll": [[564, 597]]}, "info": {"id": "synth_v2_00444", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 10.142.73.216, the INTERPOL IR team identified PikaBot running as /etc/cron.d/sam.hive. The threat actor, believed to be Lazarus Group, used Mythic for credential harvesting and ADFind for lateral movement. Exfiltrated data was sent to authedge.dev and mailsecure.com. The initial dropper (SHA256: a903ddfef58aa0c86593e86272ceeeac5bac1fdd8c696da3c215d4584d610e03) was delivered via a phishing email from confirm@login-portal.tech. 
A second C2 node was observed at 144.226.250.178, with a persistence mechanism writing to /etc/cron.d/ntds.dit.", "spans": {"IP_ADDRESS: 10.142.73.216": [[64, 77]], "ORGANIZATION: INTERPOL": [[83, 91]], "MALWARE: PikaBot": [[111, 118]], "FILEPATH: /etc/cron.d/sam.hive": [[130, 150]], "THREAT_ACTOR: Lazarus Group": [[185, 198]], "TOOL: Mythic": [[205, 211]], "TOOL: ADFind": [[242, 248]], "DOMAIN: authedge.dev": [[300, 312]], "DOMAIN: mailsecure.com": [[317, 331]], "HASH: a903ddfef58aa0c86593e86272ceeeac5bac1fdd8c696da3c215d4584d610e03": [[362, 426]], "EMAIL: confirm@login-portal.tech": [[468, 493]], "IP_ADDRESS: 144.226.250.178": [[528, 543]], "FILEPATH: /etc/cron.d/ntds.dit": [[585, 605]]}, "info": {"id": "synth_v2_00445", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 10.226.184.135, the Secureworks IR team identified Raccoon Stealer running as /usr/local/bin/beacon.dll. The threat actor, believed to be BlackTech, used Rubeus for credential harvesting and Merlin for lateral movement. Exfiltrated data was sent to syncnode.dev and static-sync.com. The initial dropper (SHA1: 8cbf60f27f705c029084d8b3a47798af9a1e3ea3) was delivered via a phishing email from hr@mail-service.info. 
A second C2 node was observed at 10.158.168.25, with a persistence mechanism writing to C:\\Users\\admin\\Desktop\\update.dll.", "spans": {"IP_ADDRESS: 10.226.184.135": [[64, 78]], "ORGANIZATION: Secureworks": [[84, 95]], "MALWARE: Raccoon Stealer": [[115, 130]], "FILEPATH: /usr/local/bin/beacon.dll": [[142, 167]], "THREAT_ACTOR: BlackTech": [[202, 211]], "TOOL: Rubeus": [[218, 224]], "TOOL: Merlin": [[255, 261]], "DOMAIN: syncnode.dev": [[313, 325]], "DOMAIN: static-sync.com": [[330, 345]], "HASH: 8cbf60f27f705c029084d8b3a47798af9a1e3ea3": [[374, 414]], "EMAIL: hr@mail-service.info": [[456, 476]], "IP_ADDRESS: 10.158.168.25": [[511, 524]], "FILEPATH: C:\\Users\\admin\\Desktop\\update.dll": [[566, 599]]}, "info": {"id": "synth_v2_00446", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 156.232.251.45, the Palo Alto Unit 42 IR team identified QakBot running as C:\\Users\\Public\\Documents\\update.dll. The threat actor, believed to be OilRig, used Covenant for credential harvesting and Mimikatz for lateral movement. Exfiltrated data was sent to static-login.club and login-api.site. The initial dropper (MD5: 8ddfaaacc400d9aa91fc4a87725325f1) was delivered via a phishing email from confirm@mail-service.info. 
A second C2 node was observed at 192.53.19.95, with a persistence mechanism writing to C:\\Windows\\Tasks\\update.dll.", "spans": {"IP_ADDRESS: 156.232.251.45": [[64, 78]], "ORGANIZATION: Palo Alto Unit 42": [[84, 101]], "MALWARE: QakBot": [[121, 127]], "FILEPATH: C:\\Users\\Public\\Documents\\update.dll": [[139, 175]], "THREAT_ACTOR: OilRig": [[210, 216]], "TOOL: Covenant": [[223, 231]], "TOOL: Mimikatz": [[262, 270]], "DOMAIN: static-login.club": [[322, 339]], "DOMAIN: login-api.site": [[344, 358]], "HASH: 8ddfaaacc400d9aa91fc4a87725325f1": [[386, 418]], "EMAIL: confirm@mail-service.info": [[460, 485]], "IP_ADDRESS: 192.53.19.95": [[520, 532]], "FILEPATH: C:\\Windows\\Tasks\\update.dll": [[574, 601]]}, "info": {"id": "synth_v2_00447", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.162.86.232, the Secureworks IR team identified Hive running as C:\\Windows\\Tasks\\update.dll. The threat actor, believed to be UNC2452, used ADFind for credential harvesting and LinPEAS for lateral movement. Exfiltrated data was sent to api-cloud.live and sync-api.org. The initial dropper (SHA256: c67605336868e5dbd55fa35e56f9c6b8e12b9465cf314febe7e0156ccb2b44c8) was delivered via a phishing email from account@identity-verify.cc. 
A second C2 node was observed at 133.7.206.107, with a persistence mechanism writing to /usr/local/bin/implant.so.", "spans": {"IP_ADDRESS: 172.162.86.232": [[64, 78]], "ORGANIZATION: Secureworks": [[84, 95]], "MALWARE: Hive": [[115, 119]], "FILEPATH: C:\\Windows\\Tasks\\update.dll": [[131, 158]], "THREAT_ACTOR: UNC2452": [[193, 200]], "TOOL: ADFind": [[207, 213]], "TOOL: LinPEAS": [[244, 251]], "DOMAIN: api-cloud.live": [[303, 317]], "DOMAIN: sync-api.org": [[322, 334]], "HASH: c67605336868e5dbd55fa35e56f9c6b8e12b9465cf314febe7e0156ccb2b44c8": [[365, 429]], "EMAIL: account@identity-verify.cc": [[471, 497]], "IP_ADDRESS: 133.7.206.107": [[532, 545]], "FILEPATH: /usr/local/bin/implant.so": [[587, 612]]}, "info": {"id": "synth_v2_00448", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 172.140.179.31, the SentinelOne IR team identified DarkSide running as C:\\Windows\\Temp\\config.dat. The threat actor, believed to be UNC2452, used LinPEAS for credential harvesting and Covenant for lateral movement. Exfiltrated data was sent to api-secure.club and secure-storage.cc. The initial dropper (SHA1: 0b8c9dc8a90fc5c67f5b61b229ffde436e391735) was delivered via a phishing email from updates@secure-verify.net. 
A second C2 node was observed at 120.44.237.23, with a persistence mechanism writing to C:\\Windows\\Temp\\runtime.dll.", "spans": {"IP_ADDRESS: 172.140.179.31": [[64, 78]], "ORGANIZATION: SentinelOne": [[84, 95]], "MALWARE: DarkSide": [[115, 123]], "FILEPATH: C:\\Windows\\Temp\\config.dat": [[135, 161]], "THREAT_ACTOR: UNC2452": [[196, 203]], "TOOL: LinPEAS": [[210, 217]], "TOOL: Covenant": [[248, 256]], "DOMAIN: api-secure.club": [[308, 323]], "DOMAIN: secure-storage.cc": [[328, 345]], "HASH: 0b8c9dc8a90fc5c67f5b61b229ffde436e391735": [[374, 414]], "EMAIL: updates@secure-verify.net": [[456, 481]], "IP_ADDRESS: 120.44.237.23": [[516, 529]], "FILEPATH: C:\\Windows\\Temp\\runtime.dll": [[571, 598]]}, "info": {"id": "synth_v2_00449", "source": "synthetic_v2"}} +{"text": "Incident Response Summary: On detection of anomalous traffic to 192.67.158.14, the CISA IR team identified BumbleBee running as /tmp/config.dat. The threat actor, believed to be TA505, used Covenant for credential harvesting and PowerView for lateral movement. Exfiltrated data was sent to cache-storage.site and cloud-sync.dev. The initial dropper (SHA1: 258955a2ac667d67d4ac20f27c94febebc62395e) was delivered via a phishing email from hr@secure-verify.net. 
A second C2 node was observed at 181.146.91.72, with a persistence mechanism writing to /home/user/.config/backdoor.elf.", "spans": {"IP_ADDRESS: 192.67.158.14": [[64, 77]], "ORGANIZATION: CISA": [[83, 87]], "MALWARE: BumbleBee": [[107, 116]], "FILEPATH: /tmp/config.dat": [[128, 143]], "THREAT_ACTOR: TA505": [[178, 183]], "TOOL: Covenant": [[190, 198]], "TOOL: PowerView": [[229, 238]], "DOMAIN: cache-storage.site": [[290, 308]], "DOMAIN: cloud-sync.dev": [[313, 327]], "HASH: 258955a2ac667d67d4ac20f27c94febebc62395e": [[356, 396]], "EMAIL: hr@secure-verify.net": [[438, 458]], "IP_ADDRESS: 181.146.91.72": [[493, 506]], "FILEPATH: /home/user/.config/backdoor.elf": [[548, 579]]}, "info": {"id": "synth_v2_00450", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Qbot (MD5: 9c1d255c01f646fd037d6a8fda3fbc85). Upon execution on Palo Alto PAN-OS, the sample creates /opt/app/bin/loader.exe and injects into legitimate processes. Network analysis shows beaconing to 90.230.87.10 every 60 seconds and DNS queries to loginedge.cc. The second stage was fetched from https://gateway-mail.top/wp-content/uploads/doc.php and written to /usr/local/bin/chrome_helper.exe. The payload uses LaZagne-style techniques for defense evasion. 
A secondary hash (SHA1: 0c6ca766102f724226e263d9f164c973f433501c) was extracted from the unpacked payload.", "spans": {"MALWARE: Qbot": [[25, 29]], "HASH: 9c1d255c01f646fd037d6a8fda3fbc85": [[36, 68]], "SYSTEM: Palo Alto PAN-OS": [[89, 105]], "FILEPATH: /opt/app/bin/loader.exe": [[126, 149]], "IP_ADDRESS: 90.230.87.10": [[225, 237]], "DOMAIN: loginedge.cc": [[274, 286]], "URL: https://gateway-mail.top/wp-content/uploads/doc.php": [[322, 373]], "FILEPATH: /usr/local/bin/chrome_helper.exe": [[389, 421]], "TOOL: LaZagne": [[440, 447]], "HASH: 0c6ca766102f724226e263d9f164c973f433501c": [[510, 550]]}, "info": {"id": "synth_v2_00451", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: SmokeLoader (SHA256: 8a07d98510d7c9a975a45bd2ed4f17d0961a44e0a8e0649eef6ba0b051645043). Upon execution on F5 BIG-IP, the sample creates C:\\Users\\Public\\Documents\\csrss.exe and injects into legitimate processes. Network analysis shows beaconing to 9.59.95.122 every 60 seconds and DNS queries to relay-cache.tech. The second stage was fetched from hxxps://cacheportal.top/secure/token and written to C:\\Windows\\Temp\\config.dat. The payload uses Sliver-style techniques for defense evasion. A secondary hash (MD5: 684741165b211c28524dcb4b2453cf64) was extracted from the unpacked payload.", "spans": {"MALWARE: SmokeLoader": [[25, 36]], "HASH: 8a07d98510d7c9a975a45bd2ed4f17d0961a44e0a8e0649eef6ba0b051645043": [[46, 110]], "SYSTEM: F5 BIG-IP": [[131, 140]], "FILEPATH: C:\\Users\\Public\\Documents\\csrss.exe": [[161, 196]], "IP_ADDRESS: 9.59.95.122": [[272, 283]], "DOMAIN: relay-cache.tech": [[320, 336]], "URL: hxxps://cacheportal.top/secure/token": [[372, 408]], "FILEPATH: C:\\Windows\\Temp\\config.dat": [[424, 450]], "TOOL: Sliver": [[469, 475]], "HASH: 684741165b211c28524dcb4b2453cf64": [[537, 569]]}, "info": {"id": "synth_v2_00452", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: NjRAT (MD5: c4e1381c835ef420b92ff15667d5e8ed). 
Upon execution on Ivanti Connect Secure, the sample creates C:\\Users\\admin\\Desktop\\beacon.dll and injects into legitimate processes. Network analysis shows beaconing to 10.183.156.42 every 60 seconds and DNS queries to edgesecure.link. The second stage was fetched from http://relay-static.online/assets/js/payload.js and written to /var/tmp/backdoor.elf. The payload uses LinPEAS-style techniques for defense evasion. A secondary hash (SHA1: 5db43548404ae339875b3917f9702157784fbab1) was extracted from the unpacked payload.", "spans": {"MALWARE: NjRAT": [[25, 30]], "HASH: c4e1381c835ef420b92ff15667d5e8ed": [[37, 69]], "SYSTEM: Ivanti Connect Secure": [[90, 111]], "FILEPATH: C:\\Users\\admin\\Desktop\\beacon.dll": [[132, 165]], "IP_ADDRESS: 10.183.156.42": [[241, 254]], "DOMAIN: edgesecure.link": [[291, 306]], "URL: http://relay-static.online/assets/js/payload.js": [[342, 389]], "FILEPATH: /var/tmp/backdoor.elf": [[405, 426]], "TOOL: LinPEAS": [[445, 452]], "HASH: 5db43548404ae339875b3917f9702157784fbab1": [[515, 555]]}, "info": {"id": "synth_v2_00453", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: StealC (MD5: d1d73e5ff5a3db1b6a39937ab37c527d). Upon execution on Citrix NetScaler, the sample creates C:\\Users\\admin\\Downloads\\agent.py and injects into legitimate processes. Network analysis shows beaconing to 77.20.119.196 every 60 seconds and DNS queries to gateway-gateway.link. The second stage was fetched from hxxps://cacheportal.cc/download/update.exe and written to /tmp/shell.php. The payload uses Seatbelt-style techniques for defense evasion. 
A secondary hash (MD5: 7b2be7b513142692a3102cb45f962bdb) was extracted from the unpacked payload.", "spans": {"MALWARE: StealC": [[25, 31]], "HASH: d1d73e5ff5a3db1b6a39937ab37c527d": [[38, 70]], "SYSTEM: Citrix NetScaler": [[91, 107]], "FILEPATH: C:\\Users\\admin\\Downloads\\agent.py": [[128, 161]], "IP_ADDRESS: 77.20.119.196": [[237, 250]], "DOMAIN: gateway-gateway.link": [[287, 307]], "URL: hxxps://cacheportal.cc/download/update.exe": [[343, 385]], "FILEPATH: /tmp/shell.php": [[401, 415]], "TOOL: Seatbelt": [[434, 442]], "HASH: 7b2be7b513142692a3102cb45f962bdb": [[504, 536]]}, "info": {"id": "synth_v2_00454", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: BlackCat (SHA1: c6705accb26f6ca42f588c000b8265159182e00a). Upon execution on Palo Alto PAN-OS, the sample creates /home/user/.config/chrome_helper.exe and injects into legitimate processes. Network analysis shows beaconing to 10.158.72.206 every 60 seconds and DNS queries to relayportal.org. The second stage was fetched from hxxp://updatelogin.xyz/portal/verify and written to C:\\Users\\admin\\Downloads\\helper.sh. The payload uses Havoc-style techniques for defense evasion. A secondary hash (MD5: deaa913c77888a46c8f8be4ccd9f333c) was extracted from the unpacked payload.", "spans": {"MALWARE: BlackCat": [[25, 33]], "HASH: c6705accb26f6ca42f588c000b8265159182e00a": [[41, 81]], "SYSTEM: Palo Alto PAN-OS": [[102, 118]], "FILEPATH: /home/user/.config/chrome_helper.exe": [[139, 175]], "IP_ADDRESS: 10.158.72.206": [[251, 264]], "DOMAIN: relayportal.org": [[301, 316]], "URL: hxxp://updatelogin.xyz/portal/verify": [[352, 388]], "FILEPATH: C:\\Users\\admin\\Downloads\\helper.sh": [[404, 438]], "TOOL: Havoc": [[457, 462]], "HASH: deaa913c77888a46c8f8be4ccd9f333c": [[524, 556]]}, "info": {"id": "synth_v2_00455", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: XLoader (SHA256: c492fc5970555a19ea1c02080133c76a62187b419d740fd1949f4cffad081562). 
Upon execution on Citrix NetScaler, the sample creates /var/tmp/taskhost.exe and injects into legitimate processes. Network analysis shows beaconing to 10.191.2.123 every 60 seconds and DNS queries to mail-auth.online. The second stage was fetched from http://cloudproxy.top/gate.php and written to C:\\Users\\admin\\Desktop\\payload.bin. The payload uses Hashcat-style techniques for defense evasion. A secondary hash (SHA1: 241755e815c4f3c50e44b05cd5c4dcb70cacd38c) was extracted from the unpacked payload.", "spans": {"MALWARE: XLoader": [[25, 32]], "HASH: c492fc5970555a19ea1c02080133c76a62187b419d740fd1949f4cffad081562": [[42, 106]], "SYSTEM: Citrix NetScaler": [[127, 143]], "FILEPATH: /var/tmp/taskhost.exe": [[164, 185]], "IP_ADDRESS: 10.191.2.123": [[261, 273]], "DOMAIN: mail-auth.online": [[310, 326]], "URL: http://cloudproxy.top/gate.php": [[362, 392]], "FILEPATH: C:\\Users\\admin\\Desktop\\payload.bin": [[408, 442]], "TOOL: Hashcat": [[461, 468]], "HASH: 241755e815c4f3c50e44b05cd5c4dcb70cacd38c": [[531, 571]]}, "info": {"id": "synth_v2_00456", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Vidar (MD5: e1d4dbe437f3acc27be123b7f89ff243). Upon execution on Microsoft Exchange, the sample creates C:\\Windows\\Temp\\implant.so and injects into legitimate processes. Network analysis shows beaconing to 153.201.36.89 every 60 seconds and DNS queries to cacheupdate.xyz. The second stage was fetched from https://data-mail.tech/panel/index.html and written to C:\\Users\\admin\\Desktop\\chrome_helper.exe. The payload uses Sharphound-style techniques for defense evasion. 
A secondary hash (MD5: ba4044ac25366dfa314ec010d5aa75c0) was extracted from the unpacked payload.", "spans": {"MALWARE: Vidar": [[25, 30]], "HASH: e1d4dbe437f3acc27be123b7f89ff243": [[37, 69]], "SYSTEM: Microsoft Exchange": [[90, 108]], "FILEPATH: C:\\Windows\\Temp\\implant.so": [[129, 155]], "IP_ADDRESS: 153.201.36.89": [[231, 244]], "DOMAIN: cacheupdate.xyz": [[281, 296]], "URL: https://data-mail.tech/panel/index.html": [[332, 371]], "FILEPATH: C:\\Users\\admin\\Desktop\\chrome_helper.exe": [[387, 427]], "TOOL: Sharphound": [[446, 456]], "HASH: ba4044ac25366dfa314ec010d5aa75c0": [[518, 550]]}, "info": {"id": "synth_v2_00457", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: BlackCat (MD5: db0d560b9e1d5847fb3483f2efcce6ef). Upon execution on Juniper SRX, the sample creates /usr/local/bin/ntds.dit and injects into legitimate processes. Network analysis shows beaconing to 10.154.222.24 every 60 seconds and DNS queries to portalsecure.site. The second stage was fetched from http://backup-backup.site/login and written to C:\\Users\\admin\\Downloads\\config.dat. The payload uses Ligolo-style techniques for defense evasion. A secondary hash (SHA256: 6536ec638a535c3e50b33b6b609d5ff7a7d2dc0076a91e195b362bba35489f3e) was extracted from the unpacked payload.", "spans": {"MALWARE: BlackCat": [[25, 33]], "HASH: db0d560b9e1d5847fb3483f2efcce6ef": [[40, 72]], "SYSTEM: Juniper SRX": [[93, 104]], "FILEPATH: /usr/local/bin/ntds.dit": [[125, 148]], "IP_ADDRESS: 10.154.222.24": [[224, 237]], "DOMAIN: portalsecure.site": [[274, 291]], "URL: http://backup-backup.site/login": [[327, 358]], "FILEPATH: C:\\Users\\admin\\Downloads\\config.dat": [[374, 409]], "TOOL: Ligolo": [[428, 434]], "HASH: 6536ec638a535c3e50b33b6b609d5ff7a7d2dc0076a91e195b362bba35489f3e": [[499, 563]]}, "info": {"id": "synth_v2_00458", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Ryuk (MD5: bf20e740299d2a3d8f9f5c812bbb729d). 
Upon execution on VMware ESXi, the sample creates C:\\Users\\admin\\AppData\\Local\\Temp\\agent.py and injects into legitimate processes. Network analysis shows beaconing to 176.51.207.206 every 60 seconds and DNS queries to secure-storage.org. The second stage was fetched from http://relayupdate.online/callback and written to C:\\Program Files\\Common Files\\backdoor.elf. The payload uses LinPEAS-style techniques for defense evasion. A secondary hash (SHA256: 17dcd73e3f9841a7ab14221b4569821faae79d57b8bd038623abeeaea8cd8976) was extracted from the unpacked payload.", "spans": {"MALWARE: Ryuk": [[25, 29]], "HASH: bf20e740299d2a3d8f9f5c812bbb729d": [[36, 68]], "SYSTEM: VMware ESXi": [[89, 100]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\agent.py": [[121, 163]], "IP_ADDRESS: 176.51.207.206": [[239, 253]], "DOMAIN: secure-storage.org": [[290, 308]], "URL: http://relayupdate.online/callback": [[344, 378]], "FILEPATH: C:\\Program Files\\Common Files\\backdoor.elf": [[394, 436]], "TOOL: LinPEAS": [[455, 462]], "HASH: 17dcd73e3f9841a7ab14221b4569821faae79d57b8bd038623abeeaea8cd8976": [[527, 591]]}, "info": {"id": "synth_v2_00459", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: StealC (MD5: caf3a29574a0d264286d69cbb23ca0dd). Upon execution on Zyxel USG, the sample creates /usr/local/bin/runtime.dll and injects into legitimate processes. Network analysis shows beaconing to 200.242.171.217 every 60 seconds and DNS queries to authsecure.site. The second stage was fetched from https://apilogin.com/assets/js/payload.js and written to C:\\Windows\\Tasks\\ntds.dit. The payload uses BloodHound-style techniques for defense evasion. 
A secondary hash (SHA1: aff07aca00be0d6ab9ebd15514ee6b275203038c) was extracted from the unpacked payload.", "spans": {"MALWARE: StealC": [[25, 31]], "HASH: caf3a29574a0d264286d69cbb23ca0dd": [[38, 70]], "SYSTEM: Zyxel USG": [[91, 100]], "FILEPATH: /usr/local/bin/runtime.dll": [[121, 147]], "IP_ADDRESS: 200.242.171.217": [[223, 238]], "DOMAIN: authsecure.site": [[275, 290]], "URL: https://apilogin.com/assets/js/payload.js": [[326, 367]], "FILEPATH: C:\\Windows\\Tasks\\ntds.dit": [[383, 408]], "TOOL: BloodHound": [[427, 437]], "HASH: aff07aca00be0d6ab9ebd15514ee6b275203038c": [[500, 540]]}, "info": {"id": "synth_v2_00460", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Gootloader (SHA256: 1a45d589534d3e92b2362f495e265dee6323e390ed4b5b4bef02cbe64a37fdee). Upon execution on Apache Struts, the sample creates /etc/cron.d/ntds.dit and injects into legitimate processes. Network analysis shows beaconing to 118.187.25.228 every 60 seconds and DNS queries to syncgateway.tech. The second stage was fetched from hxxp://updateedge.info/portal/verify and written to C:\\Windows\\Temp\\sam.hive. The payload uses Hashcat-style techniques for defense evasion. 
A secondary hash (SHA256: 17bad8601b84127127dcf1d92fba6ed58a14b726e309dc48c5d5bcf7aa7533ce) was extracted from the unpacked payload.", "spans": {"MALWARE: Gootloader": [[25, 35]], "HASH: 1a45d589534d3e92b2362f495e265dee6323e390ed4b5b4bef02cbe64a37fdee": [[45, 109]], "SYSTEM: Apache Struts": [[130, 143]], "FILEPATH: /etc/cron.d/ntds.dit": [[164, 184]], "IP_ADDRESS: 118.187.25.228": [[260, 274]], "DOMAIN: syncgateway.tech": [[311, 327]], "URL: hxxp://updateedge.info/portal/verify": [[363, 399]], "FILEPATH: C:\\Windows\\Temp\\sam.hive": [[415, 439]], "TOOL: Hashcat": [[458, 465]], "HASH: 17bad8601b84127127dcf1d92fba6ed58a14b726e309dc48c5d5bcf7aa7533ce": [[530, 594]]}, "info": {"id": "synth_v2_00461", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Cobalt Strike (SHA1: 9ae6a15f30dd1f0369f8ab22314c43b2964ac0f5). Upon execution on Zyxel USG, the sample creates C:\\Windows\\Tasks\\implant.so and injects into legitimate processes. Network analysis shows beaconing to 188.18.202.64 every 60 seconds and DNS queries to api-edge.net. The second stage was fetched from https://login-proxy.site/secure/token and written to /var/tmp/loader.exe. The payload uses BITSAdmin-style techniques for defense evasion. 
A secondary hash (SHA256: 8f23c32808ee13ce118f86368b55961b74661d08b353dd28659270cfd12108ae) was extracted from the unpacked payload.", "spans": {"MALWARE: Cobalt Strike": [[25, 38]], "HASH: 9ae6a15f30dd1f0369f8ab22314c43b2964ac0f5": [[46, 86]], "SYSTEM: Zyxel USG": [[107, 116]], "FILEPATH: C:\\Windows\\Tasks\\implant.so": [[137, 164]], "IP_ADDRESS: 188.18.202.64": [[240, 253]], "DOMAIN: api-edge.net": [[290, 302]], "URL: https://login-proxy.site/secure/token": [[338, 375]], "FILEPATH: /var/tmp/loader.exe": [[391, 410]], "TOOL: BITSAdmin": [[429, 438]], "HASH: 8f23c32808ee13ce118f86368b55961b74661d08b353dd28659270cfd12108ae": [[503, 567]]}, "info": {"id": "synth_v2_00462", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Cobalt Strike (SHA256: 45c794ef5c147bcc631648b83c754a7befc9e7f3b14fd1b68da61bddfe0b5ec8). Upon execution on Active Directory, the sample creates C:\\ProgramData\\ntds.dit and injects into legitimate processes. Network analysis shows beaconing to 10.75.51.98 every 60 seconds and DNS queries to storage-backup.site. The second stage was fetched from https://updatesecure.club/assets/js/payload.js and written to C:\\Users\\Public\\Documents\\runtime.dll. The payload uses BITSAdmin-style techniques for defense evasion. 
A secondary hash (MD5: d38b8a7b3ba3c022116f8323fa3544e2) was extracted from the unpacked payload.", "spans": {"MALWARE: Cobalt Strike": [[25, 38]], "HASH: 45c794ef5c147bcc631648b83c754a7befc9e7f3b14fd1b68da61bddfe0b5ec8": [[48, 112]], "SYSTEM: Active Directory": [[133, 149]], "FILEPATH: C:\\ProgramData\\ntds.dit": [[170, 193]], "IP_ADDRESS: 10.75.51.98": [[269, 280]], "DOMAIN: storage-backup.site": [[317, 336]], "URL: https://updatesecure.club/assets/js/payload.js": [[372, 418]], "FILEPATH: C:\\Users\\Public\\Documents\\runtime.dll": [[434, 471]], "TOOL: BITSAdmin": [[490, 499]], "HASH: d38b8a7b3ba3c022116f8323fa3544e2": [[561, 593]]}, "info": {"id": "synth_v2_00463", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: AsyncRAT (SHA1: 5f6660c5190aeb5ab686ebea38e6604a75977403). Upon execution on SonicWall SMA, the sample creates C:\\Users\\admin\\Desktop\\config.dat and injects into legitimate processes. Network analysis shows beaconing to 192.25.191.147 every 60 seconds and DNS queries to cloudgateway.info. The second stage was fetched from hxxps://sync-node.top/collect and written to /home/user/.config/backdoor.elf. The payload uses Mimikatz-style techniques for defense evasion. 
A secondary hash (SHA1: 5fcd5308e433e16f040bf4f99f7f358e4da1e866) was extracted from the unpacked payload.", "spans": {"MALWARE: AsyncRAT": [[25, 33]], "HASH: 5f6660c5190aeb5ab686ebea38e6604a75977403": [[41, 81]], "SYSTEM: SonicWall SMA": [[102, 115]], "FILEPATH: C:\\Users\\admin\\Desktop\\config.dat": [[136, 169]], "IP_ADDRESS: 192.25.191.147": [[245, 259]], "DOMAIN: cloudgateway.info": [[296, 313]], "URL: hxxps://sync-node.top/collect": [[349, 378]], "FILEPATH: /home/user/.config/backdoor.elf": [[394, 425]], "TOOL: Mimikatz": [[444, 452]], "HASH: 5fcd5308e433e16f040bf4f99f7f358e4da1e866": [[515, 555]]}, "info": {"id": "synth_v2_00464", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Royal (SHA256: b75d890df0d4a6a136a9986996698a7bcb1bb691e0951b4e2f69e2678a012502). Upon execution on Barracuda ESG, the sample creates C:\\Windows\\Tasks\\shell.php and injects into legitimate processes. Network analysis shows beaconing to 172.136.236.154 every 60 seconds and DNS queries to authdata.xyz. The second stage was fetched from https://storage-data.net/assets/js/payload.js and written to C:\\Program Files\\Common Files\\implant.so. The payload uses Hashcat-style techniques for defense evasion. 
A secondary hash (MD5: 31dbff16db7147a570b1b0010ffd24f4) was extracted from the unpacked payload.", "spans": {"MALWARE: Royal": [[25, 30]], "HASH: b75d890df0d4a6a136a9986996698a7bcb1bb691e0951b4e2f69e2678a012502": [[40, 104]], "SYSTEM: Barracuda ESG": [[125, 138]], "FILEPATH: C:\\Windows\\Tasks\\shell.php": [[159, 185]], "IP_ADDRESS: 172.136.236.154": [[261, 276]], "DOMAIN: authdata.xyz": [[313, 325]], "URL: https://storage-data.net/assets/js/payload.js": [[361, 406]], "FILEPATH: C:\\Program Files\\Common Files\\implant.so": [[422, 462]], "TOOL: Hashcat": [[481, 488]], "HASH: 31dbff16db7147a570b1b0010ffd24f4": [[550, 582]]}, "info": {"id": "synth_v2_00465", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Raccoon Stealer (MD5: 4efaa5cc8f39dc9af5ffc2fa038d0ad7). Upon execution on MOVEit Transfer, the sample creates C:\\Users\\admin\\Desktop\\backdoor.elf and injects into legitimate processes. Network analysis shows beaconing to 172.174.163.89 every 60 seconds and DNS queries to loginrelay.live. The second stage was fetched from hxxp://cloudedge.club/admin/config and written to C:\\Users\\admin\\Desktop\\update.dll. The payload uses PowerView-style techniques for defense evasion. A secondary hash (SHA1: 601539017c697f819b61cd0e3bafaa96ff1e186e) was extracted from the unpacked payload.", "spans": {"MALWARE: Raccoon Stealer": [[25, 40]], "HASH: 4efaa5cc8f39dc9af5ffc2fa038d0ad7": [[47, 79]], "SYSTEM: MOVEit Transfer": [[100, 115]], "FILEPATH: C:\\Users\\admin\\Desktop\\backdoor.elf": [[136, 171]], "IP_ADDRESS: 172.174.163.89": [[247, 261]], "DOMAIN: loginrelay.live": [[298, 313]], "URL: hxxp://cloudedge.club/admin/config": [[349, 383]], "FILEPATH: C:\\Users\\admin\\Desktop\\update.dll": [[399, 432]], "TOOL: PowerView": [[451, 460]], "HASH: 601539017c697f819b61cd0e3bafaa96ff1e186e": [[523, 563]]}, "info": {"id": "synth_v2_00466", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Dridex (SHA1: 47dd6b1f417b631910b040c525a62f2b27542b2a). 
Upon execution on Windows Server 2019, the sample creates /etc/cron.d/shell.php and injects into legitimate processes. Network analysis shows beaconing to 22.106.189.78 every 60 seconds and DNS queries to storagerelay.top. The second stage was fetched from hxxp://updatelogin.cc/collect and written to C:\\Program Files\\Common Files\\ntds.dit. The payload uses Seatbelt-style techniques for defense evasion. A secondary hash (MD5: f4b4442f3aef87cdd26fb5892817ca38) was extracted from the unpacked payload.", "spans": {"MALWARE: Dridex": [[25, 31]], "HASH: 47dd6b1f417b631910b040c525a62f2b27542b2a": [[39, 79]], "SYSTEM: Windows Server 2019": [[100, 119]], "FILEPATH: /etc/cron.d/shell.php": [[140, 161]], "IP_ADDRESS: 22.106.189.78": [[237, 250]], "DOMAIN: storagerelay.top": [[287, 303]], "URL: hxxp://updatelogin.cc/collect": [[339, 368]], "FILEPATH: C:\\Program Files\\Common Files\\ntds.dit": [[384, 422]], "TOOL: Seatbelt": [[441, 449]], "HASH: f4b4442f3aef87cdd26fb5892817ca38": [[511, 543]]}, "info": {"id": "synth_v2_00467", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Gootloader (SHA1: 37a5413cff2845393f72c0387f7399acdc4387b5). Upon execution on Palo Alto PAN-OS, the sample creates C:\\Users\\admin\\Desktop\\dropper.ps1 and injects into legitimate processes. Network analysis shows beaconing to 61.192.67.97 every 60 seconds and DNS queries to auth-portal.xyz. The second stage was fetched from hxxp://auth-cache.info/download/update.exe and written to C:\\Program Files\\Common Files\\csrss.exe. The payload uses Seatbelt-style techniques for defense evasion. 
A secondary hash (SHA1: a4d2dac1720b2b4e9e3d070b3a85200c911a8e9e) was extracted from the unpacked payload.", "spans": {"MALWARE: Gootloader": [[25, 35]], "HASH: 37a5413cff2845393f72c0387f7399acdc4387b5": [[43, 83]], "SYSTEM: Palo Alto PAN-OS": [[104, 120]], "FILEPATH: C:\\Users\\admin\\Desktop\\dropper.ps1": [[141, 175]], "IP_ADDRESS: 61.192.67.97": [[251, 263]], "DOMAIN: auth-portal.xyz": [[300, 315]], "URL: hxxp://auth-cache.info/download/update.exe": [[351, 393]], "FILEPATH: C:\\Program Files\\Common Files\\csrss.exe": [[409, 448]], "TOOL: Seatbelt": [[467, 475]], "HASH: a4d2dac1720b2b4e9e3d070b3a85200c911a8e9e": [[538, 578]]}, "info": {"id": "synth_v2_00468", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: FormBook (SHA1: e5b3ab64cb3fba938424eeaa6d09f8372ed0f3c2). Upon execution on Windows Server 2019, the sample creates C:\\Windows\\Tasks\\config.dat and injects into legitimate processes. Network analysis shows beaconing to 198.185.54.171 every 60 seconds and DNS queries to nodeedge.io. The second stage was fetched from http://dataportal.online/portal/verify and written to C:\\Users\\admin\\Downloads\\lsass.dmp. The payload uses Burp Suite-style techniques for defense evasion. A secondary hash (MD5: f8943dfeb5d491723a17c2eefef2782b) was extracted from the unpacked payload.", "spans": {"MALWARE: FormBook": [[25, 33]], "HASH: e5b3ab64cb3fba938424eeaa6d09f8372ed0f3c2": [[41, 81]], "SYSTEM: Windows Server 2019": [[102, 121]], "FILEPATH: C:\\Windows\\Tasks\\config.dat": [[142, 169]], "IP_ADDRESS: 198.185.54.171": [[245, 259]], "DOMAIN: nodeedge.io": [[296, 307]], "URL: http://dataportal.online/portal/verify": [[343, 381]], "FILEPATH: C:\\Users\\admin\\Downloads\\lsass.dmp": [[397, 431]], "TOOL: Burp Suite": [[450, 460]], "HASH: f8943dfeb5d491723a17c2eefef2782b": [[522, 554]]}, "info": {"id": "synth_v2_00469", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: WarmCookie (MD5: 8bbf21c057b0f18a069856fccf900c1e). 
Upon execution on Fortinet FortiGate, the sample creates C:\\Program Files\\Common Files\\svchost.exe and injects into legitimate processes. Network analysis shows beaconing to 192.50.196.149 every 60 seconds and DNS queries to gatewaygateway.xyz. The second stage was fetched from hxxps://static-data.org/collect and written to /opt/app/bin/implant.so. The payload uses PsExec-style techniques for defense evasion. A secondary hash (MD5: 59ecdab799d91d8c481bd60f3e7f51cd) was extracted from the unpacked payload.", "spans": {"MALWARE: WarmCookie": [[25, 35]], "HASH: 8bbf21c057b0f18a069856fccf900c1e": [[42, 74]], "SYSTEM: Fortinet FortiGate": [[95, 113]], "FILEPATH: C:\\Program Files\\Common Files\\svchost.exe": [[134, 175]], "IP_ADDRESS: 192.50.196.149": [[251, 265]], "DOMAIN: gatewaygateway.xyz": [[302, 320]], "URL: hxxps://static-data.org/collect": [[356, 387]], "FILEPATH: /opt/app/bin/implant.so": [[403, 426]], "TOOL: PsExec": [[445, 451]], "HASH: 59ecdab799d91d8c481bd60f3e7f51cd": [[513, 545]]}, "info": {"id": "synth_v2_00470", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: DanaBot (SHA1: 4a57f53781261ca8adc97b2e6444efbca9a5bf46). Upon execution on MOVEit Transfer, the sample creates C:\\Windows\\System32\\agent.py and injects into legitimate processes. Network analysis shows beaconing to 172.11.199.142 every 60 seconds and DNS queries to secure-relay.tech. The second stage was fetched from hxxp://secure-proxy.dev/secure/token and written to C:\\ProgramData\\svchost.exe. The payload uses SharpHound-style techniques for defense evasion. 
A secondary hash (MD5: e033fab917f42b69c3e0e2edae4552e9) was extracted from the unpacked payload.", "spans": {"MALWARE: DanaBot": [[25, 32]], "HASH: 4a57f53781261ca8adc97b2e6444efbca9a5bf46": [[40, 80]], "SYSTEM: MOVEit Transfer": [[101, 116]], "FILEPATH: C:\\Windows\\System32\\agent.py": [[137, 165]], "IP_ADDRESS: 172.11.199.142": [[241, 255]], "DOMAIN: secure-relay.tech": [[292, 309]], "URL: hxxp://secure-proxy.dev/secure/token": [[345, 381]], "FILEPATH: C:\\ProgramData\\svchost.exe": [[397, 423]], "TOOL: SharpHound": [[442, 452]], "HASH: e033fab917f42b69c3e0e2edae4552e9": [[514, 546]]}, "info": {"id": "synth_v2_00471", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: ShadowPad (MD5: 919bfc3c41e1402c36e73f1d0c4f3666). Upon execution on SonicWall SMA, the sample creates C:\\Users\\admin\\AppData\\Local\\Temp\\ntds.dit and injects into legitimate processes. Network analysis shows beaconing to 62.90.236.129 every 60 seconds and DNS queries to static-storage.live. The second stage was fetched from hxxps://data-relay.club/login and written to /dev/shm/lsass.dmp. The payload uses Impacket-style techniques for defense evasion. A secondary hash (SHA256: d730ce66b507164e8fd30ccbd579f134dae1ad2e34d8a0837d387a1cab78a2d6) was extracted from the unpacked payload.", "spans": {"MALWARE: ShadowPad": [[25, 34]], "HASH: 919bfc3c41e1402c36e73f1d0c4f3666": [[41, 73]], "SYSTEM: SonicWall SMA": [[94, 107]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\ntds.dit": [[128, 170]], "IP_ADDRESS: 62.90.236.129": [[246, 259]], "DOMAIN: static-storage.live": [[296, 315]], "URL: hxxps://data-relay.club/login": [[351, 380]], "FILEPATH: /dev/shm/lsass.dmp": [[396, 414]], "TOOL: Impacket": [[433, 441]], "HASH: d730ce66b507164e8fd30ccbd579f134dae1ad2e34d8a0837d387a1cab78a2d6": [[506, 570]]}, "info": {"id": "synth_v2_00472", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: SmokeLoader (SHA1: c08e0c725714bf8570a291a2c66071fdbc6cb980). 
Upon execution on MOVEit Transfer, the sample creates C:\\Users\\Public\\Documents\\taskhost.exe and injects into legitimate processes. Network analysis shows beaconing to 192.12.224.124 every 60 seconds and DNS queries to backup-portal.live. The second stage was fetched from http://mail-portal.club/callback and written to C:\\Windows\\System32\\backdoor.elf. The payload uses Seatbelt-style techniques for defense evasion. A secondary hash (SHA1: 4787461f448bbb60dcee1fe14136b6391be77f79) was extracted from the unpacked payload.", "spans": {"MALWARE: SmokeLoader": [[25, 36]], "HASH: c08e0c725714bf8570a291a2c66071fdbc6cb980": [[44, 84]], "SYSTEM: MOVEit Transfer": [[105, 120]], "FILEPATH: C:\\Users\\Public\\Documents\\taskhost.exe": [[141, 179]], "IP_ADDRESS: 192.12.224.124": [[255, 269]], "DOMAIN: backup-portal.live": [[306, 324]], "URL: http://mail-portal.club/callback": [[360, 392]], "FILEPATH: C:\\Windows\\System32\\backdoor.elf": [[408, 440]], "TOOL: Seatbelt": [[459, 467]], "HASH: 4787461f448bbb60dcee1fe14136b6391be77f79": [[530, 570]]}, "info": {"id": "synth_v2_00473", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Conti (SHA1: 8648cd3dacd28a83b0e1afdb62c16f0b8026ef55). Upon execution on Zyxel USG, the sample creates /usr/local/bin/winlogon.exe and injects into legitimate processes. Network analysis shows beaconing to 106.173.72.234 every 60 seconds and DNS queries to proxy-cloud.info. The second stage was fetched from http://storage-api.online/wp-content/uploads/doc.php and written to /home/user/.config/sam.hive. The payload uses Hashcat-style techniques for defense evasion. 
A secondary hash (SHA256: 2526e71c692da3557d475d25f097fd45d9c24627b166b9d4cfedf1c513536d4e) was extracted from the unpacked payload.", "spans": {"MALWARE: Conti": [[25, 30]], "HASH: 8648cd3dacd28a83b0e1afdb62c16f0b8026ef55": [[38, 78]], "SYSTEM: Zyxel USG": [[99, 108]], "FILEPATH: /usr/local/bin/winlogon.exe": [[129, 156]], "IP_ADDRESS: 106.173.72.234": [[232, 246]], "DOMAIN: proxy-cloud.info": [[283, 299]], "URL: http://storage-api.online/wp-content/uploads/doc.php": [[335, 387]], "FILEPATH: /home/user/.config/sam.hive": [[403, 430]], "TOOL: Hashcat": [[449, 456]], "HASH: 2526e71c692da3557d475d25f097fd45d9c24627b166b9d4cfedf1c513536d4e": [[521, 585]]}, "info": {"id": "synth_v2_00474", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: SmokeLoader (SHA1: 9584cb70cb8282c427bf1660bf14b62c677b6a0b). Upon execution on Progress Telerik, the sample creates C:\\Windows\\Tasks\\agent.py and injects into legitimate processes. Network analysis shows beaconing to 10.75.147.7 every 60 seconds and DNS queries to mail-cache.tech. The second stage was fetched from https://backupsecure.cc/gate.php and written to C:\\Windows\\System32\\payload.bin. The payload uses CrackMapExec-style techniques for defense evasion. A secondary hash (MD5: b7edfd8aab9ba2b64ff5535795def4e1) was extracted from the unpacked payload.", "spans": {"MALWARE: SmokeLoader": [[25, 36]], "HASH: 9584cb70cb8282c427bf1660bf14b62c677b6a0b": [[44, 84]], "SYSTEM: Progress Telerik": [[105, 121]], "FILEPATH: C:\\Windows\\Tasks\\agent.py": [[142, 167]], "IP_ADDRESS: 10.75.147.7": [[243, 254]], "DOMAIN: mail-cache.tech": [[291, 306]], "URL: https://backupsecure.cc/gate.php": [[342, 374]], "FILEPATH: C:\\Windows\\System32\\payload.bin": [[390, 421]], "TOOL: CrackMapExec": [[440, 452]], "HASH: b7edfd8aab9ba2b64ff5535795def4e1": [[514, 546]]}, "info": {"id": "synth_v2_00475", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Gootloader (MD5: 0fa957d45d185b9ead181417bbe49afc). 
Upon execution on Cisco ASA, the sample creates C:\\Windows\\System32\\shell.php and injects into legitimate processes. Network analysis shows beaconing to 10.108.155.38 every 60 seconds and DNS queries to sync-mail.club. The second stage was fetched from hxxp://proxystatic.dev/secure/token and written to /opt/app/bin/loader.exe. The payload uses Chisel-style techniques for defense evasion. A secondary hash (MD5: b9980573972767191297fb77de215e3d) was extracted from the unpacked payload.", "spans": {"MALWARE: Gootloader": [[25, 35]], "HASH: 0fa957d45d185b9ead181417bbe49afc": [[42, 74]], "SYSTEM: Cisco ASA": [[95, 104]], "FILEPATH: C:\\Windows\\System32\\shell.php": [[125, 154]], "IP_ADDRESS: 10.108.155.38": [[230, 243]], "DOMAIN: sync-mail.club": [[280, 294]], "URL: hxxp://proxystatic.dev/secure/token": [[330, 365]], "FILEPATH: /opt/app/bin/loader.exe": [[381, 404]], "TOOL: Chisel": [[423, 429]], "HASH: b9980573972767191297fb77de215e3d": [[491, 523]]}, "info": {"id": "synth_v2_00476", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Qbot (SHA1: fed7c75d6a4b030a16de5e83a4c280bd58ef530f). Upon execution on Windows Server 2019, the sample creates /tmp/csrss.exe and injects into legitimate processes. Network analysis shows beaconing to 45.247.194.4 every 60 seconds and DNS queries to storage-data.info. The second stage was fetched from hxxps://data-login.info/admin/config and written to /dev/shm/sam.hive. The payload uses BITSAdmin-style techniques for defense evasion. 
A secondary hash (SHA256: a75e25e172a2a638b95d456027eb208ccd3444f50e708004f35544a7cde37c08) was extracted from the unpacked payload.", "spans": {"MALWARE: Qbot": [[25, 29]], "HASH: fed7c75d6a4b030a16de5e83a4c280bd58ef530f": [[37, 77]], "SYSTEM: Windows Server 2019": [[98, 117]], "FILEPATH: /tmp/csrss.exe": [[138, 152]], "IP_ADDRESS: 45.247.194.4": [[228, 240]], "DOMAIN: storage-data.info": [[277, 294]], "URL: hxxps://data-login.info/admin/config": [[330, 366]], "FILEPATH: /dev/shm/sam.hive": [[382, 399]], "TOOL: BITSAdmin": [[418, 427]], "HASH: a75e25e172a2a638b95d456027eb208ccd3444f50e708004f35544a7cde37c08": [[492, 556]]}, "info": {"id": "synth_v2_00477", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: PikaBot (SHA256: aa99d917cc14b6692ec9bc0a0a9d2955d60c5a65088b66fc5ca4a6dce8d4fb8f). Upon execution on Fortinet FortiGate, the sample creates C:\\Windows\\Tasks\\shell.php and injects into legitimate processes. Network analysis shows beaconing to 172.16.204.161 every 60 seconds and DNS queries to storage-node.net. The second stage was fetched from hxxps://edgeedge.live/login and written to /var/tmp/helper.sh. The payload uses Nmap-style techniques for defense evasion. A secondary hash (SHA1: 1f933a494c3af43a16567aa667424939d7481342) was extracted from the unpacked payload.", "spans": {"MALWARE: PikaBot": [[25, 32]], "HASH: aa99d917cc14b6692ec9bc0a0a9d2955d60c5a65088b66fc5ca4a6dce8d4fb8f": [[42, 106]], "SYSTEM: Fortinet FortiGate": [[127, 145]], "FILEPATH: C:\\Windows\\Tasks\\shell.php": [[166, 192]], "IP_ADDRESS: 172.16.204.161": [[268, 282]], "DOMAIN: storage-node.net": [[319, 335]], "URL: hxxps://edgeedge.live/login": [[371, 398]], "FILEPATH: /var/tmp/helper.sh": [[414, 432]], "TOOL: Nmap": [[451, 455]], "HASH: 1f933a494c3af43a16567aa667424939d7481342": [[518, 558]]}, "info": {"id": "synth_v2_00478", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: BumbleBee (SHA256: 98921383598b2a74931dcd7c7a308e1d8f3f79239a9bc6197c307e7ce16f2682). 
Upon execution on Barracuda ESG, the sample creates /var/tmp/helper.sh and injects into legitimate processes. Network analysis shows beaconing to 46.20.136.142 every 60 seconds and DNS queries to apicloud.club. The second stage was fetched from hxxps://login-node.info/wp-content/uploads/doc.php and written to /dev/shm/sam.hive. The payload uses Metasploit-style techniques for defense evasion. A secondary hash (SHA1: 3db215e69b8bc659c0c220461861b6b6e25a99cb) was extracted from the unpacked payload.", "spans": {"MALWARE: BumbleBee": [[25, 34]], "HASH: 98921383598b2a74931dcd7c7a308e1d8f3f79239a9bc6197c307e7ce16f2682": [[44, 108]], "SYSTEM: Barracuda ESG": [[129, 142]], "FILEPATH: /var/tmp/helper.sh": [[163, 181]], "IP_ADDRESS: 46.20.136.142": [[257, 270]], "DOMAIN: apicloud.club": [[307, 320]], "URL: hxxps://login-node.info/wp-content/uploads/doc.php": [[356, 406]], "FILEPATH: /dev/shm/sam.hive": [[422, 439]], "TOOL: Metasploit": [[458, 468]], "HASH: 3db215e69b8bc659c0c220461861b6b6e25a99cb": [[531, 571]]}, "info": {"id": "synth_v2_00479", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: QakBot (MD5: 593c7fa0991758f58d75902e351c684f). Upon execution on Progress Telerik, the sample creates C:\\Program Files\\Common Files\\taskhost.exe and injects into legitimate processes. Network analysis shows beaconing to 10.244.59.114 every 60 seconds and DNS queries to proxy-cloud.net. The second stage was fetched from hxxps://static-proxy.info/collect and written to C:\\Windows\\Tasks\\runtime.dll. The payload uses BITSAdmin-style techniques for defense evasion. 
A secondary hash (SHA1: 62957172a14d2754ee354f14ba81f5911cdb99e0) was extracted from the unpacked payload.", "spans": {"MALWARE: QakBot": [[25, 31]], "HASH: 593c7fa0991758f58d75902e351c684f": [[38, 70]], "SYSTEM: Progress Telerik": [[91, 107]], "FILEPATH: C:\\Program Files\\Common Files\\taskhost.exe": [[128, 170]], "IP_ADDRESS: 10.244.59.114": [[246, 259]], "DOMAIN: proxy-cloud.net": [[296, 311]], "URL: hxxps://static-proxy.info/collect": [[347, 380]], "FILEPATH: C:\\Windows\\Tasks\\runtime.dll": [[396, 424]], "TOOL: BITSAdmin": [[443, 452]], "HASH: 62957172a14d2754ee354f14ba81f5911cdb99e0": [[515, 555]]}, "info": {"id": "synth_v2_00480", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: ShadowPad (SHA256: 7304c425d49a8e5e315daa4d88d2974f92112722312a3522a9fb38d862025223). Upon execution on Fortinet FortiGate, the sample creates /usr/local/bin/dropper.ps1 and injects into legitimate processes. Network analysis shows beaconing to 154.138.252.162 every 60 seconds and DNS queries to storage-node.online. The second stage was fetched from hxxp://backupsync.live/secure/token and written to /home/user/.config/sam.hive. The payload uses Metasploit-style techniques for defense evasion. 
A secondary hash (MD5: fccefff77d0b9b5868617ca508e5e143) was extracted from the unpacked payload.", "spans": {"MALWARE: ShadowPad": [[25, 34]], "HASH: 7304c425d49a8e5e315daa4d88d2974f92112722312a3522a9fb38d862025223": [[44, 108]], "SYSTEM: Fortinet FortiGate": [[129, 147]], "FILEPATH: /usr/local/bin/dropper.ps1": [[168, 194]], "IP_ADDRESS: 154.138.252.162": [[270, 285]], "DOMAIN: storage-node.online": [[322, 341]], "URL: hxxp://backupsync.live/secure/token": [[377, 412]], "FILEPATH: /home/user/.config/sam.hive": [[428, 455]], "TOOL: Metasploit": [[474, 484]], "HASH: fccefff77d0b9b5868617ca508e5e143": [[546, 578]]}, "info": {"id": "synth_v2_00481", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Qbot (SHA256: b0191c351d0d22de2dd1aa02c95ed34c35bbd58dc64ed8ac7b6a0a1c449b1ecb). Upon execution on Apache Struts, the sample creates C:\\Users\\Public\\Documents\\helper.sh and injects into legitimate processes. Network analysis shows beaconing to 127.83.91.17 every 60 seconds and DNS queries to backupauth.dev. The second stage was fetched from hxxp://storageedge.live/wp-content/uploads/doc.php and written to /tmp/agent.py. The payload uses LaZagne-style techniques for defense evasion. A secondary hash (MD5: 964fe0738b8fc2c4b52a283067ebac5f) was extracted from the unpacked payload.", "spans": {"MALWARE: Qbot": [[25, 29]], "HASH: b0191c351d0d22de2dd1aa02c95ed34c35bbd58dc64ed8ac7b6a0a1c449b1ecb": [[39, 103]], "SYSTEM: Apache Struts": [[124, 137]], "FILEPATH: C:\\Users\\Public\\Documents\\helper.sh": [[158, 193]], "IP_ADDRESS: 127.83.91.17": [[269, 281]], "DOMAIN: backupauth.dev": [[318, 332]], "URL: hxxp://storageedge.live/wp-content/uploads/doc.php": [[368, 418]], "FILEPATH: /tmp/agent.py": [[434, 447]], "TOOL: LaZagne": [[466, 473]], "HASH: 964fe0738b8fc2c4b52a283067ebac5f": [[535, 567]]}, "info": {"id": "synth_v2_00482", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: RemcosRAT (SHA1: 0be5131d1251566b9f5c53b1f98c265fcb8c51d6). 
Upon execution on Active Directory, the sample creates /dev/shm/implant.so and injects into legitimate processes. Network analysis shows beaconing to 192.153.107.147 every 60 seconds and DNS queries to storage-secure.xyz. The second stage was fetched from hxxp://securesecure.cc/secure/token and written to C:\\Program Files\\Common Files\\backdoor.elf. The payload uses PsExec-style techniques for defense evasion. A secondary hash (MD5: 3bf5d4693e8e2b41b032e61e4fb11d0e) was extracted from the unpacked payload.", "spans": {"MALWARE: RemcosRAT": [[25, 34]], "HASH: 0be5131d1251566b9f5c53b1f98c265fcb8c51d6": [[42, 82]], "SYSTEM: Active Directory": [[103, 119]], "FILEPATH: /dev/shm/implant.so": [[140, 159]], "IP_ADDRESS: 192.153.107.147": [[235, 250]], "DOMAIN: storage-secure.xyz": [[287, 305]], "URL: hxxp://securesecure.cc/secure/token": [[341, 376]], "FILEPATH: C:\\Program Files\\Common Files\\backdoor.elf": [[392, 434]], "TOOL: PsExec": [[453, 459]], "HASH: 3bf5d4693e8e2b41b032e61e4fb11d0e": [[521, 553]]}, "info": {"id": "synth_v2_00483", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Amadey (MD5: 9a8498dccb0eed04eb677e42538741ae). Upon execution on Active Directory, the sample creates C:\\Program Files\\Common Files\\csrss.exe and injects into legitimate processes. Network analysis shows beaconing to 172.170.181.213 every 60 seconds and DNS queries to relaybackup.site. The second stage was fetched from http://gatewayupdate.link/login and written to C:\\Windows\\System32\\sam.hive. The payload uses Seatbelt-style techniques for defense evasion. 
A secondary hash (MD5: cbf76c746f083ba8ed2f13f838427256) was extracted from the unpacked payload.", "spans": {"MALWARE: Amadey": [[25, 31]], "HASH: 9a8498dccb0eed04eb677e42538741ae": [[38, 70]], "SYSTEM: Active Directory": [[91, 107]], "FILEPATH: C:\\Program Files\\Common Files\\csrss.exe": [[128, 167]], "IP_ADDRESS: 172.170.181.213": [[243, 258]], "DOMAIN: relaybackup.site": [[295, 311]], "URL: http://gatewayupdate.link/login": [[347, 378]], "FILEPATH: C:\\Windows\\System32\\sam.hive": [[394, 422]], "TOOL: Seatbelt": [[441, 449]], "HASH: cbf76c746f083ba8ed2f13f838427256": [[511, 543]]}, "info": {"id": "synth_v2_00484", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: TrickBot (SHA1: 5ba325473f41beb4cb02c4a65e20e8074e1fb9d8). Upon execution on Fortinet FortiGate, the sample creates C:\\Windows\\Tasks\\backdoor.elf and injects into legitimate processes. Network analysis shows beaconing to 192.131.150.214 every 60 seconds and DNS queries to updatestorage.site. The second stage was fetched from hxxp://storageedge.io/wp-content/uploads/doc.php and written to C:\\Users\\Public\\Documents\\chrome_helper.exe. The payload uses PsExec-style techniques for defense evasion. 
A secondary hash (SHA256: 559214a0883554e8ce7423b32eb5d7c90bcfcb3301295a52974f872d4790b29c) was extracted from the unpacked payload.", "spans": {"MALWARE: TrickBot": [[25, 33]], "HASH: 5ba325473f41beb4cb02c4a65e20e8074e1fb9d8": [[41, 81]], "SYSTEM: Fortinet FortiGate": [[102, 120]], "FILEPATH: C:\\Windows\\Tasks\\backdoor.elf": [[141, 170]], "IP_ADDRESS: 192.131.150.214": [[246, 261]], "DOMAIN: updatestorage.site": [[298, 316]], "URL: hxxp://storageedge.io/wp-content/uploads/doc.php": [[352, 400]], "FILEPATH: C:\\Users\\Public\\Documents\\chrome_helper.exe": [[416, 459]], "TOOL: PsExec": [[478, 484]], "HASH: 559214a0883554e8ce7423b32eb5d7c90bcfcb3301295a52974f872d4790b29c": [[549, 613]]}, "info": {"id": "synth_v2_00485", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: RemcosRAT (SHA1: 482393b92e93272acfc55fcd209ae30a0c834e74). Upon execution on Citrix NetScaler, the sample creates /etc/cron.d/sam.hive and injects into legitimate processes. Network analysis shows beaconing to 12.199.249.64 every 60 seconds and DNS queries to staticcache.site. The second stage was fetched from https://auth-cdn.top/portal/verify and written to /home/user/.config/taskhost.exe. The payload uses PowerShell Empire-style techniques for defense evasion. 
A secondary hash (MD5: 69031d3a0930758ba6a0a5730c0f3aeb) was extracted from the unpacked payload.", "spans": {"MALWARE: RemcosRAT": [[25, 34]], "HASH: 482393b92e93272acfc55fcd209ae30a0c834e74": [[42, 82]], "SYSTEM: Citrix NetScaler": [[103, 119]], "FILEPATH: /etc/cron.d/sam.hive": [[140, 160]], "IP_ADDRESS: 12.199.249.64": [[236, 249]], "DOMAIN: staticcache.site": [[286, 302]], "URL: https://auth-cdn.top/portal/verify": [[338, 372]], "FILEPATH: /home/user/.config/taskhost.exe": [[388, 419]], "TOOL: PowerShell Empire": [[438, 455]], "HASH: 69031d3a0930758ba6a0a5730c0f3aeb": [[517, 549]]}, "info": {"id": "synth_v2_00486", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: IcedID (MD5: 1c6f5b628d7c1c6a7567417e921ac4dc). Upon execution on Atlassian Confluence, the sample creates /home/user/.config/svchost.exe and injects into legitimate processes. Network analysis shows beaconing to 212.77.77.151 every 60 seconds and DNS queries to cachecloud.io. The second stage was fetched from https://relay-data.tech/panel/index.html and written to C:\\Windows\\System32\\chrome_helper.exe. The payload uses Havoc-style techniques for defense evasion. A secondary hash (SHA1: 4f2c2996e0e6f95ae5c6913e8e550acf30df8160) was extracted from the unpacked payload.", "spans": {"MALWARE: IcedID": [[25, 31]], "HASH: 1c6f5b628d7c1c6a7567417e921ac4dc": [[38, 70]], "SYSTEM: Atlassian Confluence": [[91, 111]], "FILEPATH: /home/user/.config/svchost.exe": [[132, 162]], "IP_ADDRESS: 212.77.77.151": [[238, 251]], "DOMAIN: cachecloud.io": [[288, 301]], "URL: https://relay-data.tech/panel/index.html": [[337, 377]], "FILEPATH: C:\\Windows\\System32\\chrome_helper.exe": [[393, 430]], "TOOL: Havoc": [[449, 454]], "HASH: 4f2c2996e0e6f95ae5c6913e8e550acf30df8160": [[517, 557]]}, "info": {"id": "synth_v2_00487", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: RedLine Stealer (MD5: 656ed3f42968adc273f602ccc67f309c). 
Upon execution on F5 BIG-IP, the sample creates C:\\Users\\Public\\Documents\\ntds.dit and injects into legitimate processes. Network analysis shows beaconing to 10.164.239.59 every 60 seconds and DNS queries to mailstorage.xyz. The second stage was fetched from hxxps://syncstatic.club/download/update.exe and written to C:\\Program Files\\Common Files\\lsass.dmp. The payload uses GhostPack-style techniques for defense evasion. A secondary hash (SHA1: 3303b9970116a672b15849dff7cc64b066a1df02) was extracted from the unpacked payload.", "spans": {"MALWARE: RedLine Stealer": [[25, 40]], "HASH: 656ed3f42968adc273f602ccc67f309c": [[47, 79]], "SYSTEM: F5 BIG-IP": [[100, 109]], "FILEPATH: C:\\Users\\Public\\Documents\\ntds.dit": [[130, 164]], "IP_ADDRESS: 10.164.239.59": [[240, 253]], "DOMAIN: mailstorage.xyz": [[290, 305]], "URL: hxxps://syncstatic.club/download/update.exe": [[341, 384]], "FILEPATH: C:\\Program Files\\Common Files\\lsass.dmp": [[400, 439]], "TOOL: GhostPack": [[458, 467]], "HASH: 3303b9970116a672b15849dff7cc64b066a1df02": [[530, 570]]}, "info": {"id": "synth_v2_00488", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: QakBot (SHA1: f376a013d7d6e905e76ba50ef762622a4bd8450a). Upon execution on Ubuntu 22.04, the sample creates C:\\Users\\Public\\Documents\\dropper.ps1 and injects into legitimate processes. Network analysis shows beaconing to 5.223.16.246 every 60 seconds and DNS queries to edgeproxy.info. The second stage was fetched from hxxps://apiapi.cc/panel/index.html and written to C:\\Users\\admin\\Downloads\\loader.exe. The payload uses Havoc-style techniques for defense evasion. 
A secondary hash (SHA256: afcd9fa3caaf48b4a5db4d56b983ed81183dba00c855e2fa2d0fe29f8828750b) was extracted from the unpacked payload.", "spans": {"MALWARE: QakBot": [[25, 31]], "HASH: f376a013d7d6e905e76ba50ef762622a4bd8450a": [[39, 79]], "SYSTEM: Ubuntu 22.04": [[100, 112]], "FILEPATH: C:\\Users\\Public\\Documents\\dropper.ps1": [[133, 170]], "IP_ADDRESS: 5.223.16.246": [[246, 258]], "DOMAIN: edgeproxy.info": [[295, 309]], "URL: hxxps://apiapi.cc/panel/index.html": [[345, 379]], "FILEPATH: C:\\Users\\admin\\Downloads\\loader.exe": [[395, 430]], "TOOL: Havoc": [[449, 454]], "HASH: afcd9fa3caaf48b4a5db4d56b983ed81183dba00c855e2fa2d0fe29f8828750b": [[519, 583]]}, "info": {"id": "synth_v2_00489", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: DanaBot (MD5: cab28bc724e690110520b9a7a5711ea0). Upon execution on Cisco ASA, the sample creates C:\\Users\\admin\\Desktop\\shell.php and injects into legitimate processes. Network analysis shows beaconing to 10.220.141.120 every 60 seconds and DNS queries to loginstorage.net. The second stage was fetched from http://cache-storage.online/login and written to /home/user/.config/svchost.exe. The payload uses ADFind-style techniques for defense evasion. A secondary hash (SHA1: 35b391a9966267c5591fb88da2c767c44969b69d) was extracted from the unpacked payload.", "spans": {"MALWARE: DanaBot": [[25, 32]], "HASH: cab28bc724e690110520b9a7a5711ea0": [[39, 71]], "SYSTEM: Cisco ASA": [[92, 101]], "FILEPATH: C:\\Users\\admin\\Desktop\\shell.php": [[122, 154]], "IP_ADDRESS: 10.220.141.120": [[230, 244]], "DOMAIN: loginstorage.net": [[281, 297]], "URL: http://cache-storage.online/login": [[333, 366]], "FILEPATH: /home/user/.config/svchost.exe": [[382, 412]], "TOOL: ADFind": [[431, 437]], "HASH: 35b391a9966267c5591fb88da2c767c44969b69d": [[500, 540]]}, "info": {"id": "synth_v2_00490", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: TrickBot (SHA256: 042c30c39a05b61bb0a77b5c5911822a9e817a0d5354e1a7e1a20ca5f7fcf353). 
Upon execution on Fortinet FortiGate, the sample creates C:\\Windows\\System32\\runtime.dll and injects into legitimate processes. Network analysis shows beaconing to 110.77.132.220 every 60 seconds and DNS queries to cache-storage.io. The second stage was fetched from https://cloudcache.dev/assets/js/payload.js and written to C:\\Windows\\System32\\runtime.dll. The payload uses Burp Suite-style techniques for defense evasion. A secondary hash (SHA256: 2a6f6439b8309b304293caa454b7706379f3f9f624be25a6335924aaac78f102) was extracted from the unpacked payload.", "spans": {"MALWARE: TrickBot": [[25, 33]], "HASH: 042c30c39a05b61bb0a77b5c5911822a9e817a0d5354e1a7e1a20ca5f7fcf353": [[43, 107]], "SYSTEM: Fortinet FortiGate": [[128, 146]], "FILEPATH: C:\\Windows\\System32\\runtime.dll": [[167, 198], [167, 198]], "IP_ADDRESS: 110.77.132.220": [[274, 288]], "DOMAIN: cache-storage.io": [[325, 341]], "URL: https://cloudcache.dev/assets/js/payload.js": [[377, 420]], "TOOL: Burp Suite": [[486, 496]], "HASH: 2a6f6439b8309b304293caa454b7706379f3f9f624be25a6335924aaac78f102": [[561, 625]]}, "info": {"id": "synth_v2_00491", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Ryuk (SHA256: 0bfa99d2f8fc186e37db2479b4d84e380a772b42912f043dab5073a52b14d95d). Upon execution on Cisco ASA, the sample creates /etc/cron.d/svchost.exe and injects into legitimate processes. Network analysis shows beaconing to 10.178.35.84 every 60 seconds and DNS queries to datacloud.xyz. The second stage was fetched from hxxp://securegateway.info/wp-content/uploads/doc.php and written to C:\\Windows\\System32\\sam.hive. The payload uses Metasploit-style techniques for defense evasion. 
A secondary hash (SHA1: 70ffc0baed8a5d92220203cf51a4451e1d8c28e9) was extracted from the unpacked payload.", "spans": {"MALWARE: Ryuk": [[25, 29]], "HASH: 0bfa99d2f8fc186e37db2479b4d84e380a772b42912f043dab5073a52b14d95d": [[39, 103]], "SYSTEM: Cisco ASA": [[124, 133]], "FILEPATH: /etc/cron.d/svchost.exe": [[154, 177]], "IP_ADDRESS: 10.178.35.84": [[253, 265]], "DOMAIN: datacloud.xyz": [[302, 315]], "URL: hxxp://securegateway.info/wp-content/uploads/doc.php": [[351, 403]], "FILEPATH: C:\\Windows\\System32\\sam.hive": [[419, 447]], "TOOL: Metasploit": [[466, 476]], "HASH: 70ffc0baed8a5d92220203cf51a4451e1d8c28e9": [[539, 579]]}, "info": {"id": "synth_v2_00492", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: TrickBot (MD5: 965479a704fa32bab5e0cf9f11c57914). Upon execution on Progress Telerik, the sample creates C:\\Users\\Public\\Documents\\config.dat and injects into legitimate processes. Network analysis shows beaconing to 172.25.228.113 every 60 seconds and DNS queries to cloudcloud.link. The second stage was fetched from hxxp://cacheauth.net/panel/index.html and written to /tmp/taskhost.exe. The payload uses PowerShell Empire-style techniques for defense evasion. A secondary hash (SHA1: 40cc44ccc5e0788b38d8cbea6db6e2fe7239ae4e) was extracted from the unpacked payload.", "spans": {"MALWARE: TrickBot": [[25, 33]], "HASH: 965479a704fa32bab5e0cf9f11c57914": [[40, 72]], "SYSTEM: Progress Telerik": [[93, 109]], "FILEPATH: C:\\Users\\Public\\Documents\\config.dat": [[130, 166]], "IP_ADDRESS: 172.25.228.113": [[242, 256]], "DOMAIN: cloudcloud.link": [[293, 308]], "URL: hxxp://cacheauth.net/panel/index.html": [[344, 381]], "FILEPATH: /tmp/taskhost.exe": [[397, 414]], "TOOL: PowerShell Empire": [[433, 450]], "HASH: 40cc44ccc5e0788b38d8cbea6db6e2fe7239ae4e": [[513, 553]]}, "info": {"id": "synth_v2_00493", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: AgentTesla (SHA1: 980de35503d3e0af1a04bbc9ac37b63390ea5d78). 
Upon execution on Ubuntu 22.04, the sample creates C:\\Users\\admin\\Desktop\\taskhost.exe and injects into legitimate processes. Network analysis shows beaconing to 49.107.46.205 every 60 seconds and DNS queries to proxysync.io. The second stage was fetched from http://relay-update.com/callback and written to /etc/cron.d/csrss.exe. The payload uses Burp Suite-style techniques for defense evasion. A secondary hash (MD5: 5acdd74763101d811adb11e7aeefca79) was extracted from the unpacked payload.", "spans": {"MALWARE: AgentTesla": [[25, 35]], "HASH: 980de35503d3e0af1a04bbc9ac37b63390ea5d78": [[43, 83]], "SYSTEM: Ubuntu 22.04": [[104, 116]], "FILEPATH: C:\\Users\\admin\\Desktop\\taskhost.exe": [[137, 172]], "IP_ADDRESS: 49.107.46.205": [[248, 261]], "DOMAIN: proxysync.io": [[298, 310]], "URL: http://relay-update.com/callback": [[346, 378]], "FILEPATH: /etc/cron.d/csrss.exe": [[394, 415]], "TOOL: Burp Suite": [[434, 444]], "HASH: 5acdd74763101d811adb11e7aeefca79": [[506, 538]]}, "info": {"id": "synth_v2_00494", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: XLoader (SHA1: 72870d93124dd78257809bf270518453fa40fbd0). Upon execution on F5 BIG-IP, the sample creates C:\\Windows\\Temp\\payload.bin and injects into legitimate processes. Network analysis shows beaconing to 192.43.199.225 every 60 seconds and DNS queries to updatesync.club. The second stage was fetched from hxxp://cdnlogin.live/download/update.exe and written to C:\\Windows\\System32\\payload.bin. The payload uses WinPEAS-style techniques for defense evasion. 
A secondary hash (MD5: 3e4c82a1227b21453e5e3b60bd30df8f) was extracted from the unpacked payload.", "spans": {"MALWARE: XLoader": [[25, 32]], "HASH: 72870d93124dd78257809bf270518453fa40fbd0": [[40, 80]], "SYSTEM: F5 BIG-IP": [[101, 110]], "FILEPATH: C:\\Windows\\Temp\\payload.bin": [[131, 158]], "IP_ADDRESS: 192.43.199.225": [[234, 248]], "DOMAIN: updatesync.club": [[285, 300]], "URL: hxxp://cdnlogin.live/download/update.exe": [[336, 376]], "FILEPATH: C:\\Windows\\System32\\payload.bin": [[392, 423]], "TOOL: WinPEAS": [[442, 449]], "HASH: 3e4c82a1227b21453e5e3b60bd30df8f": [[511, 543]]}, "info": {"id": "synth_v2_00495", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Cobalt Strike (SHA256: ce61355c704f0b1b6de291d93d6b8191230b4adadc6fcb8c660e98acb3e344df). Upon execution on Apache Struts, the sample creates C:\\Users\\Public\\Documents\\config.dat and injects into legitimate processes. Network analysis shows beaconing to 192.150.190.159 every 60 seconds and DNS queries to securegateway.org. The second stage was fetched from hxxp://node-login.club/secure/token and written to C:\\Windows\\Temp\\beacon.dll. The payload uses SharpHound-style techniques for defense evasion. 
A secondary hash (SHA1: 11f2517e8b3be34112c61234c09bd4369494e438) was extracted from the unpacked payload.", "spans": {"MALWARE: Cobalt Strike": [[25, 38]], "HASH: ce61355c704f0b1b6de291d93d6b8191230b4adadc6fcb8c660e98acb3e344df": [[48, 112]], "SYSTEM: Apache Struts": [[133, 146]], "FILEPATH: C:\\Users\\Public\\Documents\\config.dat": [[167, 203]], "IP_ADDRESS: 192.150.190.159": [[279, 294]], "DOMAIN: securegateway.org": [[331, 348]], "URL: hxxp://node-login.club/secure/token": [[384, 419]], "FILEPATH: C:\\Windows\\Temp\\beacon.dll": [[435, 461]], "TOOL: SharpHound": [[480, 490]], "HASH: 11f2517e8b3be34112c61234c09bd4369494e438": [[553, 593]]}, "info": {"id": "synth_v2_00496", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Vidar (SHA1: 2aea619fe8386eb7afe98f5aae6bbf7ebed2d9b3). Upon execution on Windows Server 2019, the sample creates C:\\Users\\admin\\Desktop\\implant.so and injects into legitimate processes. Network analysis shows beaconing to 160.164.14.201 every 60 seconds and DNS queries to storage-update.dev. The second stage was fetched from http://cdnlogin.dev/login and written to C:\\Users\\admin\\Downloads\\config.dat. The payload uses Metasploit-style techniques for defense evasion. 
A secondary hash (MD5: e1ca14318060194cc8372db745b91aa7) was extracted from the unpacked payload.", "spans": {"MALWARE: Vidar": [[25, 30]], "HASH: 2aea619fe8386eb7afe98f5aae6bbf7ebed2d9b3": [[38, 78]], "SYSTEM: Windows Server 2019": [[99, 118]], "FILEPATH: C:\\Users\\admin\\Desktop\\implant.so": [[139, 172]], "IP_ADDRESS: 160.164.14.201": [[248, 262]], "DOMAIN: storage-update.dev": [[299, 317]], "URL: http://cdnlogin.dev/login": [[353, 378]], "FILEPATH: C:\\Users\\admin\\Downloads\\config.dat": [[394, 429]], "TOOL: Metasploit": [[448, 458]], "HASH: e1ca14318060194cc8372db745b91aa7": [[520, 552]]}, "info": {"id": "synth_v2_00497", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: AgentTesla (SHA256: df677d572c40267397d1aeb027a00e9f84eebe9c2959fd3754667e818bec7d32). Upon execution on VMware ESXi, the sample creates /opt/app/bin/dropper.ps1 and injects into legitimate processes. Network analysis shows beaconing to 17.57.243.119 every 60 seconds and DNS queries to edgerelay.org. The second stage was fetched from https://backup-proxy.online/download/update.exe and written to /etc/cron.d/implant.so. The payload uses PowerView-style techniques for defense evasion. 
A secondary hash (SHA256: 226710d90e5377a0c1b18f2ee7065fbfcbb471561c3756d0c8e69202a0995a6f) was extracted from the unpacked payload.", "spans": {"MALWARE: AgentTesla": [[25, 35]], "HASH: df677d572c40267397d1aeb027a00e9f84eebe9c2959fd3754667e818bec7d32": [[45, 109]], "SYSTEM: VMware ESXi": [[130, 141]], "FILEPATH: /opt/app/bin/dropper.ps1": [[162, 186]], "IP_ADDRESS: 17.57.243.119": [[262, 275]], "DOMAIN: edgerelay.org": [[312, 325]], "URL: https://backup-proxy.online/download/update.exe": [[361, 408]], "FILEPATH: /etc/cron.d/implant.so": [[424, 446]], "TOOL: PowerView": [[465, 474]], "HASH: 226710d90e5377a0c1b18f2ee7065fbfcbb471561c3756d0c8e69202a0995a6f": [[539, 603]]}, "info": {"id": "synth_v2_00498", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Amadey (MD5: 999b5ce008573606cd9780224c8f7224). Upon execution on Zyxel USG, the sample creates /var/tmp/backdoor.elf and injects into legitimate processes. Network analysis shows beaconing to 10.112.66.207 every 60 seconds and DNS queries to data-api.club. The second stage was fetched from hxxps://portal-backup.dev/wp-content/uploads/doc.php and written to C:\\Users\\admin\\Downloads\\agent.py. The payload uses Hashcat-style techniques for defense evasion. 
A secondary hash (SHA1: b997804f530c1ac0fd94725e47b00d6fbd2b0fcb) was extracted from the unpacked payload.", "spans": {"MALWARE: Amadey": [[25, 31]], "HASH: 999b5ce008573606cd9780224c8f7224": [[38, 70]], "SYSTEM: Zyxel USG": [[91, 100]], "FILEPATH: /var/tmp/backdoor.elf": [[121, 142]], "IP_ADDRESS: 10.112.66.207": [[218, 231]], "DOMAIN: data-api.club": [[268, 281]], "URL: hxxps://portal-backup.dev/wp-content/uploads/doc.php": [[317, 369]], "FILEPATH: C:\\Users\\admin\\Downloads\\agent.py": [[385, 418]], "TOOL: Hashcat": [[437, 444]], "HASH: b997804f530c1ac0fd94725e47b00d6fbd2b0fcb": [[507, 547]]}, "info": {"id": "synth_v2_00499", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Lumma Stealer (SHA1: 865911f3e52d86ff402de01f856de75619c402c9). Upon execution on Cisco ASA, the sample creates C:\\Windows\\Temp\\payload.bin and injects into legitimate processes. Network analysis shows beaconing to 195.67.167.109 every 60 seconds and DNS queries to logincache.club. The second stage was fetched from hxxp://portal-cdn.link/download/update.exe and written to C:\\Users\\admin\\AppData\\Local\\Temp\\helper.sh. The payload uses Rubeus-style techniques for defense evasion. 
A secondary hash (SHA1: fdf1c2f5acbc6e61de5a6b57b68c368d53e8379a) was extracted from the unpacked payload.", "spans": {"MALWARE: Lumma Stealer": [[25, 38]], "HASH: 865911f3e52d86ff402de01f856de75619c402c9": [[46, 86]], "SYSTEM: Cisco ASA": [[107, 116]], "FILEPATH: C:\\Windows\\Temp\\payload.bin": [[137, 164]], "IP_ADDRESS: 195.67.167.109": [[240, 254]], "DOMAIN: logincache.club": [[291, 306]], "URL: hxxp://portal-cdn.link/download/update.exe": [[342, 384]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\helper.sh": [[400, 443]], "TOOL: Rubeus": [[462, 468]], "HASH: fdf1c2f5acbc6e61de5a6b57b68c368d53e8379a": [[531, 571]]}, "info": {"id": "synth_v2_00500", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: RemcosRAT (SHA256: 38ad20887d2715778f071a6cc5a0528469f6a883e242d9f68a10a32c3858d660). Upon execution on F5 BIG-IP, the sample creates /opt/app/bin/winlogon.exe and injects into legitimate processes. Network analysis shows beaconing to 124.176.96.161 every 60 seconds and DNS queries to relaycloud.online. The second stage was fetched from https://edgerelay.net/admin/config and written to C:\\Users\\admin\\Downloads\\backdoor.elf. The payload uses Hashcat-style techniques for defense evasion. 
A secondary hash (SHA1: dd008052b4ed983e7fd1aa5891fd930232661f7a) was extracted from the unpacked payload.", "spans": {"MALWARE: RemcosRAT": [[25, 34]], "HASH: 38ad20887d2715778f071a6cc5a0528469f6a883e242d9f68a10a32c3858d660": [[44, 108]], "SYSTEM: F5 BIG-IP": [[129, 138]], "FILEPATH: /opt/app/bin/winlogon.exe": [[159, 184]], "IP_ADDRESS: 124.176.96.161": [[260, 274]], "DOMAIN: relaycloud.online": [[311, 328]], "URL: https://edgerelay.net/admin/config": [[364, 398]], "FILEPATH: C:\\Users\\admin\\Downloads\\backdoor.elf": [[414, 451]], "TOOL: Hashcat": [[470, 477]], "HASH: dd008052b4ed983e7fd1aa5891fd930232661f7a": [[540, 580]]}, "info": {"id": "synth_v2_00501", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Latrodectus (MD5: 92d82a0eaa8956ed8b6e0f15d703680a). Upon execution on SonicWall SMA, the sample creates /home/user/.config/payload.bin and injects into legitimate processes. Network analysis shows beaconing to 192.175.134.17 every 60 seconds and DNS queries to gatewayupdate.io. The second stage was fetched from hxxps://auth-data.online/api/v2/auth and written to /etc/cron.d/agent.py. The payload uses Brute Ratel-style techniques for defense evasion. A secondary hash (SHA1: 9c990507e7d51e1b1122226c0cc41b47df3af991) was extracted from the unpacked payload.", "spans": {"MALWARE: Latrodectus": [[25, 36]], "HASH: 92d82a0eaa8956ed8b6e0f15d703680a": [[43, 75]], "SYSTEM: SonicWall SMA": [[96, 109]], "FILEPATH: /home/user/.config/payload.bin": [[130, 160]], "IP_ADDRESS: 192.175.134.17": [[236, 250]], "DOMAIN: gatewayupdate.io": [[287, 303]], "URL: hxxps://auth-data.online/api/v2/auth": [[339, 375]], "FILEPATH: /etc/cron.d/agent.py": [[391, 411]], "TOOL: Brute Ratel": [[430, 441]], "HASH: 9c990507e7d51e1b1122226c0cc41b47df3af991": [[504, 544]]}, "info": {"id": "synth_v2_00502", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Latrodectus (SHA256: a41ca0840ba8e96f9c48c7cfa2488e7d10b60c76fcf0ae646d7c85a2f0f3fd49). 
Upon execution on Juniper SRX, the sample creates C:\\Users\\admin\\AppData\\Local\\Temp\\dropper.ps1 and injects into legitimate processes. Network analysis shows beaconing to 172.99.72.216 every 60 seconds and DNS queries to update-cloud.club. The second stage was fetched from hxxp://nodestatic.link/collect and written to /etc/cron.d/dropper.ps1. The payload uses PsExec-style techniques for defense evasion. A secondary hash (SHA1: 5dcb546ed18eaad28fcb44468c28326a586ca35f) was extracted from the unpacked payload.", "spans": {"MALWARE: Latrodectus": [[25, 36]], "HASH: a41ca0840ba8e96f9c48c7cfa2488e7d10b60c76fcf0ae646d7c85a2f0f3fd49": [[46, 110]], "SYSTEM: Juniper SRX": [[131, 142]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\dropper.ps1": [[163, 208]], "IP_ADDRESS: 172.99.72.216": [[284, 297]], "DOMAIN: update-cloud.club": [[334, 351]], "URL: hxxp://nodestatic.link/collect": [[387, 417]], "FILEPATH: /etc/cron.d/dropper.ps1": [[433, 456]], "TOOL: PsExec": [[475, 481]], "HASH: 5dcb546ed18eaad28fcb44468c28326a586ca35f": [[544, 584]]}, "info": {"id": "synth_v2_00503", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: REvil (MD5: 24d9f83b5f9a861987bb18010d2d5db8). Upon execution on Apache Struts, the sample creates C:\\Program Files\\Common Files\\beacon.dll and injects into legitimate processes. Network analysis shows beaconing to 192.84.115.216 every 60 seconds and DNS queries to edge-static.site. The second stage was fetched from https://sync-cdn.site/callback and written to C:\\Windows\\Tasks\\winlogon.exe. The payload uses CrackMapExec-style techniques for defense evasion. 
A secondary hash (SHA256: 22c5e4505b5a736bc350dda15612e06d7c4057a1d7790acbf542cf8162e38cae) was extracted from the unpacked payload.", "spans": {"MALWARE: REvil": [[25, 30]], "HASH: 24d9f83b5f9a861987bb18010d2d5db8": [[37, 69]], "SYSTEM: Apache Struts": [[90, 103]], "FILEPATH: C:\\Program Files\\Common Files\\beacon.dll": [[124, 164]], "IP_ADDRESS: 192.84.115.216": [[240, 254]], "DOMAIN: edge-static.site": [[291, 307]], "URL: https://sync-cdn.site/callback": [[343, 373]], "FILEPATH: C:\\Windows\\Tasks\\winlogon.exe": [[389, 418]], "TOOL: CrackMapExec": [[437, 449]], "HASH: 22c5e4505b5a736bc350dda15612e06d7c4057a1d7790acbf542cf8162e38cae": [[514, 578]]}, "info": {"id": "synth_v2_00504", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Emotet (SHA256: 6e5e20d1fead7fe9f9fda50776850e5e04600198a5d74b4077cd412109504e27). Upon execution on Ivanti Connect Secure, the sample creates C:\\Program Files\\Common Files\\lsass.dmp and injects into legitimate processes. Network analysis shows beaconing to 54.34.30.194 every 60 seconds and DNS queries to loginlogin.online. The second stage was fetched from hxxp://data-portal.link/admin/config and written to /tmp/helper.sh. The payload uses Covenant-style techniques for defense evasion. 
A secondary hash (MD5: f6fe795a70dbfe4be1a038f33c21a2ae) was extracted from the unpacked payload.", "spans": {"MALWARE: Emotet": [[25, 31]], "HASH: 6e5e20d1fead7fe9f9fda50776850e5e04600198a5d74b4077cd412109504e27": [[41, 105]], "SYSTEM: Ivanti Connect Secure": [[126, 147]], "FILEPATH: C:\\Program Files\\Common Files\\lsass.dmp": [[168, 207]], "IP_ADDRESS: 54.34.30.194": [[283, 295]], "DOMAIN: loginlogin.online": [[332, 349]], "URL: hxxp://data-portal.link/admin/config": [[385, 421]], "FILEPATH: /tmp/helper.sh": [[437, 451]], "TOOL: Covenant": [[470, 478]], "HASH: f6fe795a70dbfe4be1a038f33c21a2ae": [[540, 572]]}, "info": {"id": "synth_v2_00505", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: IcedID (SHA256: 4bac1f77ec283db1640c35398e9b367869b9ae3b7608bcd4922de1031634bf98). Upon execution on Zyxel USG, the sample creates C:\\Users\\Public\\Documents\\implant.so and injects into legitimate processes. Network analysis shows beaconing to 172.63.77.53 every 60 seconds and DNS queries to loginsync.link. The second stage was fetched from https://updateauth.io/panel/index.html and written to /dev/shm/helper.sh. The payload uses PowerView-style techniques for defense evasion. A secondary hash (MD5: 73419d10cab2520407d7090ec183bd2b) was extracted from the unpacked payload.", "spans": {"MALWARE: IcedID": [[25, 31]], "HASH: 4bac1f77ec283db1640c35398e9b367869b9ae3b7608bcd4922de1031634bf98": [[41, 105]], "SYSTEM: Zyxel USG": [[126, 135]], "FILEPATH: C:\\Users\\Public\\Documents\\implant.so": [[156, 192]], "IP_ADDRESS: 172.63.77.53": [[268, 280]], "DOMAIN: loginsync.link": [[317, 331]], "URL: https://updateauth.io/panel/index.html": [[367, 405]], "FILEPATH: /dev/shm/helper.sh": [[421, 439]], "TOOL: PowerView": [[458, 467]], "HASH: 73419d10cab2520407d7090ec183bd2b": [[529, 561]]}, "info": {"id": "synth_v2_00506", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: AsyncRAT (SHA256: 8fbc7ebabe3492c2d1be2827c288ec0706cee3d431ac1448201760ba651a2206). 
Upon execution on Ubuntu 22.04, the sample creates /dev/shm/agent.py and injects into legitimate processes. Network analysis shows beaconing to 40.36.174.225 every 60 seconds and DNS queries to cdnportal.live. The second stage was fetched from hxxp://authrelay.site/assets/js/payload.js and written to /var/tmp/loader.exe. The payload uses Metasploit-style techniques for defense evasion. A secondary hash (SHA1: c66ab7c114177d18b666adeb15fc39432be2e76a) was extracted from the unpacked payload.", "spans": {"MALWARE: AsyncRAT": [[25, 33]], "HASH: 8fbc7ebabe3492c2d1be2827c288ec0706cee3d431ac1448201760ba651a2206": [[43, 107]], "SYSTEM: Ubuntu 22.04": [[128, 140]], "FILEPATH: /dev/shm/agent.py": [[161, 178]], "IP_ADDRESS: 40.36.174.225": [[254, 267]], "DOMAIN: cdnportal.live": [[304, 318]], "URL: hxxp://authrelay.site/assets/js/payload.js": [[354, 396]], "FILEPATH: /var/tmp/loader.exe": [[412, 431]], "TOOL: Metasploit": [[450, 460]], "HASH: c66ab7c114177d18b666adeb15fc39432be2e76a": [[523, 563]]}, "info": {"id": "synth_v2_00507", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: StealC (SHA1: b9afe374931065135a980483ff461e36de0102a2). Upon execution on F5 BIG-IP, the sample creates /usr/local/bin/csrss.exe and injects into legitimate processes. Network analysis shows beaconing to 192.253.221.108 every 60 seconds and DNS queries to auth-sync.live. The second stage was fetched from http://syncnode.tech/admin/config and written to C:\\ProgramData\\svchost.exe. The payload uses Metasploit-style techniques for defense evasion. 
A secondary hash (MD5: b8b2d1e13c89c9930f568cad1c0fa0c2) was extracted from the unpacked payload.", "spans": {"MALWARE: StealC": [[25, 31]], "HASH: b9afe374931065135a980483ff461e36de0102a2": [[39, 79]], "SYSTEM: F5 BIG-IP": [[100, 109]], "FILEPATH: /usr/local/bin/csrss.exe": [[130, 154]], "IP_ADDRESS: 192.253.221.108": [[230, 245]], "DOMAIN: auth-sync.live": [[282, 296]], "URL: http://syncnode.tech/admin/config": [[332, 365]], "FILEPATH: C:\\ProgramData\\svchost.exe": [[381, 407]], "TOOL: Metasploit": [[426, 436]], "HASH: b8b2d1e13c89c9930f568cad1c0fa0c2": [[498, 530]]}, "info": {"id": "synth_v2_00508", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: BumbleBee (SHA1: b8f5787ce46ec96d8f909a4d60aca6d067d0b338). Upon execution on VMware ESXi, the sample creates C:\\Users\\Public\\Documents\\shell.php and injects into legitimate processes. Network analysis shows beaconing to 192.222.136.27 every 60 seconds and DNS queries to edgestatic.live. The second stage was fetched from http://staticnode.live/login and written to C:\\Users\\Public\\Documents\\shell.php. The payload uses Metasploit-style techniques for defense evasion. A secondary hash (MD5: 7c72780a56275f245e7bda7e0a49630b) was extracted from the unpacked payload.", "spans": {"MALWARE: BumbleBee": [[25, 34]], "HASH: b8f5787ce46ec96d8f909a4d60aca6d067d0b338": [[42, 82]], "SYSTEM: VMware ESXi": [[103, 114]], "FILEPATH: C:\\Users\\Public\\Documents\\shell.php": [[135, 170], [135, 170]], "IP_ADDRESS: 192.222.136.27": [[246, 260]], "DOMAIN: edgestatic.live": [[297, 312]], "URL: http://staticnode.live/login": [[348, 376]], "TOOL: Metasploit": [[446, 456]], "HASH: 7c72780a56275f245e7bda7e0a49630b": [[518, 550]]}, "info": {"id": "synth_v2_00509", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: BumbleBee (MD5: df5ee9ef1c10d7be6b403da2975112d7). Upon execution on SonicWall SMA, the sample creates C:\\Users\\admin\\Downloads\\svchost.exe and injects into legitimate processes. 
Network analysis shows beaconing to 209.201.20.89 every 60 seconds and DNS queries to relaycache.live. The second stage was fetched from hxxps://portal-gateway.top/wp-content/uploads/doc.php and written to /opt/app/bin/taskhost.exe. The payload uses Burp Suite-style techniques for defense evasion. A secondary hash (SHA1: 98a9aba421b7fcbc90318065dc0b2b1883d01c51) was extracted from the unpacked payload.", "spans": {"MALWARE: BumbleBee": [[25, 34]], "HASH: df5ee9ef1c10d7be6b403da2975112d7": [[41, 73]], "SYSTEM: SonicWall SMA": [[94, 107]], "FILEPATH: C:\\Users\\admin\\Downloads\\svchost.exe": [[128, 164]], "IP_ADDRESS: 209.201.20.89": [[240, 253]], "DOMAIN: relaycache.live": [[290, 305]], "URL: hxxps://portal-gateway.top/wp-content/uploads/doc.php": [[341, 394]], "FILEPATH: /opt/app/bin/taskhost.exe": [[410, 435]], "TOOL: Burp Suite": [[454, 464]], "HASH: 98a9aba421b7fcbc90318065dc0b2b1883d01c51": [[527, 567]]}, "info": {"id": "synth_v2_00510", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: TrickBot (SHA1: 8cc14b98a2b8f33796c2b4ea956b0bb00f0f83aa). Upon execution on Ivanti Connect Secure, the sample creates /tmp/dropper.ps1 and injects into legitimate processes. Network analysis shows beaconing to 92.176.180.250 every 60 seconds and DNS queries to sync-relay.link. The second stage was fetched from https://storage-relay.club/download/update.exe and written to /opt/app/bin/lsass.dmp. The payload uses Seatbelt-style techniques for defense evasion. 
A secondary hash (MD5: 26b014c2caacd25fd9df3b3a70dcc74f) was extracted from the unpacked payload.", "spans": {"MALWARE: TrickBot": [[25, 33]], "HASH: 8cc14b98a2b8f33796c2b4ea956b0bb00f0f83aa": [[41, 81]], "SYSTEM: Ivanti Connect Secure": [[102, 123]], "FILEPATH: /tmp/dropper.ps1": [[144, 160]], "IP_ADDRESS: 92.176.180.250": [[236, 250]], "DOMAIN: sync-relay.link": [[287, 302]], "URL: https://storage-relay.club/download/update.exe": [[338, 384]], "FILEPATH: /opt/app/bin/lsass.dmp": [[400, 422]], "TOOL: Seatbelt": [[441, 449]], "HASH: 26b014c2caacd25fd9df3b3a70dcc74f": [[511, 543]]}, "info": {"id": "synth_v2_00511", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: DarkSide (MD5: 345876da8aad9baea9b7199097fd9232). Upon execution on Zyxel USG, the sample creates /tmp/backdoor.elf and injects into legitimate processes. Network analysis shows beaconing to 91.116.162.213 every 60 seconds and DNS queries to authapi.top. The second stage was fetched from hxxp://storagestatic.online/callback and written to /dev/shm/csrss.exe. The payload uses Hashcat-style techniques for defense evasion. A secondary hash (SHA256: 15f80ad278186ff733af1d9d2a463c694207e4d27eac25126f6f29d8c9fba3d2) was extracted from the unpacked payload.", "spans": {"MALWARE: DarkSide": [[25, 33]], "HASH: 345876da8aad9baea9b7199097fd9232": [[40, 72]], "SYSTEM: Zyxel USG": [[93, 102]], "FILEPATH: /tmp/backdoor.elf": [[123, 140]], "IP_ADDRESS: 91.116.162.213": [[216, 230]], "DOMAIN: authapi.top": [[267, 278]], "URL: hxxp://storagestatic.online/callback": [[314, 350]], "FILEPATH: /dev/shm/csrss.exe": [[366, 384]], "TOOL: Hashcat": [[403, 410]], "HASH: 15f80ad278186ff733af1d9d2a463c694207e4d27eac25126f6f29d8c9fba3d2": [[475, 539]]}, "info": {"id": "synth_v2_00512", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: RedLine Stealer (SHA256: 3f40ba9425e052fa584e61e52a675e31fc129fcc97e7045d280c74e59e48fa39). 
Upon execution on Atlassian Confluence, the sample creates C:\\ProgramData\\chrome_helper.exe and injects into legitimate processes. Network analysis shows beaconing to 5.57.97.149 every 60 seconds and DNS queries to nodeedge.info. The second stage was fetched from hxxps://portal-static.club/wp-content/uploads/doc.php and written to C:\\Users\\admin\\Desktop\\backdoor.elf. The payload uses CrackMapExec-style techniques for defense evasion. A secondary hash (SHA256: ccbaad49c780271950c3fd3a226c39f39b7ee834befa66f167e4e9c4dd971f52) was extracted from the unpacked payload.", "spans": {"MALWARE: RedLine Stealer": [[25, 40]], "HASH: 3f40ba9425e052fa584e61e52a675e31fc129fcc97e7045d280c74e59e48fa39": [[50, 114]], "SYSTEM: Atlassian Confluence": [[135, 155]], "FILEPATH: C:\\ProgramData\\chrome_helper.exe": [[176, 208]], "IP_ADDRESS: 5.57.97.149": [[284, 295]], "DOMAIN: nodeedge.info": [[332, 345]], "URL: hxxps://portal-static.club/wp-content/uploads/doc.php": [[381, 434]], "FILEPATH: C:\\Users\\admin\\Desktop\\backdoor.elf": [[450, 485]], "TOOL: CrackMapExec": [[504, 516]], "HASH: ccbaad49c780271950c3fd3a226c39f39b7ee834befa66f167e4e9c4dd971f52": [[581, 645]]}, "info": {"id": "synth_v2_00513", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: WarmCookie (MD5: b57736d23b88e681bfe3895cffa11fd1). Upon execution on Microsoft Exchange, the sample creates /dev/shm/helper.sh and injects into legitimate processes. Network analysis shows beaconing to 172.53.150.158 every 60 seconds and DNS queries to storage-data.online. The second stage was fetched from https://data-edge.org/login and written to /var/tmp/helper.sh. The payload uses Mythic-style techniques for defense evasion. 
A secondary hash (MD5: fff4af1c56e13fdd4781727045ae89dc) was extracted from the unpacked payload.", "spans": {"MALWARE: WarmCookie": [[25, 35]], "HASH: b57736d23b88e681bfe3895cffa11fd1": [[42, 74]], "SYSTEM: Microsoft Exchange": [[95, 113]], "FILEPATH: /dev/shm/helper.sh": [[134, 152]], "IP_ADDRESS: 172.53.150.158": [[228, 242]], "DOMAIN: storage-data.online": [[279, 298]], "URL: https://data-edge.org/login": [[334, 361]], "FILEPATH: /var/tmp/helper.sh": [[377, 395]], "TOOL: Mythic": [[414, 420]], "HASH: fff4af1c56e13fdd4781727045ae89dc": [[482, 514]]}, "info": {"id": "synth_v2_00514", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: PlugX (SHA1: 32bb7b53bdf2961f69a02116840357b084cd8599). Upon execution on Cisco ASA, the sample creates C:\\Users\\admin\\Downloads\\loader.exe and injects into legitimate processes. Network analysis shows beaconing to 10.151.124.247 every 60 seconds and DNS queries to static-proxy.live. The second stage was fetched from hxxp://gatewayedge.io/callback and written to C:\\Users\\admin\\Desktop\\shell.php. The payload uses Mythic-style techniques for defense evasion. A secondary hash (SHA256: 6c32ba2fb2c0be197cec7aa720f749e1c9096aebfd0cc37b9ee8531469a0e9af) was extracted from the unpacked payload.", "spans": {"MALWARE: PlugX": [[25, 30]], "HASH: 32bb7b53bdf2961f69a02116840357b084cd8599": [[38, 78]], "SYSTEM: Cisco ASA": [[99, 108]], "FILEPATH: C:\\Users\\admin\\Downloads\\loader.exe": [[129, 164]], "IP_ADDRESS: 10.151.124.247": [[240, 254]], "DOMAIN: static-proxy.live": [[291, 308]], "URL: hxxp://gatewayedge.io/callback": [[344, 374]], "FILEPATH: C:\\Users\\admin\\Desktop\\shell.php": [[390, 422]], "TOOL: Mythic": [[441, 447]], "HASH: 6c32ba2fb2c0be197cec7aa720f749e1c9096aebfd0cc37b9ee8531469a0e9af": [[512, 576]]}, "info": {"id": "synth_v2_00515", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: SmokeLoader (SHA1: 9dfa98f7ea8496e031ed346617a682ae1211b70c). 
Upon execution on VMware ESXi, the sample creates C:\\Windows\\System32\\taskhost.exe and injects into legitimate processes. Network analysis shows beaconing to 111.189.186.231 every 60 seconds and DNS queries to storage-edge.tech. The second stage was fetched from hxxp://login-storage.live/panel/index.html and written to /dev/shm/dropper.ps1. The payload uses Hashcat-style techniques for defense evasion. A secondary hash (MD5: f7238b7ed065ed3768120d806d431c0f) was extracted from the unpacked payload.", "spans": {"MALWARE: SmokeLoader": [[25, 36]], "HASH: 9dfa98f7ea8496e031ed346617a682ae1211b70c": [[44, 84]], "SYSTEM: VMware ESXi": [[105, 116]], "FILEPATH: C:\\Windows\\System32\\taskhost.exe": [[137, 169]], "IP_ADDRESS: 111.189.186.231": [[245, 260]], "DOMAIN: storage-edge.tech": [[297, 314]], "URL: hxxp://login-storage.live/panel/index.html": [[350, 392]], "FILEPATH: /dev/shm/dropper.ps1": [[408, 428]], "TOOL: Hashcat": [[447, 454]], "HASH: f7238b7ed065ed3768120d806d431c0f": [[516, 548]]}, "info": {"id": "synth_v2_00516", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: StealC (SHA256: 312947aa18fbc2c887ed60b56f35e64c6f3b16d6240c82c8b07d2711f716f72b). Upon execution on Citrix NetScaler, the sample creates C:\\Windows\\Tasks\\dropper.ps1 and injects into legitimate processes. Network analysis shows beaconing to 184.114.238.69 every 60 seconds and DNS queries to relay-static.online. The second stage was fetched from hxxp://cachegateway.net/login and written to C:\\Users\\admin\\AppData\\Local\\Temp\\csrss.exe. The payload uses PowerShell Empire-style techniques for defense evasion. 
A secondary hash (SHA1: 636c3d3daa2f73a51b243258f9f3c9640be983f4) was extracted from the unpacked payload.", "spans": {"MALWARE: StealC": [[25, 31]], "HASH: 312947aa18fbc2c887ed60b56f35e64c6f3b16d6240c82c8b07d2711f716f72b": [[41, 105]], "SYSTEM: Citrix NetScaler": [[126, 142]], "FILEPATH: C:\\Windows\\Tasks\\dropper.ps1": [[163, 191]], "IP_ADDRESS: 184.114.238.69": [[267, 281]], "DOMAIN: relay-static.online": [[318, 337]], "URL: hxxp://cachegateway.net/login": [[373, 402]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\csrss.exe": [[418, 461]], "TOOL: PowerShell Empire": [[480, 497]], "HASH: 636c3d3daa2f73a51b243258f9f3c9640be983f4": [[560, 600]]}, "info": {"id": "synth_v2_00517", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: IcedID (SHA1: 74733f9f4dec7f78d9fcb7e78373399c22133a03). Upon execution on Juniper SRX, the sample creates /home/user/.config/winlogon.exe and injects into legitimate processes. Network analysis shows beaconing to 192.141.129.243 every 60 seconds and DNS queries to static-proxy.site. The second stage was fetched from http://portal-cloud.top/portal/verify and written to /var/tmp/shell.php. The payload uses GhostPack-style techniques for defense evasion. A secondary hash (MD5: 4ab1753b530ec0b74506a3dd3b4155ed) was extracted from the unpacked payload.", "spans": {"MALWARE: IcedID": [[25, 31]], "HASH: 74733f9f4dec7f78d9fcb7e78373399c22133a03": [[39, 79]], "SYSTEM: Juniper SRX": [[100, 111]], "FILEPATH: /home/user/.config/winlogon.exe": [[132, 163]], "IP_ADDRESS: 192.141.129.243": [[239, 254]], "DOMAIN: static-proxy.site": [[291, 308]], "URL: http://portal-cloud.top/portal/verify": [[344, 381]], "FILEPATH: /var/tmp/shell.php": [[397, 415]], "TOOL: GhostPack": [[434, 443]], "HASH: 4ab1753b530ec0b74506a3dd3b4155ed": [[505, 537]]}, "info": {"id": "synth_v2_00518", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: FormBook (SHA256: 7251c78f9a7774ea7b13b882eb805e8a421fd28ba4657214f56c890c65cf7098). 
Upon execution on Fortinet FortiGate, the sample creates C:\\Users\\admin\\Downloads\\runtime.dll and injects into legitimate processes. Network analysis shows beaconing to 221.3.27.183 every 60 seconds and DNS queries to cacheauth.link. The second stage was fetched from http://static-api.io/assets/js/payload.js and written to /var/tmp/implant.so. The payload uses Seatbelt-style techniques for defense evasion. A secondary hash (SHA1: c7799fc1d11c1a14bb15791c15007c0c00730713) was extracted from the unpacked payload.", "spans": {"MALWARE: FormBook": [[25, 33]], "HASH: 7251c78f9a7774ea7b13b882eb805e8a421fd28ba4657214f56c890c65cf7098": [[43, 107]], "SYSTEM: Fortinet FortiGate": [[128, 146]], "FILEPATH: C:\\Users\\admin\\Downloads\\runtime.dll": [[167, 203]], "IP_ADDRESS: 221.3.27.183": [[279, 291]], "DOMAIN: cacheauth.link": [[328, 342]], "URL: http://static-api.io/assets/js/payload.js": [[378, 419]], "FILEPATH: /var/tmp/implant.so": [[435, 454]], "TOOL: Seatbelt": [[473, 481]], "HASH: c7799fc1d11c1a14bb15791c15007c0c00730713": [[544, 584]]}, "info": {"id": "synth_v2_00519", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: DarkSide (SHA256: 151ce5ab8cf6deef1cbe5dcf8e26ecaf8ae1db0094ac8c2088c5239128872cf8). Upon execution on Fortinet FortiGate, the sample creates /opt/app/bin/config.dat and injects into legitimate processes. Network analysis shows beaconing to 187.61.169.23 every 60 seconds and DNS queries to portal-cache.club. The second stage was fetched from http://gatewayportal.club/download/update.exe and written to C:\\Users\\Public\\Documents\\agent.py. The payload uses Chisel-style techniques for defense evasion. 
A secondary hash (SHA1: a162d46f181fc78b2383ea3c1474cec495556faa) was extracted from the unpacked payload.", "spans": {"MALWARE: DarkSide": [[25, 33]], "HASH: 151ce5ab8cf6deef1cbe5dcf8e26ecaf8ae1db0094ac8c2088c5239128872cf8": [[43, 107]], "SYSTEM: Fortinet FortiGate": [[128, 146]], "FILEPATH: /opt/app/bin/config.dat": [[167, 190]], "IP_ADDRESS: 187.61.169.23": [[266, 279]], "DOMAIN: portal-cache.club": [[316, 333]], "URL: http://gatewayportal.club/download/update.exe": [[369, 414]], "FILEPATH: C:\\Users\\Public\\Documents\\agent.py": [[430, 464]], "TOOL: Chisel": [[483, 489]], "HASH: a162d46f181fc78b2383ea3c1474cec495556faa": [[552, 592]]}, "info": {"id": "synth_v2_00520", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: XLoader (MD5: 212a0840d69c0c91eb91801079793986). Upon execution on Fortinet FortiGate, the sample creates C:\\Users\\admin\\AppData\\Local\\Temp\\dropper.ps1 and injects into legitimate processes. Network analysis shows beaconing to 10.133.205.52 every 60 seconds and DNS queries to mail-api.tech. The second stage was fetched from hxxps://authnode.info/collect and written to C:\\Users\\admin\\AppData\\Local\\Temp\\csrss.exe. The payload uses Metasploit-style techniques for defense evasion. 
A secondary hash (MD5: bd2a9085ac8557f4f159d5398e0273e6) was extracted from the unpacked payload.", "spans": {"MALWARE: XLoader": [[25, 32]], "HASH: 212a0840d69c0c91eb91801079793986": [[39, 71]], "SYSTEM: Fortinet FortiGate": [[92, 110]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\dropper.ps1": [[131, 176]], "IP_ADDRESS: 10.133.205.52": [[252, 265]], "DOMAIN: mail-api.tech": [[302, 315]], "URL: hxxps://authnode.info/collect": [[351, 380]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\csrss.exe": [[396, 439]], "TOOL: Metasploit": [[458, 468]], "HASH: bd2a9085ac8557f4f159d5398e0273e6": [[530, 562]]}, "info": {"id": "synth_v2_00521", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Emotet (SHA1: ceb1ac9c61fc1f73edc92b3548fbfde86a095eb8). Upon execution on Zyxel USG, the sample creates C:\\Windows\\System32\\implant.so and injects into legitimate processes. Network analysis shows beaconing to 172.196.156.8 every 60 seconds and DNS queries to apisecure.xyz. The second stage was fetched from https://secureedge.xyz/api/v2/auth and written to /etc/cron.d/shell.php. The payload uses Rubeus-style techniques for defense evasion. A secondary hash (SHA256: 8d899cd4c6ad2d9d9e4ddb54adabf344d8d7f00d9d78b6f96036560bb4838295) was extracted from the unpacked payload.", "spans": {"MALWARE: Emotet": [[25, 31]], "HASH: ceb1ac9c61fc1f73edc92b3548fbfde86a095eb8": [[39, 79]], "SYSTEM: Zyxel USG": [[100, 109]], "FILEPATH: C:\\Windows\\System32\\implant.so": [[130, 160]], "IP_ADDRESS: 172.196.156.8": [[236, 249]], "DOMAIN: apisecure.xyz": [[286, 299]], "URL: https://secureedge.xyz/api/v2/auth": [[335, 369]], "FILEPATH: /etc/cron.d/shell.php": [[385, 406]], "TOOL: Rubeus": [[425, 431]], "HASH: 8d899cd4c6ad2d9d9e4ddb54adabf344d8d7f00d9d78b6f96036560bb4838295": [[496, 560]]}, "info": {"id": "synth_v2_00522", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: DarkSide (SHA1: 9a02bc32fefcf478767f8e0a9edfe77b2323afb6). 
Upon execution on Atlassian Confluence, the sample creates /tmp/implant.so and injects into legitimate processes. Network analysis shows beaconing to 8.19.61.207 every 60 seconds and DNS queries to backupauth.tech. The second stage was fetched from hxxps://cache-node.org/gate.php and written to C:\\Windows\\System32\\implant.so. The payload uses Merlin-style techniques for defense evasion. A secondary hash (SHA256: d6dde6d1ea8937c5557f12a9669ecfd73027dd7934b8b2c44152c358341ac128) was extracted from the unpacked payload.", "spans": {"MALWARE: DarkSide": [[25, 33]], "HASH: 9a02bc32fefcf478767f8e0a9edfe77b2323afb6": [[41, 81]], "SYSTEM: Atlassian Confluence": [[102, 122]], "FILEPATH: /tmp/implant.so": [[143, 158]], "IP_ADDRESS: 8.19.61.207": [[234, 245]], "DOMAIN: backupauth.tech": [[282, 297]], "URL: hxxps://cache-node.org/gate.php": [[333, 364]], "FILEPATH: C:\\Windows\\System32\\implant.so": [[380, 410]], "TOOL: Merlin": [[429, 435]], "HASH: d6dde6d1ea8937c5557f12a9669ecfd73027dd7934b8b2c44152c358341ac128": [[500, 564]]}, "info": {"id": "synth_v2_00523", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: ShadowPad (SHA1: 693dc3ed9c2cd21f9d9e0386b82bb70fa33c8047). Upon execution on Juniper SRX, the sample creates /etc/cron.d/update.dll and injects into legitimate processes. Network analysis shows beaconing to 201.229.59.172 every 60 seconds and DNS queries to storage-data.tech. The second stage was fetched from http://data-proxy.xyz/login and written to /dev/shm/shell.php. The payload uses Metasploit-style techniques for defense evasion. 
A secondary hash (SHA1: 52e1b1ddae5cd80de9de8937a28232db2615a2fe) was extracted from the unpacked payload.", "spans": {"MALWARE: ShadowPad": [[25, 34]], "HASH: 693dc3ed9c2cd21f9d9e0386b82bb70fa33c8047": [[42, 82]], "SYSTEM: Juniper SRX": [[103, 114]], "FILEPATH: /etc/cron.d/update.dll": [[135, 157]], "IP_ADDRESS: 201.229.59.172": [[233, 247]], "DOMAIN: storage-data.tech": [[284, 301]], "URL: http://data-proxy.xyz/login": [[337, 364]], "FILEPATH: /dev/shm/shell.php": [[380, 398]], "TOOL: Metasploit": [[417, 427]], "HASH: 52e1b1ddae5cd80de9de8937a28232db2615a2fe": [[490, 530]]}, "info": {"id": "synth_v2_00524", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Dridex (SHA1: bd96cd72d2d750d97fb13b221be90c13e31a073c). Upon execution on Atlassian Confluence, the sample creates C:\\ProgramData\\beacon.dll and injects into legitimate processes. Network analysis shows beaconing to 135.201.102.73 every 60 seconds and DNS queries to loginrelay.link. The second stage was fetched from http://backup-gateway.site/callback and written to C:\\Windows\\Temp\\beacon.dll. The payload uses Metasploit-style techniques for defense evasion. A secondary hash (SHA1: 2fe283e209de3ccdcf6523d968de9ec93940690a) was extracted from the unpacked payload.", "spans": {"MALWARE: Dridex": [[25, 31]], "HASH: bd96cd72d2d750d97fb13b221be90c13e31a073c": [[39, 79]], "SYSTEM: Atlassian Confluence": [[100, 120]], "FILEPATH: C:\\ProgramData\\beacon.dll": [[141, 166]], "IP_ADDRESS: 135.201.102.73": [[242, 256]], "DOMAIN: loginrelay.link": [[293, 308]], "URL: http://backup-gateway.site/callback": [[344, 379]], "FILEPATH: C:\\Windows\\Temp\\beacon.dll": [[395, 421]], "TOOL: Metasploit": [[440, 450]], "HASH: 2fe283e209de3ccdcf6523d968de9ec93940690a": [[513, 553]]}, "info": {"id": "synth_v2_00525", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Latrodectus (MD5: e022b6b9636d830185c293bce0bcb95e). 
Upon execution on Cisco ASA, the sample creates /opt/app/bin/update.dll and injects into legitimate processes. Network analysis shows beaconing to 79.254.147.198 every 60 seconds and DNS queries to node-cdn.xyz. The second stage was fetched from hxxp://backup-cache.club/admin/config and written to C:\\Windows\\Temp\\update.dll. The payload uses Burp Suite-style techniques for defense evasion. A secondary hash (SHA1: 8d141583ed43a1880430057a80783e2333fee723) was extracted from the unpacked payload.", "spans": {"MALWARE: Latrodectus": [[25, 36]], "HASH: e022b6b9636d830185c293bce0bcb95e": [[43, 75]], "SYSTEM: Cisco ASA": [[96, 105]], "FILEPATH: /opt/app/bin/update.dll": [[126, 149]], "IP_ADDRESS: 79.254.147.198": [[225, 239]], "DOMAIN: node-cdn.xyz": [[276, 288]], "URL: hxxp://backup-cache.club/admin/config": [[324, 361]], "FILEPATH: C:\\Windows\\Temp\\update.dll": [[377, 403]], "TOOL: Burp Suite": [[422, 432]], "HASH: 8d141583ed43a1880430057a80783e2333fee723": [[495, 535]]}, "info": {"id": "synth_v2_00526", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Hive (MD5: eaeac760556812f2c57c5b8574b2084c). Upon execution on Progress Telerik, the sample creates /tmp/beacon.dll and injects into legitimate processes. Network analysis shows beaconing to 192.222.91.131 every 60 seconds and DNS queries to cdncloud.net. The second stage was fetched from https://securedata.club/api/v2/auth and written to /tmp/shell.php. The payload uses Sharphound-style techniques for defense evasion. 
A secondary hash (SHA1: 469a42abd758563d56ca739fde1abeac87c1a26f) was extracted from the unpacked payload.", "spans": {"MALWARE: Hive": [[25, 29]], "HASH: eaeac760556812f2c57c5b8574b2084c": [[36, 68]], "SYSTEM: Progress Telerik": [[89, 105]], "FILEPATH: /tmp/beacon.dll": [[126, 141]], "IP_ADDRESS: 192.222.91.131": [[217, 231]], "DOMAIN: cdncloud.net": [[268, 280]], "URL: https://securedata.club/api/v2/auth": [[316, 351]], "FILEPATH: /tmp/shell.php": [[367, 381]], "TOOL: Sharphound": [[400, 410]], "HASH: 469a42abd758563d56ca739fde1abeac87c1a26f": [[473, 513]]}, "info": {"id": "synth_v2_00527", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Emotet (SHA256: 052dcb920be5a1866a31792ad66276ac21edde89b39c16608902259658f7d822). Upon execution on MOVEit Transfer, the sample creates /var/tmp/implant.so and injects into legitimate processes. Network analysis shows beaconing to 192.59.148.2 every 60 seconds and DNS queries to storage-secure.site. The second stage was fetched from hxxp://mail-portal.com/download/update.exe and written to /usr/local/bin/ntds.dit. The payload uses PowerView-style techniques for defense evasion. A secondary hash (MD5: 5c47bfb1f42b0df00fa93e5f9760b569) was extracted from the unpacked payload.", "spans": {"MALWARE: Emotet": [[25, 31]], "HASH: 052dcb920be5a1866a31792ad66276ac21edde89b39c16608902259658f7d822": [[41, 105]], "SYSTEM: MOVEit Transfer": [[126, 141]], "FILEPATH: /var/tmp/implant.so": [[162, 181]], "IP_ADDRESS: 192.59.148.2": [[257, 269]], "DOMAIN: storage-secure.site": [[306, 325]], "URL: hxxp://mail-portal.com/download/update.exe": [[361, 403]], "FILEPATH: /usr/local/bin/ntds.dit": [[419, 442]], "TOOL: PowerView": [[461, 470]], "HASH: 5c47bfb1f42b0df00fa93e5f9760b569": [[532, 564]]}, "info": {"id": "synth_v2_00528", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: AsyncRAT (SHA256: 401ba4b115bc86583dc156675c8730310663a90c329eaad5a81facd515649495). 
Upon execution on Microsoft Exchange, the sample creates C:\\Users\\admin\\Desktop\\update.dll and injects into legitimate processes. Network analysis shows beaconing to 105.5.212.211 every 60 seconds and DNS queries to portalsync.live. The second stage was fetched from hxxps://proxy-sync.cc/admin/config and written to C:\\Windows\\Tasks\\payload.bin. The payload uses PowerView-style techniques for defense evasion. A secondary hash (SHA1: 315b3d38b78792d28a725c1d194065d47ca427c9) was extracted from the unpacked payload.", "spans": {"MALWARE: AsyncRAT": [[25, 33]], "HASH: 401ba4b115bc86583dc156675c8730310663a90c329eaad5a81facd515649495": [[43, 107]], "SYSTEM: Microsoft Exchange": [[128, 146]], "FILEPATH: C:\\Users\\admin\\Desktop\\update.dll": [[167, 200]], "IP_ADDRESS: 105.5.212.211": [[276, 289]], "DOMAIN: portalsync.live": [[326, 341]], "URL: hxxps://proxy-sync.cc/admin/config": [[377, 411]], "FILEPATH: C:\\Windows\\Tasks\\payload.bin": [[427, 455]], "TOOL: PowerView": [[474, 483]], "HASH: 315b3d38b78792d28a725c1d194065d47ca427c9": [[546, 586]]}, "info": {"id": "synth_v2_00529", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: IcedID (SHA1: 54202225be570aaa0b0c7e002da471ae5c40bc23). Upon execution on Palo Alto PAN-OS, the sample creates /usr/local/bin/taskhost.exe and injects into legitimate processes. Network analysis shows beaconing to 10.250.34.47 every 60 seconds and DNS queries to securesync.top. The second stage was fetched from https://backupedge.info/collect and written to C:\\Users\\Public\\Documents\\lsass.dmp. The payload uses Covenant-style techniques for defense evasion. 
A secondary hash (SHA256: 7b3b03a23758733b9ffd3a3f85c46a83fb92bdf64e47efe3df4863327a025a2d) was extracted from the unpacked payload.", "spans": {"MALWARE: IcedID": [[25, 31]], "HASH: 54202225be570aaa0b0c7e002da471ae5c40bc23": [[39, 79]], "SYSTEM: Palo Alto PAN-OS": [[100, 116]], "FILEPATH: /usr/local/bin/taskhost.exe": [[137, 164]], "IP_ADDRESS: 10.250.34.47": [[240, 252]], "DOMAIN: securesync.top": [[289, 303]], "URL: https://backupedge.info/collect": [[339, 370]], "FILEPATH: C:\\Users\\Public\\Documents\\lsass.dmp": [[386, 421]], "TOOL: Covenant": [[440, 448]], "HASH: 7b3b03a23758733b9ffd3a3f85c46a83fb92bdf64e47efe3df4863327a025a2d": [[513, 577]]}, "info": {"id": "synth_v2_00530", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Dridex (SHA1: 639784c521af2928bd2e87879e2e558738cbb2bb). Upon execution on Citrix NetScaler, the sample creates C:\\Program Files\\Common Files\\implant.so and injects into legitimate processes. Network analysis shows beaconing to 10.18.240.123 every 60 seconds and DNS queries to auth-data.com. The second stage was fetched from hxxps://secureapi.link/wp-content/uploads/doc.php and written to /etc/cron.d/sam.hive. The payload uses LinPEAS-style techniques for defense evasion. A secondary hash (MD5: 22828dfd50fe6b019abc606ed78cdd39) was extracted from the unpacked payload.", "spans": {"MALWARE: Dridex": [[25, 31]], "HASH: 639784c521af2928bd2e87879e2e558738cbb2bb": [[39, 79]], "SYSTEM: Citrix NetScaler": [[100, 116]], "FILEPATH: C:\\Program Files\\Common Files\\implant.so": [[137, 177]], "IP_ADDRESS: 10.18.240.123": [[253, 266]], "DOMAIN: auth-data.com": [[303, 316]], "URL: hxxps://secureapi.link/wp-content/uploads/doc.php": [[352, 401]], "FILEPATH: /etc/cron.d/sam.hive": [[417, 437]], "TOOL: LinPEAS": [[456, 463]], "HASH: 22828dfd50fe6b019abc606ed78cdd39": [[525, 557]]}, "info": {"id": "synth_v2_00531", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: PlugX (SHA1: 47e508f895a1513205d7696e9ffd7edf351a44be). 
Upon execution on Juniper SRX, the sample creates C:\\Users\\admin\\AppData\\Local\\Temp\\lsass.dmp and injects into legitimate processes. Network analysis shows beaconing to 10.162.22.146 every 60 seconds and DNS queries to login-storage.live. The second stage was fetched from hxxp://securemail.online/admin/config and written to C:\\Users\\admin\\Desktop\\payload.bin. The payload uses Burp Suite-style techniques for defense evasion. A secondary hash (SHA256: 6fe267b7614d8f066c35a79c2f90e7bf233ef25069ebbf1a3ad14fb8831b22c6) was extracted from the unpacked payload.", "spans": {"MALWARE: PlugX": [[25, 30]], "HASH: 47e508f895a1513205d7696e9ffd7edf351a44be": [[38, 78]], "SYSTEM: Juniper SRX": [[99, 110]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\lsass.dmp": [[131, 174]], "IP_ADDRESS: 10.162.22.146": [[250, 263]], "DOMAIN: login-storage.live": [[300, 318]], "URL: hxxp://securemail.online/admin/config": [[354, 391]], "FILEPATH: C:\\Users\\admin\\Desktop\\payload.bin": [[407, 441]], "TOOL: Burp Suite": [[460, 470]], "HASH: 6fe267b7614d8f066c35a79c2f90e7bf233ef25069ebbf1a3ad14fb8831b22c6": [[535, 599]]}, "info": {"id": "synth_v2_00532", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: IcedID (SHA256: 073ef0072781e5ffc16ce5bd909ccc097d9f21765a28b97732d29731aaa27563). Upon execution on Windows Server 2019, the sample creates C:\\Users\\Public\\Documents\\chrome_helper.exe and injects into legitimate processes. Network analysis shows beaconing to 172.224.12.224 every 60 seconds and DNS queries to apidata.cc. The second stage was fetched from https://edgesecure.org/login and written to C:\\Program Files\\Common Files\\loader.exe. The payload uses Certutil-style techniques for defense evasion. 
A secondary hash (SHA256: 7f22279bb920973cb46e02994674ecff74a47cd9be1eca2f2e637a53d001f1db) was extracted from the unpacked payload.", "spans": {"MALWARE: IcedID": [[25, 31]], "HASH: 073ef0072781e5ffc16ce5bd909ccc097d9f21765a28b97732d29731aaa27563": [[41, 105]], "SYSTEM: Windows Server 2019": [[126, 145]], "FILEPATH: C:\\Users\\Public\\Documents\\chrome_helper.exe": [[166, 209]], "IP_ADDRESS: 172.224.12.224": [[285, 299]], "DOMAIN: apidata.cc": [[336, 346]], "URL: https://edgesecure.org/login": [[382, 410]], "FILEPATH: C:\\Program Files\\Common Files\\loader.exe": [[426, 466]], "TOOL: Certutil": [[485, 493]], "HASH: 7f22279bb920973cb46e02994674ecff74a47cd9be1eca2f2e637a53d001f1db": [[558, 622]]}, "info": {"id": "synth_v2_00533", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Meduza Stealer (SHA1: 0eb7017578d3f557506a41fc1f31674e5aa43f39). Upon execution on Ubuntu 22.04, the sample creates C:\\Users\\Public\\Documents\\helper.sh and injects into legitimate processes. Network analysis shows beaconing to 95.19.73.231 every 60 seconds and DNS queries to data-update.site. The second stage was fetched from http://cache-cdn.live/collect and written to C:\\Users\\admin\\AppData\\Local\\Temp\\shell.php. The payload uses Certutil-style techniques for defense evasion. 
A secondary hash (SHA256: 4fb33710dec16d3051b1b7cd74e66c4ff170d71609ac8b4dd99d03ba0d07d63f) was extracted from the unpacked payload.", "spans": {"MALWARE: Meduza Stealer": [[25, 39]], "HASH: 0eb7017578d3f557506a41fc1f31674e5aa43f39": [[47, 87]], "SYSTEM: Ubuntu 22.04": [[108, 120]], "FILEPATH: C:\\Users\\Public\\Documents\\helper.sh": [[141, 176]], "IP_ADDRESS: 95.19.73.231": [[252, 264]], "DOMAIN: data-update.site": [[301, 317]], "URL: http://cache-cdn.live/collect": [[353, 382]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\shell.php": [[398, 441]], "TOOL: Certutil": [[460, 468]], "HASH: 4fb33710dec16d3051b1b7cd74e66c4ff170d71609ac8b4dd99d03ba0d07d63f": [[533, 597]]}, "info": {"id": "synth_v2_00534", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: TrickBot (SHA1: ba625661ea87ee5c4f15c2ed8bb29001a323fafe). Upon execution on Fortinet FortiGate, the sample creates /etc/cron.d/helper.sh and injects into legitimate processes. Network analysis shows beaconing to 73.198.230.234 every 60 seconds and DNS queries to proxy-static.info. The second stage was fetched from hxxp://relayproxy.dev/gate.php and written to C:\\Windows\\System32\\agent.py. The payload uses Sharphound-style techniques for defense evasion. A secondary hash (MD5: 85a8eab5038058e64f2007b85e753a44) was extracted from the unpacked payload.", "spans": {"MALWARE: TrickBot": [[25, 33]], "HASH: ba625661ea87ee5c4f15c2ed8bb29001a323fafe": [[41, 81]], "SYSTEM: Fortinet FortiGate": [[102, 120]], "FILEPATH: /etc/cron.d/helper.sh": [[141, 162]], "IP_ADDRESS: 73.198.230.234": [[238, 252]], "DOMAIN: proxy-static.info": [[289, 306]], "URL: hxxp://relayproxy.dev/gate.php": [[342, 372]], "FILEPATH: C:\\Windows\\System32\\agent.py": [[388, 416]], "TOOL: Sharphound": [[435, 445]], "HASH: 85a8eab5038058e64f2007b85e753a44": [[507, 539]]}, "info": {"id": "synth_v2_00535", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Raccoon Stealer (MD5: 7d2a3e14f37b033a2eb370df599a4f52). 
Upon execution on SonicWall SMA, the sample creates /etc/cron.d/runtime.dll and injects into legitimate processes. Network analysis shows beaconing to 190.10.221.207 every 60 seconds and DNS queries to logincdn.online. The second stage was fetched from hxxp://edgedata.site/admin/config and written to C:\\Users\\admin\\Desktop\\ntds.dit. The payload uses Mythic-style techniques for defense evasion. A secondary hash (SHA256: 000fd555bacb9fce27a064d234f8d843543359a986d0053d75e24cd21e5e2d06) was extracted from the unpacked payload.", "spans": {"MALWARE: Raccoon Stealer": [[25, 40]], "HASH: 7d2a3e14f37b033a2eb370df599a4f52": [[47, 79]], "SYSTEM: SonicWall SMA": [[100, 113]], "FILEPATH: /etc/cron.d/runtime.dll": [[134, 157]], "IP_ADDRESS: 190.10.221.207": [[233, 247]], "DOMAIN: logincdn.online": [[284, 299]], "URL: hxxp://edgedata.site/admin/config": [[335, 368]], "FILEPATH: C:\\Users\\admin\\Desktop\\ntds.dit": [[384, 415]], "TOOL: Mythic": [[434, 440]], "HASH: 000fd555bacb9fce27a064d234f8d843543359a986d0053d75e24cd21e5e2d06": [[505, 569]]}, "info": {"id": "synth_v2_00536", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: ShadowPad (SHA1: 555c257765857c35771bb0fac228a9b6eb9c32c6). Upon execution on SonicWall SMA, the sample creates /tmp/implant.so and injects into legitimate processes. Network analysis shows beaconing to 100.237.186.87 every 60 seconds and DNS queries to portallogin.club. The second stage was fetched from hxxp://data-cloud.club/collect and written to /etc/cron.d/sam.hive. The payload uses Certutil-style techniques for defense evasion. 
A secondary hash (MD5: 8527a7e3c907b7484865bd1d8e014b15) was extracted from the unpacked payload.", "spans": {"MALWARE: ShadowPad": [[25, 34]], "HASH: 555c257765857c35771bb0fac228a9b6eb9c32c6": [[42, 82]], "SYSTEM: SonicWall SMA": [[103, 116]], "FILEPATH: /tmp/implant.so": [[137, 152]], "IP_ADDRESS: 100.237.186.87": [[228, 242]], "DOMAIN: portallogin.club": [[279, 295]], "URL: hxxp://data-cloud.club/collect": [[331, 361]], "FILEPATH: /etc/cron.d/sam.hive": [[377, 397]], "TOOL: Certutil": [[416, 424]], "HASH: 8527a7e3c907b7484865bd1d8e014b15": [[486, 518]]}, "info": {"id": "synth_v2_00537", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: RedLine Stealer (SHA1: 4ee874d400ac4c712dee704a94dbef23ef4f667b). Upon execution on Windows Server 2019, the sample creates C:\\Users\\admin\\Desktop\\loader.exe and injects into legitimate processes. Network analysis shows beaconing to 172.72.240.28 every 60 seconds and DNS queries to backupstatic.site. The second stage was fetched from hxxp://cloud-cloud.tech/admin/config and written to C:\\Program Files\\Common Files\\config.dat. The payload uses Brute Ratel-style techniques for defense evasion. A secondary hash (MD5: e57a159b4b176fdfc04dbe1b7b51db96) was extracted from the unpacked payload.", "spans": {"MALWARE: RedLine Stealer": [[25, 40]], "HASH: 4ee874d400ac4c712dee704a94dbef23ef4f667b": [[48, 88]], "SYSTEM: Windows Server 2019": [[109, 128]], "FILEPATH: C:\\Users\\admin\\Desktop\\loader.exe": [[149, 182]], "IP_ADDRESS: 172.72.240.28": [[258, 271]], "DOMAIN: backupstatic.site": [[308, 325]], "URL: hxxp://cloud-cloud.tech/admin/config": [[361, 397]], "FILEPATH: C:\\Program Files\\Common Files\\config.dat": [[413, 453]], "TOOL: Brute Ratel": [[472, 483]], "HASH: e57a159b4b176fdfc04dbe1b7b51db96": [[545, 577]]}, "info": {"id": "synth_v2_00538", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Royal (MD5: f531700044e9b51483a841f6b37424f9). 
Upon execution on Windows Server 2019, the sample creates C:\\Users\\admin\\AppData\\Local\\Temp\\taskhost.exe and injects into legitimate processes. Network analysis shows beaconing to 172.79.205.148 every 60 seconds and DNS queries to login-gateway.tech. The second stage was fetched from http://datalogin.link/secure/token and written to C:\\ProgramData\\chrome_helper.exe. The payload uses Mimikatz-style techniques for defense evasion. A secondary hash (SHA1: 2ce745a1fd71db25afa19306f087607f54d46755) was extracted from the unpacked payload.", "spans": {"MALWARE: Royal": [[25, 30]], "HASH: f531700044e9b51483a841f6b37424f9": [[37, 69]], "SYSTEM: Windows Server 2019": [[90, 109]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\taskhost.exe": [[130, 176]], "IP_ADDRESS: 172.79.205.148": [[252, 266]], "DOMAIN: login-gateway.tech": [[303, 321]], "URL: http://datalogin.link/secure/token": [[357, 391]], "FILEPATH: C:\\ProgramData\\chrome_helper.exe": [[407, 439]], "TOOL: Mimikatz": [[458, 466]], "HASH: 2ce745a1fd71db25afa19306f087607f54d46755": [[529, 569]]}, "info": {"id": "synth_v2_00539", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: QakBot (MD5: 7f3e3a96adda5569af5fed0df51ae116). Upon execution on Barracuda ESG, the sample creates C:\\Users\\admin\\Downloads\\agent.py and injects into legitimate processes. Network analysis shows beaconing to 92.103.77.246 every 60 seconds and DNS queries to backup-api.tech. The second stage was fetched from https://cacherelay.online/assets/js/payload.js and written to /home/user/.config/taskhost.exe. The payload uses GhostPack-style techniques for defense evasion. 
A secondary hash (SHA256: 52171878734e186739a62cfd0191f096a9cbaa9e19342a88cafcd165def1826e) was extracted from the unpacked payload.", "spans": {"MALWARE: QakBot": [[25, 31]], "HASH: 7f3e3a96adda5569af5fed0df51ae116": [[38, 70]], "SYSTEM: Barracuda ESG": [[91, 104]], "FILEPATH: C:\\Users\\admin\\Downloads\\agent.py": [[125, 158]], "IP_ADDRESS: 92.103.77.246": [[234, 247]], "DOMAIN: backup-api.tech": [[284, 299]], "URL: https://cacherelay.online/assets/js/payload.js": [[335, 381]], "FILEPATH: /home/user/.config/taskhost.exe": [[397, 428]], "TOOL: GhostPack": [[447, 456]], "HASH: 52171878734e186739a62cfd0191f096a9cbaa9e19342a88cafcd165def1826e": [[521, 585]]}, "info": {"id": "synth_v2_00540", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: REvil (SHA256: 5ed2c3c8458307e6eea7548647b83300feb71a510b1da6306974c0ca1c7f7001). Upon execution on Windows Server 2019, the sample creates C:\\Users\\admin\\Desktop\\beacon.dll and injects into legitimate processes. Network analysis shows beaconing to 31.209.81.144 every 60 seconds and DNS queries to syncdata.net. The second stage was fetched from hxxps://relay-auth.link/download/update.exe and written to C:\\Users\\admin\\Desktop\\beacon.dll. The payload uses Rubeus-style techniques for defense evasion. 
A secondary hash (SHA256: 060843a64b865f38527b2ed2c5d66d6e9955d1674a20c5430f5799e4e9c9a6e7) was extracted from the unpacked payload.", "spans": {"MALWARE: REvil": [[25, 30]], "HASH: 5ed2c3c8458307e6eea7548647b83300feb71a510b1da6306974c0ca1c7f7001": [[40, 104]], "SYSTEM: Windows Server 2019": [[125, 144]], "FILEPATH: C:\\Users\\admin\\Desktop\\beacon.dll": [[165, 198], [165, 198]], "IP_ADDRESS: 31.209.81.144": [[274, 287]], "DOMAIN: syncdata.net": [[324, 336]], "URL: hxxps://relay-auth.link/download/update.exe": [[372, 415]], "TOOL: Rubeus": [[483, 489]], "HASH: 060843a64b865f38527b2ed2c5d66d6e9955d1674a20c5430f5799e4e9c9a6e7": [[554, 618]]}, "info": {"id": "synth_v2_00541", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Lumma Stealer (SHA1: 0814eb0a39edf798063ae10cc90cba65ab8c5d73). Upon execution on Palo Alto PAN-OS, the sample creates /home/user/.config/lsass.dmp and injects into legitimate processes. Network analysis shows beaconing to 150.93.229.229 every 60 seconds and DNS queries to proxy-cache.tech. The second stage was fetched from hxxp://apimail.net/download/update.exe and written to C:\\Windows\\System32\\taskhost.exe. The payload uses Merlin-style techniques for defense evasion. A secondary hash (MD5: 865bb5cdf5a83a8f8d59db5cdbd49a3f) was extracted from the unpacked payload.", "spans": {"MALWARE: Lumma Stealer": [[25, 38]], "HASH: 0814eb0a39edf798063ae10cc90cba65ab8c5d73": [[46, 86]], "SYSTEM: Palo Alto PAN-OS": [[107, 123]], "FILEPATH: /home/user/.config/lsass.dmp": [[144, 172]], "IP_ADDRESS: 150.93.229.229": [[248, 262]], "DOMAIN: proxy-cache.tech": [[299, 315]], "URL: hxxp://apimail.net/download/update.exe": [[351, 389]], "FILEPATH: C:\\Windows\\System32\\taskhost.exe": [[405, 437]], "TOOL: Merlin": [[456, 462]], "HASH: 865bb5cdf5a83a8f8d59db5cdbd49a3f": [[524, 556]]}, "info": {"id": "synth_v2_00542", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: RemcosRAT (MD5: ef1f2475c21839bd3f404e73e318136b). 
Upon execution on Apache Struts, the sample creates /opt/app/bin/config.dat and injects into legitimate processes. Network analysis shows beaconing to 172.253.8.160 every 60 seconds and DNS queries to securemail.live. The second stage was fetched from hxxps://cloudnode.info/gate.php and written to C:\\Users\\admin\\AppData\\Local\\Temp\\helper.sh. The payload uses WinPEAS-style techniques for defense evasion. A secondary hash (SHA1: 6d1ddfb83f9320f8ffd20d543eb3b7b882e581c5) was extracted from the unpacked payload.", "spans": {"MALWARE: RemcosRAT": [[25, 34]], "HASH: ef1f2475c21839bd3f404e73e318136b": [[41, 73]], "SYSTEM: Apache Struts": [[94, 107]], "FILEPATH: /opt/app/bin/config.dat": [[128, 151]], "IP_ADDRESS: 172.253.8.160": [[227, 240]], "DOMAIN: securemail.live": [[277, 292]], "URL: hxxps://cloudnode.info/gate.php": [[328, 359]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\helper.sh": [[375, 418]], "TOOL: WinPEAS": [[437, 444]], "HASH: 6d1ddfb83f9320f8ffd20d543eb3b7b882e581c5": [[507, 547]]}, "info": {"id": "synth_v2_00543", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: SmokeLoader (MD5: 4a0ec73e5463116af0e51285fb2c43f1). Upon execution on Windows 11, the sample creates C:\\Users\\admin\\Desktop\\runtime.dll and injects into legitimate processes. Network analysis shows beaconing to 11.139.234.169 every 60 seconds and DNS queries to storage-edge.com. The second stage was fetched from hxxps://static-update.club/portal/verify and written to /dev/shm/lsass.dmp. The payload uses Ligolo-style techniques for defense evasion. 
A secondary hash (MD5: c8298a88ad47630d6cb97f53b599419a) was extracted from the unpacked payload.", "spans": {"MALWARE: SmokeLoader": [[25, 36]], "HASH: 4a0ec73e5463116af0e51285fb2c43f1": [[43, 75]], "SYSTEM: Windows 11": [[96, 106]], "FILEPATH: C:\\Users\\admin\\Desktop\\runtime.dll": [[127, 161]], "IP_ADDRESS: 11.139.234.169": [[237, 251]], "DOMAIN: storage-edge.com": [[288, 304]], "URL: hxxps://static-update.club/portal/verify": [[340, 380]], "FILEPATH: /dev/shm/lsass.dmp": [[396, 414]], "TOOL: Ligolo": [[433, 439]], "HASH: c8298a88ad47630d6cb97f53b599419a": [[501, 533]]}, "info": {"id": "synth_v2_00544", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: SystemBC (SHA1: 1e8dbf41897cf32a81a8df13b0ed049d87fe7b99). Upon execution on Juniper SRX, the sample creates C:\\ProgramData\\sam.hive and injects into legitimate processes. Network analysis shows beaconing to 94.217.208.182 every 60 seconds and DNS queries to loginmail.club. The second stage was fetched from https://edgecloud.online/portal/verify and written to C:\\ProgramData\\winlogon.exe. The payload uses Havoc-style techniques for defense evasion. A secondary hash (MD5: fba3620678f3284860670faa5ecb64f6) was extracted from the unpacked payload.", "spans": {"MALWARE: SystemBC": [[25, 33]], "HASH: 1e8dbf41897cf32a81a8df13b0ed049d87fe7b99": [[41, 81]], "SYSTEM: Juniper SRX": [[102, 113]], "FILEPATH: C:\\ProgramData\\sam.hive": [[134, 157]], "IP_ADDRESS: 94.217.208.182": [[233, 247]], "DOMAIN: loginmail.club": [[284, 298]], "URL: https://edgecloud.online/portal/verify": [[334, 372]], "FILEPATH: C:\\ProgramData\\winlogon.exe": [[388, 415]], "TOOL: Havoc": [[434, 439]], "HASH: fba3620678f3284860670faa5ecb64f6": [[501, 533]]}, "info": {"id": "synth_v2_00545", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Conti (SHA256: ecf918534bbe284a5ca72aec778d12972d7e503d1366b6a35fdb0322e8707549). 
Upon execution on Zyxel USG, the sample creates /opt/app/bin/implant.so and injects into legitimate processes. Network analysis shows beaconing to 10.38.90.96 every 60 seconds and DNS queries to login-cache.link. The second stage was fetched from hxxps://api-api.com/assets/js/payload.js and written to C:\\ProgramData\\payload.bin. The payload uses BITSAdmin-style techniques for defense evasion. A secondary hash (SHA256: ca5ef186bf7de79650af30eaa62b1214e435e406447a2461820d543ee2461302) was extracted from the unpacked payload.", "spans": {"MALWARE: Conti": [[25, 30]], "HASH: ecf918534bbe284a5ca72aec778d12972d7e503d1366b6a35fdb0322e8707549": [[40, 104]], "SYSTEM: Zyxel USG": [[125, 134]], "FILEPATH: /opt/app/bin/implant.so": [[155, 178]], "IP_ADDRESS: 10.38.90.96": [[254, 265]], "DOMAIN: login-cache.link": [[302, 318]], "URL: hxxps://api-api.com/assets/js/payload.js": [[354, 394]], "FILEPATH: C:\\ProgramData\\payload.bin": [[410, 436]], "TOOL: BITSAdmin": [[455, 464]], "HASH: ca5ef186bf7de79650af30eaa62b1214e435e406447a2461820d543ee2461302": [[529, 593]]}, "info": {"id": "synth_v2_00546", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: NjRAT (SHA1: 8eb28cf85605c6d941e1153096ec4699ad77ab16). Upon execution on Juniper SRX, the sample creates C:\\Users\\admin\\AppData\\Local\\Temp\\chrome_helper.exe and injects into legitimate processes. Network analysis shows beaconing to 10.71.102.236 every 60 seconds and DNS queries to secure-api.club. The second stage was fetched from hxxp://update-gateway.link/wp-content/uploads/doc.php and written to C:\\Users\\admin\\Desktop\\winlogon.exe. The payload uses Sharphound-style techniques for defense evasion. 
A secondary hash (SHA256: a45433045b4eaa05e6ab869aa248b6a6162edb84797c5bcf04b982711a6fd980) was extracted from the unpacked payload.", "spans": {"MALWARE: NjRAT": [[25, 30]], "HASH: 8eb28cf85605c6d941e1153096ec4699ad77ab16": [[38, 78]], "SYSTEM: Juniper SRX": [[99, 110]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\chrome_helper.exe": [[131, 182]], "IP_ADDRESS: 10.71.102.236": [[258, 271]], "DOMAIN: secure-api.club": [[308, 323]], "URL: hxxp://update-gateway.link/wp-content/uploads/doc.php": [[359, 412]], "FILEPATH: C:\\Users\\admin\\Desktop\\winlogon.exe": [[428, 463]], "TOOL: Sharphound": [[482, 492]], "HASH: a45433045b4eaa05e6ab869aa248b6a6162edb84797c5bcf04b982711a6fd980": [[557, 621]]}, "info": {"id": "synth_v2_00547", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Hive (MD5: 4c8d534a3897f648d0787fc1edcccb8f). Upon execution on Atlassian Confluence, the sample creates /tmp/taskhost.exe and injects into legitimate processes. Network analysis shows beaconing to 155.95.240.74 every 60 seconds and DNS queries to relay-secure.io. The second stage was fetched from https://api-secure.xyz/download/update.exe and written to C:\\ProgramData\\runtime.dll. The payload uses Rubeus-style techniques for defense evasion. 
A secondary hash (SHA256: c1e7f00e02db9a3ad9ef7ae8b96fb3512ad210a3996288621e74bcde020fb3ab) was extracted from the unpacked payload.", "spans": {"MALWARE: Hive": [[25, 29]], "HASH: 4c8d534a3897f648d0787fc1edcccb8f": [[36, 68]], "SYSTEM: Atlassian Confluence": [[89, 109]], "FILEPATH: /tmp/taskhost.exe": [[130, 147]], "IP_ADDRESS: 155.95.240.74": [[223, 236]], "DOMAIN: relay-secure.io": [[273, 288]], "URL: https://api-secure.xyz/download/update.exe": [[324, 366]], "FILEPATH: C:\\ProgramData\\runtime.dll": [[382, 408]], "TOOL: Rubeus": [[427, 433]], "HASH: c1e7f00e02db9a3ad9ef7ae8b96fb3512ad210a3996288621e74bcde020fb3ab": [[498, 562]]}, "info": {"id": "synth_v2_00548", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Play (SHA256: 85763adb54f4ac53b92d3da8ae72ff630a2b80b25b11896e68daf48e16f3c351). Upon execution on Ivanti Connect Secure, the sample creates C:\\Users\\admin\\Downloads\\chrome_helper.exe and injects into legitimate processes. Network analysis shows beaconing to 154.211.146.56 every 60 seconds and DNS queries to syncmail.club. The second stage was fetched from https://node-update.top/portal/verify and written to C:\\Users\\admin\\AppData\\Local\\Temp\\chrome_helper.exe. The payload uses PowerShell Empire-style techniques for defense evasion. 
A secondary hash (MD5: 2c97181e571b3ddb46e6082847ef63f3) was extracted from the unpacked payload.", "spans": {"MALWARE: Play": [[25, 29]], "HASH: 85763adb54f4ac53b92d3da8ae72ff630a2b80b25b11896e68daf48e16f3c351": [[39, 103]], "SYSTEM: Ivanti Connect Secure": [[124, 145]], "FILEPATH: C:\\Users\\admin\\Downloads\\chrome_helper.exe": [[166, 208]], "IP_ADDRESS: 154.211.146.56": [[284, 298]], "DOMAIN: syncmail.club": [[335, 348]], "URL: https://node-update.top/portal/verify": [[384, 421]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\chrome_helper.exe": [[437, 488]], "TOOL: PowerShell Empire": [[507, 524]], "HASH: 2c97181e571b3ddb46e6082847ef63f3": [[586, 618]]}, "info": {"id": "synth_v2_00549", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: QakBot (SHA1: 2402bec33a819e26f0c2a8632e5b2ba9d7eb512f). Upon execution on F5 BIG-IP, the sample creates /opt/app/bin/sam.hive and injects into legitimate processes. Network analysis shows beaconing to 192.228.6.251 every 60 seconds and DNS queries to storage-cache.link. The second stage was fetched from https://staticapi.cc/assets/js/payload.js and written to /etc/cron.d/beacon.dll. The payload uses Chisel-style techniques for defense evasion. A secondary hash (MD5: b9c8dd7bd9bf494c553ec469fceb53cf) was extracted from the unpacked payload.", "spans": {"MALWARE: QakBot": [[25, 31]], "HASH: 2402bec33a819e26f0c2a8632e5b2ba9d7eb512f": [[39, 79]], "SYSTEM: F5 BIG-IP": [[100, 109]], "FILEPATH: /opt/app/bin/sam.hive": [[130, 151]], "IP_ADDRESS: 192.228.6.251": [[227, 240]], "DOMAIN: storage-cache.link": [[277, 295]], "URL: https://staticapi.cc/assets/js/payload.js": [[331, 372]], "FILEPATH: /etc/cron.d/beacon.dll": [[388, 410]], "TOOL: Chisel": [[429, 435]], "HASH: b9c8dd7bd9bf494c553ec469fceb53cf": [[497, 529]]}, "info": {"id": "synth_v2_00550", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: AsyncRAT (MD5: 7afce390a5777656fc861f345bdd152e). 
Upon execution on Citrix NetScaler, the sample creates C:\\Windows\\System32\\payload.bin and injects into legitimate processes. Network analysis shows beaconing to 10.87.21.177 every 60 seconds and DNS queries to gatewayrelay.dev. The second stage was fetched from http://storageportal.online/gate.php and written to C:\\Users\\admin\\Desktop\\ntds.dit. The payload uses Mimikatz-style techniques for defense evasion. A secondary hash (MD5: 7e81320c73b3c036163e6afc0f81b499) was extracted from the unpacked payload.", "spans": {"MALWARE: AsyncRAT": [[25, 33]], "HASH: 7afce390a5777656fc861f345bdd152e": [[40, 72]], "SYSTEM: Citrix NetScaler": [[93, 109]], "FILEPATH: C:\\Windows\\System32\\payload.bin": [[130, 161]], "IP_ADDRESS: 10.87.21.177": [[237, 249]], "DOMAIN: gatewayrelay.dev": [[286, 302]], "URL: http://storageportal.online/gate.php": [[338, 374]], "FILEPATH: C:\\Users\\admin\\Desktop\\ntds.dit": [[390, 421]], "TOOL: Mimikatz": [[440, 448]], "HASH: 7e81320c73b3c036163e6afc0f81b499": [[510, 542]]}, "info": {"id": "synth_v2_00551", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: RemcosRAT (MD5: 6bf753ff87824ec41bf2cf9ab26860ba). Upon execution on Cisco ASA, the sample creates /usr/local/bin/winlogon.exe and injects into legitimate processes. Network analysis shows beaconing to 172.187.7.112 every 60 seconds and DNS queries to login-cache.org. The second stage was fetched from http://auth-update.site/download/update.exe and written to /tmp/svchost.exe. The payload uses PowerShell Empire-style techniques for defense evasion. 
A secondary hash (SHA1: 4974b26a59a7276f5b6620322e45110f1565bfc1) was extracted from the unpacked payload.", "spans": {"MALWARE: RemcosRAT": [[25, 34]], "HASH: 6bf753ff87824ec41bf2cf9ab26860ba": [[41, 73]], "SYSTEM: Cisco ASA": [[94, 103]], "FILEPATH: /usr/local/bin/winlogon.exe": [[124, 151]], "IP_ADDRESS: 172.187.7.112": [[227, 240]], "DOMAIN: login-cache.org": [[277, 292]], "URL: http://auth-update.site/download/update.exe": [[328, 371]], "FILEPATH: /tmp/svchost.exe": [[387, 403]], "TOOL: PowerShell Empire": [[422, 439]], "HASH: 4974b26a59a7276f5b6620322e45110f1565bfc1": [[502, 542]]}, "info": {"id": "synth_v2_00552", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: REvil (MD5: 68bf6b25c4ac4408208ecbc3059eafb8). Upon execution on Juniper SRX, the sample creates /opt/app/bin/beacon.dll and injects into legitimate processes. Network analysis shows beaconing to 59.97.249.156 every 60 seconds and DNS queries to gatewaygateway.live. The second stage was fetched from hxxps://proxy-cdn.tech/api/v2/auth and written to /home/user/.config/payload.bin. The payload uses PsExec-style techniques for defense evasion. A secondary hash (SHA1: d6684abe5b3560372744974d573854ec8379fcdb) was extracted from the unpacked payload.", "spans": {"MALWARE: REvil": [[25, 30]], "HASH: 68bf6b25c4ac4408208ecbc3059eafb8": [[37, 69]], "SYSTEM: Juniper SRX": [[90, 101]], "FILEPATH: /opt/app/bin/beacon.dll": [[122, 145]], "IP_ADDRESS: 59.97.249.156": [[221, 234]], "DOMAIN: gatewaygateway.live": [[271, 290]], "URL: hxxps://proxy-cdn.tech/api/v2/auth": [[326, 360]], "FILEPATH: /home/user/.config/payload.bin": [[376, 406]], "TOOL: PsExec": [[425, 431]], "HASH: d6684abe5b3560372744974d573854ec8379fcdb": [[494, 534]]}, "info": {"id": "synth_v2_00553", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Qbot (SHA256: 64f55ce017bf221672e98bc8e0d260c6c69297176c46b376cab60596ea4cb137). 
Upon execution on Ubuntu 22.04, the sample creates /etc/cron.d/payload.bin and injects into legitimate processes. Network analysis shows beaconing to 4.157.81.87 every 60 seconds and DNS queries to staticgateway.cc. The second stage was fetched from https://static-login.io/secure/token and written to /etc/cron.d/shell.php. The payload uses PowerShell Empire-style techniques for defense evasion. A secondary hash (MD5: 7b6a675c5c4a58104ce84f59432e9ce4) was extracted from the unpacked payload.", "spans": {"MALWARE: Qbot": [[25, 29]], "HASH: 64f55ce017bf221672e98bc8e0d260c6c69297176c46b376cab60596ea4cb137": [[39, 103]], "SYSTEM: Ubuntu 22.04": [[124, 136]], "FILEPATH: /etc/cron.d/payload.bin": [[157, 180]], "IP_ADDRESS: 4.157.81.87": [[256, 267]], "DOMAIN: staticgateway.cc": [[304, 320]], "URL: https://static-login.io/secure/token": [[356, 392]], "FILEPATH: /etc/cron.d/shell.php": [[408, 429]], "TOOL: PowerShell Empire": [[448, 465]], "HASH: 7b6a675c5c4a58104ce84f59432e9ce4": [[527, 559]]}, "info": {"id": "synth_v2_00554", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: TrickBot (MD5: ee3aebaf9202e1a10cfd88d5d14df76d). Upon execution on Microsoft Exchange, the sample creates /tmp/payload.bin and injects into legitimate processes. Network analysis shows beaconing to 64.107.167.177 every 60 seconds and DNS queries to storage-proxy.link. The second stage was fetched from https://edgestorage.cc/assets/js/payload.js and written to /opt/app/bin/shell.php. The payload uses Merlin-style techniques for defense evasion. 
A secondary hash (MD5: 54b2feeacd9aaa5c105fe0cd4f57f535) was extracted from the unpacked payload.", "spans": {"MALWARE: TrickBot": [[25, 33]], "HASH: ee3aebaf9202e1a10cfd88d5d14df76d": [[40, 72]], "SYSTEM: Microsoft Exchange": [[93, 111]], "FILEPATH: /tmp/payload.bin": [[132, 148]], "IP_ADDRESS: 64.107.167.177": [[224, 238]], "DOMAIN: storage-proxy.link": [[275, 293]], "URL: https://edgestorage.cc/assets/js/payload.js": [[329, 372]], "FILEPATH: /opt/app/bin/shell.php": [[388, 410]], "TOOL: Merlin": [[429, 435]], "HASH: 54b2feeacd9aaa5c105fe0cd4f57f535": [[497, 529]]}, "info": {"id": "synth_v2_00555", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Lumma Stealer (SHA1: 13d9cdb3c3670447ac0adad94ca51470a0f2cc51). Upon execution on Palo Alto PAN-OS, the sample creates /usr/local/bin/chrome_helper.exe and injects into legitimate processes. Network analysis shows beaconing to 172.240.9.81 every 60 seconds and DNS queries to portal-login.cc. The second stage was fetched from http://apinode.online/collect and written to C:\\Windows\\Tasks\\lsass.dmp. The payload uses Seatbelt-style techniques for defense evasion. A secondary hash (SHA256: 144dd456de640cccfbd601e4daac55f64794a1d9d8370cc840e6135e724ec1ad) was extracted from the unpacked payload.", "spans": {"MALWARE: Lumma Stealer": [[25, 38]], "HASH: 13d9cdb3c3670447ac0adad94ca51470a0f2cc51": [[46, 86]], "SYSTEM: Palo Alto PAN-OS": [[107, 123]], "FILEPATH: /usr/local/bin/chrome_helper.exe": [[144, 176]], "IP_ADDRESS: 172.240.9.81": [[252, 264]], "DOMAIN: portal-login.cc": [[301, 316]], "URL: http://apinode.online/collect": [[352, 381]], "FILEPATH: C:\\Windows\\Tasks\\lsass.dmp": [[397, 423]], "TOOL: Seatbelt": [[442, 450]], "HASH: 144dd456de640cccfbd601e4daac55f64794a1d9d8370cc840e6135e724ec1ad": [[515, 579]]}, "info": {"id": "synth_v2_00556", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: SystemBC (SHA1: 277812d1f47ed2c8f9e023e478e7900eebd309f4). 
Upon execution on Progress Telerik, the sample creates /dev/shm/winlogon.exe and injects into legitimate processes. Network analysis shows beaconing to 218.30.242.64 every 60 seconds and DNS queries to update-storage.tech. The second stage was fetched from https://edgelogin.link/secure/token and written to /tmp/runtime.dll. The payload uses Merlin-style techniques for defense evasion. A secondary hash (SHA256: fe846ae4f5f4e5940700d391463685f3027f767d399237317b20ca43055860bc) was extracted from the unpacked payload.", "spans": {"MALWARE: SystemBC": [[25, 33]], "HASH: 277812d1f47ed2c8f9e023e478e7900eebd309f4": [[41, 81]], "SYSTEM: Progress Telerik": [[102, 118]], "FILEPATH: /dev/shm/winlogon.exe": [[139, 160]], "IP_ADDRESS: 218.30.242.64": [[236, 249]], "DOMAIN: update-storage.tech": [[286, 305]], "URL: https://edgelogin.link/secure/token": [[341, 376]], "FILEPATH: /tmp/runtime.dll": [[392, 408]], "TOOL: Merlin": [[427, 433]], "HASH: fe846ae4f5f4e5940700d391463685f3027f767d399237317b20ca43055860bc": [[498, 562]]}, "info": {"id": "synth_v2_00557", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: StealC (SHA256: 9cd282cae7a5c3bd34c56dcca1d62f233eabf98303a1bf91dcfe29927ae4cb1b). Upon execution on Citrix NetScaler, the sample creates C:\\Program Files\\Common Files\\chrome_helper.exe and injects into legitimate processes. Network analysis shows beaconing to 192.99.144.64 every 60 seconds and DNS queries to gatewayupdate.info. The second stage was fetched from hxxps://cloudlogin.info/login and written to /etc/cron.d/sam.hive. The payload uses Seatbelt-style techniques for defense evasion. 
A secondary hash (MD5: 16b22c205c0a2a64728438f703d720fb) was extracted from the unpacked payload.", "spans": {"MALWARE: StealC": [[25, 31]], "HASH: 9cd282cae7a5c3bd34c56dcca1d62f233eabf98303a1bf91dcfe29927ae4cb1b": [[41, 105]], "SYSTEM: Citrix NetScaler": [[126, 142]], "FILEPATH: C:\\Program Files\\Common Files\\chrome_helper.exe": [[163, 210]], "IP_ADDRESS: 192.99.144.64": [[286, 299]], "DOMAIN: gatewayupdate.info": [[336, 354]], "URL: hxxps://cloudlogin.info/login": [[390, 419]], "FILEPATH: /etc/cron.d/sam.hive": [[435, 455]], "TOOL: Seatbelt": [[474, 482]], "HASH: 16b22c205c0a2a64728438f703d720fb": [[544, 576]]}, "info": {"id": "synth_v2_00558", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: PlugX (SHA1: 04e53ab7e9c48038c583633c9265f0b8e8ee092a). Upon execution on F5 BIG-IP, the sample creates C:\\Windows\\Temp\\taskhost.exe and injects into legitimate processes. Network analysis shows beaconing to 192.227.160.28 every 60 seconds and DNS queries to relaysync.xyz. The second stage was fetched from hxxp://backupsecure.cc/secure/token and written to C:\\Users\\admin\\AppData\\Local\\Temp\\winlogon.exe. The payload uses Certutil-style techniques for defense evasion. A secondary hash (MD5: e8e6c237398482121103362166ec3c54) was extracted from the unpacked payload.", "spans": {"MALWARE: PlugX": [[25, 30]], "HASH: 04e53ab7e9c48038c583633c9265f0b8e8ee092a": [[38, 78]], "SYSTEM: F5 BIG-IP": [[99, 108]], "FILEPATH: C:\\Windows\\Temp\\taskhost.exe": [[129, 157]], "IP_ADDRESS: 192.227.160.28": [[233, 247]], "DOMAIN: relaysync.xyz": [[284, 297]], "URL: hxxp://backupsecure.cc/secure/token": [[333, 368]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\winlogon.exe": [[384, 430]], "TOOL: Certutil": [[449, 457]], "HASH: e8e6c237398482121103362166ec3c54": [[519, 551]]}, "info": {"id": "synth_v2_00559", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: RedLine Stealer (SHA256: 9ad46f3289ae2f5b329218fbde2389eec7bae31efe417b95eb66c1849bf670ba). 
Upon execution on Ubuntu 22.04, the sample creates C:\\Users\\admin\\AppData\\Local\\Temp\\payload.bin and injects into legitimate processes. Network analysis shows beaconing to 141.13.222.166 every 60 seconds and DNS queries to portalsecure.tech. The second stage was fetched from hxxps://backup-storage.cc/panel/index.html and written to /dev/shm/chrome_helper.exe. The payload uses Merlin-style techniques for defense evasion. A secondary hash (MD5: 7132903d1a97078e0a388d1c655dd3f7) was extracted from the unpacked payload.", "spans": {"MALWARE: RedLine Stealer": [[25, 40]], "HASH: 9ad46f3289ae2f5b329218fbde2389eec7bae31efe417b95eb66c1849bf670ba": [[50, 114]], "SYSTEM: Ubuntu 22.04": [[135, 147]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\payload.bin": [[168, 213]], "IP_ADDRESS: 141.13.222.166": [[289, 303]], "DOMAIN: portalsecure.tech": [[340, 357]], "URL: hxxps://backup-storage.cc/panel/index.html": [[393, 435]], "FILEPATH: /dev/shm/chrome_helper.exe": [[451, 477]], "TOOL: Merlin": [[496, 502]], "HASH: 7132903d1a97078e0a388d1c655dd3f7": [[564, 596]]}, "info": {"id": "synth_v2_00560", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: BlackCat (SHA256: fec1a163206af4199a737eab445a207af3967c8a831a327c70feb7c29722739a). Upon execution on Citrix NetScaler, the sample creates C:\\Users\\admin\\AppData\\Local\\Temp\\loader.exe and injects into legitimate processes. Network analysis shows beaconing to 192.120.47.194 every 60 seconds and DNS queries to mailstorage.net. The second stage was fetched from http://storageapi.online/panel/index.html and written to C:\\Program Files\\Common Files\\lsass.dmp. The payload uses WinPEAS-style techniques for defense evasion. 
A secondary hash (SHA256: e39b89896b184198693ea1b1f8548f6b8b25ea915f7369e10bd575e4c5fc5473) was extracted from the unpacked payload.", "spans": {"MALWARE: BlackCat": [[25, 33]], "HASH: fec1a163206af4199a737eab445a207af3967c8a831a327c70feb7c29722739a": [[43, 107]], "SYSTEM: Citrix NetScaler": [[128, 144]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\loader.exe": [[165, 209]], "IP_ADDRESS: 192.120.47.194": [[285, 299]], "DOMAIN: mailstorage.net": [[336, 351]], "URL: http://storageapi.online/panel/index.html": [[387, 428]], "FILEPATH: C:\\Program Files\\Common Files\\lsass.dmp": [[444, 483]], "TOOL: WinPEAS": [[502, 509]], "HASH: e39b89896b184198693ea1b1f8548f6b8b25ea915f7369e10bd575e4c5fc5473": [[574, 638]]}, "info": {"id": "synth_v2_00561", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Latrodectus (SHA256: d064307ffa6519a42e7181729f3a8d775f5a6df3aec95061d7f9ea7b92f9ee47). Upon execution on Atlassian Confluence, the sample creates /var/tmp/payload.bin and injects into legitimate processes. Network analysis shows beaconing to 41.59.133.59 every 60 seconds and DNS queries to cdn-edge.com. The second stage was fetched from hxxps://data-proxy.com/wp-content/uploads/doc.php and written to C:\\Windows\\System32\\loader.exe. The payload uses Hashcat-style techniques for defense evasion. 
A secondary hash (SHA256: d7a3654c04b0bba4fa5410ba1ce1f2ce4fc535ec62cb5d8c84ef5040992bfe11) was extracted from the unpacked payload.", "spans": {"MALWARE: Latrodectus": [[25, 36]], "HASH: d064307ffa6519a42e7181729f3a8d775f5a6df3aec95061d7f9ea7b92f9ee47": [[46, 110]], "SYSTEM: Atlassian Confluence": [[131, 151]], "FILEPATH: /var/tmp/payload.bin": [[172, 192]], "IP_ADDRESS: 41.59.133.59": [[268, 280]], "DOMAIN: cdn-edge.com": [[317, 329]], "URL: hxxps://data-proxy.com/wp-content/uploads/doc.php": [[365, 414]], "FILEPATH: C:\\Windows\\System32\\loader.exe": [[430, 460]], "TOOL: Hashcat": [[479, 486]], "HASH: d7a3654c04b0bba4fa5410ba1ce1f2ce4fc535ec62cb5d8c84ef5040992bfe11": [[551, 615]]}, "info": {"id": "synth_v2_00562", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Raccoon Stealer (SHA1: d17f9dff75d99b2294390956079810c867ac3a98). Upon execution on Ivanti Connect Secure, the sample creates /dev/shm/svchost.exe and injects into legitimate processes. Network analysis shows beaconing to 5.148.252.7 every 60 seconds and DNS queries to edgeapi.com. The second stage was fetched from hxxp://cache-cdn.xyz/collect and written to /etc/cron.d/chrome_helper.exe. The payload uses BITSAdmin-style techniques for defense evasion. 
A secondary hash (SHA1: 0536a3443eb1b7a8a363c4f71539ab3012994e1d) was extracted from the unpacked payload.", "spans": {"MALWARE: Raccoon Stealer": [[25, 40]], "HASH: d17f9dff75d99b2294390956079810c867ac3a98": [[48, 88]], "SYSTEM: Ivanti Connect Secure": [[109, 130]], "FILEPATH: /dev/shm/svchost.exe": [[151, 171]], "IP_ADDRESS: 5.148.252.7": [[247, 258]], "DOMAIN: edgeapi.com": [[295, 306]], "URL: hxxp://cache-cdn.xyz/collect": [[342, 370]], "FILEPATH: /etc/cron.d/chrome_helper.exe": [[386, 415]], "TOOL: BITSAdmin": [[434, 443]], "HASH: 0536a3443eb1b7a8a363c4f71539ab3012994e1d": [[506, 546]]}, "info": {"id": "synth_v2_00563", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: BatLoader (SHA256: ff1e12efdbca4130b384ae67d9f669d312133d60b6466d62af14c4f0bc4582ef). Upon execution on Windows Server 2019, the sample creates /usr/local/bin/lsass.dmp and injects into legitimate processes. Network analysis shows beaconing to 10.3.144.69 every 60 seconds and DNS queries to nodeportal.org. The second stage was fetched from hxxp://static-sync.tech/secure/token and written to C:\\Users\\Public\\Documents\\agent.py. The payload uses Brute Ratel-style techniques for defense evasion. A secondary hash (MD5: 7c488e9d008882d109ea5451e5c3636d) was extracted from the unpacked payload.", "spans": {"MALWARE: BatLoader": [[25, 34]], "HASH: ff1e12efdbca4130b384ae67d9f669d312133d60b6466d62af14c4f0bc4582ef": [[44, 108]], "SYSTEM: Windows Server 2019": [[129, 148]], "FILEPATH: /usr/local/bin/lsass.dmp": [[169, 193]], "IP_ADDRESS: 10.3.144.69": [[269, 280]], "DOMAIN: nodeportal.org": [[317, 331]], "URL: hxxp://static-sync.tech/secure/token": [[367, 403]], "FILEPATH: C:\\Users\\Public\\Documents\\agent.py": [[419, 453]], "TOOL: Brute Ratel": [[472, 483]], "HASH: 7c488e9d008882d109ea5451e5c3636d": [[545, 577]]}, "info": {"id": "synth_v2_00564", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: PlugX (SHA1: 710fa62480ff2b1ffe3915a92d1ef93694cd4792). 
Upon execution on Active Directory, the sample creates C:\\Windows\\Tasks\\update.dll and injects into legitimate processes. Network analysis shows beaconing to 53.94.57.11 every 60 seconds and DNS queries to authcloud.xyz. The second stage was fetched from https://cloudcache.live/secure/token and written to /var/tmp/shell.php. The payload uses Mythic-style techniques for defense evasion. A secondary hash (SHA1: 196bdf61a03296e0171c9447b83245d1b7893703) was extracted from the unpacked payload.", "spans": {"MALWARE: PlugX": [[25, 30]], "HASH: 710fa62480ff2b1ffe3915a92d1ef93694cd4792": [[38, 78]], "SYSTEM: Active Directory": [[99, 115]], "FILEPATH: C:\\Windows\\Tasks\\update.dll": [[136, 163]], "IP_ADDRESS: 53.94.57.11": [[239, 250]], "DOMAIN: authcloud.xyz": [[287, 300]], "URL: https://cloudcache.live/secure/token": [[336, 372]], "FILEPATH: /var/tmp/shell.php": [[388, 406]], "TOOL: Mythic": [[425, 431]], "HASH: 196bdf61a03296e0171c9447b83245d1b7893703": [[494, 534]]}, "info": {"id": "synth_v2_00565", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Royal (SHA1: 78c6bb5547245f6ad55ef7758ad42b9b0831cdad). Upon execution on Progress Telerik, the sample creates /dev/shm/dropper.ps1 and injects into legitimate processes. Network analysis shows beaconing to 4.110.92.221 every 60 seconds and DNS queries to cloudproxy.club. The second stage was fetched from hxxp://storagerelay.site/gate.php and written to /home/user/.config/helper.sh. The payload uses Impacket-style techniques for defense evasion. 
A secondary hash (SHA256: dfada12a3875767049eb8a5c300d93323045a910eee1cd967cdf6e01fc7ff1e2) was extracted from the unpacked payload.", "spans": {"MALWARE: Royal": [[25, 30]], "HASH: 78c6bb5547245f6ad55ef7758ad42b9b0831cdad": [[38, 78]], "SYSTEM: Progress Telerik": [[99, 115]], "FILEPATH: /dev/shm/dropper.ps1": [[136, 156]], "IP_ADDRESS: 4.110.92.221": [[232, 244]], "DOMAIN: cloudproxy.club": [[281, 296]], "URL: hxxp://storagerelay.site/gate.php": [[332, 365]], "FILEPATH: /home/user/.config/helper.sh": [[381, 409]], "TOOL: Impacket": [[428, 436]], "HASH: dfada12a3875767049eb8a5c300d93323045a910eee1cd967cdf6e01fc7ff1e2": [[501, 565]]}, "info": {"id": "synth_v2_00566", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Ryuk (SHA256: 67e873bfc126b14a1b0a1173cb99e6173adf8b3c95b67d814dfeb294889368a1). Upon execution on Windows Server 2019, the sample creates /etc/cron.d/chrome_helper.exe and injects into legitimate processes. Network analysis shows beaconing to 10.140.0.78 every 60 seconds and DNS queries to portalcache.org. The second stage was fetched from hxxp://cdn-mail.xyz/callback and written to /usr/local/bin/ntds.dit. The payload uses Sharphound-style techniques for defense evasion. 
A secondary hash (SHA256: 606cee21448c5a97cfc4e8ffd3ec876786b07b5dc939868d0c31e8278a201b83) was extracted from the unpacked payload.", "spans": {"MALWARE: Ryuk": [[25, 29]], "HASH: 67e873bfc126b14a1b0a1173cb99e6173adf8b3c95b67d814dfeb294889368a1": [[39, 103]], "SYSTEM: Windows Server 2019": [[124, 143]], "FILEPATH: /etc/cron.d/chrome_helper.exe": [[164, 193]], "IP_ADDRESS: 10.140.0.78": [[269, 280]], "DOMAIN: portalcache.org": [[317, 332]], "URL: hxxp://cdn-mail.xyz/callback": [[368, 396]], "FILEPATH: /usr/local/bin/ntds.dit": [[412, 435]], "TOOL: Sharphound": [[454, 464]], "HASH: 606cee21448c5a97cfc4e8ffd3ec876786b07b5dc939868d0c31e8278a201b83": [[529, 593]]}, "info": {"id": "synth_v2_00567", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: AsyncRAT (SHA256: 6ee79c710a4c373c71e5c8df455a5f004e8f3345b9c846feb1a2d9ce6faa921f). Upon execution on MOVEit Transfer, the sample creates /var/tmp/sam.hive and injects into legitimate processes. Network analysis shows beaconing to 37.134.233.239 every 60 seconds and DNS queries to auth-update.dev. The second stage was fetched from hxxps://secureupdate.net/assets/js/payload.js and written to /usr/local/bin/backdoor.elf. The payload uses Mimikatz-style techniques for defense evasion. 
A secondary hash (SHA256: 5cff378a7b81e2a0c4ac8310de34988459d389d6b5dab7fcce14d7f78c665f65) was extracted from the unpacked payload.", "spans": {"MALWARE: AsyncRAT": [[25, 33]], "HASH: 6ee79c710a4c373c71e5c8df455a5f004e8f3345b9c846feb1a2d9ce6faa921f": [[43, 107]], "SYSTEM: MOVEit Transfer": [[128, 143]], "FILEPATH: /var/tmp/sam.hive": [[164, 181]], "IP_ADDRESS: 37.134.233.239": [[257, 271]], "DOMAIN: auth-update.dev": [[308, 323]], "URL: hxxps://secureupdate.net/assets/js/payload.js": [[359, 404]], "FILEPATH: /usr/local/bin/backdoor.elf": [[420, 447]], "TOOL: Mimikatz": [[466, 474]], "HASH: 5cff378a7b81e2a0c4ac8310de34988459d389d6b5dab7fcce14d7f78c665f65": [[539, 603]]}, "info": {"id": "synth_v2_00568", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Amadey (SHA256: 8be962bbc9c639b20fcd7ecee99cd55f300f867cc52cc5b3785c4030ad78b248). Upon execution on F5 BIG-IP, the sample creates C:\\Users\\admin\\AppData\\Local\\Temp\\chrome_helper.exe and injects into legitimate processes. Network analysis shows beaconing to 10.33.203.174 every 60 seconds and DNS queries to updatecdn.online. The second stage was fetched from hxxps://relaygateway.org/collect and written to /usr/local/bin/agent.py. The payload uses LinPEAS-style techniques for defense evasion. 
A secondary hash (SHA1: 152cdc97bcba936a5a6645b5d337342e57bd29ea) was extracted from the unpacked payload.", "spans": {"MALWARE: Amadey": [[25, 31]], "HASH: 8be962bbc9c639b20fcd7ecee99cd55f300f867cc52cc5b3785c4030ad78b248": [[41, 105]], "SYSTEM: F5 BIG-IP": [[126, 135]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\chrome_helper.exe": [[156, 207]], "IP_ADDRESS: 10.33.203.174": [[283, 296]], "DOMAIN: updatecdn.online": [[333, 349]], "URL: hxxps://relaygateway.org/collect": [[385, 417]], "FILEPATH: /usr/local/bin/agent.py": [[433, 456]], "TOOL: LinPEAS": [[475, 482]], "HASH: 152cdc97bcba936a5a6645b5d337342e57bd29ea": [[545, 585]]}, "info": {"id": "synth_v2_00569", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Hive (MD5: d26d75bedb1e829479b48b2484ceb122). Upon execution on Ivanti Connect Secure, the sample creates C:\\Users\\admin\\AppData\\Local\\Temp\\agent.py and injects into legitimate processes. Network analysis shows beaconing to 49.120.229.208 every 60 seconds and DNS queries to cdn-cache.live. The second stage was fetched from hxxp://edgeproxy.link/assets/js/payload.js and written to /etc/cron.d/chrome_helper.exe. The payload uses ADFind-style techniques for defense evasion. 
A secondary hash (SHA256: 1766d648e87c8571692cc52965355e4b2182719044ef8bcd75766dab3a73babb) was extracted from the unpacked payload.", "spans": {"MALWARE: Hive": [[25, 29]], "HASH: d26d75bedb1e829479b48b2484ceb122": [[36, 68]], "SYSTEM: Ivanti Connect Secure": [[89, 110]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\agent.py": [[131, 173]], "IP_ADDRESS: 49.120.229.208": [[249, 263]], "DOMAIN: cdn-cache.live": [[300, 314]], "URL: hxxp://edgeproxy.link/assets/js/payload.js": [[350, 392]], "FILEPATH: /etc/cron.d/chrome_helper.exe": [[408, 437]], "TOOL: ADFind": [[456, 462]], "HASH: 1766d648e87c8571692cc52965355e4b2182719044ef8bcd75766dab3a73babb": [[527, 591]]}, "info": {"id": "synth_v2_00570", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: ShadowPad (MD5: 561b92984a9ce23ceb8228b961011f42). Upon execution on Ubuntu 22.04, the sample creates /dev/shm/dropper.ps1 and injects into legitimate processes. Network analysis shows beaconing to 172.190.74.83 every 60 seconds and DNS queries to gatewaysecure.cc. The second stage was fetched from https://mailrelay.tech/download/update.exe and written to C:\\Program Files\\Common Files\\csrss.exe. The payload uses Sliver-style techniques for defense evasion. A secondary hash (SHA1: e2fd0b75be730bbf9734bd05078c91dab4f4b7e4) was extracted from the unpacked payload.", "spans": {"MALWARE: ShadowPad": [[25, 34]], "HASH: 561b92984a9ce23ceb8228b961011f42": [[41, 73]], "SYSTEM: Ubuntu 22.04": [[94, 106]], "FILEPATH: /dev/shm/dropper.ps1": [[127, 147]], "IP_ADDRESS: 172.190.74.83": [[223, 236]], "DOMAIN: gatewaysecure.cc": [[273, 289]], "URL: https://mailrelay.tech/download/update.exe": [[325, 367]], "FILEPATH: C:\\Program Files\\Common Files\\csrss.exe": [[383, 422]], "TOOL: Sliver": [[441, 447]], "HASH: e2fd0b75be730bbf9734bd05078c91dab4f4b7e4": [[510, 550]]}, "info": {"id": "synth_v2_00571", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: StealC (MD5: 8e43570803376f4ad1b23e602c0b2470). 
Upon execution on SonicWall SMA, the sample creates C:\\Windows\\System32\\runtime.dll and injects into legitimate processes. Network analysis shows beaconing to 92.238.230.193 every 60 seconds and DNS queries to cdn-storage.io. The second stage was fetched from hxxp://static-storage.io/collect and written to C:\\Users\\admin\\Desktop\\chrome_helper.exe. The payload uses Covenant-style techniques for defense evasion. A secondary hash (SHA256: 4ca832a4b2856bd3d6a53e26b9b94571d8f10d51b87e4534a88f39996c8a3e0c) was extracted from the unpacked payload.", "spans": {"MALWARE: StealC": [[25, 31]], "HASH: 8e43570803376f4ad1b23e602c0b2470": [[38, 70]], "SYSTEM: SonicWall SMA": [[91, 104]], "FILEPATH: C:\\Windows\\System32\\runtime.dll": [[125, 156]], "IP_ADDRESS: 92.238.230.193": [[232, 246]], "DOMAIN: cdn-storage.io": [[283, 297]], "URL: hxxp://static-storage.io/collect": [[333, 365]], "FILEPATH: C:\\Users\\admin\\Desktop\\chrome_helper.exe": [[381, 421]], "TOOL: Covenant": [[440, 448]], "HASH: 4ca832a4b2856bd3d6a53e26b9b94571d8f10d51b87e4534a88f39996c8a3e0c": [[513, 577]]}, "info": {"id": "synth_v2_00572", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Conti (SHA1: db0ea2deb71ec9d6283f737189ce8f3475c81b47). Upon execution on VMware ESXi, the sample creates C:\\Users\\admin\\Desktop\\helper.sh and injects into legitimate processes. Network analysis shows beaconing to 192.53.2.66 every 60 seconds and DNS queries to data-storage.online. The second stage was fetched from http://storage-mail.io/panel/index.html and written to /etc/cron.d/ntds.dit. The payload uses WinPEAS-style techniques for defense evasion. 
A secondary hash (SHA1: d72b75248cb7b183f0e1bf2c069e84d59b2fc0d6) was extracted from the unpacked payload.", "spans": {"MALWARE: Conti": [[25, 30]], "HASH: db0ea2deb71ec9d6283f737189ce8f3475c81b47": [[38, 78]], "SYSTEM: VMware ESXi": [[99, 110]], "FILEPATH: C:\\Users\\admin\\Desktop\\helper.sh": [[131, 163]], "IP_ADDRESS: 192.53.2.66": [[239, 250]], "DOMAIN: data-storage.online": [[287, 306]], "URL: http://storage-mail.io/panel/index.html": [[342, 381]], "FILEPATH: /etc/cron.d/ntds.dit": [[397, 417]], "TOOL: WinPEAS": [[436, 443]], "HASH: d72b75248cb7b183f0e1bf2c069e84d59b2fc0d6": [[506, 546]]}, "info": {"id": "synth_v2_00573", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Play (SHA1: c1f4cca96dbae6c01b26d511f82de7254693759a). Upon execution on Windows Server 2019, the sample creates /tmp/dropper.ps1 and injects into legitimate processes. Network analysis shows beaconing to 40.96.0.229 every 60 seconds and DNS queries to proxy-login.dev. The second stage was fetched from http://backup-data.link/portal/verify and written to C:\\Users\\Public\\Documents\\runtime.dll. The payload uses Mimikatz-style techniques for defense evasion. A secondary hash (SHA1: 355134e666fab3b99669fe11d6e48170884e9f32) was extracted from the unpacked payload.", "spans": {"MALWARE: Play": [[25, 29]], "HASH: c1f4cca96dbae6c01b26d511f82de7254693759a": [[37, 77]], "SYSTEM: Windows Server 2019": [[98, 117]], "FILEPATH: /tmp/dropper.ps1": [[138, 154]], "IP_ADDRESS: 40.96.0.229": [[230, 241]], "DOMAIN: proxy-login.dev": [[278, 293]], "URL: http://backup-data.link/portal/verify": [[329, 366]], "FILEPATH: C:\\Users\\Public\\Documents\\runtime.dll": [[382, 419]], "TOOL: Mimikatz": [[438, 446]], "HASH: 355134e666fab3b99669fe11d6e48170884e9f32": [[509, 549]]}, "info": {"id": "synth_v2_00574", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: TrickBot (MD5: 89096ac84aa40ae758bba8a777296c93). 
Upon execution on MOVEit Transfer, the sample creates /etc/cron.d/runtime.dll and injects into legitimate processes. Network analysis shows beaconing to 10.36.34.65 every 60 seconds and DNS queries to authgateway.tech. The second stage was fetched from https://updatestatic.info/callback and written to /home/user/.config/ntds.dit. The payload uses ADFind-style techniques for defense evasion. A secondary hash (SHA256: d88c19411afa62a6b129f23903a763706f8be190eaecfc50fa90f475fa1a97f7) was extracted from the unpacked payload.", "spans": {"MALWARE: TrickBot": [[25, 33]], "HASH: 89096ac84aa40ae758bba8a777296c93": [[40, 72]], "SYSTEM: MOVEit Transfer": [[93, 108]], "FILEPATH: /etc/cron.d/runtime.dll": [[129, 152]], "IP_ADDRESS: 10.36.34.65": [[228, 239]], "DOMAIN: authgateway.tech": [[276, 292]], "URL: https://updatestatic.info/callback": [[328, 362]], "FILEPATH: /home/user/.config/ntds.dit": [[378, 405]], "TOOL: ADFind": [[424, 430]], "HASH: d88c19411afa62a6b129f23903a763706f8be190eaecfc50fa90f475fa1a97f7": [[495, 559]]}, "info": {"id": "synth_v2_00575", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Amadey (SHA1: e39e81935a57e2009bf1fc3f4af82c1489812ebb). Upon execution on F5 BIG-IP, the sample creates /etc/cron.d/beacon.dll and injects into legitimate processes. Network analysis shows beaconing to 192.251.16.128 every 60 seconds and DNS queries to mailupdate.info. The second stage was fetched from hxxps://portaledge.link/callback and written to C:\\Windows\\Temp\\lsass.dmp. The payload uses BloodHound-style techniques for defense evasion. 
A secondary hash (SHA1: 49dd6025d7b43b822edb8b4211b299df11b92069) was extracted from the unpacked payload.", "spans": {"MALWARE: Amadey": [[25, 31]], "HASH: e39e81935a57e2009bf1fc3f4af82c1489812ebb": [[39, 79]], "SYSTEM: F5 BIG-IP": [[100, 109]], "FILEPATH: /etc/cron.d/beacon.dll": [[130, 152]], "IP_ADDRESS: 192.251.16.128": [[228, 242]], "DOMAIN: mailupdate.info": [[279, 294]], "URL: hxxps://portaledge.link/callback": [[330, 362]], "FILEPATH: C:\\Windows\\Temp\\lsass.dmp": [[378, 403]], "TOOL: BloodHound": [[422, 432]], "HASH: 49dd6025d7b43b822edb8b4211b299df11b92069": [[495, 535]]}, "info": {"id": "synth_v2_00576", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Dridex (MD5: b7b0e42b23a70bdd4e715dc6d2d77bbc). Upon execution on Windows Server 2019, the sample creates C:\\Program Files\\Common Files\\taskhost.exe and injects into legitimate processes. Network analysis shows beaconing to 10.125.48.117 every 60 seconds and DNS queries to storagedata.cc. The second stage was fetched from http://cdnstorage.info/wp-content/uploads/doc.php and written to C:\\Windows\\Temp\\payload.bin. The payload uses BITSAdmin-style techniques for defense evasion. A secondary hash (MD5: 5407da544c72daf7132b0d1584feeb80) was extracted from the unpacked payload.", "spans": {"MALWARE: Dridex": [[25, 31]], "HASH: b7b0e42b23a70bdd4e715dc6d2d77bbc": [[38, 70]], "SYSTEM: Windows Server 2019": [[91, 110]], "FILEPATH: C:\\Program Files\\Common Files\\taskhost.exe": [[131, 173]], "IP_ADDRESS: 10.125.48.117": [[249, 262]], "DOMAIN: storagedata.cc": [[299, 313]], "URL: http://cdnstorage.info/wp-content/uploads/doc.php": [[349, 398]], "FILEPATH: C:\\Windows\\Temp\\payload.bin": [[414, 441]], "TOOL: BITSAdmin": [[460, 469]], "HASH: 5407da544c72daf7132b0d1584feeb80": [[531, 563]]}, "info": {"id": "synth_v2_00577", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: BatLoader (MD5: 871b258a3b957b58be76ab0289ae84db). 
Upon execution on Citrix NetScaler, the sample creates /home/user/.config/implant.so and injects into legitimate processes. Network analysis shows beaconing to 172.140.198.206 every 60 seconds and DNS queries to sync-cache.net. The second stage was fetched from hxxp://securerelay.info/login and written to /opt/app/bin/ntds.dit. The payload uses Metasploit-style techniques for defense evasion. A secondary hash (SHA256: 4f9f9d9f947a8457211b27ec145af1de85f10717333923d522cd6716fa4d5b36) was extracted from the unpacked payload.", "spans": {"MALWARE: BatLoader": [[25, 34]], "HASH: 871b258a3b957b58be76ab0289ae84db": [[41, 73]], "SYSTEM: Citrix NetScaler": [[94, 110]], "FILEPATH: /home/user/.config/implant.so": [[131, 160]], "IP_ADDRESS: 172.140.198.206": [[236, 251]], "DOMAIN: sync-cache.net": [[288, 302]], "URL: hxxp://securerelay.info/login": [[338, 367]], "FILEPATH: /opt/app/bin/ntds.dit": [[383, 404]], "TOOL: Metasploit": [[423, 433]], "HASH: 4f9f9d9f947a8457211b27ec145af1de85f10717333923d522cd6716fa4d5b36": [[498, 562]]}, "info": {"id": "synth_v2_00578", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: IcedID (SHA256: eb94e503b38830cb04fcd556cef4a792ac8516422ecc34b5238ea5530052972f). Upon execution on Citrix NetScaler, the sample creates C:\\Windows\\Tasks\\taskhost.exe and injects into legitimate processes. Network analysis shows beaconing to 64.2.198.199 every 60 seconds and DNS queries to portal-cdn.info. The second stage was fetched from http://data-storage.live/wp-content/uploads/doc.php and written to C:\\Users\\Public\\Documents\\config.dat. The payload uses CrackMapExec-style techniques for defense evasion. 
A secondary hash (MD5: 3a74d18f311a4500832ee852e632e689) was extracted from the unpacked payload.", "spans": {"MALWARE: IcedID": [[25, 31]], "HASH: eb94e503b38830cb04fcd556cef4a792ac8516422ecc34b5238ea5530052972f": [[41, 105]], "SYSTEM: Citrix NetScaler": [[126, 142]], "FILEPATH: C:\\Windows\\Tasks\\taskhost.exe": [[163, 192]], "IP_ADDRESS: 64.2.198.199": [[268, 280]], "DOMAIN: portal-cdn.info": [[317, 332]], "URL: http://data-storage.live/wp-content/uploads/doc.php": [[368, 419]], "FILEPATH: C:\\Users\\Public\\Documents\\config.dat": [[435, 471]], "TOOL: CrackMapExec": [[490, 502]], "HASH: 3a74d18f311a4500832ee852e632e689": [[564, 596]]}, "info": {"id": "synth_v2_00579", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: StealC (SHA1: 273915e046c972662143c19fbe2813e472860c9f). Upon execution on Cisco ASA, the sample creates C:\\ProgramData\\chrome_helper.exe and injects into legitimate processes. Network analysis shows beaconing to 128.187.220.6 every 60 seconds and DNS queries to edgeauth.site. The second stage was fetched from http://cdnsync.site/api/v2/auth and written to /usr/local/bin/csrss.exe. The payload uses PowerShell Empire-style techniques for defense evasion. 
A secondary hash (SHA256: 0c7bf78b5207676ef73382b0bd993462ed73e03fbe028569dd825a102b2a1ed6) was extracted from the unpacked payload.", "spans": {"MALWARE: StealC": [[25, 31]], "HASH: 273915e046c972662143c19fbe2813e472860c9f": [[39, 79]], "SYSTEM: Cisco ASA": [[100, 109]], "FILEPATH: C:\\ProgramData\\chrome_helper.exe": [[130, 162]], "IP_ADDRESS: 128.187.220.6": [[238, 251]], "DOMAIN: edgeauth.site": [[288, 301]], "URL: http://cdnsync.site/api/v2/auth": [[337, 368]], "FILEPATH: /usr/local/bin/csrss.exe": [[384, 408]], "TOOL: PowerShell Empire": [[427, 444]], "HASH: 0c7bf78b5207676ef73382b0bd993462ed73e03fbe028569dd825a102b2a1ed6": [[509, 573]]}, "info": {"id": "synth_v2_00580", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: BatLoader (SHA256: 91cd398d82e52cea5203f1188aa76c1d566433cd7b5eff07dcc9fb14595dfbec). Upon execution on Windows 11, the sample creates C:\\Users\\admin\\Downloads\\shell.php and injects into legitimate processes. Network analysis shows beaconing to 10.82.44.147 every 60 seconds and DNS queries to cloud-relay.top. The second stage was fetched from hxxps://edgesync.online/admin/config and written to C:\\Program Files\\Common Files\\taskhost.exe. The payload uses Certutil-style techniques for defense evasion. 
A secondary hash (SHA256: d8834ef915d43a013345fae7c67b24ac1faa6050ce348545a4371d4dca78a255) was extracted from the unpacked payload.", "spans": {"MALWARE: BatLoader": [[25, 34]], "HASH: 91cd398d82e52cea5203f1188aa76c1d566433cd7b5eff07dcc9fb14595dfbec": [[44, 108]], "SYSTEM: Windows 11": [[129, 139]], "FILEPATH: C:\\Users\\admin\\Downloads\\shell.php": [[160, 194]], "IP_ADDRESS: 10.82.44.147": [[270, 282]], "DOMAIN: cloud-relay.top": [[319, 334]], "URL: hxxps://edgesync.online/admin/config": [[370, 406]], "FILEPATH: C:\\Program Files\\Common Files\\taskhost.exe": [[422, 464]], "TOOL: Certutil": [[483, 491]], "HASH: d8834ef915d43a013345fae7c67b24ac1faa6050ce348545a4371d4dca78a255": [[556, 620]]}, "info": {"id": "synth_v2_00581", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Play (SHA256: 7f146d8ce4c39d0501e29185d450783497d47803087543d672edbd1953fdd7bb). Upon execution on F5 BIG-IP, the sample creates /opt/app/bin/helper.sh and injects into legitimate processes. Network analysis shows beaconing to 35.200.5.96 every 60 seconds and DNS queries to node-update.net. The second stage was fetched from https://cachenode.com/download/update.exe and written to /dev/shm/runtime.dll. The payload uses SharpHound-style techniques for defense evasion. 
A secondary hash (SHA256: a75314bb41b1392ae089ad9412e1e0343feee00bf7151636b29f005fe13383f5) was extracted from the unpacked payload.", "spans": {"MALWARE: Play": [[25, 29]], "HASH: 7f146d8ce4c39d0501e29185d450783497d47803087543d672edbd1953fdd7bb": [[39, 103]], "SYSTEM: F5 BIG-IP": [[124, 133]], "FILEPATH: /opt/app/bin/helper.sh": [[154, 176]], "IP_ADDRESS: 35.200.5.96": [[252, 263]], "DOMAIN: node-update.net": [[300, 315]], "URL: https://cachenode.com/download/update.exe": [[351, 392]], "FILEPATH: /dev/shm/runtime.dll": [[408, 428]], "TOOL: SharpHound": [[447, 457]], "HASH: a75314bb41b1392ae089ad9412e1e0343feee00bf7151636b29f005fe13383f5": [[522, 586]]}, "info": {"id": "synth_v2_00582", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Amadey (MD5: 97dda2ca028226f26ec9443f732caa96). Upon execution on Windows 11, the sample creates C:\\Program Files\\Common Files\\csrss.exe and injects into legitimate processes. Network analysis shows beaconing to 10.198.36.38 every 60 seconds and DNS queries to node-login.live. The second stage was fetched from hxxp://proxy-node.net/wp-content/uploads/doc.php and written to /var/tmp/backdoor.elf. The payload uses Sliver-style techniques for defense evasion. 
A secondary hash (SHA256: fd600b8a4da758a12bc2a66fac8b3b62bd3c739d2f7ee709796e0e294146f912) was extracted from the unpacked payload.", "spans": {"MALWARE: Amadey": [[25, 31]], "HASH: 97dda2ca028226f26ec9443f732caa96": [[38, 70]], "SYSTEM: Windows 11": [[91, 101]], "FILEPATH: C:\\Program Files\\Common Files\\csrss.exe": [[122, 161]], "IP_ADDRESS: 10.198.36.38": [[237, 249]], "DOMAIN: node-login.live": [[286, 301]], "URL: hxxp://proxy-node.net/wp-content/uploads/doc.php": [[337, 385]], "FILEPATH: /var/tmp/backdoor.elf": [[401, 422]], "TOOL: Sliver": [[441, 447]], "HASH: fd600b8a4da758a12bc2a66fac8b3b62bd3c739d2f7ee709796e0e294146f912": [[512, 576]]}, "info": {"id": "synth_v2_00583", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: XLoader (SHA256: aa90121b9a54b7586a88772e639d3ebf15eff2a3251a615a80b93c3584544919). Upon execution on Ubuntu 22.04, the sample creates C:\\Users\\admin\\Downloads\\helper.sh and injects into legitimate processes. Network analysis shows beaconing to 8.98.191.101 every 60 seconds and DNS queries to staticdata.club. The second stage was fetched from http://proxy-static.link/admin/config and written to /home/user/.config/beacon.dll. The payload uses Seatbelt-style techniques for defense evasion. 
A secondary hash (MD5: ba30891fabcca2a835bae9d1e23fcfda) was extracted from the unpacked payload.", "spans": {"MALWARE: XLoader": [[25, 32]], "HASH: aa90121b9a54b7586a88772e639d3ebf15eff2a3251a615a80b93c3584544919": [[42, 106]], "SYSTEM: Ubuntu 22.04": [[127, 139]], "FILEPATH: C:\\Users\\admin\\Downloads\\helper.sh": [[160, 194]], "IP_ADDRESS: 8.98.191.101": [[270, 282]], "DOMAIN: staticdata.club": [[319, 334]], "URL: http://proxy-static.link/admin/config": [[370, 407]], "FILEPATH: /home/user/.config/beacon.dll": [[423, 452]], "TOOL: Seatbelt": [[471, 479]], "HASH: ba30891fabcca2a835bae9d1e23fcfda": [[541, 573]]}, "info": {"id": "synth_v2_00584", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: XLoader (SHA1: 038433fda6e93adcf2f6b92249df058a5d144b9c). Upon execution on MOVEit Transfer, the sample creates /dev/shm/loader.exe and injects into legitimate processes. Network analysis shows beaconing to 17.43.74.198 every 60 seconds and DNS queries to mail-sync.site. The second stage was fetched from https://relaystorage.info/portal/verify and written to /dev/shm/lsass.dmp. The payload uses Seatbelt-style techniques for defense evasion. A secondary hash (SHA256: da5728de5cff60ed9bfd581adfa2150989cc57af5f803e8d755f97f65e01c475) was extracted from the unpacked payload.", "spans": {"MALWARE: XLoader": [[25, 32]], "HASH: 038433fda6e93adcf2f6b92249df058a5d144b9c": [[40, 80]], "SYSTEM: MOVEit Transfer": [[101, 116]], "FILEPATH: /dev/shm/loader.exe": [[137, 156]], "IP_ADDRESS: 17.43.74.198": [[232, 244]], "DOMAIN: mail-sync.site": [[281, 295]], "URL: https://relaystorage.info/portal/verify": [[331, 370]], "FILEPATH: /dev/shm/lsass.dmp": [[386, 404]], "TOOL: Seatbelt": [[423, 431]], "HASH: da5728de5cff60ed9bfd581adfa2150989cc57af5f803e8d755f97f65e01c475": [[496, 560]]}, "info": {"id": "synth_v2_00585", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Latrodectus (SHA1: 6f573265a646c611cd726cb49b19c88b84a8718b). 
Upon execution on Palo Alto PAN-OS, the sample creates /var/tmp/winlogon.exe and injects into legitimate processes. Network analysis shows beaconing to 172.172.46.178 every 60 seconds and DNS queries to storageedge.io. The second stage was fetched from https://sync-sync.dev/portal/verify and written to /opt/app/bin/helper.sh. The payload uses BITSAdmin-style techniques for defense evasion. A secondary hash (SHA1: 4290ad4093f13e0f2a4f27ebd7d84120560c2d88) was extracted from the unpacked payload.", "spans": {"MALWARE: Latrodectus": [[25, 36]], "HASH: 6f573265a646c611cd726cb49b19c88b84a8718b": [[44, 84]], "SYSTEM: Palo Alto PAN-OS": [[105, 121]], "FILEPATH: /var/tmp/winlogon.exe": [[142, 163]], "IP_ADDRESS: 172.172.46.178": [[239, 253]], "DOMAIN: storageedge.io": [[290, 304]], "URL: https://sync-sync.dev/portal/verify": [[340, 375]], "FILEPATH: /opt/app/bin/helper.sh": [[391, 413]], "TOOL: BITSAdmin": [[432, 441]], "HASH: 4290ad4093f13e0f2a4f27ebd7d84120560c2d88": [[504, 544]]}, "info": {"id": "synth_v2_00586", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: AgentTesla (MD5: ff53eeada2a233a29e096376ae646da4). Upon execution on Fortinet FortiGate, the sample creates /opt/app/bin/runtime.dll and injects into legitimate processes. Network analysis shows beaconing to 133.210.142.68 every 60 seconds and DNS queries to cloudstatic.dev. The second stage was fetched from https://backup-cloud.top/assets/js/payload.js and written to C:\\Windows\\Tasks\\shell.php. The payload uses LaZagne-style techniques for defense evasion. 
A secondary hash (SHA256: e90d68e8ef5c1c576538f12f3b2c8d590c483684d970ee75fce9346a18dd7ce6) was extracted from the unpacked payload.", "spans": {"MALWARE: AgentTesla": [[25, 35]], "HASH: ff53eeada2a233a29e096376ae646da4": [[42, 74]], "SYSTEM: Fortinet FortiGate": [[95, 113]], "FILEPATH: /opt/app/bin/runtime.dll": [[134, 158]], "IP_ADDRESS: 133.210.142.68": [[234, 248]], "DOMAIN: cloudstatic.dev": [[285, 300]], "URL: https://backup-cloud.top/assets/js/payload.js": [[336, 381]], "FILEPATH: C:\\Windows\\Tasks\\shell.php": [[397, 423]], "TOOL: LaZagne": [[442, 449]], "HASH: e90d68e8ef5c1c576538f12f3b2c8d590c483684d970ee75fce9346a18dd7ce6": [[514, 578]]}, "info": {"id": "synth_v2_00587", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Conti (SHA1: 63ca8e9737f0f4f81dda226ca748b526d6de1c1f). Upon execution on Progress Telerik, the sample creates C:\\Windows\\Tasks\\dropper.ps1 and injects into legitimate processes. Network analysis shows beaconing to 164.126.105.154 every 60 seconds and DNS queries to secureproxy.tech. The second stage was fetched from https://portal-proxy.club/collect and written to /opt/app/bin/payload.bin. The payload uses Nmap-style techniques for defense evasion. A secondary hash (SHA1: f9765294dfbb0412874a862b43fa68ba0ccfb146) was extracted from the unpacked payload.", "spans": {"MALWARE: Conti": [[25, 30]], "HASH: 63ca8e9737f0f4f81dda226ca748b526d6de1c1f": [[38, 78]], "SYSTEM: Progress Telerik": [[99, 115]], "FILEPATH: C:\\Windows\\Tasks\\dropper.ps1": [[136, 164]], "IP_ADDRESS: 164.126.105.154": [[240, 255]], "DOMAIN: secureproxy.tech": [[292, 308]], "URL: https://portal-proxy.club/collect": [[344, 377]], "FILEPATH: /opt/app/bin/payload.bin": [[393, 417]], "TOOL: Nmap": [[436, 440]], "HASH: f9765294dfbb0412874a862b43fa68ba0ccfb146": [[503, 543]]}, "info": {"id": "synth_v2_00588", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: IcedID (MD5: 129058d65d3e40d314d85634ca10d382). 
Upon execution on F5 BIG-IP, the sample creates C:\\Users\\admin\\AppData\\Local\\Temp\\ntds.dit and injects into legitimate processes. Network analysis shows beaconing to 209.201.1.18 every 60 seconds and DNS queries to sync-proxy.online. The second stage was fetched from hxxp://nodecache.site/portal/verify and written to /dev/shm/implant.so. The payload uses Metasploit-style techniques for defense evasion. A secondary hash (SHA256: 786ab3bfa019031e2bace7526d64909b1e06aae5baa9e56c896c71926f023125) was extracted from the unpacked payload.", "spans": {"MALWARE: IcedID": [[25, 31]], "HASH: 129058d65d3e40d314d85634ca10d382": [[38, 70]], "SYSTEM: F5 BIG-IP": [[91, 100]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\ntds.dit": [[121, 163]], "IP_ADDRESS: 209.201.1.18": [[239, 251]], "DOMAIN: sync-proxy.online": [[288, 305]], "URL: hxxp://nodecache.site/portal/verify": [[341, 376]], "FILEPATH: /dev/shm/implant.so": [[392, 411]], "TOOL: Metasploit": [[430, 440]], "HASH: 786ab3bfa019031e2bace7526d64909b1e06aae5baa9e56c896c71926f023125": [[505, 569]]}, "info": {"id": "synth_v2_00589", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: XLoader (MD5: 64f99d249ba76cd48ea9537548099cc0). Upon execution on Windows Server 2019, the sample creates C:\\Program Files\\Common Files\\runtime.dll and injects into legitimate processes. Network analysis shows beaconing to 10.92.62.93 every 60 seconds and DNS queries to cdn-api.info. The second stage was fetched from hxxp://edge-edge.info/api/v2/auth and written to C:\\Users\\admin\\AppData\\Local\\Temp\\shell.php. The payload uses BloodHound-style techniques for defense evasion. 
A secondary hash (MD5: 243208ec90c180c6d47bc9e4f2270362) was extracted from the unpacked payload.", "spans": {"MALWARE: XLoader": [[25, 32]], "HASH: 64f99d249ba76cd48ea9537548099cc0": [[39, 71]], "SYSTEM: Windows Server 2019": [[92, 111]], "FILEPATH: C:\\Program Files\\Common Files\\runtime.dll": [[132, 173]], "IP_ADDRESS: 10.92.62.93": [[249, 260]], "DOMAIN: cdn-api.info": [[297, 309]], "URL: hxxp://edge-edge.info/api/v2/auth": [[345, 378]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\shell.php": [[394, 437]], "TOOL: BloodHound": [[456, 466]], "HASH: 243208ec90c180c6d47bc9e4f2270362": [[528, 560]]}, "info": {"id": "synth_v2_00590", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Conti (MD5: ffdf6f86b266dd6b6fec4ad734668304). Upon execution on Cisco ASA, the sample creates C:\\Windows\\Temp\\dropper.ps1 and injects into legitimate processes. Network analysis shows beaconing to 73.220.123.60 every 60 seconds and DNS queries to static-static.cc. The second stage was fetched from hxxp://edgemail.live/download/update.exe and written to /opt/app/bin/helper.sh. The payload uses Rubeus-style techniques for defense evasion. A secondary hash (SHA1: 01fbcd6ca63acb13312ca7a9b3d4741abe84a84c) was extracted from the unpacked payload.", "spans": {"MALWARE: Conti": [[25, 30]], "HASH: ffdf6f86b266dd6b6fec4ad734668304": [[37, 69]], "SYSTEM: Cisco ASA": [[90, 99]], "FILEPATH: C:\\Windows\\Temp\\dropper.ps1": [[120, 147]], "IP_ADDRESS: 73.220.123.60": [[223, 236]], "DOMAIN: static-static.cc": [[273, 289]], "URL: hxxp://edgemail.live/download/update.exe": [[325, 365]], "FILEPATH: /opt/app/bin/helper.sh": [[381, 403]], "TOOL: Rubeus": [[422, 428]], "HASH: 01fbcd6ca63acb13312ca7a9b3d4741abe84a84c": [[491, 531]]}, "info": {"id": "synth_v2_00591", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Royal (SHA1: 0b9ad99ee412a7cf43cc2ef5cc2724c8dc9c5623). 
Upon execution on Apache Struts, the sample creates /var/tmp/backdoor.elf and injects into legitimate processes. Network analysis shows beaconing to 10.46.138.208 every 60 seconds and DNS queries to authauth.xyz. The second stage was fetched from hxxp://datadata.online/download/update.exe and written to C:\\Users\\Public\\Documents\\svchost.exe. The payload uses PsExec-style techniques for defense evasion. A secondary hash (SHA1: 0e71f8c9c80783fd513b697f01eb2885fb3e74d3) was extracted from the unpacked payload.", "spans": {"MALWARE: Royal": [[25, 30]], "HASH: 0b9ad99ee412a7cf43cc2ef5cc2724c8dc9c5623": [[38, 78]], "SYSTEM: Apache Struts": [[99, 112]], "FILEPATH: /var/tmp/backdoor.elf": [[133, 154]], "IP_ADDRESS: 10.46.138.208": [[230, 243]], "DOMAIN: authauth.xyz": [[280, 292]], "URL: hxxp://datadata.online/download/update.exe": [[328, 370]], "FILEPATH: C:\\Users\\Public\\Documents\\svchost.exe": [[386, 423]], "TOOL: PsExec": [[442, 448]], "HASH: 0e71f8c9c80783fd513b697f01eb2885fb3e74d3": [[511, 551]]}, "info": {"id": "synth_v2_00592", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: XLoader (SHA1: bf4731ab3ab4cffaa49ac4b253e1087d8ed10cc7). Upon execution on Juniper SRX, the sample creates /usr/local/bin/runtime.dll and injects into legitimate processes. Network analysis shows beaconing to 115.109.118.26 every 60 seconds and DNS queries to gateway-relay.online. The second stage was fetched from http://portal-static.link/login and written to /dev/shm/ntds.dit. The payload uses GhostPack-style techniques for defense evasion. 
A secondary hash (SHA1: 845d9628fa3312d40ab2d99398c04697df5d04a6) was extracted from the unpacked payload.", "spans": {"MALWARE: XLoader": [[25, 32]], "HASH: bf4731ab3ab4cffaa49ac4b253e1087d8ed10cc7": [[40, 80]], "SYSTEM: Juniper SRX": [[101, 112]], "FILEPATH: /usr/local/bin/runtime.dll": [[133, 159]], "IP_ADDRESS: 115.109.118.26": [[235, 249]], "DOMAIN: gateway-relay.online": [[286, 306]], "URL: http://portal-static.link/login": [[342, 373]], "FILEPATH: /dev/shm/ntds.dit": [[389, 406]], "TOOL: GhostPack": [[425, 434]], "HASH: 845d9628fa3312d40ab2d99398c04697df5d04a6": [[497, 537]]}, "info": {"id": "synth_v2_00593", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: NjRAT (MD5: b57cb60a9855c1f66f20eb15013ed490). Upon execution on Microsoft Exchange, the sample creates /tmp/winlogon.exe and injects into legitimate processes. Network analysis shows beaconing to 130.198.226.156 every 60 seconds and DNS queries to mail-login.club. The second stage was fetched from http://static-portal.org/wp-content/uploads/doc.php and written to /etc/cron.d/lsass.dmp. The payload uses Nmap-style techniques for defense evasion. A secondary hash (SHA256: a3e59525b583b4a97be341840d965f0d4a9e285687abb30a2aadde318abda9d6) was extracted from the unpacked payload.", "spans": {"MALWARE: NjRAT": [[25, 30]], "HASH: b57cb60a9855c1f66f20eb15013ed490": [[37, 69]], "SYSTEM: Microsoft Exchange": [[90, 108]], "FILEPATH: /tmp/winlogon.exe": [[129, 146]], "IP_ADDRESS: 130.198.226.156": [[222, 237]], "DOMAIN: mail-login.club": [[274, 289]], "URL: http://static-portal.org/wp-content/uploads/doc.php": [[325, 376]], "FILEPATH: /etc/cron.d/lsass.dmp": [[392, 413]], "TOOL: Nmap": [[432, 436]], "HASH: a3e59525b583b4a97be341840d965f0d4a9e285687abb30a2aadde318abda9d6": [[501, 565]]}, "info": {"id": "synth_v2_00594", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Gootloader (SHA256: 34a7ad0ce21bcf6e68cbfbc0d2e33c091afbd5698b0ebabcedcd8aa1c6a1e69c). 
Upon execution on Ivanti Connect Secure, the sample creates C:\\Windows\\Tasks\\ntds.dit and injects into legitimate processes. Network analysis shows beaconing to 7.124.33.116 every 60 seconds and DNS queries to portal-cache.tech. The second stage was fetched from http://portalupdate.online/assets/js/payload.js and written to C:\\ProgramData\\ntds.dit. The payload uses Nmap-style techniques for defense evasion. A secondary hash (MD5: d6f637ae2fc4c3f3676b04962c61ad61) was extracted from the unpacked payload.", "spans": {"MALWARE: Gootloader": [[25, 35]], "HASH: 34a7ad0ce21bcf6e68cbfbc0d2e33c091afbd5698b0ebabcedcd8aa1c6a1e69c": [[45, 109]], "SYSTEM: Ivanti Connect Secure": [[130, 151]], "FILEPATH: C:\\Windows\\Tasks\\ntds.dit": [[172, 197]], "IP_ADDRESS: 7.124.33.116": [[273, 285]], "DOMAIN: portal-cache.tech": [[322, 339]], "URL: http://portalupdate.online/assets/js/payload.js": [[375, 422]], "FILEPATH: C:\\ProgramData\\ntds.dit": [[438, 461]], "TOOL: Nmap": [[480, 484]], "HASH: d6f637ae2fc4c3f3676b04962c61ad61": [[546, 578]]}, "info": {"id": "synth_v2_00595", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Play (MD5: 1d1ed4af0c2c0a79335e3b8dc59ee752). Upon execution on Active Directory, the sample creates C:\\Users\\admin\\AppData\\Local\\Temp\\backdoor.elf and injects into legitimate processes. Network analysis shows beaconing to 123.80.86.57 every 60 seconds and DNS queries to cdn-portal.tech. The second stage was fetched from hxxp://data-api.club/api/v2/auth and written to C:\\ProgramData\\loader.exe. The payload uses Merlin-style techniques for defense evasion. 
A secondary hash (MD5: e896cddcca1a5948ef7c7cfeae092c6a) was extracted from the unpacked payload.", "spans": {"MALWARE: Play": [[25, 29]], "HASH: 1d1ed4af0c2c0a79335e3b8dc59ee752": [[36, 68]], "SYSTEM: Active Directory": [[89, 105]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\backdoor.elf": [[126, 172]], "IP_ADDRESS: 123.80.86.57": [[248, 260]], "DOMAIN: cdn-portal.tech": [[297, 312]], "URL: hxxp://data-api.club/api/v2/auth": [[348, 380]], "FILEPATH: C:\\ProgramData\\loader.exe": [[396, 421]], "TOOL: Merlin": [[440, 446]], "HASH: e896cddcca1a5948ef7c7cfeae092c6a": [[508, 540]]}, "info": {"id": "synth_v2_00596", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: PlugX (SHA256: 4b94c65f19c797fdb3d42b188d95b70cff4d6b2e5be41a1c2e5ea9e7c9ea1ffa). Upon execution on Fortinet FortiGate, the sample creates C:\\Users\\admin\\Downloads\\agent.py and injects into legitimate processes. Network analysis shows beaconing to 172.142.95.59 every 60 seconds and DNS queries to backupsecure.io. The second stage was fetched from hxxps://data-api.cc/collect and written to /dev/shm/ntds.dit. The payload uses Mythic-style techniques for defense evasion. A secondary hash (MD5: 8893ecc371f52530f507cca2f2949a27) was extracted from the unpacked payload.", "spans": {"MALWARE: PlugX": [[25, 30]], "HASH: 4b94c65f19c797fdb3d42b188d95b70cff4d6b2e5be41a1c2e5ea9e7c9ea1ffa": [[40, 104]], "SYSTEM: Fortinet FortiGate": [[125, 143]], "FILEPATH: C:\\Users\\admin\\Downloads\\agent.py": [[164, 197]], "IP_ADDRESS: 172.142.95.59": [[273, 286]], "DOMAIN: backupsecure.io": [[323, 338]], "URL: hxxps://data-api.cc/collect": [[374, 401]], "FILEPATH: /dev/shm/ntds.dit": [[417, 434]], "TOOL: Mythic": [[453, 459]], "HASH: 8893ecc371f52530f507cca2f2949a27": [[521, 553]]}, "info": {"id": "synth_v2_00597", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: BumbleBee (SHA256: 544a8e4ae99d98541c9fb5c7f69a475ef2fd32fcc282812a0ba77e77c936be7a). 
Upon execution on Fortinet FortiGate, the sample creates C:\\Users\\admin\\Downloads\\helper.sh and injects into legitimate processes. Network analysis shows beaconing to 10.51.137.210 every 60 seconds and DNS queries to edge-auth.link. The second stage was fetched from hxxp://edgemail.club/download/update.exe and written to C:\\Windows\\Temp\\winlogon.exe. The payload uses Havoc-style techniques for defense evasion. A secondary hash (SHA256: 61644f440729330083264a1c5331e5b3eaecd065470d4a9dff3fbda3fb91d2e3) was extracted from the unpacked payload.", "spans": {"MALWARE: BumbleBee": [[25, 34]], "HASH: 544a8e4ae99d98541c9fb5c7f69a475ef2fd32fcc282812a0ba77e77c936be7a": [[44, 108]], "SYSTEM: Fortinet FortiGate": [[129, 147]], "FILEPATH: C:\\Users\\admin\\Downloads\\helper.sh": [[168, 202]], "IP_ADDRESS: 10.51.137.210": [[278, 291]], "DOMAIN: edge-auth.link": [[328, 342]], "URL: hxxp://edgemail.club/download/update.exe": [[378, 418]], "FILEPATH: C:\\Windows\\Temp\\winlogon.exe": [[434, 462]], "TOOL: Havoc": [[481, 486]], "HASH: 61644f440729330083264a1c5331e5b3eaecd065470d4a9dff3fbda3fb91d2e3": [[551, 615]]}, "info": {"id": "synth_v2_00598", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: SystemBC (SHA1: 4c22e645e79c79c035783888d19b397cf4a85a07). Upon execution on Progress Telerik, the sample creates C:\\Users\\admin\\Downloads\\taskhost.exe and injects into legitimate processes. Network analysis shows beaconing to 172.69.85.13 every 60 seconds and DNS queries to loginlogin.xyz. The second stage was fetched from hxxp://cachesync.online/gate.php and written to /var/tmp/config.dat. The payload uses Sharphound-style techniques for defense evasion. 
A secondary hash (SHA256: d3641f7e57e943f1a3bddb56a7c385eb3c682ef70fee3825a978f48f5769c794) was extracted from the unpacked payload.", "spans": {"MALWARE: SystemBC": [[25, 33]], "HASH: 4c22e645e79c79c035783888d19b397cf4a85a07": [[41, 81]], "SYSTEM: Progress Telerik": [[102, 118]], "FILEPATH: C:\\Users\\admin\\Downloads\\taskhost.exe": [[139, 176]], "IP_ADDRESS: 172.69.85.13": [[252, 264]], "DOMAIN: loginlogin.xyz": [[301, 315]], "URL: hxxp://cachesync.online/gate.php": [[351, 383]], "FILEPATH: /var/tmp/config.dat": [[399, 418]], "TOOL: Sharphound": [[437, 447]], "HASH: d3641f7e57e943f1a3bddb56a7c385eb3c682ef70fee3825a978f48f5769c794": [[512, 576]]}, "info": {"id": "synth_v2_00599", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Cobalt Strike (SHA256: 8a725168c90a8721519b50338da043dbdb805409950524951e6808bc6ee31fd5). Upon execution on F5 BIG-IP, the sample creates C:\\Users\\admin\\Desktop\\backdoor.elf and injects into legitimate processes. Network analysis shows beaconing to 10.147.235.136 every 60 seconds and DNS queries to portaledge.io. The second stage was fetched from https://noderelay.top/collect and written to C:\\Program Files\\Common Files\\config.dat. The payload uses LaZagne-style techniques for defense evasion. 
A secondary hash (MD5: ce6fa2eea4ae8e6d9bcdfb1902e65bbf) was extracted from the unpacked payload.", "spans": {"MALWARE: Cobalt Strike": [[25, 38]], "HASH: 8a725168c90a8721519b50338da043dbdb805409950524951e6808bc6ee31fd5": [[48, 112]], "SYSTEM: F5 BIG-IP": [[133, 142]], "FILEPATH: C:\\Users\\admin\\Desktop\\backdoor.elf": [[163, 198]], "IP_ADDRESS: 10.147.235.136": [[274, 288]], "DOMAIN: portaledge.io": [[325, 338]], "URL: https://noderelay.top/collect": [[374, 403]], "FILEPATH: C:\\Program Files\\Common Files\\config.dat": [[419, 459]], "TOOL: LaZagne": [[478, 485]], "HASH: ce6fa2eea4ae8e6d9bcdfb1902e65bbf": [[547, 579]]}, "info": {"id": "synth_v2_00600", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: BlackCat (SHA256: a2837586defebc5f521c6637fd98afa5f4fa8cbbe82e0122671bdb47e5d4f1e2). Upon execution on MOVEit Transfer, the sample creates /tmp/ntds.dit and injects into legitimate processes. Network analysis shows beaconing to 192.188.152.30 every 60 seconds and DNS queries to portalportal.info. The second stage was fetched from hxxp://updatestorage.online/login and written to C:\\Windows\\System32\\sam.hive. The payload uses Havoc-style techniques for defense evasion. 
A secondary hash (SHA256: 0d9601027c507910bee629f13b57523d7434ba9dee24d933013c0728429f48cc) was extracted from the unpacked payload.", "spans": {"MALWARE: BlackCat": [[25, 33]], "HASH: a2837586defebc5f521c6637fd98afa5f4fa8cbbe82e0122671bdb47e5d4f1e2": [[43, 107]], "SYSTEM: MOVEit Transfer": [[128, 143]], "FILEPATH: /tmp/ntds.dit": [[164, 177]], "IP_ADDRESS: 192.188.152.30": [[253, 267]], "DOMAIN: portalportal.info": [[304, 321]], "URL: hxxp://updatestorage.online/login": [[357, 390]], "FILEPATH: C:\\Windows\\System32\\sam.hive": [[406, 434]], "TOOL: Havoc": [[453, 458]], "HASH: 0d9601027c507910bee629f13b57523d7434ba9dee24d933013c0728429f48cc": [[523, 587]]}, "info": {"id": "synth_v2_00601", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: BlackCat (SHA1: 4badc3fe5d500a0ee06b28a7b79ac9522412317b). Upon execution on VMware ESXi, the sample creates C:\\Windows\\System32\\ntds.dit and injects into legitimate processes. Network analysis shows beaconing to 63.72.8.231 every 60 seconds and DNS queries to relay-sync.online. The second stage was fetched from hxxp://relayrelay.tech/gate.php and written to C:\\Users\\admin\\AppData\\Local\\Temp\\helper.sh. The payload uses CrackMapExec-style techniques for defense evasion. 
A secondary hash (MD5: da078f267320b633160e8c1632de0e61) was extracted from the unpacked payload.", "spans": {"MALWARE: BlackCat": [[25, 33]], "HASH: 4badc3fe5d500a0ee06b28a7b79ac9522412317b": [[41, 81]], "SYSTEM: VMware ESXi": [[102, 113]], "FILEPATH: C:\\Windows\\System32\\ntds.dit": [[134, 162]], "IP_ADDRESS: 63.72.8.231": [[238, 249]], "DOMAIN: relay-sync.online": [[286, 303]], "URL: hxxp://relayrelay.tech/gate.php": [[339, 370]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\helper.sh": [[386, 429]], "TOOL: CrackMapExec": [[448, 460]], "HASH: da078f267320b633160e8c1632de0e61": [[522, 554]]}, "info": {"id": "synth_v2_00602", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Gootloader (MD5: bf383d4f4a8c9229b2c4ed34f0498e5c). Upon execution on Citrix NetScaler, the sample creates /tmp/agent.py and injects into legitimate processes. Network analysis shows beaconing to 120.197.221.20 every 60 seconds and DNS queries to mailnode.io. The second stage was fetched from https://cdnproxy.net/secure/token and written to C:\\Users\\admin\\Downloads\\svchost.exe. The payload uses Metasploit-style techniques for defense evasion. A secondary hash (SHA256: 3eea8046927ebde536d6349798c5e7e0d9cd6f86dd6bb31bc5e479481ae11636) was extracted from the unpacked payload.", "spans": {"MALWARE: Gootloader": [[25, 35]], "HASH: bf383d4f4a8c9229b2c4ed34f0498e5c": [[42, 74]], "SYSTEM: Citrix NetScaler": [[95, 111]], "FILEPATH: /tmp/agent.py": [[132, 145]], "IP_ADDRESS: 120.197.221.20": [[221, 235]], "DOMAIN: mailnode.io": [[272, 283]], "URL: https://cdnproxy.net/secure/token": [[319, 352]], "FILEPATH: C:\\Users\\admin\\Downloads\\svchost.exe": [[368, 404]], "TOOL: Metasploit": [[423, 433]], "HASH: 3eea8046927ebde536d6349798c5e7e0d9cd6f86dd6bb31bc5e479481ae11636": [[498, 562]]}, "info": {"id": "synth_v2_00603", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Latrodectus (MD5: 4ba829318284212151662cd8b5b0edaa). 
Upon execution on F5 BIG-IP, the sample creates C:\\Users\\admin\\AppData\\Local\\Temp\\loader.exe and injects into legitimate processes. Network analysis shows beaconing to 192.111.190.7 every 60 seconds and DNS queries to portalstorage.link. The second stage was fetched from https://mailstatic.tech/secure/token and written to C:\\Users\\Public\\Documents\\sam.hive. The payload uses Seatbelt-style techniques for defense evasion. A secondary hash (SHA256: 230c15db32df67687908b45af1dc053f744c1cd3199e42740d7593ff4ea3c136) was extracted from the unpacked payload.", "spans": {"MALWARE: Latrodectus": [[25, 36]], "HASH: 4ba829318284212151662cd8b5b0edaa": [[43, 75]], "SYSTEM: F5 BIG-IP": [[96, 105]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\loader.exe": [[126, 170]], "IP_ADDRESS: 192.111.190.7": [[246, 259]], "DOMAIN: portalstorage.link": [[296, 314]], "URL: https://mailstatic.tech/secure/token": [[350, 386]], "FILEPATH: C:\\Users\\Public\\Documents\\sam.hive": [[402, 436]], "TOOL: Seatbelt": [[455, 463]], "HASH: 230c15db32df67687908b45af1dc053f744c1cd3199e42740d7593ff4ea3c136": [[528, 592]]}, "info": {"id": "synth_v2_00604", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: XLoader (SHA1: 78ddfbc06827b192534dbac65e30dbe4de674a9a). Upon execution on Citrix NetScaler, the sample creates /var/tmp/update.dll and injects into legitimate processes. Network analysis shows beaconing to 10.193.169.170 every 60 seconds and DNS queries to synclogin.org. The second stage was fetched from https://api-static.site/callback and written to C:\\Users\\admin\\AppData\\Local\\Temp\\agent.py. The payload uses Mimikatz-style techniques for defense evasion. 
A secondary hash (SHA256: 62bb9ca27c26a2f3112ad3ea4ae968d801463a1444673780271e5c5ad10bf89a) was extracted from the unpacked payload.", "spans": {"MALWARE: XLoader": [[25, 32]], "HASH: 78ddfbc06827b192534dbac65e30dbe4de674a9a": [[40, 80]], "SYSTEM: Citrix NetScaler": [[101, 117]], "FILEPATH: /var/tmp/update.dll": [[138, 157]], "IP_ADDRESS: 10.193.169.170": [[233, 247]], "DOMAIN: synclogin.org": [[284, 297]], "URL: https://api-static.site/callback": [[333, 365]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\agent.py": [[381, 423]], "TOOL: Mimikatz": [[442, 450]], "HASH: 62bb9ca27c26a2f3112ad3ea4ae968d801463a1444673780271e5c5ad10bf89a": [[515, 579]]}, "info": {"id": "synth_v2_00605", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Hive (MD5: b73d1d39467e447cdea82a221faee369). Upon execution on Ubuntu 22.04, the sample creates /var/tmp/sam.hive and injects into legitimate processes. Network analysis shows beaconing to 172.77.218.141 every 60 seconds and DNS queries to cloudupdate.net. The second stage was fetched from http://cdn-sync.club/api/v2/auth and written to C:\\Users\\admin\\Downloads\\beacon.dll. The payload uses Metasploit-style techniques for defense evasion. A secondary hash (SHA1: 76aa029a5d5258ca206d2e10dbd108961db3dadb) was extracted from the unpacked payload.", "spans": {"MALWARE: Hive": [[25, 29]], "HASH: b73d1d39467e447cdea82a221faee369": [[36, 68]], "SYSTEM: Ubuntu 22.04": [[89, 101]], "FILEPATH: /var/tmp/sam.hive": [[122, 139]], "IP_ADDRESS: 172.77.218.141": [[215, 229]], "DOMAIN: cloudupdate.net": [[266, 281]], "URL: http://cdn-sync.club/api/v2/auth": [[317, 349]], "FILEPATH: C:\\Users\\admin\\Downloads\\beacon.dll": [[365, 400]], "TOOL: Metasploit": [[419, 429]], "HASH: 76aa029a5d5258ca206d2e10dbd108961db3dadb": [[492, 532]]}, "info": {"id": "synth_v2_00606", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: ShadowPad (MD5: 989184ff1c7a6711dbdbf118cf5f8364). 
Upon execution on F5 BIG-IP, the sample creates /dev/shm/backdoor.elf and injects into legitimate processes. Network analysis shows beaconing to 218.240.132.148 every 60 seconds and DNS queries to storagenode.org. The second stage was fetched from hxxps://staticdata.xyz/callback and written to /opt/app/bin/loader.exe. The payload uses Burp Suite-style techniques for defense evasion. A secondary hash (SHA1: 69f8ba122a086af4b1e15a923b341898ecfeef18) was extracted from the unpacked payload.", "spans": {"MALWARE: ShadowPad": [[25, 34]], "HASH: 989184ff1c7a6711dbdbf118cf5f8364": [[41, 73]], "SYSTEM: F5 BIG-IP": [[94, 103]], "FILEPATH: /dev/shm/backdoor.elf": [[124, 145]], "IP_ADDRESS: 218.240.132.148": [[221, 236]], "DOMAIN: storagenode.org": [[273, 288]], "URL: hxxps://staticdata.xyz/callback": [[324, 355]], "FILEPATH: /opt/app/bin/loader.exe": [[371, 394]], "TOOL: Burp Suite": [[413, 423]], "HASH: 69f8ba122a086af4b1e15a923b341898ecfeef18": [[486, 526]]}, "info": {"id": "synth_v2_00607", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Vidar (SHA256: 50df7eaf6c17024c396639b4e074d33807f8fa16b3be489a06c5e69bb1003340). Upon execution on Atlassian Confluence, the sample creates /etc/cron.d/ntds.dit and injects into legitimate processes. Network analysis shows beaconing to 206.131.54.211 every 60 seconds and DNS queries to edge-data.live. The second stage was fetched from hxxp://data-relay.dev/api/v2/auth and written to C:\\Users\\admin\\Desktop\\ntds.dit. The payload uses BITSAdmin-style techniques for defense evasion. 
A secondary hash (SHA1: 6e9f28b1a35307e2abefd6b75fb15d4dc1882d74) was extracted from the unpacked payload.", "spans": {"MALWARE: Vidar": [[25, 30]], "HASH: 50df7eaf6c17024c396639b4e074d33807f8fa16b3be489a06c5e69bb1003340": [[40, 104]], "SYSTEM: Atlassian Confluence": [[125, 145]], "FILEPATH: /etc/cron.d/ntds.dit": [[166, 186]], "IP_ADDRESS: 206.131.54.211": [[262, 276]], "DOMAIN: edge-data.live": [[313, 327]], "URL: hxxp://data-relay.dev/api/v2/auth": [[363, 396]], "FILEPATH: C:\\Users\\admin\\Desktop\\ntds.dit": [[412, 443]], "TOOL: BITSAdmin": [[462, 471]], "HASH: 6e9f28b1a35307e2abefd6b75fb15d4dc1882d74": [[534, 574]]}, "info": {"id": "synth_v2_00608", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: AsyncRAT (SHA256: 3643c09bcc27171042e2ee76371c3fc329f91fa97ef6fd236f0960484040e6be). Upon execution on F5 BIG-IP, the sample creates /etc/cron.d/taskhost.exe and injects into legitimate processes. Network analysis shows beaconing to 192.246.33.199 every 60 seconds and DNS queries to cdngateway.site. The second stage was fetched from hxxps://logingateway.online/secure/token and written to /home/user/.config/helper.sh. The payload uses PowerShell Empire-style techniques for defense evasion. 
A secondary hash (SHA256: 20e11f40167718564de81cd4743b9b410ff6029cdaa065be8b3b2507ed3ab3c0) was extracted from the unpacked payload.", "spans": {"MALWARE: AsyncRAT": [[25, 33]], "HASH: 3643c09bcc27171042e2ee76371c3fc329f91fa97ef6fd236f0960484040e6be": [[43, 107]], "SYSTEM: F5 BIG-IP": [[128, 137]], "FILEPATH: /etc/cron.d/taskhost.exe": [[158, 182]], "IP_ADDRESS: 192.246.33.199": [[258, 272]], "DOMAIN: cdngateway.site": [[309, 324]], "URL: hxxps://logingateway.online/secure/token": [[360, 400]], "FILEPATH: /home/user/.config/helper.sh": [[416, 444]], "TOOL: PowerShell Empire": [[463, 480]], "HASH: 20e11f40167718564de81cd4743b9b410ff6029cdaa065be8b3b2507ed3ab3c0": [[545, 609]]}, "info": {"id": "synth_v2_00609", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Vidar (SHA1: 71a3aaaab8e01e071e82ee30a4e6deaddb5776fb). Upon execution on SonicWall SMA, the sample creates C:\\ProgramData\\chrome_helper.exe and injects into legitimate processes. Network analysis shows beaconing to 111.120.146.63 every 60 seconds and DNS queries to storage-secure.cc. The second stage was fetched from hxxps://cacheportal.live/api/v2/auth and written to C:\\Windows\\Temp\\payload.bin. The payload uses Certutil-style techniques for defense evasion. 
A secondary hash (SHA256: 9f4045ba031c3d49fa1b5f6d2beacc1312b6b5afe71ae0eb19e37b07466ad321) was extracted from the unpacked payload.", "spans": {"MALWARE: Vidar": [[25, 30]], "HASH: 71a3aaaab8e01e071e82ee30a4e6deaddb5776fb": [[38, 78]], "SYSTEM: SonicWall SMA": [[99, 112]], "FILEPATH: C:\\ProgramData\\chrome_helper.exe": [[133, 165]], "IP_ADDRESS: 111.120.146.63": [[241, 255]], "DOMAIN: storage-secure.cc": [[292, 309]], "URL: hxxps://cacheportal.live/api/v2/auth": [[345, 381]], "FILEPATH: C:\\Windows\\Temp\\payload.bin": [[397, 424]], "TOOL: Certutil": [[443, 451]], "HASH: 9f4045ba031c3d49fa1b5f6d2beacc1312b6b5afe71ae0eb19e37b07466ad321": [[516, 580]]}, "info": {"id": "synth_v2_00610", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Qbot (SHA256: b27dbf9cb8afc9b46f99a7f3c3b8ba696975ffae2b293474a236c4a3996b59ba). Upon execution on Ubuntu 22.04, the sample creates /home/user/.config/winlogon.exe and injects into legitimate processes. Network analysis shows beaconing to 10.1.241.46 every 60 seconds and DNS queries to login-backup.live. The second stage was fetched from hxxps://mailcache.net/download/update.exe and written to C:\\Users\\Public\\Documents\\update.dll. The payload uses BITSAdmin-style techniques for defense evasion. 
A secondary hash (SHA1: 15e01b3ffbd628d541967d4a5dc4f92fe15049b7) was extracted from the unpacked payload.", "spans": {"MALWARE: Qbot": [[25, 29]], "HASH: b27dbf9cb8afc9b46f99a7f3c3b8ba696975ffae2b293474a236c4a3996b59ba": [[39, 103]], "SYSTEM: Ubuntu 22.04": [[124, 136]], "FILEPATH: /home/user/.config/winlogon.exe": [[157, 188]], "IP_ADDRESS: 10.1.241.46": [[264, 275]], "DOMAIN: login-backup.live": [[312, 329]], "URL: hxxps://mailcache.net/download/update.exe": [[365, 406]], "FILEPATH: C:\\Users\\Public\\Documents\\update.dll": [[422, 458]], "TOOL: BITSAdmin": [[477, 486]], "HASH: 15e01b3ffbd628d541967d4a5dc4f92fe15049b7": [[549, 589]]}, "info": {"id": "synth_v2_00611", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Cobalt Strike (SHA1: 162ac8acf50b7631bc3f64c49cc63a2c8fd37ca2). Upon execution on Microsoft Exchange, the sample creates /usr/local/bin/config.dat and injects into legitimate processes. Network analysis shows beaconing to 10.200.251.28 every 60 seconds and DNS queries to cachebackup.cc. The second stage was fetched from hxxps://static-backup.org/gate.php and written to C:\\Users\\Public\\Documents\\beacon.dll. The payload uses ADFind-style techniques for defense evasion. 
A secondary hash (SHA256: bf1388b2190ec4454380f010d28ffe8e7a9b853f5461239f3c0b241b6d55d824) was extracted from the unpacked payload.", "spans": {"MALWARE: Cobalt Strike": [[25, 38]], "HASH: 162ac8acf50b7631bc3f64c49cc63a2c8fd37ca2": [[46, 86]], "SYSTEM: Microsoft Exchange": [[107, 125]], "FILEPATH: /usr/local/bin/config.dat": [[146, 171]], "IP_ADDRESS: 10.200.251.28": [[247, 260]], "DOMAIN: cachebackup.cc": [[297, 311]], "URL: hxxps://static-backup.org/gate.php": [[347, 381]], "FILEPATH: C:\\Users\\Public\\Documents\\beacon.dll": [[397, 433]], "TOOL: ADFind": [[452, 458]], "HASH: bf1388b2190ec4454380f010d28ffe8e7a9b853f5461239f3c0b241b6d55d824": [[523, 587]]}, "info": {"id": "synth_v2_00612", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Gootloader (SHA256: 6302f4cb2eb5592f761ace9da3188c559b551f3334a41ece7c7a2655fa623944). Upon execution on Citrix NetScaler, the sample creates /opt/app/bin/runtime.dll and injects into legitimate processes. Network analysis shows beaconing to 171.83.242.208 every 60 seconds and DNS queries to mailnode.info. The second stage was fetched from hxxp://portalgateway.link/portal/verify and written to /var/tmp/sam.hive. The payload uses CrackMapExec-style techniques for defense evasion. 
A secondary hash (MD5: 4b268f56470128b36d3042d5d65d900d) was extracted from the unpacked payload.", "spans": {"MALWARE: Gootloader": [[25, 35]], "HASH: 6302f4cb2eb5592f761ace9da3188c559b551f3334a41ece7c7a2655fa623944": [[45, 109]], "SYSTEM: Citrix NetScaler": [[130, 146]], "FILEPATH: /opt/app/bin/runtime.dll": [[167, 191]], "IP_ADDRESS: 171.83.242.208": [[267, 281]], "DOMAIN: mailnode.info": [[318, 331]], "URL: hxxp://portalgateway.link/portal/verify": [[367, 406]], "FILEPATH: /var/tmp/sam.hive": [[422, 439]], "TOOL: CrackMapExec": [[458, 470]], "HASH: 4b268f56470128b36d3042d5d65d900d": [[532, 564]]}, "info": {"id": "synth_v2_00613", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Cobalt Strike (SHA256: 0825652d71b472ca7071d651c1100972ef293c292eede3c0a687d2b7dfe21a83). Upon execution on F5 BIG-IP, the sample creates C:\\Program Files\\Common Files\\taskhost.exe and injects into legitimate processes. Network analysis shows beaconing to 10.55.229.33 every 60 seconds and DNS queries to api-backup.link. The second stage was fetched from http://storagecache.xyz/callback and written to /home/user/.config/runtime.dll. The payload uses Mythic-style techniques for defense evasion. 
A secondary hash (SHA256: 5d0112c7954f369f957a88d01a751e2b66b63d7a1ad8f1d47554815fb1aca617) was extracted from the unpacked payload.", "spans": {"MALWARE: Cobalt Strike": [[25, 38]], "HASH: 0825652d71b472ca7071d651c1100972ef293c292eede3c0a687d2b7dfe21a83": [[48, 112]], "SYSTEM: F5 BIG-IP": [[133, 142]], "FILEPATH: C:\\Program Files\\Common Files\\taskhost.exe": [[163, 205]], "IP_ADDRESS: 10.55.229.33": [[281, 293]], "DOMAIN: api-backup.link": [[330, 345]], "URL: http://storagecache.xyz/callback": [[381, 413]], "FILEPATH: /home/user/.config/runtime.dll": [[429, 459]], "TOOL: Mythic": [[478, 484]], "HASH: 5d0112c7954f369f957a88d01a751e2b66b63d7a1ad8f1d47554815fb1aca617": [[549, 613]]}, "info": {"id": "synth_v2_00614", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Cobalt Strike (MD5: c646d47d8c9e7d1ee000b451077e82ba). Upon execution on MOVEit Transfer, the sample creates C:\\Windows\\System32\\winlogon.exe and injects into legitimate processes. Network analysis shows beaconing to 50.176.33.13 every 60 seconds and DNS queries to sync-portal.org. The second stage was fetched from https://relayportal.link/gate.php and written to C:\\Program Files\\Common Files\\winlogon.exe. The payload uses Merlin-style techniques for defense evasion. 
A secondary hash (SHA256: f880fa972aa35ca6ec16d0d281cee33adaf5c2cd215f8ee5be4e0db851da6dbe) was extracted from the unpacked payload.", "spans": {"MALWARE: Cobalt Strike": [[25, 38]], "HASH: c646d47d8c9e7d1ee000b451077e82ba": [[45, 77]], "SYSTEM: MOVEit Transfer": [[98, 113]], "FILEPATH: C:\\Windows\\System32\\winlogon.exe": [[134, 166]], "IP_ADDRESS: 50.176.33.13": [[242, 254]], "DOMAIN: sync-portal.org": [[291, 306]], "URL: https://relayportal.link/gate.php": [[342, 375]], "FILEPATH: C:\\Program Files\\Common Files\\winlogon.exe": [[391, 433]], "TOOL: Merlin": [[452, 458]], "HASH: f880fa972aa35ca6ec16d0d281cee33adaf5c2cd215f8ee5be4e0db851da6dbe": [[523, 587]]}, "info": {"id": "synth_v2_00615", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: DarkSide (SHA256: 6fe9339377033735f2e7f8b1d8d123d81af77ec34c67924087305f7df5bb7d2a). Upon execution on Windows Server 2019, the sample creates /tmp/config.dat and injects into legitimate processes. Network analysis shows beaconing to 107.47.249.225 every 60 seconds and DNS queries to logincdn.dev. The second stage was fetched from http://data-node.cc/portal/verify and written to C:\\Program Files\\Common Files\\update.dll. The payload uses Seatbelt-style techniques for defense evasion. 
A secondary hash (SHA256: 265bdbaa1c64d43a6ddd930feb93f6aa6658b8110f399225ccdfbc4efd1d53c2) was extracted from the unpacked payload.", "spans": {"MALWARE: DarkSide": [[25, 33]], "HASH: 6fe9339377033735f2e7f8b1d8d123d81af77ec34c67924087305f7df5bb7d2a": [[43, 107]], "SYSTEM: Windows Server 2019": [[128, 147]], "FILEPATH: /tmp/config.dat": [[168, 183]], "IP_ADDRESS: 107.47.249.225": [[259, 273]], "DOMAIN: logincdn.dev": [[310, 322]], "URL: http://data-node.cc/portal/verify": [[358, 391]], "FILEPATH: C:\\Program Files\\Common Files\\update.dll": [[407, 447]], "TOOL: Seatbelt": [[466, 474]], "HASH: 265bdbaa1c64d43a6ddd930feb93f6aa6658b8110f399225ccdfbc4efd1d53c2": [[539, 603]]}, "info": {"id": "synth_v2_00616", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: RedLine Stealer (SHA1: 762f947c7466f2da511999c5889c53519e930956). Upon execution on Zyxel USG, the sample creates C:\\Users\\admin\\AppData\\Local\\Temp\\sam.hive and injects into legitimate processes. Network analysis shows beaconing to 87.1.53.124 every 60 seconds and DNS queries to cloud-login.tech. The second stage was fetched from hxxp://nodeportal.dev/callback and written to /home/user/.config/dropper.ps1. The payload uses Seatbelt-style techniques for defense evasion. 
A secondary hash (MD5: 29b71c161c624a68de5a139247b14613) was extracted from the unpacked payload.", "spans": {"MALWARE: RedLine Stealer": [[25, 40]], "HASH: 762f947c7466f2da511999c5889c53519e930956": [[48, 88]], "SYSTEM: Zyxel USG": [[109, 118]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\sam.hive": [[139, 181]], "IP_ADDRESS: 87.1.53.124": [[257, 268]], "DOMAIN: cloud-login.tech": [[305, 321]], "URL: hxxp://nodeportal.dev/callback": [[357, 387]], "FILEPATH: /home/user/.config/dropper.ps1": [[403, 433]], "TOOL: Seatbelt": [[452, 460]], "HASH: 29b71c161c624a68de5a139247b14613": [[522, 554]]}, "info": {"id": "synth_v2_00617", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Cobalt Strike (MD5: 7bea6dbcb67399327c8dcb456b9078ed). Upon execution on Cisco ASA, the sample creates /home/user/.config/update.dll and injects into legitimate processes. Network analysis shows beaconing to 172.32.242.213 every 60 seconds and DNS queries to relaystatic.cc. The second stage was fetched from http://storage-cache.xyz/portal/verify and written to /var/tmp/shell.php. The payload uses Nmap-style techniques for defense evasion. A secondary hash (MD5: 69dcc1a6210e591560a440df22b7a456) was extracted from the unpacked payload.", "spans": {"MALWARE: Cobalt Strike": [[25, 38]], "HASH: 7bea6dbcb67399327c8dcb456b9078ed": [[45, 77]], "SYSTEM: Cisco ASA": [[98, 107]], "FILEPATH: /home/user/.config/update.dll": [[128, 157]], "IP_ADDRESS: 172.32.242.213": [[233, 247]], "DOMAIN: relaystatic.cc": [[284, 298]], "URL: http://storage-cache.xyz/portal/verify": [[334, 372]], "FILEPATH: /var/tmp/shell.php": [[388, 406]], "TOOL: Nmap": [[425, 429]], "HASH: 69dcc1a6210e591560a440df22b7a456": [[491, 523]]}, "info": {"id": "synth_v2_00618", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: SmokeLoader (SHA256: 1ba1c74836218bbccd27f480d277489d5b85de7e60a5fdcb133448facb64e690). 
Upon execution on Palo Alto PAN-OS, the sample creates /home/user/.config/implant.so and injects into legitimate processes. Network analysis shows beaconing to 10.113.230.62 every 60 seconds and DNS queries to updategateway.com. The second stage was fetched from http://sync-edge.live/login and written to C:\\Users\\admin\\AppData\\Local\\Temp\\beacon.dll. The payload uses BITSAdmin-style techniques for defense evasion. A secondary hash (SHA1: 02cade93700a51bc7926aa9f7aacc72996286509) was extracted from the unpacked payload.", "spans": {"MALWARE: SmokeLoader": [[25, 36]], "HASH: 1ba1c74836218bbccd27f480d277489d5b85de7e60a5fdcb133448facb64e690": [[46, 110]], "SYSTEM: Palo Alto PAN-OS": [[131, 147]], "FILEPATH: /home/user/.config/implant.so": [[168, 197]], "IP_ADDRESS: 10.113.230.62": [[273, 286]], "DOMAIN: updategateway.com": [[323, 340]], "URL: http://sync-edge.live/login": [[376, 403]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\beacon.dll": [[419, 463]], "TOOL: BITSAdmin": [[482, 491]], "HASH: 02cade93700a51bc7926aa9f7aacc72996286509": [[554, 594]]}, "info": {"id": "synth_v2_00619", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: WarmCookie (SHA1: b8be3f9d1120996537073d8c2087373051aeabb3). Upon execution on Active Directory, the sample creates /var/tmp/beacon.dll and injects into legitimate processes. Network analysis shows beaconing to 200.59.120.237 every 60 seconds and DNS queries to edgestorage.org. The second stage was fetched from https://update-gateway.net/admin/config and written to C:\\Windows\\Temp\\taskhost.exe. The payload uses CrackMapExec-style techniques for defense evasion. 
A secondary hash (SHA1: 8b171cfa4962ff8f7bb0261df6fe81ad2c86117b) was extracted from the unpacked payload.", "spans": {"MALWARE: WarmCookie": [[25, 35]], "HASH: b8be3f9d1120996537073d8c2087373051aeabb3": [[43, 83]], "SYSTEM: Active Directory": [[104, 120]], "FILEPATH: /var/tmp/beacon.dll": [[141, 160]], "IP_ADDRESS: 200.59.120.237": [[236, 250]], "DOMAIN: edgestorage.org": [[287, 302]], "URL: https://update-gateway.net/admin/config": [[338, 377]], "FILEPATH: C:\\Windows\\Temp\\taskhost.exe": [[393, 421]], "TOOL: CrackMapExec": [[440, 452]], "HASH: 8b171cfa4962ff8f7bb0261df6fe81ad2c86117b": [[515, 555]]}, "info": {"id": "synth_v2_00620", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: REvil (SHA1: f330a7922307ec6c3bcf14dcc7bf4ec1234eab14). Upon execution on Active Directory, the sample creates C:\\Windows\\System32\\taskhost.exe and injects into legitimate processes. Network analysis shows beaconing to 107.82.218.53 every 60 seconds and DNS queries to mail-auth.link. The second stage was fetched from hxxps://backupedge.club/api/v2/auth and written to C:\\Windows\\Temp\\helper.sh. The payload uses Impacket-style techniques for defense evasion. A secondary hash (MD5: 36d808bd3255e732f8cfe38298e7fc3a) was extracted from the unpacked payload.", "spans": {"MALWARE: REvil": [[25, 30]], "HASH: f330a7922307ec6c3bcf14dcc7bf4ec1234eab14": [[38, 78]], "SYSTEM: Active Directory": [[99, 115]], "FILEPATH: C:\\Windows\\System32\\taskhost.exe": [[136, 168]], "IP_ADDRESS: 107.82.218.53": [[244, 257]], "DOMAIN: mail-auth.link": [[294, 308]], "URL: hxxps://backupedge.club/api/v2/auth": [[344, 379]], "FILEPATH: C:\\Windows\\Temp\\helper.sh": [[395, 420]], "TOOL: Impacket": [[439, 447]], "HASH: 36d808bd3255e732f8cfe38298e7fc3a": [[509, 541]]}, "info": {"id": "synth_v2_00621", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: DarkSide (SHA256: 2d0631490eac82f9e247d922a3589c969929d7497987db53dd76d7d0bf22b8fe). 
Upon execution on Citrix NetScaler, the sample creates /usr/local/bin/svchost.exe and injects into legitimate processes. Network analysis shows beaconing to 32.238.62.124 every 60 seconds and DNS queries to apimail.link. The second stage was fetched from hxxp://mail-secure.site/panel/index.html and written to C:\\ProgramData\\chrome_helper.exe. The payload uses Rubeus-style techniques for defense evasion. A secondary hash (MD5: 538441b09255270e6959bd971c47fbd7) was extracted from the unpacked payload.", "spans": {"MALWARE: DarkSide": [[25, 33]], "HASH: 2d0631490eac82f9e247d922a3589c969929d7497987db53dd76d7d0bf22b8fe": [[43, 107]], "SYSTEM: Citrix NetScaler": [[128, 144]], "FILEPATH: /usr/local/bin/svchost.exe": [[165, 191]], "IP_ADDRESS: 32.238.62.124": [[267, 280]], "DOMAIN: apimail.link": [[317, 329]], "URL: hxxp://mail-secure.site/panel/index.html": [[365, 405]], "FILEPATH: C:\\ProgramData\\chrome_helper.exe": [[421, 453]], "TOOL: Rubeus": [[472, 478]], "HASH: 538441b09255270e6959bd971c47fbd7": [[540, 572]]}, "info": {"id": "synth_v2_00622", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: NjRAT (SHA256: d21a92f807e15db26b913f3ad2da59a19e1d008acde09af04a9e4c6ed9fb8552). Upon execution on Zyxel USG, the sample creates C:\\ProgramData\\helper.sh and injects into legitimate processes. Network analysis shows beaconing to 172.179.15.88 every 60 seconds and DNS queries to gatewayauth.link. The second stage was fetched from http://cloudsecure.xyz/collect and written to /dev/shm/dropper.ps1. The payload uses Seatbelt-style techniques for defense evasion. 
A secondary hash (SHA1: f2da3a507e9fb87626886bcb92556aaa9c2f0fad) was extracted from the unpacked payload.", "spans": {"MALWARE: NjRAT": [[25, 30]], "HASH: d21a92f807e15db26b913f3ad2da59a19e1d008acde09af04a9e4c6ed9fb8552": [[40, 104]], "SYSTEM: Zyxel USG": [[125, 134]], "FILEPATH: C:\\ProgramData\\helper.sh": [[155, 179]], "IP_ADDRESS: 172.179.15.88": [[255, 268]], "DOMAIN: gatewayauth.link": [[305, 321]], "URL: http://cloudsecure.xyz/collect": [[357, 387]], "FILEPATH: /dev/shm/dropper.ps1": [[403, 423]], "TOOL: Seatbelt": [[442, 450]], "HASH: f2da3a507e9fb87626886bcb92556aaa9c2f0fad": [[513, 553]]}, "info": {"id": "synth_v2_00623", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Raccoon Stealer (MD5: d094fd875d5db9e9eb8866170636b1f1). Upon execution on Juniper SRX, the sample creates C:\\Windows\\Tasks\\chrome_helper.exe and injects into legitimate processes. Network analysis shows beaconing to 51.21.18.116 every 60 seconds and DNS queries to update-cache.tech. The second stage was fetched from hxxps://mail-storage.site/secure/token and written to C:\\Windows\\System32\\taskhost.exe. The payload uses ADFind-style techniques for defense evasion. A secondary hash (SHA1: b779237bdc4c9a0473ae77ac6c4d2ff993eb04e4) was extracted from the unpacked payload.", "spans": {"MALWARE: Raccoon Stealer": [[25, 40]], "HASH: d094fd875d5db9e9eb8866170636b1f1": [[47, 79]], "SYSTEM: Juniper SRX": [[100, 111]], "FILEPATH: C:\\Windows\\Tasks\\chrome_helper.exe": [[132, 166]], "IP_ADDRESS: 51.21.18.116": [[242, 254]], "DOMAIN: update-cache.tech": [[291, 308]], "URL: hxxps://mail-storage.site/secure/token": [[344, 382]], "FILEPATH: C:\\Windows\\System32\\taskhost.exe": [[398, 430]], "TOOL: ADFind": [[449, 455]], "HASH: b779237bdc4c9a0473ae77ac6c4d2ff993eb04e4": [[518, 558]]}, "info": {"id": "synth_v2_00624", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Latrodectus (SHA256: 30b99c127b1471a45c47609309821cb38781aa97a1bae7c125044f4e0dacd4b9). 
Upon execution on Active Directory, the sample creates /home/user/.config/payload.bin and injects into legitimate processes. Network analysis shows beaconing to 172.253.174.31 every 60 seconds and DNS queries to storage-data.info. The second stage was fetched from hxxps://backupcdn.live/login and written to /usr/local/bin/lsass.dmp. The payload uses CrackMapExec-style techniques for defense evasion. A secondary hash (SHA1: 80cb6766654801df8bba83f322a3eb7425066053) was extracted from the unpacked payload.", "spans": {"MALWARE: Latrodectus": [[25, 36]], "HASH: 30b99c127b1471a45c47609309821cb38781aa97a1bae7c125044f4e0dacd4b9": [[46, 110]], "SYSTEM: Active Directory": [[131, 147]], "FILEPATH: /home/user/.config/payload.bin": [[168, 198]], "IP_ADDRESS: 172.253.174.31": [[274, 288]], "DOMAIN: storage-data.info": [[325, 342]], "URL: hxxps://backupcdn.live/login": [[378, 406]], "FILEPATH: /usr/local/bin/lsass.dmp": [[422, 446]], "TOOL: CrackMapExec": [[465, 477]], "HASH: 80cb6766654801df8bba83f322a3eb7425066053": [[540, 580]]}, "info": {"id": "synth_v2_00625", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: NjRAT (MD5: 0c4a37d206508e4ea364dcb3c2a826da). Upon execution on Atlassian Confluence, the sample creates C:\\Users\\Public\\Documents\\csrss.exe and injects into legitimate processes. Network analysis shows beaconing to 20.255.157.190 every 60 seconds and DNS queries to gatewayupdate.com. The second stage was fetched from hxxps://storagesecure.club/download/update.exe and written to C:\\Users\\Public\\Documents\\taskhost.exe. The payload uses Nmap-style techniques for defense evasion. 
A secondary hash (SHA256: 242d7091d4af7d7070db8571e9b757ed39fcba7ea2cd3c208712e6e200a262f6) was extracted from the unpacked payload.", "spans": {"MALWARE: NjRAT": [[25, 30]], "HASH: 0c4a37d206508e4ea364dcb3c2a826da": [[37, 69]], "SYSTEM: Atlassian Confluence": [[90, 110]], "FILEPATH: C:\\Users\\Public\\Documents\\csrss.exe": [[131, 166]], "IP_ADDRESS: 20.255.157.190": [[242, 256]], "DOMAIN: gatewayupdate.com": [[293, 310]], "URL: hxxps://storagesecure.club/download/update.exe": [[346, 392]], "FILEPATH: C:\\Users\\Public\\Documents\\taskhost.exe": [[408, 446]], "TOOL: Nmap": [[465, 469]], "HASH: 242d7091d4af7d7070db8571e9b757ed39fcba7ea2cd3c208712e6e200a262f6": [[534, 598]]}, "info": {"id": "synth_v2_00626", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: RemcosRAT (SHA256: 7dcfc8a53b05f230e8b1fae3b914807b6b176447a9f2354e36d8dbdcdcdbc2d7). Upon execution on SonicWall SMA, the sample creates /home/user/.config/taskhost.exe and injects into legitimate processes. Network analysis shows beaconing to 192.40.118.13 every 60 seconds and DNS queries to backupedge.link. The second stage was fetched from https://edge-cache.live/panel/index.html and written to C:\\Users\\admin\\Desktop\\update.dll. The payload uses Burp Suite-style techniques for defense evasion. 
A secondary hash (SHA256: 9c92b6fb066a774b7fe4c0a1b70e62620aa7b68e3fd85dcbe63b79499d73dbb3) was extracted from the unpacked payload.", "spans": {"MALWARE: RemcosRAT": [[25, 34]], "HASH: 7dcfc8a53b05f230e8b1fae3b914807b6b176447a9f2354e36d8dbdcdcdbc2d7": [[44, 108]], "SYSTEM: SonicWall SMA": [[129, 142]], "FILEPATH: /home/user/.config/taskhost.exe": [[163, 194]], "IP_ADDRESS: 192.40.118.13": [[270, 283]], "DOMAIN: backupedge.link": [[320, 335]], "URL: https://edge-cache.live/panel/index.html": [[371, 411]], "FILEPATH: C:\\Users\\admin\\Desktop\\update.dll": [[427, 460]], "TOOL: Burp Suite": [[479, 489]], "HASH: 9c92b6fb066a774b7fe4c0a1b70e62620aa7b68e3fd85dcbe63b79499d73dbb3": [[554, 618]]}, "info": {"id": "synth_v2_00627", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Dridex (SHA1: 9361bc61bb02ae5363238069c39f4417113531ec). Upon execution on Microsoft Exchange, the sample creates C:\\Users\\Public\\Documents\\backdoor.elf and injects into legitimate processes. Network analysis shows beaconing to 190.26.70.18 every 60 seconds and DNS queries to cache-update.net. The second stage was fetched from https://cdnproxy.link/callback and written to C:\\Users\\admin\\Downloads\\shell.php. The payload uses Certutil-style techniques for defense evasion. 
A secondary hash (MD5: 51aebf756cf2e3378df7787c31b5345e) was extracted from the unpacked payload.", "spans": {"MALWARE: Dridex": [[25, 31]], "HASH: 9361bc61bb02ae5363238069c39f4417113531ec": [[39, 79]], "SYSTEM: Microsoft Exchange": [[100, 118]], "FILEPATH: C:\\Users\\Public\\Documents\\backdoor.elf": [[139, 177]], "IP_ADDRESS: 190.26.70.18": [[253, 265]], "DOMAIN: cache-update.net": [[302, 318]], "URL: https://cdnproxy.link/callback": [[354, 384]], "FILEPATH: C:\\Users\\admin\\Downloads\\shell.php": [[400, 434]], "TOOL: Certutil": [[453, 461]], "HASH: 51aebf756cf2e3378df7787c31b5345e": [[523, 555]]}, "info": {"id": "synth_v2_00628", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Dridex (MD5: 24a42dceaf8d2ced05517979fdab3652). Upon execution on Palo Alto PAN-OS, the sample creates /tmp/beacon.dll and injects into legitimate processes. Network analysis shows beaconing to 192.53.8.121 every 60 seconds and DNS queries to login-secure.club. The second stage was fetched from https://gateway-update.top/collect and written to /var/tmp/update.dll. The payload uses Sliver-style techniques for defense evasion. A secondary hash (SHA256: 6412d63d36cf538bd4557562d5580fda77148dd599996175b852e3db158b977c) was extracted from the unpacked payload.", "spans": {"MALWARE: Dridex": [[25, 31]], "HASH: 24a42dceaf8d2ced05517979fdab3652": [[38, 70]], "SYSTEM: Palo Alto PAN-OS": [[91, 107]], "FILEPATH: /tmp/beacon.dll": [[128, 143]], "IP_ADDRESS: 192.53.8.121": [[219, 231]], "DOMAIN: login-secure.club": [[268, 285]], "URL: https://gateway-update.top/collect": [[321, 355]], "FILEPATH: /var/tmp/update.dll": [[371, 390]], "TOOL: Sliver": [[409, 415]], "HASH: 6412d63d36cf538bd4557562d5580fda77148dd599996175b852e3db158b977c": [[480, 544]]}, "info": {"id": "synth_v2_00629", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Meduza Stealer (SHA1: d463fe1638ab93e839224768875b7e7f77219e62). 
Upon execution on Cisco ASA, the sample creates C:\\Program Files\\Common Files\\backdoor.elf and injects into legitimate processes. Network analysis shows beaconing to 192.149.176.35 every 60 seconds and DNS queries to cachegateway.dev. The second stage was fetched from hxxps://syncdata.cc/assets/js/payload.js and written to /dev/shm/svchost.exe. The payload uses Metasploit-style techniques for defense evasion. A secondary hash (MD5: 140fb1625d73ce80a3052316a10aa807) was extracted from the unpacked payload.", "spans": {"MALWARE: Meduza Stealer": [[25, 39]], "HASH: d463fe1638ab93e839224768875b7e7f77219e62": [[47, 87]], "SYSTEM: Cisco ASA": [[108, 117]], "FILEPATH: C:\\Program Files\\Common Files\\backdoor.elf": [[138, 180]], "IP_ADDRESS: 192.149.176.35": [[256, 270]], "DOMAIN: cachegateway.dev": [[307, 323]], "URL: hxxps://syncdata.cc/assets/js/payload.js": [[359, 399]], "FILEPATH: /dev/shm/svchost.exe": [[415, 435]], "TOOL: Metasploit": [[454, 464]], "HASH: 140fb1625d73ce80a3052316a10aa807": [[526, 558]]}, "info": {"id": "synth_v2_00630", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Lumma Stealer (SHA256: ad94756b526476b72d2716ad80a02096f808456e7ba6c1592619e8e73ec49926). Upon execution on VMware ESXi, the sample creates C:\\ProgramData\\lsass.dmp and injects into legitimate processes. Network analysis shows beaconing to 177.65.94.209 every 60 seconds and DNS queries to data-login.club. The second stage was fetched from hxxps://data-data.club/assets/js/payload.js and written to C:\\Windows\\System32\\runtime.dll. The payload uses Nmap-style techniques for defense evasion. 
A secondary hash (SHA1: 4d3a6e8b780782031ddaac7a4c1a742c3da7c1e0) was extracted from the unpacked payload.", "spans": {"MALWARE: Lumma Stealer": [[25, 38]], "HASH: ad94756b526476b72d2716ad80a02096f808456e7ba6c1592619e8e73ec49926": [[48, 112]], "SYSTEM: VMware ESXi": [[133, 144]], "FILEPATH: C:\\ProgramData\\lsass.dmp": [[165, 189]], "IP_ADDRESS: 177.65.94.209": [[265, 278]], "DOMAIN: data-login.club": [[315, 330]], "URL: hxxps://data-data.club/assets/js/payload.js": [[366, 409]], "FILEPATH: C:\\Windows\\System32\\runtime.dll": [[425, 456]], "TOOL: Nmap": [[475, 479]], "HASH: 4d3a6e8b780782031ddaac7a4c1a742c3da7c1e0": [[542, 582]]}, "info": {"id": "synth_v2_00631", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: DanaBot (SHA256: 319459d98b9b7f4f961e9363532aaededef9513a723dd33bb0a1887a1e8d8897). Upon execution on Palo Alto PAN-OS, the sample creates C:\\Program Files\\Common Files\\lsass.dmp and injects into legitimate processes. Network analysis shows beaconing to 192.56.7.106 every 60 seconds and DNS queries to storage-cloud.online. The second stage was fetched from https://login-auth.live/secure/token and written to /usr/local/bin/sam.hive. The payload uses PowerView-style techniques for defense evasion. 
A secondary hash (SHA1: de71d149e724dc0f53e62c51fa8fc88e541386fb) was extracted from the unpacked payload.", "spans": {"MALWARE: DanaBot": [[25, 32]], "HASH: 319459d98b9b7f4f961e9363532aaededef9513a723dd33bb0a1887a1e8d8897": [[42, 106]], "SYSTEM: Palo Alto PAN-OS": [[127, 143]], "FILEPATH: C:\\Program Files\\Common Files\\lsass.dmp": [[164, 203]], "IP_ADDRESS: 192.56.7.106": [[279, 291]], "DOMAIN: storage-cloud.online": [[328, 348]], "URL: https://login-auth.live/secure/token": [[384, 420]], "FILEPATH: /usr/local/bin/sam.hive": [[436, 459]], "TOOL: PowerView": [[478, 487]], "HASH: de71d149e724dc0f53e62c51fa8fc88e541386fb": [[550, 590]]}, "info": {"id": "synth_v2_00632", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: LockBit (SHA256: 5be61f924a1b840f50b54eaaeb77450806c194101a2d0d8ba481cf40592b7eeb). Upon execution on VMware ESXi, the sample creates C:\\Windows\\Tasks\\loader.exe and injects into legitimate processes. Network analysis shows beaconing to 49.124.250.126 every 60 seconds and DNS queries to gatewaycdn.info. The second stage was fetched from hxxps://gateway-relay.org/login and written to /home/user/.config/runtime.dll. The payload uses Sliver-style techniques for defense evasion. 
A secondary hash (MD5: 7bd4b89ef217f571e3e33794a18ad8de) was extracted from the unpacked payload.", "spans": {"MALWARE: LockBit": [[25, 32]], "HASH: 5be61f924a1b840f50b54eaaeb77450806c194101a2d0d8ba481cf40592b7eeb": [[42, 106]], "SYSTEM: VMware ESXi": [[127, 138]], "FILEPATH: C:\\Windows\\Tasks\\loader.exe": [[159, 186]], "IP_ADDRESS: 49.124.250.126": [[262, 276]], "DOMAIN: gatewaycdn.info": [[313, 328]], "URL: hxxps://gateway-relay.org/login": [[364, 395]], "FILEPATH: /home/user/.config/runtime.dll": [[411, 441]], "TOOL: Sliver": [[460, 466]], "HASH: 7bd4b89ef217f571e3e33794a18ad8de": [[528, 560]]}, "info": {"id": "synth_v2_00633", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Gootloader (SHA256: 6eba6f886fc85167dec24f29876dcd1c57cd1a983629390c837a883ba70a09ce). Upon execution on Zyxel USG, the sample creates C:\\Users\\admin\\Desktop\\backdoor.elf and injects into legitimate processes. Network analysis shows beaconing to 46.218.7.122 every 60 seconds and DNS queries to cache-relay.tech. The second stage was fetched from https://datarelay.xyz/gate.php and written to C:\\Users\\admin\\Downloads\\beacon.dll. The payload uses PsExec-style techniques for defense evasion. 
A secondary hash (MD5: c6a07f47bed6b88f93cf3f9f5c84a0bc) was extracted from the unpacked payload.", "spans": {"MALWARE: Gootloader": [[25, 35]], "HASH: 6eba6f886fc85167dec24f29876dcd1c57cd1a983629390c837a883ba70a09ce": [[45, 109]], "SYSTEM: Zyxel USG": [[130, 139]], "FILEPATH: C:\\Users\\admin\\Desktop\\backdoor.elf": [[160, 195]], "IP_ADDRESS: 46.218.7.122": [[271, 283]], "DOMAIN: cache-relay.tech": [[320, 336]], "URL: https://datarelay.xyz/gate.php": [[372, 402]], "FILEPATH: C:\\Users\\admin\\Downloads\\beacon.dll": [[418, 453]], "TOOL: PsExec": [[472, 478]], "HASH: c6a07f47bed6b88f93cf3f9f5c84a0bc": [[540, 572]]}, "info": {"id": "synth_v2_00634", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: BlackCat (SHA256: bac424b7d51bb34f7ce94c60dde718144f11f2201ce2907cf75dedf024cad28e). Upon execution on VMware ESXi, the sample creates C:\\Users\\admin\\Desktop\\svchost.exe and injects into legitimate processes. Network analysis shows beaconing to 99.112.74.29 every 60 seconds and DNS queries to mailnode.info. The second stage was fetched from https://sync-node.link/assets/js/payload.js and written to C:\\ProgramData\\shell.php. The payload uses Mythic-style techniques for defense evasion. 
A secondary hash (SHA256: e838e7338f4fe0842822f93f9b8b529e14158da3c49e8300dcd1f898d64c94a3) was extracted from the unpacked payload.", "spans": {"MALWARE: BlackCat": [[25, 33]], "HASH: bac424b7d51bb34f7ce94c60dde718144f11f2201ce2907cf75dedf024cad28e": [[43, 107]], "SYSTEM: VMware ESXi": [[128, 139]], "FILEPATH: C:\\Users\\admin\\Desktop\\svchost.exe": [[160, 194]], "IP_ADDRESS: 99.112.74.29": [[270, 282]], "DOMAIN: mailnode.info": [[319, 332]], "URL: https://sync-node.link/assets/js/payload.js": [[368, 411]], "FILEPATH: C:\\ProgramData\\shell.php": [[427, 451]], "TOOL: Mythic": [[470, 476]], "HASH: e838e7338f4fe0842822f93f9b8b529e14158da3c49e8300dcd1f898d64c94a3": [[541, 605]]}, "info": {"id": "synth_v2_00635", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: BumbleBee (MD5: 2895e414828048cc93966bd1f5d7b485). Upon execution on Active Directory, the sample creates C:\\Users\\admin\\Downloads\\taskhost.exe and injects into legitimate processes. Network analysis shows beaconing to 192.93.254.251 every 60 seconds and DNS queries to login-update.tech. The second stage was fetched from http://cachestorage.com/wp-content/uploads/doc.php and written to /home/user/.config/ntds.dit. The payload uses Nmap-style techniques for defense evasion. 
A secondary hash (MD5: a5c924f1e082eef969c1c5358a232220) was extracted from the unpacked payload.", "spans": {"MALWARE: BumbleBee": [[25, 34]], "HASH: 2895e414828048cc93966bd1f5d7b485": [[41, 73]], "SYSTEM: Active Directory": [[94, 110]], "FILEPATH: C:\\Users\\admin\\Downloads\\taskhost.exe": [[131, 168]], "IP_ADDRESS: 192.93.254.251": [[244, 258]], "DOMAIN: login-update.tech": [[295, 312]], "URL: http://cachestorage.com/wp-content/uploads/doc.php": [[348, 398]], "FILEPATH: /home/user/.config/ntds.dit": [[414, 441]], "TOOL: Nmap": [[460, 464]], "HASH: a5c924f1e082eef969c1c5358a232220": [[526, 558]]}, "info": {"id": "synth_v2_00636", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Lumma Stealer (SHA256: 06948d09af44afdd113fc92928e6fe8b9aa65470558e30794a97933dd51e4d9e). Upon execution on SonicWall SMA, the sample creates /dev/shm/helper.sh and injects into legitimate processes. Network analysis shows beaconing to 172.182.49.98 every 60 seconds and DNS queries to staticcloud.dev. The second stage was fetched from https://storage-cdn.live/secure/token and written to /opt/app/bin/beacon.dll. The payload uses PsExec-style techniques for defense evasion. A secondary hash (SHA1: e153351fcd673f171a2db9790bc0f24b2f9f26bb) was extracted from the unpacked payload.", "spans": {"MALWARE: Lumma Stealer": [[25, 38]], "HASH: 06948d09af44afdd113fc92928e6fe8b9aa65470558e30794a97933dd51e4d9e": [[48, 112]], "SYSTEM: SonicWall SMA": [[133, 146]], "FILEPATH: /dev/shm/helper.sh": [[167, 185]], "IP_ADDRESS: 172.182.49.98": [[261, 274]], "DOMAIN: staticcloud.dev": [[311, 326]], "URL: https://storage-cdn.live/secure/token": [[362, 399]], "FILEPATH: /opt/app/bin/beacon.dll": [[415, 438]], "TOOL: PsExec": [[457, 463]], "HASH: e153351fcd673f171a2db9790bc0f24b2f9f26bb": [[526, 566]]}, "info": {"id": "synth_v2_00637", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Latrodectus (SHA256: de2ed04f2149a7eec041afa4290905b712668a4001c63002016feb028ea75e47). 
Upon execution on Active Directory, the sample creates /tmp/runtime.dll and injects into legitimate processes. Network analysis shows beaconing to 10.70.118.106 every 60 seconds and DNS queries to cloud-relay.site. The second stage was fetched from hxxp://auth-edge.online/wp-content/uploads/doc.php and written to /etc/cron.d/taskhost.exe. The payload uses BloodHound-style techniques for defense evasion. A secondary hash (SHA1: 060f9d117b5cec5db3649b67b6bca8ec7946776e) was extracted from the unpacked payload.", "spans": {"MALWARE: Latrodectus": [[25, 36]], "HASH: de2ed04f2149a7eec041afa4290905b712668a4001c63002016feb028ea75e47": [[46, 110]], "SYSTEM: Active Directory": [[131, 147]], "FILEPATH: /tmp/runtime.dll": [[168, 184]], "IP_ADDRESS: 10.70.118.106": [[260, 273]], "DOMAIN: cloud-relay.site": [[310, 326]], "URL: hxxp://auth-edge.online/wp-content/uploads/doc.php": [[362, 412]], "FILEPATH: /etc/cron.d/taskhost.exe": [[428, 452]], "TOOL: BloodHound": [[471, 481]], "HASH: 060f9d117b5cec5db3649b67b6bca8ec7946776e": [[544, 584]]}, "info": {"id": "synth_v2_00638", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Emotet (SHA1: 09a445c5fe964cec72c1a31fc642aa57e2324edb). Upon execution on F5 BIG-IP, the sample creates /dev/shm/backdoor.elf and injects into legitimate processes. Network analysis shows beaconing to 172.230.107.24 every 60 seconds and DNS queries to datastatic.net. The second stage was fetched from hxxp://sync-static.io/login and written to C:\\Users\\admin\\Downloads\\svchost.exe. The payload uses Merlin-style techniques for defense evasion. 
A secondary hash (MD5: 9ddd792d07c38c683fcad214c26e0015) was extracted from the unpacked payload.", "spans": {"MALWARE: Emotet": [[25, 31]], "HASH: 09a445c5fe964cec72c1a31fc642aa57e2324edb": [[39, 79]], "SYSTEM: F5 BIG-IP": [[100, 109]], "FILEPATH: /dev/shm/backdoor.elf": [[130, 151]], "IP_ADDRESS: 172.230.107.24": [[227, 241]], "DOMAIN: datastatic.net": [[278, 292]], "URL: hxxp://sync-static.io/login": [[328, 355]], "FILEPATH: C:\\Users\\admin\\Downloads\\svchost.exe": [[371, 407]], "TOOL: Merlin": [[426, 432]], "HASH: 9ddd792d07c38c683fcad214c26e0015": [[494, 526]]}, "info": {"id": "synth_v2_00639", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Royal (MD5: 84f11cd52bc1f3cc370639c4b2efaf42). Upon execution on Fortinet FortiGate, the sample creates C:\\Windows\\Temp\\backdoor.elf and injects into legitimate processes. Network analysis shows beaconing to 10.117.142.1 every 60 seconds and DNS queries to mailmail.link. The second stage was fetched from hxxps://edgesecure.com/admin/config and written to /tmp/config.dat. The payload uses Covenant-style techniques for defense evasion. A secondary hash (MD5: 439e778b0d9d03c3fd1b6337d5b34343) was extracted from the unpacked payload.", "spans": {"MALWARE: Royal": [[25, 30]], "HASH: 84f11cd52bc1f3cc370639c4b2efaf42": [[37, 69]], "SYSTEM: Fortinet FortiGate": [[90, 108]], "FILEPATH: C:\\Windows\\Temp\\backdoor.elf": [[129, 157]], "IP_ADDRESS: 10.117.142.1": [[233, 245]], "DOMAIN: mailmail.link": [[282, 295]], "URL: hxxps://edgesecure.com/admin/config": [[331, 366]], "FILEPATH: /tmp/config.dat": [[382, 397]], "TOOL: Covenant": [[416, 424]], "HASH: 439e778b0d9d03c3fd1b6337d5b34343": [[486, 518]]}, "info": {"id": "synth_v2_00640", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Play (SHA1: f9ab81b8a8a2a712f8d6aa9ab0b0651eeb5c181a). Upon execution on Ubuntu 22.04, the sample creates /tmp/csrss.exe and injects into legitimate processes. 
Network analysis shows beaconing to 10.107.101.34 every 60 seconds and DNS queries to relaycdn.top. The second stage was fetched from hxxps://datastatic.org/api/v2/auth and written to /home/user/.config/ntds.dit. The payload uses CrackMapExec-style techniques for defense evasion. A secondary hash (SHA256: 65842fb0c32b8b0ca4c7a6b9e2e473e919f21e7582a5c254dff3119425a9c9dc) was extracted from the unpacked payload.", "spans": {"MALWARE: Play": [[25, 29]], "HASH: f9ab81b8a8a2a712f8d6aa9ab0b0651eeb5c181a": [[37, 77]], "SYSTEM: Ubuntu 22.04": [[98, 110]], "FILEPATH: /tmp/csrss.exe": [[131, 145]], "IP_ADDRESS: 10.107.101.34": [[221, 234]], "DOMAIN: relaycdn.top": [[271, 283]], "URL: hxxps://datastatic.org/api/v2/auth": [[319, 353]], "FILEPATH: /home/user/.config/ntds.dit": [[369, 396]], "TOOL: CrackMapExec": [[415, 427]], "HASH: 65842fb0c32b8b0ca4c7a6b9e2e473e919f21e7582a5c254dff3119425a9c9dc": [[492, 556]]}, "info": {"id": "synth_v2_00641", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: REvil (MD5: 2c1666c9f68bc119f178aea512ce4987). Upon execution on Juniper SRX, the sample creates C:\\Program Files\\Common Files\\helper.sh and injects into legitimate processes. Network analysis shows beaconing to 10.191.17.137 every 60 seconds and DNS queries to gateway-auth.net. The second stage was fetched from http://cloud-api.org/api/v2/auth and written to C:\\Users\\admin\\Downloads\\backdoor.elf. The payload uses WinPEAS-style techniques for defense evasion. 
A secondary hash (MD5: 0133cb5d34c6ea6a4ea9b69370215847) was extracted from the unpacked payload.", "spans": {"MALWARE: REvil": [[25, 30]], "HASH: 2c1666c9f68bc119f178aea512ce4987": [[37, 69]], "SYSTEM: Juniper SRX": [[90, 101]], "FILEPATH: C:\\Program Files\\Common Files\\helper.sh": [[122, 161]], "IP_ADDRESS: 10.191.17.137": [[237, 250]], "DOMAIN: gateway-auth.net": [[287, 303]], "URL: http://cloud-api.org/api/v2/auth": [[339, 371]], "FILEPATH: C:\\Users\\admin\\Downloads\\backdoor.elf": [[387, 424]], "TOOL: WinPEAS": [[443, 450]], "HASH: 0133cb5d34c6ea6a4ea9b69370215847": [[512, 544]]}, "info": {"id": "synth_v2_00642", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Latrodectus (SHA1: 23c260a7e848094cdb5a4740aa502bba349d6152). Upon execution on Barracuda ESG, the sample creates C:\\Windows\\Temp\\runtime.dll and injects into legitimate processes. Network analysis shows beaconing to 116.80.110.245 every 60 seconds and DNS queries to gatewaysecure.cc. The second stage was fetched from hxxp://syncstorage.info/assets/js/payload.js and written to C:\\Users\\admin\\Desktop\\agent.py. The payload uses Ligolo-style techniques for defense evasion. A secondary hash (SHA1: b3af32d6ed30aaf46881333cf7c5f4557f5308c1) was extracted from the unpacked payload.", "spans": {"MALWARE: Latrodectus": [[25, 36]], "HASH: 23c260a7e848094cdb5a4740aa502bba349d6152": [[44, 84]], "SYSTEM: Barracuda ESG": [[105, 118]], "FILEPATH: C:\\Windows\\Temp\\runtime.dll": [[139, 166]], "IP_ADDRESS: 116.80.110.245": [[242, 256]], "DOMAIN: gatewaysecure.cc": [[293, 309]], "URL: hxxp://syncstorage.info/assets/js/payload.js": [[345, 389]], "FILEPATH: C:\\Users\\admin\\Desktop\\agent.py": [[405, 436]], "TOOL: Ligolo": [[455, 461]], "HASH: b3af32d6ed30aaf46881333cf7c5f4557f5308c1": [[524, 564]]}, "info": {"id": "synth_v2_00643", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: ShadowPad (SHA256: a877fa590746bef30fc8982070f32381ccec9184f2195ed75209912c8aea0053). 
Upon execution on Barracuda ESG, the sample creates /var/tmp/update.dll and injects into legitimate processes. Network analysis shows beaconing to 192.64.27.59 every 60 seconds and DNS queries to edge-proxy.site. The second stage was fetched from hxxp://cdn-node.org/download/update.exe and written to C:\\ProgramData\\helper.sh. The payload uses Certutil-style techniques for defense evasion. A secondary hash (SHA1: fe4e08d58b7775511c927b5e1d8caf6076dcf788) was extracted from the unpacked payload.", "spans": {"MALWARE: ShadowPad": [[25, 34]], "HASH: a877fa590746bef30fc8982070f32381ccec9184f2195ed75209912c8aea0053": [[44, 108]], "SYSTEM: Barracuda ESG": [[129, 142]], "FILEPATH: /var/tmp/update.dll": [[163, 182]], "IP_ADDRESS: 192.64.27.59": [[258, 270]], "DOMAIN: edge-proxy.site": [[307, 322]], "URL: hxxp://cdn-node.org/download/update.exe": [[358, 397]], "FILEPATH: C:\\ProgramData\\helper.sh": [[413, 437]], "TOOL: Certutil": [[456, 464]], "HASH: fe4e08d58b7775511c927b5e1d8caf6076dcf788": [[527, 567]]}, "info": {"id": "synth_v2_00644", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Dridex (MD5: 3b5fdea7a3ef1e2a886d386ab5c30f82). Upon execution on Ubuntu 22.04, the sample creates C:\\ProgramData\\loader.exe and injects into legitimate processes. Network analysis shows beaconing to 172.133.170.141 every 60 seconds and DNS queries to secure-cdn.site. The second stage was fetched from hxxp://cloudlogin.link/assets/js/payload.js and written to C:\\Windows\\System32\\implant.so. The payload uses Brute Ratel-style techniques for defense evasion. 
A secondary hash (SHA1: 2cb908e5c7190d51d6918aa104ff47406c251f92) was extracted from the unpacked payload.", "spans": {"MALWARE: Dridex": [[25, 31]], "HASH: 3b5fdea7a3ef1e2a886d386ab5c30f82": [[38, 70]], "SYSTEM: Ubuntu 22.04": [[91, 103]], "FILEPATH: C:\\ProgramData\\loader.exe": [[124, 149]], "IP_ADDRESS: 172.133.170.141": [[225, 240]], "DOMAIN: secure-cdn.site": [[277, 292]], "URL: hxxp://cloudlogin.link/assets/js/payload.js": [[328, 371]], "FILEPATH: C:\\Windows\\System32\\implant.so": [[387, 417]], "TOOL: Brute Ratel": [[436, 447]], "HASH: 2cb908e5c7190d51d6918aa104ff47406c251f92": [[510, 550]]}, "info": {"id": "synth_v2_00645", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: XLoader (SHA1: f9b1c6f61ec52739c125c3ec3ac884c9ec4e0555). Upon execution on Palo Alto PAN-OS, the sample creates /opt/app/bin/config.dat and injects into legitimate processes. Network analysis shows beaconing to 192.164.235.43 every 60 seconds and DNS queries to storageupdate.com. The second stage was fetched from hxxps://update-update.live/api/v2/auth and written to C:\\ProgramData\\chrome_helper.exe. The payload uses WinPEAS-style techniques for defense evasion. A secondary hash (SHA1: a456f327d763fa0825e8257a30fffb6446c60857) was extracted from the unpacked payload.", "spans": {"MALWARE: XLoader": [[25, 32]], "HASH: f9b1c6f61ec52739c125c3ec3ac884c9ec4e0555": [[40, 80]], "SYSTEM: Palo Alto PAN-OS": [[101, 117]], "FILEPATH: /opt/app/bin/config.dat": [[138, 161]], "IP_ADDRESS: 192.164.235.43": [[237, 251]], "DOMAIN: storageupdate.com": [[288, 305]], "URL: hxxps://update-update.live/api/v2/auth": [[341, 379]], "FILEPATH: C:\\ProgramData\\chrome_helper.exe": [[395, 427]], "TOOL: WinPEAS": [[446, 453]], "HASH: a456f327d763fa0825e8257a30fffb6446c60857": [[516, 556]]}, "info": {"id": "synth_v2_00646", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Amadey (SHA256: 01951d2758b6ca769f7c4c8db98e324158d877716d5b4e055ed095f36a3448f4). 
Upon execution on MOVEit Transfer, the sample creates C:\\Users\\admin\\Downloads\\chrome_helper.exe and injects into legitimate processes. Network analysis shows beaconing to 15.13.76.254 every 60 seconds and DNS queries to storageportal.top. The second stage was fetched from https://node-backup.link/portal/verify and written to C:\\Windows\\System32\\implant.so. The payload uses PowerView-style techniques for defense evasion. A secondary hash (MD5: ce76d692cd4336cd89f64df0646c7199) was extracted from the unpacked payload.", "spans": {"MALWARE: Amadey": [[25, 31]], "HASH: 01951d2758b6ca769f7c4c8db98e324158d877716d5b4e055ed095f36a3448f4": [[41, 105]], "SYSTEM: MOVEit Transfer": [[126, 141]], "FILEPATH: C:\\Users\\admin\\Downloads\\chrome_helper.exe": [[162, 204]], "IP_ADDRESS: 15.13.76.254": [[280, 292]], "DOMAIN: storageportal.top": [[329, 346]], "URL: https://node-backup.link/portal/verify": [[382, 420]], "FILEPATH: C:\\Windows\\System32\\implant.so": [[436, 466]], "TOOL: PowerView": [[485, 494]], "HASH: ce76d692cd4336cd89f64df0646c7199": [[556, 588]]}, "info": {"id": "synth_v2_00647", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: WarmCookie (MD5: 8e7d05464f9b5f901edcc20575df2b85). Upon execution on Windows 11, the sample creates C:\\Program Files\\Common Files\\sam.hive and injects into legitimate processes. Network analysis shows beaconing to 134.39.77.45 every 60 seconds and DNS queries to nodestatic.link. The second stage was fetched from hxxps://storage-portal.online/panel/index.html and written to C:\\Windows\\Temp\\update.dll. The payload uses ADFind-style techniques for defense evasion. 
A secondary hash (MD5: 3aaa1ea6f7b163c41ed0dd810307d601) was extracted from the unpacked payload.", "spans": {"MALWARE: WarmCookie": [[25, 35]], "HASH: 8e7d05464f9b5f901edcc20575df2b85": [[42, 74]], "SYSTEM: Windows 11": [[95, 105]], "FILEPATH: C:\\Program Files\\Common Files\\sam.hive": [[126, 164]], "IP_ADDRESS: 134.39.77.45": [[240, 252]], "DOMAIN: nodestatic.link": [[289, 304]], "URL: hxxps://storage-portal.online/panel/index.html": [[340, 386]], "FILEPATH: C:\\Windows\\Temp\\update.dll": [[402, 428]], "TOOL: ADFind": [[447, 453]], "HASH: 3aaa1ea6f7b163c41ed0dd810307d601": [[515, 547]]}, "info": {"id": "synth_v2_00648", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: Emotet (SHA1: 51445d2ee01f5de4b9ce83ee8978bce542cdb3da). Upon execution on Atlassian Confluence, the sample creates C:\\Program Files\\Common Files\\payload.bin and injects into legitimate processes. Network analysis shows beaconing to 172.176.174.23 every 60 seconds and DNS queries to nodesync.io. The second stage was fetched from hxxps://portal-portal.cc/wp-content/uploads/doc.php and written to /usr/local/bin/loader.exe. The payload uses PsExec-style techniques for defense evasion. A secondary hash (MD5: 02feed0cf1eadb96af3117f0612703c6) was extracted from the unpacked payload.", "spans": {"MALWARE: Emotet": [[25, 31]], "HASH: 51445d2ee01f5de4b9ce83ee8978bce542cdb3da": [[39, 79]], "SYSTEM: Atlassian Confluence": [[100, 120]], "FILEPATH: C:\\Program Files\\Common Files\\payload.bin": [[141, 182]], "IP_ADDRESS: 172.176.174.23": [[258, 272]], "DOMAIN: nodesync.io": [[309, 320]], "URL: hxxps://portal-portal.cc/wp-content/uploads/doc.php": [[356, 407]], "FILEPATH: /usr/local/bin/loader.exe": [[423, 448]], "TOOL: PsExec": [[467, 473]], "HASH: 02feed0cf1eadb96af3117f0612703c6": [[535, 567]]}, "info": {"id": "synth_v2_00649", "source": "synthetic_v2"}} +{"text": "Malware Analysis Report: RedLine Stealer (SHA1: 4fa993498d9a346aadd534b88a98c7cd651f1f87). 
Upon execution on Progress Telerik, the sample creates C:\\Windows\\Tasks\\implant.so and injects into legitimate processes. Network analysis shows beaconing to 80.87.192.187 every 60 seconds and DNS queries to edge-cdn.top. The second stage was fetched from hxxp://cdngateway.xyz/callback and written to /etc/cron.d/svchost.exe. The payload uses Seatbelt-style techniques for defense evasion. A secondary hash (SHA256: 6b40f10ba355d3f4bbe49789601101447ff0daf47ef8895cac7b65aac4399506) was extracted from the unpacked payload.", "spans": {"MALWARE: RedLine Stealer": [[25, 40]], "HASH: 4fa993498d9a346aadd534b88a98c7cd651f1f87": [[48, 88]], "SYSTEM: Progress Telerik": [[109, 125]], "FILEPATH: C:\\Windows\\Tasks\\implant.so": [[146, 173]], "IP_ADDRESS: 80.87.192.187": [[249, 262]], "DOMAIN: edge-cdn.top": [[299, 311]], "URL: hxxp://cdngateway.xyz/callback": [[347, 377]], "FILEPATH: /etc/cron.d/svchost.exe": [[393, 416]], "TOOL: Seatbelt": [[435, 443]], "HASH: 6b40f10ba355d3f4bbe49789601101447ff0daf47ef8895cac7b65aac4399506": [[508, 572]]}, "info": {"id": "synth_v2_00650", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2026-38492 is a critical authentication bypass affecting Citrix NetScaler. Recorded Future confirmed active exploitation by UNC2452 in the wild. Exploitation delivers SmokeLoader (MD5: 3ac43dea138ef64a44f3348ed7f58622) which is dropped to C:\\Users\\admin\\Downloads\\dropper.ps1. 
The exploit payload is hosted at hxxps://syncnode.net/portal/verify and communicates to 172.24.62.222 for C2.", "spans": {"CVE_ID: CVE-2026-38492": [[24, 38]], "VULNERABILITY: authentication bypass": [[53, 74]], "SYSTEM: Citrix NetScaler": [[85, 101]], "ORGANIZATION: Recorded Future": [[103, 118]], "THREAT_ACTOR: UNC2452": [[152, 159]], "MALWARE: SmokeLoader": [[195, 206]], "HASH: 3ac43dea138ef64a44f3348ed7f58622": [[213, 245]], "FILEPATH: C:\\Users\\admin\\Downloads\\dropper.ps1": [[267, 303]], "URL: hxxps://syncnode.net/portal/verify": [[338, 372]], "IP_ADDRESS: 172.24.62.222": [[393, 406]]}, "info": {"id": "synth_v2_00651", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2026-10752 is a critical command injection affecting Juniper SRX. Cisco Talos confirmed active exploitation by Forest Blizzard in the wild. Exploitation delivers Vidar (SHA1: 3cd18c4ccfd01403bd5ff58b9b6404e29076ae11) which is dropped to /home/user/.config/config.dat. The exploit payload is hosted at hxxps://datalogin.top/download/update.exe and communicates to 184.96.32.103 for C2.", "spans": {"CVE_ID: CVE-2026-10752": [[24, 38]], "VULNERABILITY: command injection": [[53, 70]], "SYSTEM: Juniper SRX": [[81, 92]], "ORGANIZATION: Cisco Talos": [[94, 105]], "THREAT_ACTOR: Forest Blizzard": [[139, 154]], "MALWARE: Vidar": [[190, 195]], "HASH: 3cd18c4ccfd01403bd5ff58b9b6404e29076ae11": [[203, 243]], "FILEPATH: /home/user/.config/config.dat": [[265, 294]], "URL: hxxps://datalogin.top/download/update.exe": [[329, 370]], "IP_ADDRESS: 184.96.32.103": [[391, 404]]}, "info": {"id": "synth_v2_00652", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2023-27691 is a critical SSRF vulnerability affecting Apache Struts. Google TAG confirmed active exploitation by Midnight Blizzard in the wild. Exploitation delivers Cobalt Strike (SHA1: ff219910b8adc2dd03fc077f975e967428a4e32e) which is dropped to C:\\Users\\admin\\Desktop\\agent.py. 
The exploit payload is hosted at https://cloudauth.info/api/v2/auth and communicates to 10.214.66.95 for C2.", "spans": {"CVE_ID: CVE-2023-27691": [[24, 38]], "VULNERABILITY: SSRF vulnerability": [[53, 71]], "SYSTEM: Apache Struts": [[82, 95]], "ORGANIZATION: Google TAG": [[97, 107]], "THREAT_ACTOR: Midnight Blizzard": [[141, 158]], "MALWARE: Cobalt Strike": [[194, 207]], "HASH: ff219910b8adc2dd03fc077f975e967428a4e32e": [[215, 255]], "FILEPATH: C:\\Users\\admin\\Desktop\\agent.py": [[277, 308]], "URL: https://cloudauth.info/api/v2/auth": [[343, 377]], "IP_ADDRESS: 10.214.66.95": [[398, 410]]}, "info": {"id": "synth_v2_00653", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2024-26162 is a critical authentication bypass affecting Ivanti Connect Secure. Huntress confirmed active exploitation by Sandworm in the wild. Exploitation delivers TrickBot (MD5: 5416b4f14b630160015d2781a17a15fc) which is dropped to C:\\ProgramData\\beacon.dll. The exploit payload is hosted at hxxp://datamail.tech/portal/verify and communicates to 194.148.21.48 for C2.", "spans": {"CVE_ID: CVE-2024-26162": [[24, 38]], "VULNERABILITY: authentication bypass": [[53, 74]], "SYSTEM: Ivanti Connect Secure": [[85, 106]], "ORGANIZATION: Huntress": [[108, 116]], "THREAT_ACTOR: Sandworm": [[150, 158]], "MALWARE: TrickBot": [[194, 202]], "HASH: 5416b4f14b630160015d2781a17a15fc": [[209, 241]], "FILEPATH: C:\\ProgramData\\beacon.dll": [[263, 288]], "URL: hxxp://datamail.tech/portal/verify": [[323, 357]], "IP_ADDRESS: 194.148.21.48": [[378, 391]]}, "info": {"id": "synth_v2_00654", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2023-27691 is a critical SSRF vulnerability affecting Active Directory. Qualys confirmed active exploitation by Scattered Spider in the wild. Exploitation delivers BlackCat (SHA1: 5bf0fa08d4a614abedb0275844eb0b27649ed479) which is dropped to C:\\Windows\\Tasks\\implant.so. 
The exploit payload is hosted at hxxp://mail-data.io/portal/verify and communicates to 132.11.115.188 for C2.", "spans": {"CVE_ID: CVE-2023-27691": [[24, 38]], "VULNERABILITY: SSRF vulnerability": [[53, 71]], "SYSTEM: Active Directory": [[82, 98]], "ORGANIZATION: Qualys": [[100, 106]], "THREAT_ACTOR: Scattered Spider": [[140, 156]], "MALWARE: BlackCat": [[192, 200]], "HASH: 5bf0fa08d4a614abedb0275844eb0b27649ed479": [[208, 248]], "FILEPATH: C:\\Windows\\Tasks\\implant.so": [[270, 297]], "URL: hxxp://mail-data.io/portal/verify": [[332, 365]], "IP_ADDRESS: 132.11.115.188": [[386, 400]]}, "info": {"id": "synth_v2_00655", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2020-25247 is a critical heap overflow affecting Windows 11. Trend Micro confirmed active exploitation by Scattered Spider in the wild. Exploitation delivers Conti (SHA256: ce31d1af971c75f902dbd901d894191bcbf9b49d84fc7f75c674327b03691305) which is dropped to C:\\Users\\admin\\Desktop\\helper.sh. The exploit payload is hosted at https://cloud-mail.xyz/collect and communicates to 172.122.104.235 for C2.", "spans": {"CVE_ID: CVE-2020-25247": [[24, 38]], "VULNERABILITY: heap overflow": [[53, 66]], "SYSTEM: Windows 11": [[77, 87]], "ORGANIZATION: Trend Micro": [[89, 100]], "THREAT_ACTOR: Scattered Spider": [[134, 150]], "MALWARE: Conti": [[186, 191]], "HASH: ce31d1af971c75f902dbd901d894191bcbf9b49d84fc7f75c674327b03691305": [[201, 265]], "FILEPATH: C:\\Users\\admin\\Desktop\\helper.sh": [[287, 319]], "URL: https://cloud-mail.xyz/collect": [[354, 384]], "IP_ADDRESS: 172.122.104.235": [[405, 420]]}, "info": {"id": "synth_v2_00656", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2021-28231 is a critical SQL injection affecting VMware ESXi. Secureworks confirmed active exploitation by Star Blizzard in the wild. Exploitation delivers Hive (SHA256: 91345b1f8760ab13300e4c661bcd6508063e879768f15fcb8fc247964a6ab4c3) which is dropped to /dev/shm/runtime.dll. 
The exploit payload is hosted at hxxps://static-cloud.xyz/admin/config and communicates to 135.238.63.140 for C2.", "spans": {"CVE_ID: CVE-2021-28231": [[24, 38]], "VULNERABILITY: SQL injection": [[53, 66]], "SYSTEM: VMware ESXi": [[77, 88]], "ORGANIZATION: Secureworks": [[90, 101]], "THREAT_ACTOR: Star Blizzard": [[135, 148]], "MALWARE: Hive": [[184, 188]], "HASH: 91345b1f8760ab13300e4c661bcd6508063e879768f15fcb8fc247964a6ab4c3": [[198, 262]], "FILEPATH: /dev/shm/runtime.dll": [[284, 304]], "URL: hxxps://static-cloud.xyz/admin/config": [[339, 376]], "IP_ADDRESS: 135.238.63.140": [[397, 411]]}, "info": {"id": "synth_v2_00657", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2025-48311 is a critical heap overflow affecting Microsoft Exchange. Mandiant confirmed active exploitation by Kimsuky in the wild. Exploitation delivers ShadowPad (SHA1: 0ee697c3d4909e3eb765e215ef53f9ba309da6dd) which is dropped to C:\\Program Files\\Common Files\\dropper.ps1. The exploit payload is hosted at https://static-node.online/callback and communicates to 219.17.39.245 for C2.", "spans": {"CVE_ID: CVE-2025-48311": [[24, 38]], "VULNERABILITY: heap overflow": [[53, 66]], "SYSTEM: Microsoft Exchange": [[77, 95]], "ORGANIZATION: Mandiant": [[97, 105]], "THREAT_ACTOR: Kimsuky": [[139, 146]], "MALWARE: ShadowPad": [[182, 191]], "HASH: 0ee697c3d4909e3eb765e215ef53f9ba309da6dd": [[199, 239]], "FILEPATH: C:\\Program Files\\Common Files\\dropper.ps1": [[261, 302]], "URL: https://static-node.online/callback": [[337, 372]], "IP_ADDRESS: 219.17.39.245": [[393, 406]]}, "info": {"id": "synth_v2_00658", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2026-38492 is a critical buffer overflow affecting Windows Server 2019. FireEye confirmed active exploitation by Charming Kitten in the wild. Exploitation delivers Emotet (MD5: 14b0001b1ea0a678e74c92d22b95f2a6) which is dropped to /var/tmp/lsass.dmp. 
The exploit payload is hosted at hxxp://storage-gateway.net/collect and communicates to 10.13.15.151 for C2.", "spans": {"CVE_ID: CVE-2026-38492": [[24, 38]], "VULNERABILITY: buffer overflow": [[53, 68]], "SYSTEM: Windows Server 2019": [[79, 98]], "ORGANIZATION: FireEye": [[100, 107]], "THREAT_ACTOR: Charming Kitten": [[141, 156]], "MALWARE: Emotet": [[192, 198]], "HASH: 14b0001b1ea0a678e74c92d22b95f2a6": [[205, 237]], "FILEPATH: /var/tmp/lsass.dmp": [[259, 277]], "URL: hxxp://storage-gateway.net/collect": [[312, 346]], "IP_ADDRESS: 10.13.15.151": [[367, 379]]}, "info": {"id": "synth_v2_00659", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2026-35216 is a critical IDOR vulnerability affecting Active Directory. Volexity confirmed active exploitation by Granite Typhoon in the wild. Exploitation delivers AgentTesla (SHA256: 1548b3225be81d4de1f4097f92c222d80906a46b83b0cbaaaae7bc3cd0eb29ba) which is dropped to C:\\Windows\\System32\\update.dll. The exploit payload is hosted at https://static-cloud.site/collect and communicates to 211.61.212.235 for C2.", "spans": {"CVE_ID: CVE-2026-35216": [[24, 38]], "VULNERABILITY: IDOR vulnerability": [[53, 71]], "SYSTEM: Active Directory": [[82, 98]], "ORGANIZATION: Volexity": [[100, 108]], "THREAT_ACTOR: Granite Typhoon": [[142, 157]], "MALWARE: AgentTesla": [[193, 203]], "HASH: 1548b3225be81d4de1f4097f92c222d80906a46b83b0cbaaaae7bc3cd0eb29ba": [[213, 277]], "FILEPATH: C:\\Windows\\System32\\update.dll": [[299, 329]], "URL: https://static-cloud.site/collect": [[364, 397]], "IP_ADDRESS: 211.61.212.235": [[418, 432]]}, "info": {"id": "synth_v2_00660", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2023-46500 is a critical type confusion affecting Ubuntu 22.04. Rapid7 confirmed active exploitation by Flax Typhoon in the wild. Exploitation delivers TrickBot (SHA256: ee0508d79eda99bc7532b2fab948d2a2783d945d49b281c83991cb91779ec170) which is dropped to C:\\Windows\\System32\\ntds.dit. 
The exploit payload is hosted at http://datadata.site/secure/token and communicates to 192.146.55.139 for C2.", "spans": {"CVE_ID: CVE-2023-46500": [[24, 38]], "VULNERABILITY: type confusion": [[53, 67]], "SYSTEM: Ubuntu 22.04": [[78, 90]], "ORGANIZATION: Rapid7": [[92, 98]], "THREAT_ACTOR: Flax Typhoon": [[132, 144]], "MALWARE: TrickBot": [[180, 188]], "HASH: ee0508d79eda99bc7532b2fab948d2a2783d945d49b281c83991cb91779ec170": [[198, 262]], "FILEPATH: C:\\Windows\\System32\\ntds.dit": [[284, 312]], "URL: http://datadata.site/secure/token": [[347, 380]], "IP_ADDRESS: 192.146.55.139": [[401, 415]]}, "info": {"id": "synth_v2_00661", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2022-12847 is a critical authentication bypass affecting Palo Alto PAN-OS. INTERPOL confirmed active exploitation by Diamond Sleet in the wild. Exploitation delivers Cobalt Strike (SHA1: 33d466aab42eeede24bda56aa97b1d494cdabafb) which is dropped to /home/user/.config/payload.bin. The exploit payload is hosted at hxxps://storagegateway.net/portal/verify and communicates to 10.122.231.71 for C2.", "spans": {"CVE_ID: CVE-2022-12847": [[24, 38]], "VULNERABILITY: authentication bypass": [[53, 74]], "SYSTEM: Palo Alto PAN-OS": [[85, 101]], "ORGANIZATION: INTERPOL": [[103, 111]], "THREAT_ACTOR: Diamond Sleet": [[145, 158]], "MALWARE: Cobalt Strike": [[194, 207]], "HASH: 33d466aab42eeede24bda56aa97b1d494cdabafb": [[215, 255]], "FILEPATH: /home/user/.config/payload.bin": [[277, 307]], "URL: hxxps://storagegateway.net/portal/verify": [[342, 382]], "IP_ADDRESS: 10.122.231.71": [[403, 416]]}, "info": {"id": "synth_v2_00662", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2026-10212 is a critical SSRF vulnerability affecting Windows 11. Tenable confirmed active exploitation by Forest Blizzard in the wild. Exploitation delivers Ryuk (MD5: 2a0422f79dfb9062495a1051a14f4195) which is dropped to C:\\Users\\Public\\Documents\\payload.bin. 
The exploit payload is hosted at hxxps://portalgateway.site/panel/index.html and communicates to 162.10.172.61 for C2.", "spans": {"CVE_ID: CVE-2026-10212": [[24, 38]], "VULNERABILITY: SSRF vulnerability": [[53, 71]], "SYSTEM: Windows 11": [[82, 92]], "ORGANIZATION: Tenable": [[94, 101]], "THREAT_ACTOR: Forest Blizzard": [[135, 150]], "MALWARE: Ryuk": [[186, 190]], "HASH: 2a0422f79dfb9062495a1051a14f4195": [[197, 229]], "FILEPATH: C:\\Users\\Public\\Documents\\payload.bin": [[251, 288]], "URL: hxxps://portalgateway.site/panel/index.html": [[323, 366]], "IP_ADDRESS: 162.10.172.61": [[387, 400]]}, "info": {"id": "synth_v2_00663", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2020-24628 is a critical remote code execution affecting Palo Alto PAN-OS. Qualys confirmed active exploitation by Mustang Panda in the wild. Exploitation delivers ShadowPad (SHA1: 06286daeb99f440f244664a4bd6efd3a59537569) which is dropped to C:\\ProgramData\\winlogon.exe. The exploit payload is hosted at hxxps://staticapi.live/callback and communicates to 192.104.184.100 for C2.", "spans": {"CVE_ID: CVE-2020-24628": [[24, 38]], "VULNERABILITY: remote code execution": [[53, 74]], "SYSTEM: Palo Alto PAN-OS": [[85, 101]], "ORGANIZATION: Qualys": [[103, 109]], "THREAT_ACTOR: Mustang Panda": [[143, 156]], "MALWARE: ShadowPad": [[192, 201]], "HASH: 06286daeb99f440f244664a4bd6efd3a59537569": [[209, 249]], "FILEPATH: C:\\ProgramData\\winlogon.exe": [[271, 298]], "URL: hxxps://staticapi.live/callback": [[333, 364]], "IP_ADDRESS: 192.104.184.100": [[385, 400]]}, "info": {"id": "synth_v2_00664", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2022-14558 is a critical cross-site scripting affecting Fortinet FortiGate. Huntress confirmed active exploitation by Kimsuky in the wild. Exploitation delivers Qbot (SHA1: 757465a40f1e173f565f97b98608229218862958) which is dropped to /dev/shm/ntds.dit. 
The exploit payload is hosted at http://nodeedge.org/collect and communicates to 172.174.182.14 for C2.", "spans": {"CVE_ID: CVE-2022-14558": [[24, 38]], "VULNERABILITY: cross-site scripting": [[53, 73]], "SYSTEM: Fortinet FortiGate": [[84, 102]], "ORGANIZATION: Huntress": [[104, 112]], "THREAT_ACTOR: Kimsuky": [[146, 153]], "MALWARE: Qbot": [[189, 193]], "HASH: 757465a40f1e173f565f97b98608229218862958": [[201, 241]], "FILEPATH: /dev/shm/ntds.dit": [[263, 280]], "URL: http://nodeedge.org/collect": [[315, 342]], "IP_ADDRESS: 172.174.182.14": [[363, 377]]}, "info": {"id": "synth_v2_00665", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2021-16078 is a critical type confusion affecting Palo Alto PAN-OS. NSA confirmed active exploitation by Scattered Spider in the wild. Exploitation delivers AsyncRAT (SHA1: 42023d94ec9303e6f3d8010c1b5b3aad166d85dd) which is dropped to /var/tmp/beacon.dll. The exploit payload is hosted at http://edgeupdate.link/wp-content/uploads/doc.php and communicates to 75.20.59.62 for C2.", "spans": {"CVE_ID: CVE-2021-16078": [[24, 38]], "VULNERABILITY: type confusion": [[53, 67]], "SYSTEM: Palo Alto PAN-OS": [[78, 94]], "ORGANIZATION: NSA": [[96, 99]], "THREAT_ACTOR: Scattered Spider": [[133, 149]], "MALWARE: AsyncRAT": [[185, 193]], "HASH: 42023d94ec9303e6f3d8010c1b5b3aad166d85dd": [[201, 241]], "FILEPATH: /var/tmp/beacon.dll": [[263, 282]], "URL: http://edgeupdate.link/wp-content/uploads/doc.php": [[317, 366]], "IP_ADDRESS: 75.20.59.62": [[387, 398]]}, "info": {"id": "synth_v2_00666", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2026-20365 is a critical privilege escalation affecting SonicWall SMA. Mandiant confirmed active exploitation by Flax Typhoon in the wild. Exploitation delivers QakBot (SHA1: 2ce11c6330df244cbf46c4e1baaf7aa6456b26fb) which is dropped to /etc/cron.d/shell.php. 
The exploit payload is hosted at hxxps://mail-relay.club/collect and communicates to 10.191.63.14 for C2.", "spans": {"CVE_ID: CVE-2026-20365": [[24, 38]], "VULNERABILITY: privilege escalation": [[53, 73]], "SYSTEM: SonicWall SMA": [[84, 97]], "ORGANIZATION: Mandiant": [[99, 107]], "THREAT_ACTOR: Flax Typhoon": [[141, 153]], "MALWARE: QakBot": [[189, 195]], "HASH: 2ce11c6330df244cbf46c4e1baaf7aa6456b26fb": [[203, 243]], "FILEPATH: /etc/cron.d/shell.php": [[265, 286]], "URL: hxxps://mail-relay.club/collect": [[321, 352]], "IP_ADDRESS: 10.191.63.14": [[373, 385]]}, "info": {"id": "synth_v2_00667", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2020-43118 is a critical use-after-free affecting Apache Struts. Europol confirmed active exploitation by OilRig in the wild. Exploitation delivers Raccoon Stealer (SHA1: 0007ba3d16c89ccec20f4c2dc7f62e92f5fb2aba) which is dropped to /home/user/.config/dropper.ps1. The exploit payload is hosted at http://portal-static.club/collect and communicates to 10.231.130.150 for C2.", "spans": {"CVE_ID: CVE-2020-43118": [[24, 38]], "VULNERABILITY: use-after-free": [[53, 67]], "SYSTEM: Apache Struts": [[78, 91]], "ORGANIZATION: Europol": [[93, 100]], "THREAT_ACTOR: OilRig": [[134, 140]], "MALWARE: Raccoon Stealer": [[176, 191]], "HASH: 0007ba3d16c89ccec20f4c2dc7f62e92f5fb2aba": [[199, 239]], "FILEPATH: /home/user/.config/dropper.ps1": [[261, 291]], "URL: http://portal-static.club/collect": [[326, 359]], "IP_ADDRESS: 10.231.130.150": [[380, 394]]}, "info": {"id": "synth_v2_00668", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2025-20484 is a critical SQL injection affecting Juniper SRX. Trend Micro confirmed active exploitation by APT28 in the wild. Exploitation delivers BatLoader (SHA1: da3adcf38b0e0d0ab4a7ad7536b6b98fe5178527) which is dropped to /home/user/.config/shell.php. 
The exploit payload is hosted at hxxps://login-storage.cc/portal/verify and communicates to 192.187.196.164 for C2.", "spans": {"CVE_ID: CVE-2025-20484": [[24, 38]], "VULNERABILITY: SQL injection": [[53, 66]], "SYSTEM: Juniper SRX": [[77, 88]], "ORGANIZATION: Trend Micro": [[90, 101]], "THREAT_ACTOR: APT28": [[135, 140]], "MALWARE: BatLoader": [[176, 185]], "HASH: da3adcf38b0e0d0ab4a7ad7536b6b98fe5178527": [[193, 233]], "FILEPATH: /home/user/.config/shell.php": [[255, 283]], "URL: hxxps://login-storage.cc/portal/verify": [[318, 356]], "IP_ADDRESS: 192.187.196.164": [[377, 392]]}, "info": {"id": "synth_v2_00669", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2022-46178 is a critical authentication bypass affecting Palo Alto PAN-OS. Palo Alto Unit 42 confirmed active exploitation by Gamaredon in the wild. Exploitation delivers TrickBot (MD5: 089c8212c153466ee584086b545ee73e) which is dropped to /dev/shm/payload.bin. The exploit payload is hosted at hxxps://portalcache.io/callback and communicates to 10.150.72.199 for C2.", "spans": {"CVE_ID: CVE-2022-46178": [[24, 38]], "VULNERABILITY: authentication bypass": [[53, 74]], "SYSTEM: Palo Alto PAN-OS": [[85, 101]], "ORGANIZATION: Palo Alto Unit 42": [[103, 120]], "THREAT_ACTOR: Gamaredon": [[154, 163]], "MALWARE: TrickBot": [[199, 207]], "HASH: 089c8212c153466ee584086b545ee73e": [[214, 246]], "FILEPATH: /dev/shm/payload.bin": [[268, 288]], "URL: hxxps://portalcache.io/callback": [[323, 354]], "IP_ADDRESS: 10.150.72.199": [[375, 388]]}, "info": {"id": "synth_v2_00670", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2021-32298 is a critical XXE injection affecting SonicWall SMA. Symantec confirmed active exploitation by Gamaredon in the wild. Exploitation delivers Play (MD5: d16b68d40a8203a49788ccda7205431f) which is dropped to /opt/app/bin/implant.so. 
The exploit payload is hosted at hxxp://backup-edge.club/panel/index.html and communicates to 192.226.89.192 for C2.", "spans": {"CVE_ID: CVE-2021-32298": [[24, 38]], "VULNERABILITY: XXE injection": [[53, 66]], "SYSTEM: SonicWall SMA": [[77, 90]], "ORGANIZATION: Symantec": [[92, 100]], "THREAT_ACTOR: Gamaredon": [[134, 143]], "MALWARE: Play": [[179, 183]], "HASH: d16b68d40a8203a49788ccda7205431f": [[190, 222]], "FILEPATH: /opt/app/bin/implant.so": [[244, 267]], "URL: hxxp://backup-edge.club/panel/index.html": [[302, 342]], "IP_ADDRESS: 192.226.89.192": [[363, 377]]}, "info": {"id": "synth_v2_00671", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2023-28217 is a critical CSRF vulnerability affecting Citrix NetScaler. Zscaler ThreatLabz confirmed active exploitation by APT28 in the wild. Exploitation delivers Latrodectus (SHA1: cbdc7ce934d66177db10f68c1c0bc23ebac75a4b) which is dropped to C:\\Windows\\System32\\lsass.dmp. The exploit payload is hosted at http://authlogin.dev/secure/token and communicates to 172.1.176.246 for C2.", "spans": {"CVE_ID: CVE-2023-28217": [[24, 38]], "VULNERABILITY: CSRF vulnerability": [[53, 71]], "SYSTEM: Citrix NetScaler": [[82, 98]], "ORGANIZATION: Zscaler ThreatLabz": [[100, 118]], "THREAT_ACTOR: APT28": [[152, 157]], "MALWARE: Latrodectus": [[193, 204]], "HASH: cbdc7ce934d66177db10f68c1c0bc23ebac75a4b": [[212, 252]], "FILEPATH: C:\\Windows\\System32\\lsass.dmp": [[274, 303]], "URL: http://authlogin.dev/secure/token": [[338, 371]], "IP_ADDRESS: 172.1.176.246": [[392, 405]]}, "info": {"id": "synth_v2_00672", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2024-30622 is a critical memory corruption affecting Citrix NetScaler. Dragos confirmed active exploitation by Kimsuky in the wild. Exploitation delivers LockBit (MD5: f22604293c516c51f56370008000b14c) which is dropped to /tmp/loader.exe. 
The exploit payload is hosted at http://apicloud.com/callback and communicates to 24.195.193.89 for C2.", "spans": {"CVE_ID: CVE-2024-30622": [[24, 38]], "VULNERABILITY: memory corruption": [[53, 70]], "SYSTEM: Citrix NetScaler": [[81, 97]], "ORGANIZATION: Dragos": [[99, 105]], "THREAT_ACTOR: Kimsuky": [[139, 146]], "MALWARE: LockBit": [[182, 189]], "HASH: f22604293c516c51f56370008000b14c": [[196, 228]], "FILEPATH: /tmp/loader.exe": [[250, 265]], "URL: http://apicloud.com/callback": [[300, 328]], "IP_ADDRESS: 24.195.193.89": [[349, 362]]}, "info": {"id": "synth_v2_00673", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2024-36290 is a critical cross-site scripting affecting Active Directory. Tenable confirmed active exploitation by Flax Typhoon in the wild. Exploitation delivers REvil (SHA256: ebe5f5622b56e020c0405d60fcc24493f23f3d2ccdc4eadb3df0d5cfc45d1123) which is dropped to /dev/shm/helper.sh. The exploit payload is hosted at hxxps://nodesync.top/login and communicates to 172.204.76.62 for C2.", "spans": {"CVE_ID: CVE-2024-36290": [[24, 38]], "VULNERABILITY: cross-site scripting": [[53, 73]], "SYSTEM: Active Directory": [[84, 100]], "ORGANIZATION: Tenable": [[102, 109]], "THREAT_ACTOR: Flax Typhoon": [[143, 155]], "MALWARE: REvil": [[191, 196]], "HASH: ebe5f5622b56e020c0405d60fcc24493f23f3d2ccdc4eadb3df0d5cfc45d1123": [[206, 270]], "FILEPATH: /dev/shm/helper.sh": [[292, 310]], "URL: hxxps://nodesync.top/login": [[345, 371]], "IP_ADDRESS: 172.204.76.62": [[392, 405]]}, "info": {"id": "synth_v2_00674", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2020-11639 is a critical CSRF vulnerability affecting SonicWall SMA. INTERPOL confirmed active exploitation by Sandworm in the wild. Exploitation delivers Meduza Stealer (SHA256: 48430aa50161bb958a416e11f0b52799511bb2f5eb26d2aa43db338bf671a2cb) which is dropped to /opt/app/bin/svchost.exe. 
The exploit payload is hosted at hxxps://nodecloud.net/admin/config and communicates to 100.32.28.30 for C2.", "spans": {"CVE_ID: CVE-2020-11639": [[24, 38]], "VULNERABILITY: CSRF vulnerability": [[53, 71]], "SYSTEM: SonicWall SMA": [[82, 95]], "ORGANIZATION: INTERPOL": [[97, 105]], "THREAT_ACTOR: Sandworm": [[139, 147]], "MALWARE: Meduza Stealer": [[183, 197]], "HASH: 48430aa50161bb958a416e11f0b52799511bb2f5eb26d2aa43db338bf671a2cb": [[207, 271]], "FILEPATH: /opt/app/bin/svchost.exe": [[293, 317]], "URL: hxxps://nodecloud.net/admin/config": [[352, 386]], "IP_ADDRESS: 100.32.28.30": [[407, 419]]}, "info": {"id": "synth_v2_00675", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2020-43118 is a critical race condition affecting Juniper SRX. Mandiant confirmed active exploitation by Charming Kitten in the wild. Exploitation delivers Hive (SHA1: 318ef7261b1caa0c67718c666eb9f8d24ce5c5b2) which is dropped to C:\\Windows\\Tasks\\ntds.dit. The exploit payload is hosted at hxxp://cdnrelay.site/admin/config and communicates to 21.150.37.220 for C2.", "spans": {"CVE_ID: CVE-2020-43118": [[24, 38]], "VULNERABILITY: race condition": [[53, 67]], "SYSTEM: Juniper SRX": [[78, 89]], "ORGANIZATION: Mandiant": [[91, 99]], "THREAT_ACTOR: Charming Kitten": [[133, 148]], "MALWARE: Hive": [[184, 188]], "HASH: 318ef7261b1caa0c67718c666eb9f8d24ce5c5b2": [[196, 236]], "FILEPATH: C:\\Windows\\Tasks\\ntds.dit": [[258, 283]], "URL: hxxp://cdnrelay.site/admin/config": [[318, 351]], "IP_ADDRESS: 21.150.37.220": [[372, 385]]}, "info": {"id": "synth_v2_00676", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2021-16078 is a critical remote code execution affecting Ivanti Connect Secure. ESET Research confirmed active exploitation by Forest Blizzard in the wild. Exploitation delivers PlugX (MD5: 1957589ed15c8bec1663b54abec89d7a) which is dropped to C:\\Windows\\System32\\lsass.dmp. 
The exploit payload is hosted at hxxp://staticbackup.site/login and communicates to 70.8.253.113 for C2.", "spans": {"CVE_ID: CVE-2021-16078": [[24, 38]], "VULNERABILITY: remote code execution": [[53, 74]], "SYSTEM: Ivanti Connect Secure": [[85, 106]], "ORGANIZATION: ESET Research": [[108, 121]], "THREAT_ACTOR: Forest Blizzard": [[155, 170]], "MALWARE: PlugX": [[206, 211]], "HASH: 1957589ed15c8bec1663b54abec89d7a": [[218, 250]], "FILEPATH: C:\\Windows\\System32\\lsass.dmp": [[272, 301]], "URL: hxxp://staticbackup.site/login": [[336, 366]], "IP_ADDRESS: 70.8.253.113": [[387, 399]]}, "info": {"id": "synth_v2_00677", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2021-24110 is a critical type confusion affecting Citrix NetScaler. SentinelOne confirmed active exploitation by APT28 in the wild. Exploitation delivers Vidar (SHA256: 0b43551abead5bc743aeb76af063c441120e0fef546a99201c1cd5cafaf79927) which is dropped to /usr/local/bin/chrome_helper.exe. The exploit payload is hosted at hxxps://portalcdn.org/portal/verify and communicates to 192.47.251.186 for C2.", "spans": {"CVE_ID: CVE-2021-24110": [[24, 38]], "VULNERABILITY: type confusion": [[53, 67]], "SYSTEM: Citrix NetScaler": [[78, 94]], "ORGANIZATION: SentinelOne": [[96, 107]], "THREAT_ACTOR: APT28": [[141, 146]], "MALWARE: Vidar": [[182, 187]], "HASH: 0b43551abead5bc743aeb76af063c441120e0fef546a99201c1cd5cafaf79927": [[197, 261]], "FILEPATH: /usr/local/bin/chrome_helper.exe": [[283, 315]], "URL: hxxps://portalcdn.org/portal/verify": [[350, 385]], "IP_ADDRESS: 192.47.251.186": [[406, 420]]}, "info": {"id": "synth_v2_00678", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2022-29213 is a critical directory traversal affecting Zyxel USG. ESET Research confirmed active exploitation by Midnight Blizzard in the wild. Exploitation delivers WarmCookie (SHA256: 6e0bff1ae1750e03a49e92d7df0df1fc3df5e56f2ee2c2b2c5048b940b4611e3) which is dropped to C:\\ProgramData\\sam.hive. 
The exploit payload is hosted at http://cloud-mail.dev/api/v2/auth and communicates to 10.160.183.184 for C2.", "spans": {"CVE_ID: CVE-2022-29213": [[24, 38]], "VULNERABILITY: directory traversal": [[53, 72]], "SYSTEM: Zyxel USG": [[83, 92]], "ORGANIZATION: ESET Research": [[94, 107]], "THREAT_ACTOR: Midnight Blizzard": [[141, 158]], "MALWARE: WarmCookie": [[194, 204]], "HASH: 6e0bff1ae1750e03a49e92d7df0df1fc3df5e56f2ee2c2b2c5048b940b4611e3": [[214, 278]], "FILEPATH: C:\\ProgramData\\sam.hive": [[300, 323]], "URL: http://cloud-mail.dev/api/v2/auth": [[358, 391]], "IP_ADDRESS: 10.160.183.184": [[412, 426]]}, "info": {"id": "synth_v2_00679", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2022-47837 is a critical authentication bypass affecting VMware ESXi. Recorded Future confirmed active exploitation by Midnight Blizzard in the wild. Exploitation delivers Qbot (SHA256: bb696dfb590ead3d8f87d55500056553391955453e66d72c991b14a84a601697) which is dropped to /etc/cron.d/lsass.dmp. The exploit payload is hosted at https://datanode.top/download/update.exe and communicates to 10.194.57.57 for C2.", "spans": {"CVE_ID: CVE-2022-47837": [[24, 38]], "VULNERABILITY: authentication bypass": [[53, 74]], "SYSTEM: VMware ESXi": [[85, 96]], "ORGANIZATION: Recorded Future": [[98, 113]], "THREAT_ACTOR: Midnight Blizzard": [[147, 164]], "MALWARE: Qbot": [[200, 204]], "HASH: bb696dfb590ead3d8f87d55500056553391955453e66d72c991b14a84a601697": [[214, 278]], "FILEPATH: /etc/cron.d/lsass.dmp": [[300, 321]], "URL: https://datanode.top/download/update.exe": [[356, 396]], "IP_ADDRESS: 10.194.57.57": [[417, 429]]}, "info": {"id": "synth_v2_00680", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2022-15164 is a critical directory traversal affecting Zyxel USG. Recorded Future confirmed active exploitation by TA505 in the wild. 
Exploitation delivers BatLoader (MD5: 2765a510e8c7dc5cd2633ef1059a781e) which is dropped to C:\\Users\\admin\\AppData\\Local\\Temp\\taskhost.exe. The exploit payload is hosted at hxxp://cache-storage.com/callback and communicates to 79.135.25.186 for C2.", "spans": {"CVE_ID: CVE-2022-15164": [[24, 38]], "VULNERABILITY: directory traversal": [[53, 72]], "SYSTEM: Zyxel USG": [[83, 92]], "ORGANIZATION: Recorded Future": [[94, 109]], "THREAT_ACTOR: TA505": [[143, 148]], "MALWARE: BatLoader": [[184, 193]], "HASH: 2765a510e8c7dc5cd2633ef1059a781e": [[200, 232]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\taskhost.exe": [[254, 300]], "URL: hxxp://cache-storage.com/callback": [[335, 368]], "IP_ADDRESS: 79.135.25.186": [[389, 402]]}, "info": {"id": "synth_v2_00681", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2023-14679 is a critical use-after-free affecting Windows 11. ESET Research confirmed active exploitation by Aqua Blizzard in the wild. Exploitation delivers Qbot (SHA256: 7f34fe03dacea410e58a7dc58ae2341cabea11bd32d2b8538da43599cd053d6d) which is dropped to C:\\Users\\admin\\Downloads\\config.dat. The exploit payload is hosted at hxxp://edgeauth.dev/gate.php and communicates to 53.128.52.102 for C2.", "spans": {"CVE_ID: CVE-2023-14679": [[24, 38]], "VULNERABILITY: use-after-free": [[53, 67]], "SYSTEM: Windows 11": [[78, 88]], "ORGANIZATION: ESET Research": [[90, 103]], "THREAT_ACTOR: Aqua Blizzard": [[137, 150]], "MALWARE: Qbot": [[186, 190]], "HASH: 7f34fe03dacea410e58a7dc58ae2341cabea11bd32d2b8538da43599cd053d6d": [[200, 264]], "FILEPATH: C:\\Users\\admin\\Downloads\\config.dat": [[286, 321]], "URL: hxxp://edgeauth.dev/gate.php": [[356, 384]], "IP_ADDRESS: 53.128.52.102": [[405, 418]]}, "info": {"id": "synth_v2_00682", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2020-26049 is a critical authentication bypass affecting Ubuntu 22.04. Symantec confirmed active exploitation by OilRig in the wild. 
Exploitation delivers WarmCookie (SHA1: a770b5d571b9f77ea8082e41e508b992b14ec82a) which is dropped to /opt/app/bin/beacon.dll. The exploit payload is hosted at http://sync-node.dev/download/update.exe and communicates to 211.93.52.161 for C2.", "spans": {"CVE_ID: CVE-2020-26049": [[24, 38]], "VULNERABILITY: authentication bypass": [[53, 74]], "SYSTEM: Ubuntu 22.04": [[85, 97]], "ORGANIZATION: Symantec": [[99, 107]], "THREAT_ACTOR: OilRig": [[141, 147]], "MALWARE: WarmCookie": [[183, 193]], "HASH: a770b5d571b9f77ea8082e41e508b992b14ec82a": [[201, 241]], "FILEPATH: /opt/app/bin/beacon.dll": [[263, 286]], "URL: http://sync-node.dev/download/update.exe": [[321, 361]], "IP_ADDRESS: 211.93.52.161": [[382, 395]]}, "info": {"id": "synth_v2_00683", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2025-15957 is a critical command injection affecting SonicWall SMA. Qualys confirmed active exploitation by FIN7 in the wild. Exploitation delivers DanaBot (MD5: 3becdbc9bf3021102611d1b239934967) which is dropped to C:\\Windows\\Tasks\\svchost.exe. The exploit payload is hosted at hxxps://edge-storage.site/secure/token and communicates to 192.124.58.218 for C2.", "spans": {"CVE_ID: CVE-2025-15957": [[24, 38]], "VULNERABILITY: command injection": [[53, 70]], "SYSTEM: SonicWall SMA": [[81, 94]], "ORGANIZATION: Qualys": [[96, 102]], "THREAT_ACTOR: FIN7": [[136, 140]], "MALWARE: DanaBot": [[176, 183]], "HASH: 3becdbc9bf3021102611d1b239934967": [[190, 222]], "FILEPATH: C:\\Windows\\Tasks\\svchost.exe": [[244, 272]], "URL: hxxps://edge-storage.site/secure/token": [[307, 345]], "IP_ADDRESS: 192.124.58.218": [[366, 380]]}, "info": {"id": "synth_v2_00684", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2026-42806 is a critical SSRF vulnerability affecting Cisco ASA. Zscaler ThreatLabz confirmed active exploitation by BlackTech in the wild. 
Exploitation delivers Emotet (SHA256: 1b1798561d810a5fe92dad23978bacb04b309b02980f1a658653286801b4d19f) which is dropped to C:\\Users\\admin\\Desktop\\dropper.ps1. The exploit payload is hosted at hxxp://dataportal.io/login and communicates to 172.244.31.104 for C2.", "spans": {"CVE_ID: CVE-2026-42806": [[24, 38]], "VULNERABILITY: SSRF vulnerability": [[53, 71]], "SYSTEM: Cisco ASA": [[82, 91]], "ORGANIZATION: Zscaler ThreatLabz": [[93, 111]], "THREAT_ACTOR: BlackTech": [[145, 154]], "MALWARE: Emotet": [[190, 196]], "HASH: 1b1798561d810a5fe92dad23978bacb04b309b02980f1a658653286801b4d19f": [[206, 270]], "FILEPATH: C:\\Users\\admin\\Desktop\\dropper.ps1": [[292, 326]], "URL: hxxp://dataportal.io/login": [[361, 387]], "IP_ADDRESS: 172.244.31.104": [[408, 422]]}, "info": {"id": "synth_v2_00685", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2021-45713 is a critical authentication bypass affecting Fortinet FortiGate. ESET Research confirmed active exploitation by Midnight Blizzard in the wild. Exploitation delivers Ryuk (SHA1: d17546f361eff57cbe06abed2e97d9087eb6f939) which is dropped to /usr/local/bin/lsass.dmp. The exploit payload is hosted at https://mailupdate.link/panel/index.html and communicates to 84.81.44.254 for C2.", "spans": {"CVE_ID: CVE-2021-45713": [[24, 38]], "VULNERABILITY: authentication bypass": [[53, 74]], "SYSTEM: Fortinet FortiGate": [[85, 103]], "ORGANIZATION: ESET Research": [[105, 118]], "THREAT_ACTOR: Midnight Blizzard": [[152, 169]], "MALWARE: Ryuk": [[205, 209]], "HASH: d17546f361eff57cbe06abed2e97d9087eb6f939": [[217, 257]], "FILEPATH: /usr/local/bin/lsass.dmp": [[279, 303]], "URL: https://mailupdate.link/panel/index.html": [[338, 378]], "IP_ADDRESS: 84.81.44.254": [[399, 411]]}, "info": {"id": "synth_v2_00686", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2021-16338 is a critical SQL injection affecting Juniper SRX. Check Point Research confirmed active exploitation by Storm-0558 in the wild. 
Exploitation delivers Meduza Stealer (SHA256: 79ff2a08ee06b43fcf83ac1aef87de84f9a068d68f57a7559e57aa67877a9906) which is dropped to /home/user/.config/dropper.ps1. The exploit payload is hosted at https://relaystatic.com/wp-content/uploads/doc.php and communicates to 10.71.167.146 for C2.", "spans": {"CVE_ID: CVE-2021-16338": [[24, 38]], "VULNERABILITY: SQL injection": [[53, 66]], "SYSTEM: Juniper SRX": [[77, 88]], "ORGANIZATION: Check Point Research": [[90, 110]], "THREAT_ACTOR: Storm-0558": [[144, 154]], "MALWARE: Meduza Stealer": [[190, 204]], "HASH: 79ff2a08ee06b43fcf83ac1aef87de84f9a068d68f57a7559e57aa67877a9906": [[214, 278]], "FILEPATH: /home/user/.config/dropper.ps1": [[300, 330]], "URL: https://relaystatic.com/wp-content/uploads/doc.php": [[365, 415]], "IP_ADDRESS: 10.71.167.146": [[436, 449]]}, "info": {"id": "synth_v2_00687", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2022-32541 is a critical privilege escalation affecting Windows 11. Qualys confirmed active exploitation by Mustang Panda in the wild. Exploitation delivers AsyncRAT (SHA1: f324e81bce8fb988e3042a70e1ce8f1cb673e289) which is dropped to /opt/app/bin/implant.so. The exploit payload is hosted at https://staticsync.io/admin/config and communicates to 205.17.117.170 for C2.", "spans": {"CVE_ID: CVE-2022-32541": [[24, 38]], "VULNERABILITY: privilege escalation": [[53, 73]], "SYSTEM: Windows 11": [[84, 94]], "ORGANIZATION: Qualys": [[96, 102]], "THREAT_ACTOR: Mustang Panda": [[136, 149]], "MALWARE: AsyncRAT": [[185, 193]], "HASH: f324e81bce8fb988e3042a70e1ce8f1cb673e289": [[201, 241]], "FILEPATH: /opt/app/bin/implant.so": [[263, 286]], "URL: https://staticsync.io/admin/config": [[321, 355]], "IP_ADDRESS: 205.17.117.170": [[376, 390]]}, "info": {"id": "synth_v2_00688", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2020-43118 is a critical SQL injection affecting Apache Struts. SentinelOne confirmed active exploitation by Silk Typhoon in the wild. 
Exploitation delivers WarmCookie (MD5: cf2cc4486749860e3551dc8ed36354b2) which is dropped to C:\\Users\\admin\\Desktop\\sam.hive. The exploit payload is hosted at hxxp://apimail.dev/wp-content/uploads/doc.php and communicates to 161.234.18.178 for C2.", "spans": {"CVE_ID: CVE-2020-43118": [[24, 38]], "VULNERABILITY: SQL injection": [[53, 66]], "SYSTEM: Apache Struts": [[77, 90]], "ORGANIZATION: SentinelOne": [[92, 103]], "THREAT_ACTOR: Silk Typhoon": [[137, 149]], "MALWARE: WarmCookie": [[185, 195]], "HASH: cf2cc4486749860e3551dc8ed36354b2": [[202, 234]], "FILEPATH: C:\\Users\\admin\\Desktop\\sam.hive": [[256, 287]], "URL: hxxp://apimail.dev/wp-content/uploads/doc.php": [[322, 367]], "IP_ADDRESS: 161.234.18.178": [[388, 402]]}, "info": {"id": "synth_v2_00689", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2026-49052 is a critical directory traversal affecting Barracuda ESG. Huntress confirmed active exploitation by Gamaredon in the wild. Exploitation delivers WarmCookie (SHA1: bd0dd69621e5477d12ecdd3b85b8b502095590ab) which is dropped to /dev/shm/lsass.dmp. The exploit payload is hosted at http://static-api.club/gate.php and communicates to 10.231.140.98 for C2.", "spans": {"CVE_ID: CVE-2026-49052": [[24, 38]], "VULNERABILITY: directory traversal": [[53, 72]], "SYSTEM: Barracuda ESG": [[83, 96]], "ORGANIZATION: Huntress": [[98, 106]], "THREAT_ACTOR: Gamaredon": [[140, 149]], "MALWARE: WarmCookie": [[185, 195]], "HASH: bd0dd69621e5477d12ecdd3b85b8b502095590ab": [[203, 243]], "FILEPATH: /dev/shm/lsass.dmp": [[265, 283]], "URL: http://static-api.club/gate.php": [[318, 349]], "IP_ADDRESS: 10.231.140.98": [[370, 383]]}, "info": {"id": "synth_v2_00690", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2021-16338 is a critical type confusion affecting MOVEit Transfer. FireEye confirmed active exploitation by Aqua Blizzard in the wild. 
Exploitation delivers Cobalt Strike (SHA256: 989c8296ff64ba76c051343dc74daae48ad69834167f17da3101225880ebb06d) which is dropped to /opt/app/bin/loader.exe. The exploit payload is hosted at hxxp://storage-node.cc/gate.php and communicates to 130.254.78.215 for C2.", "spans": {"CVE_ID: CVE-2021-16338": [[24, 38]], "VULNERABILITY: type confusion": [[53, 67]], "SYSTEM: MOVEit Transfer": [[78, 93]], "ORGANIZATION: FireEye": [[95, 102]], "THREAT_ACTOR: Aqua Blizzard": [[136, 149]], "MALWARE: Cobalt Strike": [[185, 198]], "HASH: 989c8296ff64ba76c051343dc74daae48ad69834167f17da3101225880ebb06d": [[208, 272]], "FILEPATH: /opt/app/bin/loader.exe": [[294, 317]], "URL: hxxp://storage-node.cc/gate.php": [[352, 383]], "IP_ADDRESS: 130.254.78.215": [[404, 418]]}, "info": {"id": "synth_v2_00691", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2025-27219 is a critical authentication bypass affecting Microsoft Exchange. SentinelOne confirmed active exploitation by Midnight Blizzard in the wild. Exploitation delivers DanaBot (SHA1: 8a9c3162c0893621ea1c6dc148cd1356a9a1b53c) which is dropped to C:\\Users\\admin\\AppData\\Local\\Temp\\svchost.exe. The exploit payload is hosted at https://portalportal.club/admin/config and communicates to 192.137.15.170 for C2.", "spans": {"CVE_ID: CVE-2025-27219": [[24, 38]], "VULNERABILITY: authentication bypass": [[53, 74]], "SYSTEM: Microsoft Exchange": [[85, 103]], "ORGANIZATION: SentinelOne": [[105, 116]], "THREAT_ACTOR: Midnight Blizzard": [[150, 167]], "MALWARE: DanaBot": [[203, 210]], "HASH: 8a9c3162c0893621ea1c6dc148cd1356a9a1b53c": [[218, 258]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\svchost.exe": [[280, 325]], "URL: https://portalportal.club/admin/config": [[360, 398]], "IP_ADDRESS: 192.137.15.170": [[419, 433]]}, "info": {"id": "synth_v2_00692", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2021-28210 is a critical authentication bypass affecting Active Directory. 
Symantec confirmed active exploitation by Volt Typhoon in the wild. Exploitation delivers Hive (SHA1: 541590341ae13befd0cd2d616056a0e5e9620dc3) which is dropped to C:\\Windows\\System32\\csrss.exe. The exploit payload is hosted at http://securenode.site/collect and communicates to 192.175.191.69 for C2.", "spans": {"CVE_ID: CVE-2021-28210": [[24, 38]], "VULNERABILITY: authentication bypass": [[53, 74]], "SYSTEM: Active Directory": [[85, 101]], "ORGANIZATION: Symantec": [[103, 111]], "THREAT_ACTOR: Volt Typhoon": [[145, 157]], "MALWARE: Hive": [[193, 197]], "HASH: 541590341ae13befd0cd2d616056a0e5e9620dc3": [[205, 245]], "FILEPATH: C:\\Windows\\System32\\csrss.exe": [[267, 296]], "URL: http://securenode.site/collect": [[331, 361]], "IP_ADDRESS: 192.175.191.69": [[382, 396]]}, "info": {"id": "synth_v2_00693", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2023-20708 is a critical authentication bypass affecting Microsoft Exchange. Check Point Research confirmed active exploitation by Volt Typhoon in the wild. Exploitation delivers REvil (SHA1: 30b5aa43093aab6143ac11deef78d0cffaca85e3) which is dropped to /usr/local/bin/chrome_helper.exe. The exploit payload is hosted at hxxps://cloud-edge.dev/secure/token and communicates to 192.137.200.213 for C2.", "spans": {"CVE_ID: CVE-2023-20708": [[24, 38]], "VULNERABILITY: authentication bypass": [[53, 74]], "SYSTEM: Microsoft Exchange": [[85, 103]], "ORGANIZATION: Check Point Research": [[105, 125]], "THREAT_ACTOR: Volt Typhoon": [[159, 171]], "MALWARE: REvil": [[207, 212]], "HASH: 30b5aa43093aab6143ac11deef78d0cffaca85e3": [[220, 260]], "FILEPATH: /usr/local/bin/chrome_helper.exe": [[282, 314]], "URL: hxxps://cloud-edge.dev/secure/token": [[349, 384]], "IP_ADDRESS: 192.137.200.213": [[405, 420]]}, "info": {"id": "synth_v2_00694", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2024-25010 is a critical authentication bypass affecting Barracuda ESG. 
Huntress confirmed active exploitation by OilRig in the wild. Exploitation delivers Play (SHA1: 2dfa8e7b480a6b0f60c2ea55b1302184056ced13) which is dropped to /var/tmp/winlogon.exe. The exploit payload is hosted at hxxp://portalsecure.cc/callback and communicates to 185.247.91.234 for C2.", "spans": {"CVE_ID: CVE-2024-25010": [[24, 38]], "VULNERABILITY: authentication bypass": [[53, 74]], "SYSTEM: Barracuda ESG": [[85, 98]], "ORGANIZATION: Huntress": [[100, 108]], "THREAT_ACTOR: OilRig": [[142, 148]], "MALWARE: Play": [[184, 188]], "HASH: 2dfa8e7b480a6b0f60c2ea55b1302184056ced13": [[196, 236]], "FILEPATH: /var/tmp/winlogon.exe": [[258, 279]], "URL: hxxp://portalsecure.cc/callback": [[314, 345]], "IP_ADDRESS: 185.247.91.234": [[366, 380]]}, "info": {"id": "synth_v2_00695", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2024-35928 is a critical cross-site scripting affecting Microsoft Exchange. Qualys confirmed active exploitation by Scattered Spider in the wild. Exploitation delivers TrickBot (SHA1: f3fec268b4731588a50ca7d2b8c8ef9585f6ae86) which is dropped to /opt/app/bin/beacon.dll. The exploit payload is hosted at http://proxy-node.info/panel/index.html and communicates to 192.200.189.94 for C2.", "spans": {"CVE_ID: CVE-2024-35928": [[24, 38]], "VULNERABILITY: cross-site scripting": [[53, 73]], "SYSTEM: Microsoft Exchange": [[84, 102]], "ORGANIZATION: Qualys": [[104, 110]], "THREAT_ACTOR: Scattered Spider": [[144, 160]], "MALWARE: TrickBot": [[196, 204]], "HASH: f3fec268b4731588a50ca7d2b8c8ef9585f6ae86": [[212, 252]], "FILEPATH: /opt/app/bin/beacon.dll": [[274, 297]], "URL: http://proxy-node.info/panel/index.html": [[332, 371]], "IP_ADDRESS: 192.200.189.94": [[392, 406]]}, "info": {"id": "synth_v2_00696", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2023-45005 is a critical deserialization flaw affecting Microsoft Exchange. CrowdStrike confirmed active exploitation by Sandworm in the wild. 
Exploitation delivers PikaBot (SHA256: 0df0d0584b692a8c24949a11eb26d515dd95665b54ecffb2e10f56abbadcad3c) which is dropped to /opt/app/bin/shell.php. The exploit payload is hosted at hxxp://proxy-static.online/login and communicates to 172.61.38.238 for C2.", "spans": {"CVE_ID: CVE-2023-45005": [[24, 38]], "VULNERABILITY: deserialization flaw": [[53, 73]], "SYSTEM: Microsoft Exchange": [[84, 102]], "ORGANIZATION: CrowdStrike": [[104, 115]], "THREAT_ACTOR: Sandworm": [[149, 157]], "MALWARE: PikaBot": [[193, 200]], "HASH: 0df0d0584b692a8c24949a11eb26d515dd95665b54ecffb2e10f56abbadcad3c": [[210, 274]], "FILEPATH: /opt/app/bin/shell.php": [[296, 318]], "URL: hxxp://proxy-static.online/login": [[353, 385]], "IP_ADDRESS: 172.61.38.238": [[406, 419]]}, "info": {"id": "synth_v2_00697", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2023-23730 is a critical remote code execution affecting Ubuntu 22.04. Tenable confirmed active exploitation by Sandworm in the wild. Exploitation delivers Ryuk (MD5: e45949b9ce35529cc17dc9ae332081d6) which is dropped to /tmp/config.dat. The exploit payload is hosted at https://backuprelay.net/secure/token and communicates to 54.201.157.23 for C2.", "spans": {"CVE_ID: CVE-2023-23730": [[24, 38]], "VULNERABILITY: remote code execution": [[53, 74]], "SYSTEM: Ubuntu 22.04": [[85, 97]], "ORGANIZATION: Tenable": [[99, 106]], "THREAT_ACTOR: Sandworm": [[140, 148]], "MALWARE: Ryuk": [[184, 188]], "HASH: e45949b9ce35529cc17dc9ae332081d6": [[195, 227]], "FILEPATH: /tmp/config.dat": [[249, 264]], "URL: https://backuprelay.net/secure/token": [[299, 335]], "IP_ADDRESS: 54.201.157.23": [[356, 369]]}, "info": {"id": "synth_v2_00698", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2022-14558 is a critical SSRF vulnerability affecting F5 BIG-IP. Volexity confirmed active exploitation by Forest Blizzard in the wild. 
Exploitation delivers Ryuk (SHA256: 9eb56581a96776becf5309580e13e6966b04bd0d0e5db90375d16071f9bae108) which is dropped to /home/user/.config/chrome_helper.exe. The exploit payload is hosted at https://cdnupdate.cc/download/update.exe and communicates to 10.218.229.218 for C2.", "spans": {"CVE_ID: CVE-2022-14558": [[24, 38]], "VULNERABILITY: SSRF vulnerability": [[53, 71]], "SYSTEM: F5 BIG-IP": [[82, 91]], "ORGANIZATION: Volexity": [[93, 101]], "THREAT_ACTOR: Forest Blizzard": [[135, 150]], "MALWARE: Ryuk": [[186, 190]], "HASH: 9eb56581a96776becf5309580e13e6966b04bd0d0e5db90375d16071f9bae108": [[200, 264]], "FILEPATH: /home/user/.config/chrome_helper.exe": [[286, 322]], "URL: https://cdnupdate.cc/download/update.exe": [[357, 397]], "IP_ADDRESS: 10.218.229.218": [[418, 432]]}, "info": {"id": "synth_v2_00699", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2024-47170 is a critical authentication bypass affecting Zyxel USG. Proofpoint confirmed active exploitation by FIN7 in the wild. Exploitation delivers BatLoader (SHA256: 9a86b21910032d9bdac36c8e27d2dff6b6030772e42a69789ea15c5b83b14467) which is dropped to /etc/cron.d/lsass.dmp. The exploit payload is hosted at https://proxy-update.info/download/update.exe and communicates to 192.242.30.155 for C2.", "spans": {"CVE_ID: CVE-2024-47170": [[24, 38]], "VULNERABILITY: authentication bypass": [[53, 74]], "SYSTEM: Zyxel USG": [[85, 94]], "ORGANIZATION: Proofpoint": [[96, 106]], "THREAT_ACTOR: FIN7": [[140, 144]], "MALWARE: BatLoader": [[180, 189]], "HASH: 9a86b21910032d9bdac36c8e27d2dff6b6030772e42a69789ea15c5b83b14467": [[199, 263]], "FILEPATH: /etc/cron.d/lsass.dmp": [[285, 306]], "URL: https://proxy-update.info/download/update.exe": [[341, 386]], "IP_ADDRESS: 192.242.30.155": [[407, 421]]}, "info": {"id": "synth_v2_00700", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2021-16698 is a critical heap overflow affecting Barracuda ESG. 
Rapid7 confirmed active exploitation by Salt Typhoon in the wild. Exploitation delivers REvil (SHA1: ccc3d533b0eb9ff323207962ff0084734fbee15f) which is dropped to C:\\Windows\\System32\\beacon.dll. The exploit payload is hosted at https://relayedge.online/portal/verify and communicates to 107.29.166.222 for C2.", "spans": {"CVE_ID: CVE-2021-16698": [[24, 38]], "VULNERABILITY: heap overflow": [[53, 66]], "SYSTEM: Barracuda ESG": [[77, 90]], "ORGANIZATION: Rapid7": [[92, 98]], "THREAT_ACTOR: Salt Typhoon": [[132, 144]], "MALWARE: REvil": [[180, 185]], "HASH: ccc3d533b0eb9ff323207962ff0084734fbee15f": [[193, 233]], "FILEPATH: C:\\Windows\\System32\\beacon.dll": [[255, 285]], "URL: https://relayedge.online/portal/verify": [[320, 358]], "IP_ADDRESS: 107.29.166.222": [[379, 393]]}, "info": {"id": "synth_v2_00701", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2024-36290 is a critical CSRF vulnerability affecting Atlassian Confluence. Volexity confirmed active exploitation by Mustang Panda in the wild. Exploitation delivers AsyncRAT (SHA1: c263778b7a6738de8bf91abfd2eb0feee273c2a4) which is dropped to C:\\Users\\Public\\Documents\\chrome_helper.exe. The exploit payload is hosted at hxxp://storagestatic.info/panel/index.html and communicates to 139.173.216.247 for C2.", "spans": {"CVE_ID: CVE-2024-36290": [[24, 38]], "VULNERABILITY: CSRF vulnerability": [[53, 71]], "SYSTEM: Atlassian Confluence": [[82, 102]], "ORGANIZATION: Volexity": [[104, 112]], "THREAT_ACTOR: Mustang Panda": [[146, 159]], "MALWARE: AsyncRAT": [[195, 203]], "HASH: c263778b7a6738de8bf91abfd2eb0feee273c2a4": [[211, 251]], "FILEPATH: C:\\Users\\Public\\Documents\\chrome_helper.exe": [[273, 316]], "URL: hxxp://storagestatic.info/panel/index.html": [[351, 393]], "IP_ADDRESS: 139.173.216.247": [[414, 429]]}, "info": {"id": "synth_v2_00702", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2025-19065 is a critical heap overflow affecting Windows Server 2019. 
Microsoft MSRC confirmed active exploitation by FIN7 in the wild. Exploitation delivers BlackCat (MD5: 9284aecf64965c9d99a75a2ba41f64e4) which is dropped to C:\\Users\\Public\\Documents\\winlogon.exe. The exploit payload is hosted at hxxp://maildata.cc/api/v2/auth and communicates to 10.21.79.206 for C2.", "spans": {"CVE_ID: CVE-2025-19065": [[24, 38]], "VULNERABILITY: heap overflow": [[53, 66]], "SYSTEM: Windows Server 2019": [[77, 96]], "ORGANIZATION: Microsoft MSRC": [[98, 112]], "THREAT_ACTOR: FIN7": [[146, 150]], "MALWARE: BlackCat": [[186, 194]], "HASH: 9284aecf64965c9d99a75a2ba41f64e4": [[201, 233]], "FILEPATH: C:\\Users\\Public\\Documents\\winlogon.exe": [[255, 293]], "URL: hxxp://maildata.cc/api/v2/auth": [[328, 358]], "IP_ADDRESS: 10.21.79.206": [[379, 391]]}, "info": {"id": "synth_v2_00703", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2020-49453 is a critical directory traversal affecting Windows Server 2019. Sophos X-Ops confirmed active exploitation by TA505 in the wild. Exploitation delivers Gootloader (SHA1: 74efea47cb51d54fa6348631e403f0b5ead6e989) which is dropped to C:\\Users\\admin\\Desktop\\lsass.dmp. The exploit payload is hosted at hxxps://edgesecure.top/portal/verify and communicates to 124.17.104.163 for C2.", "spans": {"CVE_ID: CVE-2020-49453": [[24, 38]], "VULNERABILITY: directory traversal": [[53, 72]], "SYSTEM: Windows Server 2019": [[83, 102]], "ORGANIZATION: Sophos X-Ops": [[104, 116]], "THREAT_ACTOR: TA505": [[150, 155]], "MALWARE: Gootloader": [[191, 201]], "HASH: 74efea47cb51d54fa6348631e403f0b5ead6e989": [[209, 249]], "FILEPATH: C:\\Users\\admin\\Desktop\\lsass.dmp": [[271, 303]], "URL: hxxps://edgesecure.top/portal/verify": [[338, 374]], "IP_ADDRESS: 124.17.104.163": [[395, 409]]}, "info": {"id": "synth_v2_00704", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2026-26476 is a critical privilege escalation affecting F5 BIG-IP. Qualys confirmed active exploitation by BlackTech in the wild. 
Exploitation delivers BatLoader (MD5: 5c580baefda89daa994e637da554eeee) which is dropped to C:\\Users\\admin\\Downloads\\csrss.exe. The exploit payload is hosted at hxxps://gatewaylogin.club/download/update.exe and communicates to 172.229.225.185 for C2.", "spans": {"CVE_ID: CVE-2026-26476": [[24, 38]], "VULNERABILITY: privilege escalation": [[53, 73]], "SYSTEM: F5 BIG-IP": [[84, 93]], "ORGANIZATION: Qualys": [[95, 101]], "THREAT_ACTOR: BlackTech": [[135, 144]], "MALWARE: BatLoader": [[180, 189]], "HASH: 5c580baefda89daa994e637da554eeee": [[196, 228]], "FILEPATH: C:\\Users\\admin\\Downloads\\csrss.exe": [[250, 284]], "URL: hxxps://gatewaylogin.club/download/update.exe": [[319, 364]], "IP_ADDRESS: 172.229.225.185": [[385, 400]]}, "info": {"id": "synth_v2_00705", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2022-22601 is a critical SQL injection affecting Juniper SRX. Cisco Talos confirmed active exploitation by APT28 in the wild. Exploitation delivers AsyncRAT (MD5: ab235a2e57f6bd2a124eed1429ec7053) which is dropped to C:\\ProgramData\\update.dll. The exploit payload is hosted at hxxp://login-cloud.cc/admin/config and communicates to 192.54.68.49 for C2.", "spans": {"CVE_ID: CVE-2022-22601": [[24, 38]], "VULNERABILITY: SQL injection": [[53, 66]], "SYSTEM: Juniper SRX": [[77, 88]], "ORGANIZATION: Cisco Talos": [[90, 101]], "THREAT_ACTOR: APT28": [[135, 140]], "MALWARE: AsyncRAT": [[176, 184]], "HASH: ab235a2e57f6bd2a124eed1429ec7053": [[191, 223]], "FILEPATH: C:\\ProgramData\\update.dll": [[245, 270]], "URL: hxxp://login-cloud.cc/admin/config": [[305, 339]], "IP_ADDRESS: 192.54.68.49": [[360, 372]]}, "info": {"id": "synth_v2_00706", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2020-28024 is a critical SQL injection affecting Juniper SRX. ESET Research confirmed active exploitation by Volt Typhoon in the wild. 
Exploitation delivers PikaBot (SHA256: dc72ea14cf48b3d2ea816fe5020daaeea7f7146d761b6743ec9710a96c64f7ba) which is dropped to C:\\ProgramData\\sam.hive. The exploit payload is hosted at hxxp://mailupdate.io/gate.php and communicates to 68.250.81.53 for C2.", "spans": {"CVE_ID: CVE-2020-28024": [[24, 38]], "VULNERABILITY: SQL injection": [[53, 66]], "SYSTEM: Juniper SRX": [[77, 88]], "ORGANIZATION: ESET Research": [[90, 103]], "THREAT_ACTOR: Volt Typhoon": [[137, 149]], "MALWARE: PikaBot": [[185, 192]], "HASH: dc72ea14cf48b3d2ea816fe5020daaeea7f7146d761b6743ec9710a96c64f7ba": [[202, 266]], "FILEPATH: C:\\ProgramData\\sam.hive": [[288, 311]], "URL: hxxp://mailupdate.io/gate.php": [[346, 375]], "IP_ADDRESS: 68.250.81.53": [[396, 408]]}, "info": {"id": "synth_v2_00707", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2022-18180 is a critical integer overflow affecting F5 BIG-IP. CISA confirmed active exploitation by Mustang Panda in the wild. Exploitation delivers Meduza Stealer (SHA1: 8e5b74ea4b9b6bbe6964f33fa5ed8629a6acb240) which is dropped to C:\\ProgramData\\loader.exe. The exploit payload is hosted at hxxps://portal-login.live/secure/token and communicates to 67.185.136.124 for C2.", "spans": {"CVE_ID: CVE-2022-18180": [[24, 38]], "VULNERABILITY: integer overflow": [[53, 69]], "SYSTEM: F5 BIG-IP": [[80, 89]], "ORGANIZATION: CISA": [[91, 95]], "THREAT_ACTOR: Mustang Panda": [[129, 142]], "MALWARE: Meduza Stealer": [[178, 192]], "HASH: 8e5b74ea4b9b6bbe6964f33fa5ed8629a6acb240": [[200, 240]], "FILEPATH: C:\\ProgramData\\loader.exe": [[262, 287]], "URL: hxxps://portal-login.live/secure/token": [[322, 360]], "IP_ADDRESS: 67.185.136.124": [[381, 395]]}, "info": {"id": "synth_v2_00708", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2025-20484 is a critical race condition affecting Barracuda ESG. ESET Research confirmed active exploitation by Star Blizzard in the wild. 
Exploitation delivers Royal (SHA1: 8d7b814c512a1de2f54996dd5732f6153a10eef2) which is dropped to /tmp/sam.hive. The exploit payload is hosted at hxxps://authproxy.org/gate.php and communicates to 172.27.93.184 for C2.", "spans": {"CVE_ID: CVE-2025-20484": [[24, 38]], "VULNERABILITY: race condition": [[53, 67]], "SYSTEM: Barracuda ESG": [[78, 91]], "ORGANIZATION: ESET Research": [[93, 106]], "THREAT_ACTOR: Star Blizzard": [[140, 153]], "MALWARE: Royal": [[189, 194]], "HASH: 8d7b814c512a1de2f54996dd5732f6153a10eef2": [[202, 242]], "FILEPATH: /tmp/sam.hive": [[264, 277]], "URL: hxxps://authproxy.org/gate.php": [[312, 342]], "IP_ADDRESS: 172.27.93.184": [[363, 376]]}, "info": {"id": "synth_v2_00709", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2022-13003 is a critical null pointer dereference affecting MOVEit Transfer. Google TAG confirmed active exploitation by Star Blizzard in the wild. Exploitation delivers Lumma Stealer (SHA256: 4ffa86ed27ea4760696f5b86ba41820a139c98d9c1e65e97c9e1bad5979bbbae) which is dropped to C:\\ProgramData\\agent.py. The exploit payload is hosted at http://gateway-secure.net/secure/token and communicates to 172.93.88.40 for C2.", "spans": {"CVE_ID: CVE-2022-13003": [[24, 38]], "VULNERABILITY: null pointer dereference": [[53, 77]], "SYSTEM: MOVEit Transfer": [[88, 103]], "ORGANIZATION: Google TAG": [[105, 115]], "THREAT_ACTOR: Star Blizzard": [[149, 162]], "MALWARE: Lumma Stealer": [[198, 211]], "HASH: 4ffa86ed27ea4760696f5b86ba41820a139c98d9c1e65e97c9e1bad5979bbbae": [[221, 285]], "FILEPATH: C:\\ProgramData\\agent.py": [[307, 330]], "URL: http://gateway-secure.net/secure/token": [[365, 403]], "IP_ADDRESS: 172.93.88.40": [[424, 436]]}, "info": {"id": "synth_v2_00710", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2021-16078 is a critical command injection affecting Fortinet FortiGate. Sophos X-Ops confirmed active exploitation by UNC2452 in the wild. 
Exploitation delivers ShadowPad (SHA256: f619238405d45984f31a9191d9a4df2c23fcc143ad8a917174fcce17c01eab27) which is dropped to /dev/shm/helper.sh. The exploit payload is hosted at http://syncgateway.net/assets/js/payload.js and communicates to 180.125.104.82 for C2.", "spans": {"CVE_ID: CVE-2021-16078": [[24, 38]], "VULNERABILITY: command injection": [[53, 70]], "SYSTEM: Fortinet FortiGate": [[81, 99]], "ORGANIZATION: Sophos X-Ops": [[101, 113]], "THREAT_ACTOR: UNC2452": [[147, 154]], "MALWARE: ShadowPad": [[190, 199]], "HASH: f619238405d45984f31a9191d9a4df2c23fcc143ad8a917174fcce17c01eab27": [[209, 273]], "FILEPATH: /dev/shm/helper.sh": [[295, 313]], "URL: http://syncgateway.net/assets/js/payload.js": [[348, 391]], "IP_ADDRESS: 180.125.104.82": [[412, 426]]}, "info": {"id": "synth_v2_00711", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2025-46789 is a critical use-after-free affecting Microsoft Exchange. CrowdStrike confirmed active exploitation by Turla in the wild. Exploitation delivers DanaBot (SHA256: c1fb7c63443b4d4bb6947a439deb130a92da53e75b675dbfd204a1516e5db9dc) which is dropped to C:\\Users\\admin\\Downloads\\sam.hive. The exploit payload is hosted at http://secure-relay.cc/login and communicates to 67.129.255.157 for C2.", "spans": {"CVE_ID: CVE-2025-46789": [[24, 38]], "VULNERABILITY: use-after-free": [[53, 67]], "SYSTEM: Microsoft Exchange": [[78, 96]], "ORGANIZATION: CrowdStrike": [[98, 109]], "THREAT_ACTOR: Turla": [[143, 148]], "MALWARE: DanaBot": [[184, 191]], "HASH: c1fb7c63443b4d4bb6947a439deb130a92da53e75b675dbfd204a1516e5db9dc": [[201, 265]], "FILEPATH: C:\\Users\\admin\\Downloads\\sam.hive": [[287, 320]], "URL: http://secure-relay.cc/login": [[355, 383]], "IP_ADDRESS: 67.129.255.157": [[404, 418]]}, "info": {"id": "synth_v2_00712", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2022-49565 is a critical remote code execution affecting Atlassian Confluence. 
ESET Research confirmed active exploitation by Mustang Panda in the wild. Exploitation delivers TrickBot (MD5: d3cbd937705fbec29e906aa6f5ca4767) which is dropped to C:\\Users\\Public\\Documents\\payload.bin. The exploit payload is hosted at hxxp://storagelogin.cc/download/update.exe and communicates to 195.254.57.55 for C2.", "spans": {"CVE_ID: CVE-2022-49565": [[24, 38]], "VULNERABILITY: remote code execution": [[53, 74]], "SYSTEM: Atlassian Confluence": [[85, 105]], "ORGANIZATION: ESET Research": [[107, 120]], "THREAT_ACTOR: Mustang Panda": [[154, 167]], "MALWARE: TrickBot": [[203, 211]], "HASH: d3cbd937705fbec29e906aa6f5ca4767": [[218, 250]], "FILEPATH: C:\\Users\\Public\\Documents\\payload.bin": [[272, 309]], "URL: hxxp://storagelogin.cc/download/update.exe": [[344, 386]], "IP_ADDRESS: 195.254.57.55": [[407, 420]]}, "info": {"id": "synth_v2_00713", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2025-45322 is a critical remote code execution affecting Barracuda ESG. Cisco Talos confirmed active exploitation by Star Blizzard in the wild. Exploitation delivers Royal (MD5: f2cdb7426b91c16015519135da916bfe) which is dropped to /etc/cron.d/loader.exe. The exploit payload is hosted at http://staticrelay.io/secure/token and communicates to 10.22.135.195 for C2.", "spans": {"CVE_ID: CVE-2025-45322": [[24, 38]], "VULNERABILITY: remote code execution": [[53, 74]], "SYSTEM: Barracuda ESG": [[85, 98]], "ORGANIZATION: Cisco Talos": [[100, 111]], "THREAT_ACTOR: Star Blizzard": [[145, 158]], "MALWARE: Royal": [[194, 199]], "HASH: f2cdb7426b91c16015519135da916bfe": [[206, 238]], "FILEPATH: /etc/cron.d/loader.exe": [[260, 282]], "URL: http://staticrelay.io/secure/token": [[317, 351]], "IP_ADDRESS: 10.22.135.195": [[372, 385]]}, "info": {"id": "synth_v2_00714", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2022-34807 is a critical command injection affecting Barracuda ESG. Proofpoint confirmed active exploitation by Salt Typhoon in the wild. 
Exploitation delivers DanaBot (MD5: 09ff5e82c135dfe8b268556361562a4f) which is dropped to /opt/app/bin/taskhost.exe. The exploit payload is hosted at hxxps://dataportal.top/collect and communicates to 10.103.8.72 for C2.", "spans": {"CVE_ID: CVE-2022-34807": [[24, 38]], "VULNERABILITY: command injection": [[53, 70]], "SYSTEM: Barracuda ESG": [[81, 94]], "ORGANIZATION: Proofpoint": [[96, 106]], "THREAT_ACTOR: Salt Typhoon": [[140, 152]], "MALWARE: DanaBot": [[188, 195]], "HASH: 09ff5e82c135dfe8b268556361562a4f": [[202, 234]], "FILEPATH: /opt/app/bin/taskhost.exe": [[256, 281]], "URL: hxxps://dataportal.top/collect": [[316, 346]], "IP_ADDRESS: 10.103.8.72": [[367, 378]]}, "info": {"id": "synth_v2_00715", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2020-49453 is a critical integer overflow affecting Fortinet FortiGate. Cisco Talos confirmed active exploitation by FIN11 in the wild. Exploitation delivers BatLoader (SHA1: 174339fcd92b4bb3f9d206f56768cc100839ec97) which is dropped to /tmp/update.dll. The exploit payload is hosted at hxxp://updateapi.info/gate.php and communicates to 10.76.85.200 for C2.", "spans": {"CVE_ID: CVE-2020-49453": [[24, 38]], "VULNERABILITY: integer overflow": [[53, 69]], "SYSTEM: Fortinet FortiGate": [[80, 98]], "ORGANIZATION: Cisco Talos": [[100, 111]], "THREAT_ACTOR: FIN11": [[145, 150]], "MALWARE: BatLoader": [[186, 195]], "HASH: 174339fcd92b4bb3f9d206f56768cc100839ec97": [[203, 243]], "FILEPATH: /tmp/update.dll": [[265, 280]], "URL: hxxp://updateapi.info/gate.php": [[315, 345]], "IP_ADDRESS: 10.76.85.200": [[366, 378]]}, "info": {"id": "synth_v2_00716", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2022-29213 is a critical buffer overflow affecting MOVEit Transfer. Dragos confirmed active exploitation by Mustang Panda in the wild. Exploitation delivers Conti (SHA256: bdb06142f0181b4c9ed4b5d7fa418e56d9f0699a9925fd4f1f94dc537aca747e) which is dropped to /tmp/config.dat. 
The exploit payload is hosted at hxxp://login-portal.com/assets/js/payload.js and communicates to 22.107.255.24 for C2.", "spans": {"CVE_ID: CVE-2022-29213": [[24, 38]], "VULNERABILITY: buffer overflow": [[53, 68]], "SYSTEM: MOVEit Transfer": [[79, 94]], "ORGANIZATION: Dragos": [[96, 102]], "THREAT_ACTOR: Mustang Panda": [[136, 149]], "MALWARE: Conti": [[185, 190]], "HASH: bdb06142f0181b4c9ed4b5d7fa418e56d9f0699a9925fd4f1f94dc537aca747e": [[200, 264]], "FILEPATH: /tmp/config.dat": [[286, 301]], "URL: hxxp://login-portal.com/assets/js/payload.js": [[336, 380]], "IP_ADDRESS: 22.107.255.24": [[401, 414]]}, "info": {"id": "synth_v2_00717", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2025-37666 is a critical SSRF vulnerability affecting Zyxel USG. Huntress confirmed active exploitation by APT29 in the wild. Exploitation delivers Conti (SHA256: 067e0b4edfe8f670cb02c44c6d6b4d88abff7f0131e50ccd6c56a86022e4f0d0) which is dropped to C:\\Users\\admin\\AppData\\Local\\Temp\\sam.hive. The exploit payload is hosted at hxxp://portal-portal.net/download/update.exe and communicates to 10.58.45.30 for C2.", "spans": {"CVE_ID: CVE-2025-37666": [[24, 38]], "VULNERABILITY: SSRF vulnerability": [[53, 71]], "SYSTEM: Zyxel USG": [[82, 91]], "ORGANIZATION: Huntress": [[93, 101]], "THREAT_ACTOR: APT29": [[135, 140]], "MALWARE: Conti": [[176, 181]], "HASH: 067e0b4edfe8f670cb02c44c6d6b4d88abff7f0131e50ccd6c56a86022e4f0d0": [[191, 255]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\sam.hive": [[277, 319]], "URL: hxxp://portal-portal.net/download/update.exe": [[354, 398]], "IP_ADDRESS: 10.58.45.30": [[419, 430]]}, "info": {"id": "synth_v2_00718", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2024-27546 is a critical CSRF vulnerability affecting Zyxel USG. FireEye confirmed active exploitation by APT28 in the wild. Exploitation delivers DarkSide (SHA1: 9d45cb8714ddb217127203a99a9d34e8ecc69384) which is dropped to C:\\Windows\\Tasks\\agent.py. 
The exploit payload is hosted at hxxp://gateway-portal.tech/panel/index.html and communicates to 10.109.18.76 for C2.", "spans": {"CVE_ID: CVE-2024-27546": [[24, 38]], "VULNERABILITY: CSRF vulnerability": [[53, 71]], "SYSTEM: Zyxel USG": [[82, 91]], "ORGANIZATION: FireEye": [[93, 100]], "THREAT_ACTOR: APT28": [[134, 139]], "MALWARE: DarkSide": [[175, 183]], "HASH: 9d45cb8714ddb217127203a99a9d34e8ecc69384": [[191, 231]], "FILEPATH: C:\\Windows\\Tasks\\agent.py": [[253, 278]], "URL: hxxp://gateway-portal.tech/panel/index.html": [[313, 356]], "IP_ADDRESS: 10.109.18.76": [[377, 389]]}, "info": {"id": "synth_v2_00719", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2021-28231 is a critical privilege escalation affecting Apache Struts. Google TAG confirmed active exploitation by OilRig in the wild. Exploitation delivers RemcosRAT (SHA1: b325133fdedd0c4e671ac2fde32b98dd59cc2275) which is dropped to C:\\Windows\\System32\\payload.bin. The exploit payload is hosted at https://nodelogin.dev/login and communicates to 10.145.11.203 for C2.", "spans": {"CVE_ID: CVE-2021-28231": [[24, 38]], "VULNERABILITY: privilege escalation": [[53, 73]], "SYSTEM: Apache Struts": [[84, 97]], "ORGANIZATION: Google TAG": [[99, 109]], "THREAT_ACTOR: OilRig": [[143, 149]], "MALWARE: RemcosRAT": [[185, 194]], "HASH: b325133fdedd0c4e671ac2fde32b98dd59cc2275": [[202, 242]], "FILEPATH: C:\\Windows\\System32\\payload.bin": [[264, 295]], "URL: https://nodelogin.dev/login": [[330, 357]], "IP_ADDRESS: 10.145.11.203": [[378, 391]]}, "info": {"id": "synth_v2_00720", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2023-45005 is a critical race condition affecting Citrix NetScaler. CrowdStrike confirmed active exploitation by Star Blizzard in the wild. Exploitation delivers DanaBot (SHA1: 8694a04b8d7eaf0d405abd673d69d9878663e9cd) which is dropped to /etc/cron.d/payload.bin. 
The exploit payload is hosted at hxxp://apiupdate.link/assets/js/payload.js and communicates to 192.187.179.185 for C2.", "spans": {"CVE_ID: CVE-2023-45005": [[24, 38]], "VULNERABILITY: race condition": [[53, 67]], "SYSTEM: Citrix NetScaler": [[78, 94]], "ORGANIZATION: CrowdStrike": [[96, 107]], "THREAT_ACTOR: Star Blizzard": [[141, 154]], "MALWARE: DanaBot": [[190, 197]], "HASH: 8694a04b8d7eaf0d405abd673d69d9878663e9cd": [[205, 245]], "FILEPATH: /etc/cron.d/payload.bin": [[267, 290]], "URL: hxxp://apiupdate.link/assets/js/payload.js": [[325, 367]], "IP_ADDRESS: 192.187.179.185": [[388, 403]]}, "info": {"id": "synth_v2_00721", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2026-10752 is a critical buffer overflow affecting VMware ESXi. ESET Research confirmed active exploitation by TA505 in the wild. Exploitation delivers BlackCat (MD5: 6fa7213cee285fc522f298cb171669b3) which is dropped to /tmp/svchost.exe. The exploit payload is hosted at https://mailedge.tech/callback and communicates to 31.72.141.49 for C2.", "spans": {"CVE_ID: CVE-2026-10752": [[24, 38]], "VULNERABILITY: buffer overflow": [[53, 68]], "SYSTEM: VMware ESXi": [[79, 90]], "ORGANIZATION: ESET Research": [[92, 105]], "THREAT_ACTOR: TA505": [[139, 144]], "MALWARE: BlackCat": [[180, 188]], "HASH: 6fa7213cee285fc522f298cb171669b3": [[195, 227]], "FILEPATH: /tmp/svchost.exe": [[249, 265]], "URL: https://mailedge.tech/callback": [[300, 330]], "IP_ADDRESS: 31.72.141.49": [[351, 363]]}, "info": {"id": "synth_v2_00722", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2020-46781 is a critical privilege escalation affecting Windows Server 2019. Microsoft MSRC confirmed active exploitation by APT29 in the wild. Exploitation delivers REvil (SHA1: d07a63f594a8b9a251387a1d24ae788cd953e074) which is dropped to C:\\Users\\admin\\AppData\\Local\\Temp\\sam.hive. 
The exploit payload is hosted at http://proxy-data.io/portal/verify and communicates to 14.216.63.93 for C2.", "spans": {"CVE_ID: CVE-2020-46781": [[24, 38]], "VULNERABILITY: privilege escalation": [[53, 73]], "SYSTEM: Windows Server 2019": [[84, 103]], "ORGANIZATION: Microsoft MSRC": [[105, 119]], "THREAT_ACTOR: APT29": [[153, 158]], "MALWARE: REvil": [[194, 199]], "HASH: d07a63f594a8b9a251387a1d24ae788cd953e074": [[207, 247]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\sam.hive": [[269, 311]], "URL: http://proxy-data.io/portal/verify": [[346, 380]], "IP_ADDRESS: 14.216.63.93": [[401, 413]]}, "info": {"id": "synth_v2_00723", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2021-45713 is a critical SSRF vulnerability affecting SonicWall SMA. Qualys confirmed active exploitation by Salt Typhoon in the wild. Exploitation delivers REvil (SHA1: 6a6aece9a3e74b385d001da2d8a5973b76014bfd) which is dropped to C:\\Windows\\Temp\\helper.sh. The exploit payload is hosted at https://nodeauth.tech/portal/verify and communicates to 172.116.66.33 for C2.", "spans": {"CVE_ID: CVE-2021-45713": [[24, 38]], "VULNERABILITY: SSRF vulnerability": [[53, 71]], "SYSTEM: SonicWall SMA": [[82, 95]], "ORGANIZATION: Qualys": [[97, 103]], "THREAT_ACTOR: Salt Typhoon": [[137, 149]], "MALWARE: REvil": [[185, 190]], "HASH: 6a6aece9a3e74b385d001da2d8a5973b76014bfd": [[198, 238]], "FILEPATH: C:\\Windows\\Temp\\helper.sh": [[260, 285]], "URL: https://nodeauth.tech/portal/verify": [[320, 355]], "IP_ADDRESS: 172.116.66.33": [[376, 389]]}, "info": {"id": "synth_v2_00724", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2023-45005 is a critical remote code execution affecting Microsoft Exchange. Mandiant confirmed active exploitation by Gamaredon in the wild. Exploitation delivers IcedID (SHA1: 38d66941b75e4f34b72cdbacc675b9487074841d) which is dropped to /etc/cron.d/sam.hive. 
The exploit payload is hosted at http://cacherelay.tech/portal/verify and communicates to 10.185.207.245 for C2.", "spans": {"CVE_ID: CVE-2023-45005": [[24, 38]], "VULNERABILITY: remote code execution": [[53, 74]], "SYSTEM: Microsoft Exchange": [[85, 103]], "ORGANIZATION: Mandiant": [[105, 113]], "THREAT_ACTOR: Gamaredon": [[147, 156]], "MALWARE: IcedID": [[192, 198]], "HASH: 38d66941b75e4f34b72cdbacc675b9487074841d": [[206, 246]], "FILEPATH: /etc/cron.d/sam.hive": [[268, 288]], "URL: http://cacherelay.tech/portal/verify": [[323, 359]], "IP_ADDRESS: 10.185.207.245": [[380, 394]]}, "info": {"id": "synth_v2_00725", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2024-23826 is a critical integer overflow affecting Apache Struts. Dragos confirmed active exploitation by Kimsuky in the wild. Exploitation delivers Cobalt Strike (SHA1: 30181c4b5819692cfe8d4538d90a597897e1a1b7) which is dropped to C:\\Users\\admin\\AppData\\Local\\Temp\\taskhost.exe. The exploit payload is hosted at http://login-sync.online/login and communicates to 10.128.245.216 for C2.", "spans": {"CVE_ID: CVE-2024-23826": [[24, 38]], "VULNERABILITY: integer overflow": [[53, 69]], "SYSTEM: Apache Struts": [[80, 93]], "ORGANIZATION: Dragos": [[95, 101]], "THREAT_ACTOR: Kimsuky": [[135, 142]], "MALWARE: Cobalt Strike": [[178, 191]], "HASH: 30181c4b5819692cfe8d4538d90a597897e1a1b7": [[199, 239]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\taskhost.exe": [[261, 307]], "URL: http://login-sync.online/login": [[342, 372]], "IP_ADDRESS: 10.128.245.216": [[393, 407]]}, "info": {"id": "synth_v2_00726", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2021-28210 is a critical remote code execution affecting Palo Alto PAN-OS. CrowdStrike confirmed active exploitation by Charming Kitten in the wild. Exploitation delivers Cobalt Strike (SHA256: 859294917cc25cd1fa7802c3434d21178b3dca8c761864f3a6734869510dfe96) which is dropped to C:\\Windows\\Temp\\loader.exe. 
The exploit payload is hosted at hxxp://syncapi.online/callback and communicates to 142.117.51.116 for C2.", "spans": {"CVE_ID: CVE-2021-28210": [[24, 38]], "VULNERABILITY: remote code execution": [[53, 74]], "SYSTEM: Palo Alto PAN-OS": [[85, 101]], "ORGANIZATION: CrowdStrike": [[103, 114]], "THREAT_ACTOR: Charming Kitten": [[148, 163]], "MALWARE: Cobalt Strike": [[199, 212]], "HASH: 859294917cc25cd1fa7802c3434d21178b3dca8c761864f3a6734869510dfe96": [[222, 286]], "FILEPATH: C:\\Windows\\Temp\\loader.exe": [[308, 334]], "URL: hxxp://syncapi.online/callback": [[369, 399]], "IP_ADDRESS: 142.117.51.116": [[420, 434]]}, "info": {"id": "synth_v2_00727", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2024-42717 is a critical XXE injection affecting VMware ESXi. Microsoft MSRC confirmed active exploitation by Midnight Blizzard in the wild. Exploitation delivers Ryuk (MD5: 2014ff4298fc88ce13a42a749274db44) which is dropped to /var/tmp/update.dll. The exploit payload is hosted at hxxps://relay-api.xyz/callback and communicates to 192.55.175.181 for C2.", "spans": {"CVE_ID: CVE-2024-42717": [[24, 38]], "VULNERABILITY: XXE injection": [[53, 66]], "SYSTEM: VMware ESXi": [[77, 88]], "ORGANIZATION: Microsoft MSRC": [[90, 104]], "THREAT_ACTOR: Midnight Blizzard": [[138, 155]], "MALWARE: Ryuk": [[191, 195]], "HASH: 2014ff4298fc88ce13a42a749274db44": [[202, 234]], "FILEPATH: /var/tmp/update.dll": [[256, 275]], "URL: hxxps://relay-api.xyz/callback": [[310, 340]], "IP_ADDRESS: 192.55.175.181": [[361, 375]]}, "info": {"id": "synth_v2_00728", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2022-15229 is a critical heap overflow affecting Ubuntu 22.04. Mandiant confirmed active exploitation by APT28 in the wild. Exploitation delivers DanaBot (MD5: e820578b681f8d7172170f7b97d6da21) which is dropped to C:\\Program Files\\Common Files\\config.dat. 
The exploit payload is hosted at hxxp://portal-secure.net/login and communicates to 93.141.251.77 for C2.", "spans": {"CVE_ID: CVE-2022-15229": [[24, 38]], "VULNERABILITY: heap overflow": [[53, 66]], "SYSTEM: Ubuntu 22.04": [[77, 89]], "ORGANIZATION: Mandiant": [[91, 99]], "THREAT_ACTOR: APT28": [[133, 138]], "MALWARE: DanaBot": [[174, 181]], "HASH: e820578b681f8d7172170f7b97d6da21": [[188, 220]], "FILEPATH: C:\\Program Files\\Common Files\\config.dat": [[242, 282]], "URL: hxxp://portal-secure.net/login": [[317, 347]], "IP_ADDRESS: 93.141.251.77": [[368, 381]]}, "info": {"id": "synth_v2_00729", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2026-39735 is a critical CSRF vulnerability affecting Ivanti Connect Secure. CISA confirmed active exploitation by Sandworm in the wild. Exploitation delivers Hive (MD5: b999e3d6dc449a21df718d3763c1da50) which is dropped to C:\\Users\\admin\\Desktop\\config.dat. The exploit payload is hosted at hxxps://cloud-auth.io/secure/token and communicates to 181.219.129.128 for C2.", "spans": {"CVE_ID: CVE-2026-39735": [[24, 38]], "VULNERABILITY: CSRF vulnerability": [[53, 71]], "SYSTEM: Ivanti Connect Secure": [[82, 103]], "ORGANIZATION: CISA": [[105, 109]], "THREAT_ACTOR: Sandworm": [[143, 151]], "MALWARE: Hive": [[187, 191]], "HASH: b999e3d6dc449a21df718d3763c1da50": [[198, 230]], "FILEPATH: C:\\Users\\admin\\Desktop\\config.dat": [[252, 285]], "URL: hxxps://cloud-auth.io/secure/token": [[320, 354]], "IP_ADDRESS: 181.219.129.128": [[375, 390]]}, "info": {"id": "synth_v2_00730", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2023-20659 is a critical SSRF vulnerability affecting Cisco ASA. Dragos confirmed active exploitation by FIN11 in the wild. Exploitation delivers Vidar (SHA256: 106cb5dfcca5dac7fe2ab9d0d9db6ecdc3d9bfa6d56f008104f6f88bf7370f9d) which is dropped to C:\\Program Files\\Common Files\\ntds.dit. 
The exploit payload is hosted at hxxps://login-proxy.com/login and communicates to 10.180.32.135 for C2.", "spans": {"CVE_ID: CVE-2023-20659": [[24, 38]], "VULNERABILITY: SSRF vulnerability": [[53, 71]], "SYSTEM: Cisco ASA": [[82, 91]], "ORGANIZATION: Dragos": [[93, 99]], "THREAT_ACTOR: FIN11": [[133, 138]], "MALWARE: Vidar": [[174, 179]], "HASH: 106cb5dfcca5dac7fe2ab9d0d9db6ecdc3d9bfa6d56f008104f6f88bf7370f9d": [[189, 253]], "FILEPATH: C:\\Program Files\\Common Files\\ntds.dit": [[275, 313]], "URL: hxxps://login-proxy.com/login": [[348, 377]], "IP_ADDRESS: 10.180.32.135": [[398, 411]]}, "info": {"id": "synth_v2_00731", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2023-46500 is a critical heap overflow affecting MOVEit Transfer. CrowdStrike confirmed active exploitation by APT28 in the wild. Exploitation delivers SmokeLoader (SHA1: ec853b9035b322739988c30bd4363004c1267dfd) which is dropped to /var/tmp/dropper.ps1. The exploit payload is hosted at https://relayauth.dev/login and communicates to 10.25.228.151 for C2.", "spans": {"CVE_ID: CVE-2023-46500": [[24, 38]], "VULNERABILITY: heap overflow": [[53, 66]], "SYSTEM: MOVEit Transfer": [[77, 92]], "ORGANIZATION: CrowdStrike": [[94, 105]], "THREAT_ACTOR: APT28": [[139, 144]], "MALWARE: SmokeLoader": [[180, 191]], "HASH: ec853b9035b322739988c30bd4363004c1267dfd": [[199, 239]], "FILEPATH: /var/tmp/dropper.ps1": [[261, 281]], "URL: https://relayauth.dev/login": [[316, 343]], "IP_ADDRESS: 10.25.228.151": [[364, 377]]}, "info": {"id": "synth_v2_00732", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2020-49453 is a critical null pointer dereference affecting Active Directory. Europol confirmed active exploitation by TA505 in the wild. Exploitation delivers StealC (SHA1: 2450a7b2afc637b52885490a93f1b00cba8fee43) which is dropped to /dev/shm/lsass.dmp. 
The exploit payload is hosted at hxxps://cdn-sync.cc/collect and communicates to 172.127.33.82 for C2.", "spans": {"CVE_ID: CVE-2020-49453": [[24, 38]], "VULNERABILITY: null pointer dereference": [[53, 77]], "SYSTEM: Active Directory": [[88, 104]], "ORGANIZATION: Europol": [[106, 113]], "THREAT_ACTOR: TA505": [[147, 152]], "MALWARE: StealC": [[188, 194]], "HASH: 2450a7b2afc637b52885490a93f1b00cba8fee43": [[202, 242]], "FILEPATH: /dev/shm/lsass.dmp": [[264, 282]], "URL: hxxps://cdn-sync.cc/collect": [[317, 344]], "IP_ADDRESS: 172.127.33.82": [[365, 378]]}, "info": {"id": "synth_v2_00733", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2026-20365 is a critical IDOR vulnerability affecting Microsoft Exchange. Check Point Research confirmed active exploitation by Storm-0558 in the wild. Exploitation delivers Raccoon Stealer (SHA256: cd178d3d014df9fa5e66b4ec269b65e06c14bd62b2f31c7f9d186444e30b17ba) which is dropped to C:\\Users\\Public\\Documents\\payload.bin. The exploit payload is hosted at https://gateway-portal.cc/api/v2/auth and communicates to 10.237.224.176 for C2.", "spans": {"CVE_ID: CVE-2026-20365": [[24, 38]], "VULNERABILITY: IDOR vulnerability": [[53, 71]], "SYSTEM: Microsoft Exchange": [[82, 100]], "ORGANIZATION: Check Point Research": [[102, 122]], "THREAT_ACTOR: Storm-0558": [[156, 166]], "MALWARE: Raccoon Stealer": [[202, 217]], "HASH: cd178d3d014df9fa5e66b4ec269b65e06c14bd62b2f31c7f9d186444e30b17ba": [[227, 291]], "FILEPATH: C:\\Users\\Public\\Documents\\payload.bin": [[313, 350]], "URL: https://gateway-portal.cc/api/v2/auth": [[385, 422]], "IP_ADDRESS: 10.237.224.176": [[443, 457]]}, "info": {"id": "synth_v2_00734", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2026-44676 is a critical use-after-free affecting Windows 11. FBI confirmed active exploitation by Forest Blizzard in the wild. 
Exploitation delivers BatLoader (SHA1: 94b48ca18ad4d8cd33111a1921277cca12b27f3e) which is dropped to /home/user/.config/shell.php. The exploit payload is hosted at hxxp://storage-gateway.org/assets/js/payload.js and communicates to 147.136.127.60 for C2.", "spans": {"CVE_ID: CVE-2026-44676": [[24, 38]], "VULNERABILITY: use-after-free": [[53, 67]], "SYSTEM: Windows 11": [[78, 88]], "ORGANIZATION: FBI": [[90, 93]], "THREAT_ACTOR: Forest Blizzard": [[127, 142]], "MALWARE: BatLoader": [[178, 187]], "HASH: 94b48ca18ad4d8cd33111a1921277cca12b27f3e": [[195, 235]], "FILEPATH: /home/user/.config/shell.php": [[257, 285]], "URL: hxxp://storage-gateway.org/assets/js/payload.js": [[320, 367]], "IP_ADDRESS: 147.136.127.60": [[388, 402]]}, "info": {"id": "synth_v2_00735", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2021-37696 is a critical type confusion affecting Zyxel USG. Rapid7 confirmed active exploitation by Charming Kitten in the wild. Exploitation delivers ShadowPad (SHA256: 984551272247c15929986b3769b6a5021b1aa76de33746370bffb488e90bf8db) which is dropped to C:\\Users\\admin\\Downloads\\taskhost.exe. The exploit payload is hosted at http://loginupdate.xyz/login and communicates to 10.135.84.227 for C2.", "spans": {"CVE_ID: CVE-2021-37696": [[24, 38]], "VULNERABILITY: type confusion": [[53, 67]], "SYSTEM: Zyxel USG": [[78, 87]], "ORGANIZATION: Rapid7": [[89, 95]], "THREAT_ACTOR: Charming Kitten": [[129, 144]], "MALWARE: ShadowPad": [[180, 189]], "HASH: 984551272247c15929986b3769b6a5021b1aa76de33746370bffb488e90bf8db": [[199, 263]], "FILEPATH: C:\\Users\\admin\\Downloads\\taskhost.exe": [[285, 322]], "URL: http://loginupdate.xyz/login": [[357, 385]], "IP_ADDRESS: 10.135.84.227": [[406, 419]]}, "info": {"id": "synth_v2_00736", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2025-48242 is a critical remote code execution affecting Fortinet FortiGate. Zscaler ThreatLabz confirmed active exploitation by Silk Typhoon in the wild. 
Exploitation delivers Conti (SHA256: dc730679139aa8fa79735e78e8a39738709100e2eb2ed3c085846825f679ee73) which is dropped to C:\\ProgramData\\sam.hive. The exploit payload is hosted at http://data-mail.top/download/update.exe and communicates to 192.132.48.218 for C2.", "spans": {"CVE_ID: CVE-2025-48242": [[24, 38]], "VULNERABILITY: remote code execution": [[53, 74]], "SYSTEM: Fortinet FortiGate": [[85, 103]], "ORGANIZATION: Zscaler ThreatLabz": [[105, 123]], "THREAT_ACTOR: Silk Typhoon": [[157, 169]], "MALWARE: Conti": [[205, 210]], "HASH: dc730679139aa8fa79735e78e8a39738709100e2eb2ed3c085846825f679ee73": [[220, 284]], "FILEPATH: C:\\ProgramData\\sam.hive": [[306, 329]], "URL: http://data-mail.top/download/update.exe": [[364, 404]], "IP_ADDRESS: 192.132.48.218": [[425, 439]]}, "info": {"id": "synth_v2_00737", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2026-10212 is a critical CSRF vulnerability affecting MOVEit Transfer. Trend Micro confirmed active exploitation by Charming Kitten in the wild. Exploitation delivers Play (MD5: d7dd3ace432cec804d42f5c033ae6b47) which is dropped to C:\\Windows\\Tasks\\loader.exe. The exploit payload is hosted at https://secure-auth.online/panel/index.html and communicates to 10.204.133.78 for C2.", "spans": {"CVE_ID: CVE-2026-10212": [[24, 38]], "VULNERABILITY: CSRF vulnerability": [[53, 71]], "SYSTEM: MOVEit Transfer": [[82, 97]], "ORGANIZATION: Trend Micro": [[99, 110]], "THREAT_ACTOR: Charming Kitten": [[144, 159]], "MALWARE: Play": [[195, 199]], "HASH: d7dd3ace432cec804d42f5c033ae6b47": [[206, 238]], "FILEPATH: C:\\Windows\\Tasks\\loader.exe": [[260, 287]], "URL: https://secure-auth.online/panel/index.html": [[322, 365]], "IP_ADDRESS: 10.204.133.78": [[386, 399]]}, "info": {"id": "synth_v2_00738", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2025-15957 is a critical buffer overflow affecting Barracuda ESG. Google TAG confirmed active exploitation by Flax Typhoon in the wild. 
Exploitation delivers Hive (SHA256: eedc60c4c5191faec3f69e00a4062f24ecbf82157cf2fb17f4e2cd06aaf1bab4) which is dropped to C:\\Users\\admin\\Desktop\\shell.php. The exploit payload is hosted at hxxps://storageproxy.top/download/update.exe and communicates to 10.132.23.108 for C2.", "spans": {"CVE_ID: CVE-2025-15957": [[24, 38]], "VULNERABILITY: buffer overflow": [[53, 68]], "SYSTEM: Barracuda ESG": [[79, 92]], "ORGANIZATION: Google TAG": [[94, 104]], "THREAT_ACTOR: Flax Typhoon": [[138, 150]], "MALWARE: Hive": [[186, 190]], "HASH: eedc60c4c5191faec3f69e00a4062f24ecbf82157cf2fb17f4e2cd06aaf1bab4": [[200, 264]], "FILEPATH: C:\\Users\\admin\\Desktop\\shell.php": [[286, 318]], "URL: hxxps://storageproxy.top/download/update.exe": [[353, 397]], "IP_ADDRESS: 10.132.23.108": [[418, 431]]}, "info": {"id": "synth_v2_00739", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2023-40294 is a critical type confusion affecting Cisco ASA. Recorded Future confirmed active exploitation by Aqua Blizzard in the wild. Exploitation delivers Vidar (MD5: 470ea820abeb27a8f99694b9064e5318) which is dropped to /dev/shm/update.dll. The exploit payload is hosted at hxxp://static-gateway.io/gate.php and communicates to 10.255.138.203 for C2.", "spans": {"CVE_ID: CVE-2023-40294": [[24, 38]], "VULNERABILITY: type confusion": [[53, 67]], "SYSTEM: Cisco ASA": [[78, 87]], "ORGANIZATION: Recorded Future": [[89, 104]], "THREAT_ACTOR: Aqua Blizzard": [[138, 151]], "MALWARE: Vidar": [[187, 192]], "HASH: 470ea820abeb27a8f99694b9064e5318": [[199, 231]], "FILEPATH: /dev/shm/update.dll": [[253, 272]], "URL: hxxp://static-gateway.io/gate.php": [[307, 340]], "IP_ADDRESS: 10.255.138.203": [[361, 375]]}, "info": {"id": "synth_v2_00740", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2020-12082 is a critical null pointer dereference affecting Ivanti Connect Secure. ESET Research confirmed active exploitation by Ember Bear in the wild. 
Exploitation delivers Gootloader (SHA1: ac7c05d2d0448ae2c8905545ab52bfcb35cd02e2) which is dropped to /var/tmp/winlogon.exe. The exploit payload is hosted at hxxp://gatewaycdn.online/download/update.exe and communicates to 172.45.216.29 for C2.", "spans": {"CVE_ID: CVE-2020-12082": [[24, 38]], "VULNERABILITY: null pointer dereference": [[53, 77]], "SYSTEM: Ivanti Connect Secure": [[88, 109]], "ORGANIZATION: ESET Research": [[111, 124]], "THREAT_ACTOR: Ember Bear": [[158, 168]], "MALWARE: Gootloader": [[204, 214]], "HASH: ac7c05d2d0448ae2c8905545ab52bfcb35cd02e2": [[222, 262]], "FILEPATH: /var/tmp/winlogon.exe": [[284, 305]], "URL: hxxp://gatewaycdn.online/download/update.exe": [[340, 384]], "IP_ADDRESS: 172.45.216.29": [[405, 418]]}, "info": {"id": "synth_v2_00741", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2024-19363 is a critical integer overflow affecting VMware ESXi. Huntress confirmed active exploitation by Volt Typhoon in the wild. Exploitation delivers Raccoon Stealer (SHA1: 0df65cd63630250163abe32c741da05d43ad18ea) which is dropped to /var/tmp/backdoor.elf. The exploit payload is hosted at https://static-gateway.club/collect and communicates to 149.203.93.75 for C2.", "spans": {"CVE_ID: CVE-2024-19363": [[24, 38]], "VULNERABILITY: integer overflow": [[53, 69]], "SYSTEM: VMware ESXi": [[80, 91]], "ORGANIZATION: Huntress": [[93, 101]], "THREAT_ACTOR: Volt Typhoon": [[135, 147]], "MALWARE: Raccoon Stealer": [[183, 198]], "HASH: 0df65cd63630250163abe32c741da05d43ad18ea": [[206, 246]], "FILEPATH: /var/tmp/backdoor.elf": [[268, 289]], "URL: https://static-gateway.club/collect": [[324, 359]], "IP_ADDRESS: 149.203.93.75": [[380, 393]]}, "info": {"id": "synth_v2_00742", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2025-19065 is a critical buffer overflow affecting Active Directory. CISA confirmed active exploitation by Turla in the wild. 
Exploitation delivers AgentTesla (MD5: 755cc0110a8ece9109ef36a5a0a1cfdb) which is dropped to /var/tmp/ntds.dit. The exploit payload is hosted at http://edge-storage.net/download/update.exe and communicates to 39.33.227.3 for C2.", "spans": {"CVE_ID: CVE-2025-19065": [[24, 38]], "VULNERABILITY: buffer overflow": [[53, 68]], "SYSTEM: Active Directory": [[79, 95]], "ORGANIZATION: CISA": [[97, 101]], "THREAT_ACTOR: Turla": [[135, 140]], "MALWARE: AgentTesla": [[176, 186]], "HASH: 755cc0110a8ece9109ef36a5a0a1cfdb": [[193, 225]], "FILEPATH: /var/tmp/ntds.dit": [[247, 264]], "URL: http://edge-storage.net/download/update.exe": [[299, 342]], "IP_ADDRESS: 39.33.227.3": [[363, 374]]}, "info": {"id": "synth_v2_00743", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2026-27261 is a critical memory corruption affecting Citrix NetScaler. CrowdStrike confirmed active exploitation by Mustang Panda in the wild. Exploitation delivers PikaBot (SHA1: 6fd73f52420cad9333d30cd850250775dabd8bd4) which is dropped to C:\\Windows\\Tasks\\implant.so. The exploit payload is hosted at http://gateway-login.info/gate.php and communicates to 172.204.116.158 for C2.", "spans": {"CVE_ID: CVE-2026-27261": [[24, 38]], "VULNERABILITY: memory corruption": [[53, 70]], "SYSTEM: Citrix NetScaler": [[81, 97]], "ORGANIZATION: CrowdStrike": [[99, 110]], "THREAT_ACTOR: Mustang Panda": [[144, 157]], "MALWARE: PikaBot": [[193, 200]], "HASH: 6fd73f52420cad9333d30cd850250775dabd8bd4": [[208, 248]], "FILEPATH: C:\\Windows\\Tasks\\implant.so": [[270, 297]], "URL: http://gateway-login.info/gate.php": [[332, 366]], "IP_ADDRESS: 172.204.116.158": [[387, 402]]}, "info": {"id": "synth_v2_00744", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2020-49453 is a critical SSRF vulnerability affecting Windows Server 2019. INTERPOL confirmed active exploitation by Forest Blizzard in the wild. 
Exploitation delivers FormBook (SHA256: d0a13c066920e67b603ef26a367d0527f7c20d20befe7b0b2f1c99e4b7d3ee7f) which is dropped to C:\\Users\\Public\\Documents\\helper.sh. The exploit payload is hosted at hxxp://cache-data.tech/wp-content/uploads/doc.php and communicates to 10.153.37.55 for C2.", "spans": {"CVE_ID: CVE-2020-49453": [[24, 38]], "VULNERABILITY: SSRF vulnerability": [[53, 71]], "SYSTEM: Windows Server 2019": [[82, 101]], "ORGANIZATION: INTERPOL": [[103, 111]], "THREAT_ACTOR: Forest Blizzard": [[145, 160]], "MALWARE: FormBook": [[196, 204]], "HASH: d0a13c066920e67b603ef26a367d0527f7c20d20befe7b0b2f1c99e4b7d3ee7f": [[214, 278]], "FILEPATH: C:\\Users\\Public\\Documents\\helper.sh": [[300, 335]], "URL: hxxp://cache-data.tech/wp-content/uploads/doc.php": [[370, 419]], "IP_ADDRESS: 10.153.37.55": [[440, 452]]}, "info": {"id": "synth_v2_00745", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2026-35009 is a critical SSRF vulnerability affecting Windows Server 2019. Sophos X-Ops confirmed active exploitation by BlackTech in the wild. Exploitation delivers SystemBC (SHA256: c6a6e04fa23912b1a001fe4684fd6268c6db8283b2c7f4cc04d50e22da01b8b6) which is dropped to /home/user/.config/beacon.dll. 
The exploit payload is hosted at hxxps://portal-storage.link/download/update.exe and communicates to 10.22.130.83 for C2.", "spans": {"CVE_ID: CVE-2026-35009": [[24, 38]], "VULNERABILITY: SSRF vulnerability": [[53, 71]], "SYSTEM: Windows Server 2019": [[82, 101]], "ORGANIZATION: Sophos X-Ops": [[103, 115]], "THREAT_ACTOR: BlackTech": [[149, 158]], "MALWARE: SystemBC": [[194, 202]], "HASH: c6a6e04fa23912b1a001fe4684fd6268c6db8283b2c7f4cc04d50e22da01b8b6": [[212, 276]], "FILEPATH: /home/user/.config/beacon.dll": [[298, 327]], "URL: hxxps://portal-storage.link/download/update.exe": [[362, 409]], "IP_ADDRESS: 10.22.130.83": [[430, 442]]}, "info": {"id": "synth_v2_00746", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2023-33283 is a critical cross-site scripting affecting Progress Telerik. Palo Alto Unit 42 confirmed active exploitation by Salt Typhoon in the wild. Exploitation delivers IcedID (SHA1: d4a5b15852857c7799f3bfad0588d8bc5da8b424) which is dropped to /dev/shm/beacon.dll. The exploit payload is hosted at http://syncupdate.link/callback and communicates to 82.16.98.179 for C2.", "spans": {"CVE_ID: CVE-2023-33283": [[24, 38]], "VULNERABILITY: cross-site scripting": [[53, 73]], "SYSTEM: Progress Telerik": [[84, 100]], "ORGANIZATION: Palo Alto Unit 42": [[102, 119]], "THREAT_ACTOR: Salt Typhoon": [[153, 165]], "MALWARE: IcedID": [[201, 207]], "HASH: d4a5b15852857c7799f3bfad0588d8bc5da8b424": [[215, 255]], "FILEPATH: /dev/shm/beacon.dll": [[277, 296]], "URL: http://syncupdate.link/callback": [[331, 362]], "IP_ADDRESS: 82.16.98.179": [[383, 395]]}, "info": {"id": "synth_v2_00747", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2020-43118 is a critical CSRF vulnerability affecting Citrix NetScaler. Secureworks confirmed active exploitation by Lazarus Group in the wild. Exploitation delivers PlugX (SHA1: d6b0837fa05936d1279b02537e22ac498b0e9a0c) which is dropped to /usr/local/bin/ntds.dit. 
The exploit payload is hosted at hxxps://relayedge.org/portal/verify and communicates to 153.21.1.222 for C2.", "spans": {"CVE_ID: CVE-2020-43118": [[24, 38]], "VULNERABILITY: CSRF vulnerability": [[53, 71]], "SYSTEM: Citrix NetScaler": [[82, 98]], "ORGANIZATION: Secureworks": [[100, 111]], "THREAT_ACTOR: Lazarus Group": [[145, 158]], "MALWARE: PlugX": [[194, 199]], "HASH: d6b0837fa05936d1279b02537e22ac498b0e9a0c": [[207, 247]], "FILEPATH: /usr/local/bin/ntds.dit": [[269, 292]], "URL: hxxps://relayedge.org/portal/verify": [[327, 362]], "IP_ADDRESS: 153.21.1.222": [[383, 395]]}, "info": {"id": "synth_v2_00748", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2021-28231 is a critical command injection affecting Atlassian Confluence. INTERPOL confirmed active exploitation by OilRig in the wild. Exploitation delivers Vidar (SHA1: 7ab01e7b953d196f8b0a928acfb10cd90bde4145) which is dropped to C:\\Windows\\Tasks\\agent.py. The exploit payload is hosted at hxxp://staticedge.cc/assets/js/payload.js and communicates to 172.192.135.140 for C2.", "spans": {"CVE_ID: CVE-2021-28231": [[24, 38]], "VULNERABILITY: command injection": [[53, 70]], "SYSTEM: Atlassian Confluence": [[81, 101]], "ORGANIZATION: INTERPOL": [[103, 111]], "THREAT_ACTOR: OilRig": [[145, 151]], "MALWARE: Vidar": [[187, 192]], "HASH: 7ab01e7b953d196f8b0a928acfb10cd90bde4145": [[200, 240]], "FILEPATH: C:\\Windows\\Tasks\\agent.py": [[262, 287]], "URL: hxxp://staticedge.cc/assets/js/payload.js": [[322, 363]], "IP_ADDRESS: 172.192.135.140": [[384, 399]]}, "info": {"id": "synth_v2_00749", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2024-27359 is a critical null pointer dereference affecting Apache Struts. Secureworks confirmed active exploitation by Gamaredon in the wild. Exploitation delivers DarkSide (MD5: 05444ced4a8bb57227d7daf240f0db5d) which is dropped to C:\\Users\\admin\\AppData\\Local\\Temp\\beacon.dll. 
The exploit payload is hosted at hxxp://cdnauth.net/assets/js/payload.js and communicates to 172.174.133.251 for C2.", "spans": {"CVE_ID: CVE-2024-27359": [[24, 38]], "VULNERABILITY: null pointer dereference": [[53, 77]], "SYSTEM: Apache Struts": [[88, 101]], "ORGANIZATION: Secureworks": [[103, 114]], "THREAT_ACTOR: Gamaredon": [[148, 157]], "MALWARE: DarkSide": [[193, 201]], "HASH: 05444ced4a8bb57227d7daf240f0db5d": [[208, 240]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\beacon.dll": [[262, 306]], "URL: hxxp://cdnauth.net/assets/js/payload.js": [[341, 380]], "IP_ADDRESS: 172.174.133.251": [[401, 416]]}, "info": {"id": "synth_v2_00750", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2023-39714 is a critical race condition affecting Windows 11. SentinelOne confirmed active exploitation by Storm-0558 in the wild. Exploitation delivers RemcosRAT (SHA1: fe45c5659a9c6ddcaad6797958a6154e98cc6fe9) which is dropped to /var/tmp/ntds.dit. The exploit payload is hosted at http://data-static.io/wp-content/uploads/doc.php and communicates to 10.242.40.109 for C2.", "spans": {"CVE_ID: CVE-2023-39714": [[24, 38]], "VULNERABILITY: race condition": [[53, 67]], "SYSTEM: Windows 11": [[78, 88]], "ORGANIZATION: SentinelOne": [[90, 101]], "THREAT_ACTOR: Storm-0558": [[135, 145]], "MALWARE: RemcosRAT": [[181, 190]], "HASH: fe45c5659a9c6ddcaad6797958a6154e98cc6fe9": [[198, 238]], "FILEPATH: /var/tmp/ntds.dit": [[260, 277]], "URL: http://data-static.io/wp-content/uploads/doc.php": [[312, 360]], "IP_ADDRESS: 10.242.40.109": [[381, 394]]}, "info": {"id": "synth_v2_00751", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2021-20189 is a critical cross-site scripting affecting Juniper SRX. Europol confirmed active exploitation by TA505 in the wild. Exploitation delivers PikaBot (SHA256: 2d9ff1644ba1e506184ce408d52f799cb89fce0f777e897f945b7010d6171784) which is dropped to /usr/local/bin/config.dat. 
The exploit payload is hosted at https://updatecdn.com/download/update.exe and communicates to 84.190.28.98 for C2.", "spans": {"CVE_ID: CVE-2021-20189": [[24, 38]], "VULNERABILITY: cross-site scripting": [[53, 73]], "SYSTEM: Juniper SRX": [[84, 95]], "ORGANIZATION: Europol": [[97, 104]], "THREAT_ACTOR: TA505": [[138, 143]], "MALWARE: PikaBot": [[179, 186]], "HASH: 2d9ff1644ba1e506184ce408d52f799cb89fce0f777e897f945b7010d6171784": [[196, 260]], "FILEPATH: /usr/local/bin/config.dat": [[282, 307]], "URL: https://updatecdn.com/download/update.exe": [[342, 383]], "IP_ADDRESS: 84.190.28.98": [[404, 416]]}, "info": {"id": "synth_v2_00752", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2023-20708 is a critical race condition affecting Cisco ASA. Zscaler ThreatLabz confirmed active exploitation by Turla in the wild. Exploitation delivers Emotet (MD5: 7045ea00c0b7d54d0869c8dbcfad3acc) which is dropped to /home/user/.config/winlogon.exe. The exploit payload is hosted at http://cdnstorage.link/portal/verify and communicates to 202.222.220.128 for C2.", "spans": {"CVE_ID: CVE-2023-20708": [[24, 38]], "VULNERABILITY: race condition": [[53, 67]], "SYSTEM: Cisco ASA": [[78, 87]], "ORGANIZATION: Zscaler ThreatLabz": [[89, 107]], "THREAT_ACTOR: Turla": [[141, 146]], "MALWARE: Emotet": [[182, 188]], "HASH: 7045ea00c0b7d54d0869c8dbcfad3acc": [[195, 227]], "FILEPATH: /home/user/.config/winlogon.exe": [[249, 280]], "URL: http://cdnstorage.link/portal/verify": [[315, 351]], "IP_ADDRESS: 202.222.220.128": [[372, 387]]}, "info": {"id": "synth_v2_00753", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2024-42717 is a critical IDOR vulnerability affecting Zyxel USG. Sophos X-Ops confirmed active exploitation by Mustang Panda in the wild. Exploitation delivers BumbleBee (MD5: 6ba3dfb264e42d2e047003c2f022ffe5) which is dropped to /etc/cron.d/backdoor.elf. 
The exploit payload is hosted at hxxps://datacloud.link/callback and communicates to 192.230.157.197 for C2.", "spans": {"CVE_ID: CVE-2024-42717": [[24, 38]], "VULNERABILITY: IDOR vulnerability": [[53, 71]], "SYSTEM: Zyxel USG": [[82, 91]], "ORGANIZATION: Sophos X-Ops": [[93, 105]], "THREAT_ACTOR: Mustang Panda": [[139, 152]], "MALWARE: BumbleBee": [[188, 197]], "HASH: 6ba3dfb264e42d2e047003c2f022ffe5": [[204, 236]], "FILEPATH: /etc/cron.d/backdoor.elf": [[258, 282]], "URL: hxxps://datacloud.link/callback": [[317, 348]], "IP_ADDRESS: 192.230.157.197": [[369, 384]]}, "info": {"id": "synth_v2_00754", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2024-27359 is a critical privilege escalation affecting Fortinet FortiGate. Huntress confirmed active exploitation by Diamond Sleet in the wild. Exploitation delivers QakBot (SHA256: a2778483ab62ab0f27a6e399ad3ba7a0ce085621495106638a87e34321db872d) which is dropped to C:\\Windows\\Temp\\ntds.dit. The exploit payload is hosted at https://storagestatic.cc/wp-content/uploads/doc.php and communicates to 87.148.27.28 for C2.", "spans": {"CVE_ID: CVE-2024-27359": [[24, 38]], "VULNERABILITY: privilege escalation": [[53, 73]], "SYSTEM: Fortinet FortiGate": [[84, 102]], "ORGANIZATION: Huntress": [[104, 112]], "THREAT_ACTOR: Diamond Sleet": [[146, 159]], "MALWARE: QakBot": [[195, 201]], "HASH: a2778483ab62ab0f27a6e399ad3ba7a0ce085621495106638a87e34321db872d": [[211, 275]], "FILEPATH: C:\\Windows\\Temp\\ntds.dit": [[297, 321]], "URL: https://storagestatic.cc/wp-content/uploads/doc.php": [[356, 407]], "IP_ADDRESS: 87.148.27.28": [[428, 440]]}, "info": {"id": "synth_v2_00755", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2022-34807 is a critical cross-site scripting affecting Fortinet FortiGate. Microsoft MSRC confirmed active exploitation by Gamaredon in the wild. 
Exploitation delivers IcedID (SHA256: 7098c8a6063d5b46574f7562136200aafd24c2c5205ab16d424a1d97131f4e5a) which is dropped to C:\\Users\\admin\\Desktop\\svchost.exe. The exploit payload is hosted at hxxp://proxybackup.site/secure/token and communicates to 47.231.219.247 for C2.", "spans": {"CVE_ID: CVE-2022-34807": [[24, 38]], "VULNERABILITY: cross-site scripting": [[53, 73]], "SYSTEM: Fortinet FortiGate": [[84, 102]], "ORGANIZATION: Microsoft MSRC": [[104, 118]], "THREAT_ACTOR: Gamaredon": [[152, 161]], "MALWARE: IcedID": [[197, 203]], "HASH: 7098c8a6063d5b46574f7562136200aafd24c2c5205ab16d424a1d97131f4e5a": [[213, 277]], "FILEPATH: C:\\Users\\admin\\Desktop\\svchost.exe": [[299, 333]], "URL: hxxp://proxybackup.site/secure/token": [[368, 404]], "IP_ADDRESS: 47.231.219.247": [[425, 439]]}, "info": {"id": "synth_v2_00756", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2021-23031 is a critical authentication bypass affecting Active Directory. Secureworks confirmed active exploitation by Ember Bear in the wild. Exploitation delivers Lumma Stealer (SHA1: 4019b0ea00c1c11c338cbd517b767cfb47f34059) which is dropped to C:\\Users\\admin\\Desktop\\beacon.dll. The exploit payload is hosted at hxxps://cdnupdate.link/api/v2/auth and communicates to 10.190.128.137 for C2.", "spans": {"CVE_ID: CVE-2021-23031": [[24, 38]], "VULNERABILITY: authentication bypass": [[53, 74]], "SYSTEM: Active Directory": [[85, 101]], "ORGANIZATION: Secureworks": [[103, 114]], "THREAT_ACTOR: Ember Bear": [[148, 158]], "MALWARE: Lumma Stealer": [[194, 207]], "HASH: 4019b0ea00c1c11c338cbd517b767cfb47f34059": [[215, 255]], "FILEPATH: C:\\Users\\admin\\Desktop\\beacon.dll": [[277, 310]], "URL: hxxps://cdnupdate.link/api/v2/auth": [[345, 379]], "IP_ADDRESS: 10.190.128.137": [[400, 414]]}, "info": {"id": "synth_v2_00757", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2026-46256 is a critical memory corruption affecting Citrix NetScaler. 
Cisco Talos confirmed active exploitation by Salt Typhoon in the wild. Exploitation delivers REvil (SHA256: d400505aa7783c4e6b7d13d3ac878455f57a9345d3f88917333b2ad9c7d7b69f) which is dropped to C:\\Program Files\\Common Files\\chrome_helper.exe. The exploit payload is hosted at http://sync-relay.org/portal/verify and communicates to 10.183.227.239 for C2.", "spans": {"CVE_ID: CVE-2026-46256": [[24, 38]], "VULNERABILITY: memory corruption": [[53, 70]], "SYSTEM: Citrix NetScaler": [[81, 97]], "ORGANIZATION: Cisco Talos": [[99, 110]], "THREAT_ACTOR: Salt Typhoon": [[144, 156]], "MALWARE: REvil": [[192, 197]], "HASH: d400505aa7783c4e6b7d13d3ac878455f57a9345d3f88917333b2ad9c7d7b69f": [[207, 271]], "FILEPATH: C:\\Program Files\\Common Files\\chrome_helper.exe": [[293, 340]], "URL: http://sync-relay.org/portal/verify": [[375, 410]], "IP_ADDRESS: 10.183.227.239": [[431, 445]]}, "info": {"id": "synth_v2_00758", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2021-20463 is a critical authentication bypass affecting Windows 11. Cisco Talos confirmed active exploitation by APT29 in the wild. Exploitation delivers ShadowPad (MD5: 668e0db3b11603a371aad1719be99e09) which is dropped to /etc/cron.d/config.dat. The exploit payload is hosted at http://mailcache.club/panel/index.html and communicates to 59.245.175.59 for C2.", "spans": {"CVE_ID: CVE-2021-20463": [[24, 38]], "VULNERABILITY: authentication bypass": [[53, 74]], "SYSTEM: Windows 11": [[85, 95]], "ORGANIZATION: Cisco Talos": [[97, 108]], "THREAT_ACTOR: APT29": [[142, 147]], "MALWARE: ShadowPad": [[183, 192]], "HASH: 668e0db3b11603a371aad1719be99e09": [[199, 231]], "FILEPATH: /etc/cron.d/config.dat": [[253, 275]], "URL: http://mailcache.club/panel/index.html": [[310, 348]], "IP_ADDRESS: 59.245.175.59": [[369, 382]]}, "info": {"id": "synth_v2_00759", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2023-33283 is a critical CSRF vulnerability affecting Fortinet FortiGate. 
Trend Micro confirmed active exploitation by Storm-0558 in the wild. Exploitation delivers SmokeLoader (MD5: 99e8d28ce3e6999dbe578e6102b4f847) which is dropped to /home/user/.config/csrss.exe. The exploit payload is hosted at hxxps://mailsync.com/admin/config and communicates to 10.119.166.225 for C2.", "spans": {"CVE_ID: CVE-2023-33283": [[24, 38]], "VULNERABILITY: CSRF vulnerability": [[53, 71]], "SYSTEM: Fortinet FortiGate": [[82, 100]], "ORGANIZATION: Trend Micro": [[102, 113]], "THREAT_ACTOR: Storm-0558": [[147, 157]], "MALWARE: SmokeLoader": [[193, 204]], "HASH: 99e8d28ce3e6999dbe578e6102b4f847": [[211, 243]], "FILEPATH: /home/user/.config/csrss.exe": [[265, 293]], "URL: hxxps://mailsync.com/admin/config": [[328, 361]], "IP_ADDRESS: 10.119.166.225": [[382, 396]]}, "info": {"id": "synth_v2_00760", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2025-14163 is a critical heap overflow affecting Citrix NetScaler. Qualys confirmed active exploitation by Gamaredon in the wild. Exploitation delivers Dridex (MD5: 6efc84e11dda823be073efdd6c889f01) which is dropped to C:\\Windows\\Tasks\\sam.hive. The exploit payload is hosted at http://login-relay.info/admin/config and communicates to 10.57.71.242 for C2.", "spans": {"CVE_ID: CVE-2025-14163": [[24, 38]], "VULNERABILITY: heap overflow": [[53, 66]], "SYSTEM: Citrix NetScaler": [[77, 93]], "ORGANIZATION: Qualys": [[95, 101]], "THREAT_ACTOR: Gamaredon": [[135, 144]], "MALWARE: Dridex": [[180, 186]], "HASH: 6efc84e11dda823be073efdd6c889f01": [[193, 225]], "FILEPATH: C:\\Windows\\Tasks\\sam.hive": [[247, 272]], "URL: http://login-relay.info/admin/config": [[307, 343]], "IP_ADDRESS: 10.57.71.242": [[364, 376]]}, "info": {"id": "synth_v2_00761", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2022-47837 is a critical command injection affecting Apache Struts. Check Point Research confirmed active exploitation by Forest Blizzard in the wild. 
Exploitation delivers Emotet (SHA1: 050a5c5564dc56db5aa304aead04ed676d976dfa) which is dropped to C:\\Users\\admin\\AppData\\Local\\Temp\\chrome_helper.exe. The exploit payload is hosted at http://secureapi.dev/secure/token and communicates to 172.86.15.50 for C2.", "spans": {"CVE_ID: CVE-2022-47837": [[24, 38]], "VULNERABILITY: command injection": [[53, 70]], "SYSTEM: Apache Struts": [[81, 94]], "ORGANIZATION: Check Point Research": [[96, 116]], "THREAT_ACTOR: Forest Blizzard": [[150, 165]], "MALWARE: Emotet": [[201, 207]], "HASH: 050a5c5564dc56db5aa304aead04ed676d976dfa": [[215, 255]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\chrome_helper.exe": [[277, 328]], "URL: http://secureapi.dev/secure/token": [[363, 396]], "IP_ADDRESS: 172.86.15.50": [[417, 429]]}, "info": {"id": "synth_v2_00762", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2024-26162 is a critical command injection affecting Windows 11. Kaspersky GReAT confirmed active exploitation by Gamaredon in the wild. Exploitation delivers Play (MD5: ac254314fc38852677d4cbe7684abd48) which is dropped to /opt/app/bin/helper.sh. The exploit payload is hosted at hxxp://storage-edge.io/portal/verify and communicates to 183.99.16.99 for C2.", "spans": {"CVE_ID: CVE-2024-26162": [[24, 38]], "VULNERABILITY: command injection": [[53, 70]], "SYSTEM: Windows 11": [[81, 91]], "ORGANIZATION: Kaspersky GReAT": [[93, 108]], "THREAT_ACTOR: Gamaredon": [[142, 151]], "MALWARE: Play": [[187, 191]], "HASH: ac254314fc38852677d4cbe7684abd48": [[198, 230]], "FILEPATH: /opt/app/bin/helper.sh": [[252, 274]], "URL: hxxp://storage-edge.io/portal/verify": [[309, 345]], "IP_ADDRESS: 183.99.16.99": [[366, 378]]}, "info": {"id": "synth_v2_00763", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2020-26049 is a critical remote code execution affecting VMware ESXi. NSA confirmed active exploitation by Turla in the wild. 
Exploitation delivers SystemBC (SHA1: 14885c9b4aedebb6e76e93491a1f55faca017c83) which is dropped to /usr/local/bin/backdoor.elf. The exploit payload is hosted at http://nodeapi.live/secure/token and communicates to 192.202.225.122 for C2.", "spans": {"CVE_ID: CVE-2020-26049": [[24, 38]], "VULNERABILITY: remote code execution": [[53, 74]], "SYSTEM: VMware ESXi": [[85, 96]], "ORGANIZATION: NSA": [[98, 101]], "THREAT_ACTOR: Turla": [[135, 140]], "MALWARE: SystemBC": [[176, 184]], "HASH: 14885c9b4aedebb6e76e93491a1f55faca017c83": [[192, 232]], "FILEPATH: /usr/local/bin/backdoor.elf": [[254, 281]], "URL: http://nodeapi.live/secure/token": [[316, 348]], "IP_ADDRESS: 192.202.225.122": [[369, 384]]}, "info": {"id": "synth_v2_00764", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2024-23934 is a critical deserialization flaw affecting Active Directory. Dragos confirmed active exploitation by Forest Blizzard in the wild. Exploitation delivers Latrodectus (SHA1: e44dcf22967b3149e6b8edffb8972530d2749634) which is dropped to C:\\Users\\Public\\Documents\\svchost.exe. The exploit payload is hosted at hxxp://proxy-static.cc/gate.php and communicates to 192.107.185.177 for C2.", "spans": {"CVE_ID: CVE-2024-23934": [[24, 38]], "VULNERABILITY: deserialization flaw": [[53, 73]], "SYSTEM: Active Directory": [[84, 100]], "ORGANIZATION: Dragos": [[102, 108]], "THREAT_ACTOR: Forest Blizzard": [[142, 157]], "MALWARE: Latrodectus": [[193, 204]], "HASH: e44dcf22967b3149e6b8edffb8972530d2749634": [[212, 252]], "FILEPATH: C:\\Users\\Public\\Documents\\svchost.exe": [[274, 311]], "URL: hxxp://proxy-static.cc/gate.php": [[346, 377]], "IP_ADDRESS: 192.107.185.177": [[398, 413]]}, "info": {"id": "synth_v2_00765", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2024-13665 is a critical command injection affecting Progress Telerik. Palo Alto Unit 42 confirmed active exploitation by Charming Kitten in the wild. 
Exploitation delivers BatLoader (SHA256: 8c05dd6045d271af6a8fb0e24287cad6e144164be7e8dbb6735dbabadfae4d22) which is dropped to C:\\Windows\\System32\\implant.so. The exploit payload is hosted at http://staticcache.cc/collect and communicates to 192.233.130.224 for C2.", "spans": {"CVE_ID: CVE-2024-13665": [[24, 38]], "VULNERABILITY: command injection": [[53, 70]], "SYSTEM: Progress Telerik": [[81, 97]], "ORGANIZATION: Palo Alto Unit 42": [[99, 116]], "THREAT_ACTOR: Charming Kitten": [[150, 165]], "MALWARE: BatLoader": [[201, 210]], "HASH: 8c05dd6045d271af6a8fb0e24287cad6e144164be7e8dbb6735dbabadfae4d22": [[220, 284]], "FILEPATH: C:\\Windows\\System32\\implant.so": [[306, 336]], "URL: http://staticcache.cc/collect": [[371, 400]], "IP_ADDRESS: 192.233.130.224": [[421, 436]]}, "info": {"id": "synth_v2_00766", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2023-27691 is a critical heap overflow affecting F5 BIG-IP. Europol confirmed active exploitation by Granite Typhoon in the wild. Exploitation delivers Dridex (SHA256: 0315dab475e280e354e79c3b6b7d98d58054aa0e093ee3fe03a3984a162b025a) which is dropped to C:\\Users\\admin\\Desktop\\backdoor.elf. The exploit payload is hosted at hxxp://loginsync.site/login and communicates to 172.53.140.215 for C2.", "spans": {"CVE_ID: CVE-2023-27691": [[24, 38]], "VULNERABILITY: heap overflow": [[53, 66]], "SYSTEM: F5 BIG-IP": [[77, 86]], "ORGANIZATION: Europol": [[88, 95]], "THREAT_ACTOR: Granite Typhoon": [[129, 144]], "MALWARE: Dridex": [[180, 186]], "HASH: 0315dab475e280e354e79c3b6b7d98d58054aa0e093ee3fe03a3984a162b025a": [[196, 260]], "FILEPATH: C:\\Users\\admin\\Desktop\\backdoor.elf": [[282, 317]], "URL: hxxp://loginsync.site/login": [[352, 379]], "IP_ADDRESS: 172.53.140.215": [[400, 414]]}, "info": {"id": "synth_v2_00767", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2023-23730 is a critical privilege escalation affecting Palo Alto PAN-OS. 
Tenable confirmed active exploitation by Kimsuky in the wild. Exploitation delivers Latrodectus (MD5: e68820a74f0b966c54a92f472f3063fd) which is dropped to /dev/shm/svchost.exe. The exploit payload is hosted at hxxps://data-cache.link/download/update.exe and communicates to 192.230.83.134 for C2.", "spans": {"CVE_ID: CVE-2023-23730": [[24, 38]], "VULNERABILITY: privilege escalation": [[53, 73]], "SYSTEM: Palo Alto PAN-OS": [[84, 100]], "ORGANIZATION: Tenable": [[102, 109]], "THREAT_ACTOR: Kimsuky": [[143, 150]], "MALWARE: Latrodectus": [[186, 197]], "HASH: e68820a74f0b966c54a92f472f3063fd": [[204, 236]], "FILEPATH: /dev/shm/svchost.exe": [[258, 278]], "URL: hxxps://data-cache.link/download/update.exe": [[313, 356]], "IP_ADDRESS: 192.230.83.134": [[377, 391]]}, "info": {"id": "synth_v2_00768", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2022-32541 is a critical null pointer dereference affecting Palo Alto PAN-OS. Google TAG confirmed active exploitation by Turla in the wild. Exploitation delivers Emotet (SHA1: 6ffd0536fe3267b8116f4f2fb2cc647326325d14) which is dropped to C:\\Windows\\Temp\\chrome_helper.exe. The exploit payload is hosted at hxxp://cdn-auth.com/wp-content/uploads/doc.php and communicates to 192.108.85.38 for C2.", "spans": {"CVE_ID: CVE-2022-32541": [[24, 38]], "VULNERABILITY: null pointer dereference": [[53, 77]], "SYSTEM: Palo Alto PAN-OS": [[88, 104]], "ORGANIZATION: Google TAG": [[106, 116]], "THREAT_ACTOR: Turla": [[150, 155]], "MALWARE: Emotet": [[191, 197]], "HASH: 6ffd0536fe3267b8116f4f2fb2cc647326325d14": [[205, 245]], "FILEPATH: C:\\Windows\\Temp\\chrome_helper.exe": [[267, 300]], "URL: hxxp://cdn-auth.com/wp-content/uploads/doc.php": [[335, 381]], "IP_ADDRESS: 192.108.85.38": [[402, 415]]}, "info": {"id": "synth_v2_00769", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2026-29234 is a critical race condition affecting Zyxel USG. Dragos confirmed active exploitation by Sandworm in the wild. 
Exploitation delivers RedLine Stealer (MD5: 2b2d2064ca04c1eb9c88184e87fd5425) which is dropped to C:\\Users\\admin\\Desktop\\chrome_helper.exe. The exploit payload is hosted at hxxps://portalauth.com/portal/verify and communicates to 30.23.15.131 for C2.", "spans": {"CVE_ID: CVE-2026-29234": [[24, 38]], "VULNERABILITY: race condition": [[53, 67]], "SYSTEM: Zyxel USG": [[78, 87]], "ORGANIZATION: Dragos": [[89, 95]], "THREAT_ACTOR: Sandworm": [[129, 137]], "MALWARE: RedLine Stealer": [[173, 188]], "HASH: 2b2d2064ca04c1eb9c88184e87fd5425": [[195, 227]], "FILEPATH: C:\\Users\\admin\\Desktop\\chrome_helper.exe": [[249, 289]], "URL: hxxps://portalauth.com/portal/verify": [[324, 360]], "IP_ADDRESS: 30.23.15.131": [[381, 393]]}, "info": {"id": "synth_v2_00770", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2020-25247 is a critical command injection affecting Barracuda ESG. Trend Micro confirmed active exploitation by Scattered Spider in the wild. Exploitation delivers AsyncRAT (MD5: 4d0aea4ed2b55be5e8db4b48e2aeadb6) which is dropped to C:\\Program Files\\Common Files\\shell.php. The exploit payload is hosted at hxxp://proxy-sync.site/wp-content/uploads/doc.php and communicates to 167.124.43.151 for C2.", "spans": {"CVE_ID: CVE-2020-25247": [[24, 38]], "VULNERABILITY: command injection": [[53, 70]], "SYSTEM: Barracuda ESG": [[81, 94]], "ORGANIZATION: Trend Micro": [[96, 107]], "THREAT_ACTOR: Scattered Spider": [[141, 157]], "MALWARE: AsyncRAT": [[193, 201]], "HASH: 4d0aea4ed2b55be5e8db4b48e2aeadb6": [[208, 240]], "FILEPATH: C:\\Program Files\\Common Files\\shell.php": [[262, 301]], "URL: hxxp://proxy-sync.site/wp-content/uploads/doc.php": [[336, 385]], "IP_ADDRESS: 167.124.43.151": [[406, 420]]}, "info": {"id": "synth_v2_00771", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2021-48618 is a critical remote code execution affecting Windows Server 2019. Cisco Talos confirmed active exploitation by Flax Typhoon in the wild. 
Exploitation delivers IcedID (SHA1: c251d94de92f923e4ae900910fcb3418392b328a) which is dropped to /opt/app/bin/svchost.exe. The exploit payload is hosted at http://syncstorage.club/gate.php and communicates to 172.206.93.1 for C2.", "spans": {"CVE_ID: CVE-2021-48618": [[24, 38]], "VULNERABILITY: remote code execution": [[53, 74]], "SYSTEM: Windows Server 2019": [[85, 104]], "ORGANIZATION: Cisco Talos": [[106, 117]], "THREAT_ACTOR: Flax Typhoon": [[151, 163]], "MALWARE: IcedID": [[199, 205]], "HASH: c251d94de92f923e4ae900910fcb3418392b328a": [[213, 253]], "FILEPATH: /opt/app/bin/svchost.exe": [[275, 299]], "URL: http://syncstorage.club/gate.php": [[334, 366]], "IP_ADDRESS: 172.206.93.1": [[387, 399]]}, "info": {"id": "synth_v2_00772", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2020-12082 is a critical SSRF vulnerability affecting SonicWall SMA. Symantec confirmed active exploitation by Lazarus Group in the wild. Exploitation delivers Play (MD5: 8643e8182fa94cb9307cb7319794865c) which is dropped to /home/user/.config/svchost.exe. The exploit payload is hosted at hxxps://portal-mail.info/assets/js/payload.js and communicates to 109.137.47.19 for C2.", "spans": {"CVE_ID: CVE-2020-12082": [[24, 38]], "VULNERABILITY: SSRF vulnerability": [[53, 71]], "SYSTEM: SonicWall SMA": [[82, 95]], "ORGANIZATION: Symantec": [[97, 105]], "THREAT_ACTOR: Lazarus Group": [[139, 152]], "MALWARE: Play": [[188, 192]], "HASH: 8643e8182fa94cb9307cb7319794865c": [[199, 231]], "FILEPATH: /home/user/.config/svchost.exe": [[253, 283]], "URL: hxxps://portal-mail.info/assets/js/payload.js": [[318, 363]], "IP_ADDRESS: 109.137.47.19": [[384, 397]]}, "info": {"id": "synth_v2_00773", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2026-27261 is a critical heap overflow affecting VMware ESXi. Proofpoint confirmed active exploitation by Storm-0558 in the wild. 
Exploitation delivers Latrodectus (SHA1: 37387c458e263b650c112361cd4438bb272b5fc8) which is dropped to /tmp/agent.py. The exploit payload is hosted at hxxp://mail-edge.link/callback and communicates to 198.240.21.134 for C2.", "spans": {"CVE_ID: CVE-2026-27261": [[24, 38]], "VULNERABILITY: heap overflow": [[53, 66]], "SYSTEM: VMware ESXi": [[77, 88]], "ORGANIZATION: Proofpoint": [[90, 100]], "THREAT_ACTOR: Storm-0558": [[134, 144]], "MALWARE: Latrodectus": [[180, 191]], "HASH: 37387c458e263b650c112361cd4438bb272b5fc8": [[199, 239]], "FILEPATH: /tmp/agent.py": [[261, 274]], "URL: hxxp://mail-edge.link/callback": [[309, 339]], "IP_ADDRESS: 198.240.21.134": [[360, 374]]}, "info": {"id": "synth_v2_00774", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2021-16078 is a critical race condition affecting Barracuda ESG. Volexity confirmed active exploitation by MuddyWater in the wild. Exploitation delivers PikaBot (SHA1: 6774da75820153f24a246844490bb2613b592c28) which is dropped to C:\\Users\\Public\\Documents\\beacon.dll. The exploit payload is hosted at http://node-data.io/panel/index.html and communicates to 41.198.235.201 for C2.", "spans": {"CVE_ID: CVE-2021-16078": [[24, 38]], "VULNERABILITY: race condition": [[53, 67]], "SYSTEM: Barracuda ESG": [[78, 91]], "ORGANIZATION: Volexity": [[93, 101]], "THREAT_ACTOR: MuddyWater": [[135, 145]], "MALWARE: PikaBot": [[181, 188]], "HASH: 6774da75820153f24a246844490bb2613b592c28": [[196, 236]], "FILEPATH: C:\\Users\\Public\\Documents\\beacon.dll": [[258, 294]], "URL: http://node-data.io/panel/index.html": [[329, 365]], "IP_ADDRESS: 41.198.235.201": [[386, 400]]}, "info": {"id": "synth_v2_00775", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2026-44676 is a critical type confusion affecting Ubuntu 22.04. SentinelOne confirmed active exploitation by Forest Blizzard in the wild. 
Exploitation delivers StealC (SHA256: 192e7cd254c47e5b57572f45e793c72169d8a5c3df7678d86ebb58f3fe61eae9) which is dropped to /var/tmp/payload.bin. The exploit payload is hosted at http://apicache.online/login and communicates to 172.219.92.93 for C2.", "spans": {"CVE_ID: CVE-2026-44676": [[24, 38]], "VULNERABILITY: type confusion": [[53, 67]], "SYSTEM: Ubuntu 22.04": [[78, 90]], "ORGANIZATION: SentinelOne": [[92, 103]], "THREAT_ACTOR: Forest Blizzard": [[137, 152]], "MALWARE: StealC": [[188, 194]], "HASH: 192e7cd254c47e5b57572f45e793c72169d8a5c3df7678d86ebb58f3fe61eae9": [[204, 268]], "FILEPATH: /var/tmp/payload.bin": [[290, 310]], "URL: http://apicache.online/login": [[345, 373]], "IP_ADDRESS: 172.219.92.93": [[394, 407]]}, "info": {"id": "synth_v2_00776", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2021-37493 is a critical privilege escalation affecting SonicWall SMA. Symantec confirmed active exploitation by BlackTech in the wild. Exploitation delivers BlackCat (MD5: bba9f322d12b18d6723dc3d7d532f696) which is dropped to C:\\ProgramData\\sam.hive. The exploit payload is hosted at hxxps://apiedge.live/collect and communicates to 117.95.194.4 for C2.", "spans": {"CVE_ID: CVE-2021-37493": [[24, 38]], "VULNERABILITY: privilege escalation": [[53, 73]], "SYSTEM: SonicWall SMA": [[84, 97]], "ORGANIZATION: Symantec": [[99, 107]], "THREAT_ACTOR: BlackTech": [[141, 150]], "MALWARE: BlackCat": [[186, 194]], "HASH: bba9f322d12b18d6723dc3d7d532f696": [[201, 233]], "FILEPATH: C:\\ProgramData\\sam.hive": [[255, 278]], "URL: hxxps://apiedge.live/collect": [[313, 341]], "IP_ADDRESS: 117.95.194.4": [[362, 374]]}, "info": {"id": "synth_v2_00777", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2024-30673 is a critical CSRF vulnerability affecting Atlassian Confluence. Palo Alto Unit 42 confirmed active exploitation by Turla in the wild. 
Exploitation delivers IcedID (SHA1: a54849f46f2a2cd2cbeaa8926bd479a1d316da5f) which is dropped to C:\\Users\\Public\\Documents\\dropper.ps1. The exploit payload is hosted at http://login-proxy.info/collect and communicates to 125.233.148.181 for C2.", "spans": {"CVE_ID: CVE-2024-30673": [[24, 38]], "VULNERABILITY: CSRF vulnerability": [[53, 71]], "SYSTEM: Atlassian Confluence": [[82, 102]], "ORGANIZATION: Palo Alto Unit 42": [[104, 121]], "THREAT_ACTOR: Turla": [[155, 160]], "MALWARE: IcedID": [[196, 202]], "HASH: a54849f46f2a2cd2cbeaa8926bd479a1d316da5f": [[210, 250]], "FILEPATH: C:\\Users\\Public\\Documents\\dropper.ps1": [[272, 309]], "URL: http://login-proxy.info/collect": [[344, 375]], "IP_ADDRESS: 125.233.148.181": [[396, 411]]}, "info": {"id": "synth_v2_00778", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2021-34898 is a critical deserialization flaw affecting Ubuntu 22.04. INTERPOL confirmed active exploitation by OilRig in the wild. Exploitation delivers IcedID (SHA1: 5784d45f69a6909b1226dd4ff004916d811ace43) which is dropped to C:\\Windows\\Tasks\\update.dll. The exploit payload is hosted at https://login-static.online/panel/index.html and communicates to 36.223.136.46 for C2.", "spans": {"CVE_ID: CVE-2021-34898": [[24, 38]], "VULNERABILITY: deserialization flaw": [[53, 73]], "SYSTEM: Ubuntu 22.04": [[84, 96]], "ORGANIZATION: INTERPOL": [[98, 106]], "THREAT_ACTOR: OilRig": [[140, 146]], "MALWARE: IcedID": [[182, 188]], "HASH: 5784d45f69a6909b1226dd4ff004916d811ace43": [[196, 236]], "FILEPATH: C:\\Windows\\Tasks\\update.dll": [[258, 285]], "URL: https://login-static.online/panel/index.html": [[320, 364]], "IP_ADDRESS: 36.223.136.46": [[385, 398]]}, "info": {"id": "synth_v2_00779", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2023-33283 is a critical integer overflow affecting Active Directory. FireEye confirmed active exploitation by Salt Typhoon in the wild. 
Exploitation delivers DanaBot (MD5: fee1d7424b0d7e8162c65fa3b1cf75bc) which is dropped to C:\\Windows\\System32\\payload.bin. The exploit payload is hosted at hxxp://cdnstorage.site/login and communicates to 10.177.150.96 for C2.", "spans": {"CVE_ID: CVE-2023-33283": [[24, 38]], "VULNERABILITY: integer overflow": [[53, 69]], "SYSTEM: Active Directory": [[80, 96]], "ORGANIZATION: FireEye": [[98, 105]], "THREAT_ACTOR: Salt Typhoon": [[139, 151]], "MALWARE: DanaBot": [[187, 194]], "HASH: fee1d7424b0d7e8162c65fa3b1cf75bc": [[201, 233]], "FILEPATH: C:\\Windows\\System32\\payload.bin": [[255, 286]], "URL: hxxp://cdnstorage.site/login": [[321, 349]], "IP_ADDRESS: 10.177.150.96": [[370, 383]]}, "info": {"id": "synth_v2_00780", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2026-10752 is a critical buffer overflow affecting MOVEit Transfer. CrowdStrike confirmed active exploitation by Sandworm in the wild. Exploitation delivers BlackCat (SHA256: 5f0ad18e93b1440da3a0705e96a645fa180928b3fa457be1585cf97d97751d69) which is dropped to /usr/local/bin/beacon.dll. The exploit payload is hosted at http://gatewaysync.com/download/update.exe and communicates to 10.204.112.237 for C2.", "spans": {"CVE_ID: CVE-2026-10752": [[24, 38]], "VULNERABILITY: buffer overflow": [[53, 68]], "SYSTEM: MOVEit Transfer": [[79, 94]], "ORGANIZATION: CrowdStrike": [[96, 107]], "THREAT_ACTOR: Sandworm": [[141, 149]], "MALWARE: BlackCat": [[185, 193]], "HASH: 5f0ad18e93b1440da3a0705e96a645fa180928b3fa457be1585cf97d97751d69": [[203, 267]], "FILEPATH: /usr/local/bin/beacon.dll": [[289, 314]], "URL: http://gatewaysync.com/download/update.exe": [[349, 391]], "IP_ADDRESS: 10.204.112.237": [[412, 426]]}, "info": {"id": "synth_v2_00781", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2026-17507 is a critical authentication bypass affecting Barracuda ESG. INTERPOL confirmed active exploitation by Forest Blizzard in the wild. 
Exploitation delivers SmokeLoader (SHA256: 87299dc1f387a9bb484c322a6f0f50bc1facbb07171148ba5a34224f74637875) which is dropped to C:\\Windows\\Tasks\\helper.sh. The exploit payload is hosted at hxxp://proxy-node.top/download/update.exe and communicates to 185.143.2.15 for C2.", "spans": {"CVE_ID: CVE-2026-17507": [[24, 38]], "VULNERABILITY: authentication bypass": [[53, 74]], "SYSTEM: Barracuda ESG": [[85, 98]], "ORGANIZATION: INTERPOL": [[100, 108]], "THREAT_ACTOR: Forest Blizzard": [[142, 157]], "MALWARE: SmokeLoader": [[193, 204]], "HASH: 87299dc1f387a9bb484c322a6f0f50bc1facbb07171148ba5a34224f74637875": [[214, 278]], "FILEPATH: C:\\Windows\\Tasks\\helper.sh": [[300, 326]], "URL: hxxp://proxy-node.top/download/update.exe": [[361, 402]], "IP_ADDRESS: 185.143.2.15": [[423, 435]]}, "info": {"id": "synth_v2_00782", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2021-32059 is a critical SSRF vulnerability affecting Ubuntu 22.04. Proofpoint confirmed active exploitation by BlackTech in the wild. Exploitation delivers Emotet (SHA256: 042fb290fe9035bf2a412109049ee3591bf6f44d89657d81b364a8cf376c0d45) which is dropped to C:\\Users\\admin\\Downloads\\sam.hive. The exploit payload is hosted at hxxps://edgecdn.net/collect and communicates to 2.246.33.16 for C2.", "spans": {"CVE_ID: CVE-2021-32059": [[24, 38]], "VULNERABILITY: SSRF vulnerability": [[53, 71]], "SYSTEM: Ubuntu 22.04": [[82, 94]], "ORGANIZATION: Proofpoint": [[96, 106]], "THREAT_ACTOR: BlackTech": [[140, 149]], "MALWARE: Emotet": [[185, 191]], "HASH: 042fb290fe9035bf2a412109049ee3591bf6f44d89657d81b364a8cf376c0d45": [[201, 265]], "FILEPATH: C:\\Users\\admin\\Downloads\\sam.hive": [[287, 320]], "URL: hxxps://edgecdn.net/collect": [[355, 382]], "IP_ADDRESS: 2.246.33.16": [[403, 414]]}, "info": {"id": "synth_v2_00783", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2021-37493 is a critical heap overflow affecting Fortinet FortiGate. 
Dragos confirmed active exploitation by APT29 in the wild. Exploitation delivers ShadowPad (SHA1: 4a10e5004ae471c4b1bf8337e98e2267f087bff2) which is dropped to C:\\ProgramData\\ntds.dit. The exploit payload is hosted at hxxp://cdncache.org/login and communicates to 192.22.185.59 for C2.", "spans": {"CVE_ID: CVE-2021-37493": [[24, 38]], "VULNERABILITY: heap overflow": [[53, 66]], "SYSTEM: Fortinet FortiGate": [[77, 95]], "ORGANIZATION: Dragos": [[97, 103]], "THREAT_ACTOR: APT29": [[137, 142]], "MALWARE: ShadowPad": [[178, 187]], "HASH: 4a10e5004ae471c4b1bf8337e98e2267f087bff2": [[195, 235]], "FILEPATH: C:\\ProgramData\\ntds.dit": [[257, 280]], "URL: hxxp://cdncache.org/login": [[315, 340]], "IP_ADDRESS: 192.22.185.59": [[361, 374]]}, "info": {"id": "synth_v2_00784", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2024-24392 is a critical buffer overflow affecting Windows Server 2019. FBI confirmed active exploitation by Charming Kitten in the wild. Exploitation delivers ShadowPad (SHA1: 92b73a73036a93c3213e153aaf6a65704f6a0553) which is dropped to C:\\Program Files\\Common Files\\shell.php. The exploit payload is hosted at hxxp://backupdata.link/collect and communicates to 180.44.159.144 for C2.", "spans": {"CVE_ID: CVE-2024-24392": [[24, 38]], "VULNERABILITY: buffer overflow": [[53, 68]], "SYSTEM: Windows Server 2019": [[79, 98]], "ORGANIZATION: FBI": [[100, 103]], "THREAT_ACTOR: Charming Kitten": [[137, 152]], "MALWARE: ShadowPad": [[188, 197]], "HASH: 92b73a73036a93c3213e153aaf6a65704f6a0553": [[205, 245]], "FILEPATH: C:\\Program Files\\Common Files\\shell.php": [[267, 306]], "URL: hxxp://backupdata.link/collect": [[341, 371]], "IP_ADDRESS: 180.44.159.144": [[392, 406]]}, "info": {"id": "synth_v2_00785", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2022-14558 is a critical SSRF vulnerability affecting Ivanti Connect Secure. Microsoft MSRC confirmed active exploitation by Sandworm in the wild. 
Exploitation delivers AsyncRAT (SHA1: ad3f3e639ebc77f8b929e14e5aeafad76291b28a) which is dropped to C:\\ProgramData\\runtime.dll. The exploit payload is hosted at hxxp://static-node.dev/gate.php and communicates to 72.241.59.106 for C2.", "spans": {"CVE_ID: CVE-2022-14558": [[24, 38]], "VULNERABILITY: SSRF vulnerability": [[53, 71]], "SYSTEM: Ivanti Connect Secure": [[82, 103]], "ORGANIZATION: Microsoft MSRC": [[105, 119]], "THREAT_ACTOR: Sandworm": [[153, 161]], "MALWARE: AsyncRAT": [[197, 205]], "HASH: ad3f3e639ebc77f8b929e14e5aeafad76291b28a": [[213, 253]], "FILEPATH: C:\\ProgramData\\runtime.dll": [[275, 301]], "URL: hxxp://static-node.dev/gate.php": [[336, 367]], "IP_ADDRESS: 72.241.59.106": [[388, 401]]}, "info": {"id": "synth_v2_00786", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2020-11739 is a critical remote code execution affecting Active Directory. Sophos X-Ops confirmed active exploitation by Silk Typhoon in the wild. Exploitation delivers RedLine Stealer (SHA1: 6263ee22586822fe4024f6d0304f03cc0edd2dd9) which is dropped to C:\\Windows\\Tasks\\backdoor.elf. The exploit payload is hosted at https://api-relay.dev/wp-content/uploads/doc.php and communicates to 10.180.206.57 for C2.", "spans": {"CVE_ID: CVE-2020-11739": [[24, 38]], "VULNERABILITY: remote code execution": [[53, 74]], "SYSTEM: Active Directory": [[85, 101]], "ORGANIZATION: Sophos X-Ops": [[103, 115]], "THREAT_ACTOR: Silk Typhoon": [[149, 161]], "MALWARE: RedLine Stealer": [[197, 212]], "HASH: 6263ee22586822fe4024f6d0304f03cc0edd2dd9": [[220, 260]], "FILEPATH: C:\\Windows\\Tasks\\backdoor.elf": [[282, 311]], "URL: https://api-relay.dev/wp-content/uploads/doc.php": [[346, 394]], "IP_ADDRESS: 10.180.206.57": [[415, 428]]}, "info": {"id": "synth_v2_00787", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2023-34911 is a critical heap overflow affecting Citrix NetScaler. Dragos confirmed active exploitation by FIN11 in the wild. 
Exploitation delivers AsyncRAT (MD5: ebba9885f8f7ced31718ae3ded03d2c3) which is dropped to /tmp/dropper.ps1. The exploit payload is hosted at hxxp://relaycloud.cc/assets/js/payload.js and communicates to 172.139.222.10 for C2.", "spans": {"CVE_ID: CVE-2023-34911": [[24, 38]], "VULNERABILITY: heap overflow": [[53, 66]], "SYSTEM: Citrix NetScaler": [[77, 93]], "ORGANIZATION: Dragos": [[95, 101]], "THREAT_ACTOR: FIN11": [[135, 140]], "MALWARE: AsyncRAT": [[176, 184]], "HASH: ebba9885f8f7ced31718ae3ded03d2c3": [[191, 223]], "FILEPATH: /tmp/dropper.ps1": [[245, 261]], "URL: hxxp://relaycloud.cc/assets/js/payload.js": [[296, 337]], "IP_ADDRESS: 172.139.222.10": [[358, 372]]}, "info": {"id": "synth_v2_00788", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2022-45142 is a critical heap overflow affecting Microsoft Exchange. Proofpoint confirmed active exploitation by Forest Blizzard in the wild. Exploitation delivers QakBot (MD5: 9555c6895cbcfc6e59eac8900149655c) which is dropped to C:\\Users\\admin\\Desktop\\csrss.exe. The exploit payload is hosted at http://cdnrelay.live/portal/verify and communicates to 104.70.24.85 for C2.", "spans": {"CVE_ID: CVE-2022-45142": [[24, 38]], "VULNERABILITY: heap overflow": [[53, 66]], "SYSTEM: Microsoft Exchange": [[77, 95]], "ORGANIZATION: Proofpoint": [[97, 107]], "THREAT_ACTOR: Forest Blizzard": [[141, 156]], "MALWARE: QakBot": [[192, 198]], "HASH: 9555c6895cbcfc6e59eac8900149655c": [[205, 237]], "FILEPATH: C:\\Users\\admin\\Desktop\\csrss.exe": [[259, 291]], "URL: http://cdnrelay.live/portal/verify": [[326, 360]], "IP_ADDRESS: 104.70.24.85": [[381, 393]]}, "info": {"id": "synth_v2_00789", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2024-30673 is a critical integer overflow affecting Ubuntu 22.04. SentinelOne confirmed active exploitation by Kimsuky in the wild. Exploitation delivers Cobalt Strike (SHA1: da34f12d2972e8fb4fc37c5cc7f2f39b26c3f8e4) which is dropped to /dev/shm/agent.py. 
The exploit payload is hosted at https://static-cdn.io/secure/token and communicates to 41.105.93.187 for C2.", "spans": {"CVE_ID: CVE-2024-30673": [[24, 38]], "VULNERABILITY: integer overflow": [[53, 69]], "SYSTEM: Ubuntu 22.04": [[80, 92]], "ORGANIZATION: SentinelOne": [[94, 105]], "THREAT_ACTOR: Kimsuky": [[139, 146]], "MALWARE: Cobalt Strike": [[182, 195]], "HASH: da34f12d2972e8fb4fc37c5cc7f2f39b26c3f8e4": [[203, 243]], "FILEPATH: /dev/shm/agent.py": [[265, 282]], "URL: https://static-cdn.io/secure/token": [[317, 351]], "IP_ADDRESS: 41.105.93.187": [[372, 385]]}, "info": {"id": "synth_v2_00790", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2020-45741 is a critical type confusion affecting VMware ESXi. Symantec confirmed active exploitation by Scattered Spider in the wild. Exploitation delivers Gootloader (SHA256: a31dfc350e678d710b79fb8f71e9e44a434568c617ab617a3a924126c891448a) which is dropped to C:\\Windows\\Tasks\\lsass.dmp. The exploit payload is hosted at hxxps://authstatic.top/download/update.exe and communicates to 10.42.51.119 for C2.", "spans": {"CVE_ID: CVE-2020-45741": [[24, 38]], "VULNERABILITY: type confusion": [[53, 67]], "SYSTEM: VMware ESXi": [[78, 89]], "ORGANIZATION: Symantec": [[91, 99]], "THREAT_ACTOR: Scattered Spider": [[133, 149]], "MALWARE: Gootloader": [[185, 195]], "HASH: a31dfc350e678d710b79fb8f71e9e44a434568c617ab617a3a924126c891448a": [[205, 269]], "FILEPATH: C:\\Windows\\Tasks\\lsass.dmp": [[291, 317]], "URL: hxxps://authstatic.top/download/update.exe": [[352, 394]], "IP_ADDRESS: 10.42.51.119": [[415, 427]]}, "info": {"id": "synth_v2_00791", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2022-45142 is a critical authentication bypass affecting Windows Server 2019. Proofpoint confirmed active exploitation by Mustang Panda in the wild. Exploitation delivers DarkSide (SHA1: a1c2543142b0d47896b2dca69b0276b7d13281e4) which is dropped to C:\\Windows\\Tasks\\winlogon.exe. 
The exploit payload is hosted at hxxps://secure-update.dev/admin/config and communicates to 60.161.137.179 for C2.", "spans": {"CVE_ID: CVE-2022-45142": [[24, 38]], "VULNERABILITY: authentication bypass": [[53, 74]], "SYSTEM: Windows Server 2019": [[85, 104]], "ORGANIZATION: Proofpoint": [[106, 116]], "THREAT_ACTOR: Mustang Panda": [[150, 163]], "MALWARE: DarkSide": [[199, 207]], "HASH: a1c2543142b0d47896b2dca69b0276b7d13281e4": [[215, 255]], "FILEPATH: C:\\Windows\\Tasks\\winlogon.exe": [[277, 306]], "URL: hxxps://secure-update.dev/admin/config": [[341, 379]], "IP_ADDRESS: 60.161.137.179": [[400, 414]]}, "info": {"id": "synth_v2_00792", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2024-30622 is a critical remote code execution affecting Windows Server 2019. Google TAG confirmed active exploitation by Granite Typhoon in the wild. Exploitation delivers Lumma Stealer (SHA1: 0a013cec2d748bb8c192917583bfb522c6fa5953) which is dropped to /usr/local/bin/sam.hive. The exploit payload is hosted at hxxp://storage-cloud.live/secure/token and communicates to 195.25.40.82 for C2.", "spans": {"CVE_ID: CVE-2024-30622": [[24, 38]], "VULNERABILITY: remote code execution": [[53, 74]], "SYSTEM: Windows Server 2019": [[85, 104]], "ORGANIZATION: Google TAG": [[106, 116]], "THREAT_ACTOR: Granite Typhoon": [[150, 165]], "MALWARE: Lumma Stealer": [[201, 214]], "HASH: 0a013cec2d748bb8c192917583bfb522c6fa5953": [[222, 262]], "FILEPATH: /usr/local/bin/sam.hive": [[284, 307]], "URL: hxxp://storage-cloud.live/secure/token": [[342, 380]], "IP_ADDRESS: 195.25.40.82": [[401, 413]]}, "info": {"id": "synth_v2_00793", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2024-36290 is a critical remote code execution affecting Zyxel USG. Trend Micro confirmed active exploitation by Forest Blizzard in the wild. Exploitation delivers Lumma Stealer (SHA256: e73c5523060665c8e2b5559518acff04518f6b43f0870d44efb3cf4abd61592d) which is dropped to /etc/cron.d/svchost.exe. 
The exploit payload is hosted at hxxps://login-relay.cc/secure/token and communicates to 172.51.226.181 for C2.", "spans": {"CVE_ID: CVE-2024-36290": [[24, 38]], "VULNERABILITY: remote code execution": [[53, 74]], "SYSTEM: Zyxel USG": [[85, 94]], "ORGANIZATION: Trend Micro": [[96, 107]], "THREAT_ACTOR: Forest Blizzard": [[141, 156]], "MALWARE: Lumma Stealer": [[192, 205]], "HASH: e73c5523060665c8e2b5559518acff04518f6b43f0870d44efb3cf4abd61592d": [[215, 279]], "FILEPATH: /etc/cron.d/svchost.exe": [[301, 324]], "URL: hxxps://login-relay.cc/secure/token": [[359, 394]], "IP_ADDRESS: 172.51.226.181": [[415, 429]]}, "info": {"id": "synth_v2_00794", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2020-43118 is a critical remote code execution affecting Windows Server 2019. Proofpoint confirmed active exploitation by BlackTech in the wild. Exploitation delivers BlackCat (MD5: ef39cf5daffec65ed3011ca4c621141d) which is dropped to C:\\Users\\admin\\AppData\\Local\\Temp\\runtime.dll. The exploit payload is hosted at hxxps://cloud-cache.net/portal/verify and communicates to 174.110.155.198 for C2.", "spans": {"CVE_ID: CVE-2020-43118": [[24, 38]], "VULNERABILITY: remote code execution": [[53, 74]], "SYSTEM: Windows Server 2019": [[85, 104]], "ORGANIZATION: Proofpoint": [[106, 116]], "THREAT_ACTOR: BlackTech": [[150, 159]], "MALWARE: BlackCat": [[195, 203]], "HASH: ef39cf5daffec65ed3011ca4c621141d": [[210, 242]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\runtime.dll": [[264, 309]], "URL: hxxps://cloud-cache.net/portal/verify": [[344, 381]], "IP_ADDRESS: 174.110.155.198": [[402, 417]]}, "info": {"id": "synth_v2_00795", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2020-12082 is a critical CSRF vulnerability affecting Progress Telerik. Secureworks confirmed active exploitation by BlackTech in the wild. Exploitation delivers AgentTesla (SHA1: 82b86cca2b4fc9c55dbf930856b92eda568ad134) which is dropped to /var/tmp/csrss.exe. 
The exploit payload is hosted at hxxp://data-storage.dev/panel/index.html and communicates to 17.36.153.161 for C2.", "spans": {"CVE_ID: CVE-2020-12082": [[24, 38]], "VULNERABILITY: CSRF vulnerability": [[53, 71]], "SYSTEM: Progress Telerik": [[82, 98]], "ORGANIZATION: Secureworks": [[100, 111]], "THREAT_ACTOR: BlackTech": [[145, 154]], "MALWARE: AgentTesla": [[190, 200]], "HASH: 82b86cca2b4fc9c55dbf930856b92eda568ad134": [[208, 248]], "FILEPATH: /var/tmp/csrss.exe": [[270, 288]], "URL: hxxp://data-storage.dev/panel/index.html": [[323, 363]], "IP_ADDRESS: 17.36.153.161": [[384, 397]]}, "info": {"id": "synth_v2_00796", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2024-27546 is a critical privilege escalation affecting Windows 11. SentinelOne confirmed active exploitation by OilRig in the wild. Exploitation delivers XLoader (SHA1: d1695472df975d7ad4802c5d249cd422d6a89470) which is dropped to C:\\Users\\admin\\AppData\\Local\\Temp\\chrome_helper.exe. The exploit payload is hosted at hxxps://cachecache.com/callback and communicates to 19.17.30.105 for C2.", "spans": {"CVE_ID: CVE-2024-27546": [[24, 38]], "VULNERABILITY: privilege escalation": [[53, 73]], "SYSTEM: Windows 11": [[84, 94]], "ORGANIZATION: SentinelOne": [[96, 107]], "THREAT_ACTOR: OilRig": [[141, 147]], "MALWARE: XLoader": [[183, 190]], "HASH: d1695472df975d7ad4802c5d249cd422d6a89470": [[198, 238]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\chrome_helper.exe": [[260, 311]], "URL: hxxps://cachecache.com/callback": [[346, 377]], "IP_ADDRESS: 19.17.30.105": [[398, 410]]}, "info": {"id": "synth_v2_00797", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2024-26162 is a critical XXE injection affecting F5 BIG-IP. Kaspersky GReAT confirmed active exploitation by Salt Typhoon in the wild. Exploitation delivers Gootloader (SHA1: 93deeabea0344f7cf74ff9aaf76788eedf317ad2) which is dropped to /home/user/.config/shell.php. 
The exploit payload is hosted at hxxp://logincloud.top/collect and communicates to 192.123.245.129 for C2.", "spans": {"CVE_ID: CVE-2024-26162": [[24, 38]], "VULNERABILITY: XXE injection": [[53, 66]], "SYSTEM: F5 BIG-IP": [[77, 86]], "ORGANIZATION: Kaspersky GReAT": [[88, 103]], "THREAT_ACTOR: Salt Typhoon": [[137, 149]], "MALWARE: Gootloader": [[185, 195]], "HASH: 93deeabea0344f7cf74ff9aaf76788eedf317ad2": [[203, 243]], "FILEPATH: /home/user/.config/shell.php": [[265, 293]], "URL: hxxp://logincloud.top/collect": [[328, 357]], "IP_ADDRESS: 192.123.245.129": [[378, 393]]}, "info": {"id": "synth_v2_00798", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2024-40071 is a critical command injection affecting Windows Server 2019. CrowdStrike confirmed active exploitation by UNC2452 in the wild. Exploitation delivers AgentTesla (MD5: 113995bd278c2d26d1136c8ece6a299d) which is dropped to C:\\Windows\\Temp\\chrome_helper.exe. The exploit payload is hosted at hxxp://storage-storage.com/download/update.exe and communicates to 126.234.193.195 for C2.", "spans": {"CVE_ID: CVE-2024-40071": [[24, 38]], "VULNERABILITY: command injection": [[53, 70]], "SYSTEM: Windows Server 2019": [[81, 100]], "ORGANIZATION: CrowdStrike": [[102, 113]], "THREAT_ACTOR: UNC2452": [[147, 154]], "MALWARE: AgentTesla": [[190, 200]], "HASH: 113995bd278c2d26d1136c8ece6a299d": [[207, 239]], "FILEPATH: C:\\Windows\\Temp\\chrome_helper.exe": [[261, 294]], "URL: hxxp://storage-storage.com/download/update.exe": [[329, 375]], "IP_ADDRESS: 126.234.193.195": [[396, 411]]}, "info": {"id": "synth_v2_00799", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2022-14558 is a critical race condition affecting Atlassian Confluence. Kaspersky GReAT confirmed active exploitation by Turla in the wild. Exploitation delivers DanaBot (SHA256: d2b636a1d3218179b9b3b9ca6b4f57af7adcae3bde8aaa1ef441cc487c0b16be) which is dropped to C:\\Windows\\System32\\helper.sh. 
The exploit payload is hosted at hxxps://edgesync.org/admin/config and communicates to 172.94.146.28 for C2.", "spans": {"CVE_ID: CVE-2022-14558": [[24, 38]], "VULNERABILITY: race condition": [[53, 67]], "SYSTEM: Atlassian Confluence": [[78, 98]], "ORGANIZATION: Kaspersky GReAT": [[100, 115]], "THREAT_ACTOR: Turla": [[149, 154]], "MALWARE: DanaBot": [[190, 197]], "HASH: d2b636a1d3218179b9b3b9ca6b4f57af7adcae3bde8aaa1ef441cc487c0b16be": [[207, 271]], "FILEPATH: C:\\Windows\\System32\\helper.sh": [[293, 322]], "URL: hxxps://edgesync.org/admin/config": [[357, 390]], "IP_ADDRESS: 172.94.146.28": [[411, 424]]}, "info": {"id": "synth_v2_00800", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2023-27691 is a critical heap overflow affecting VMware ESXi. Recorded Future confirmed active exploitation by Velvet Tempest in the wild. Exploitation delivers WarmCookie (MD5: 1559b4b122922b6d67529a55b4882971) which is dropped to C:\\Program Files\\Common Files\\loader.exe. The exploit payload is hosted at hxxps://cdnmail.xyz/admin/config and communicates to 192.16.20.165 for C2.", "spans": {"CVE_ID: CVE-2023-27691": [[24, 38]], "VULNERABILITY: heap overflow": [[53, 66]], "SYSTEM: VMware ESXi": [[77, 88]], "ORGANIZATION: Recorded Future": [[90, 105]], "THREAT_ACTOR: Velvet Tempest": [[139, 153]], "MALWARE: WarmCookie": [[189, 199]], "HASH: 1559b4b122922b6d67529a55b4882971": [[206, 238]], "FILEPATH: C:\\Program Files\\Common Files\\loader.exe": [[260, 300]], "URL: hxxps://cdnmail.xyz/admin/config": [[335, 367]], "IP_ADDRESS: 192.16.20.165": [[388, 401]]}, "info": {"id": "synth_v2_00801", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2023-28217 is a critical buffer overflow affecting Citrix NetScaler. Symantec confirmed active exploitation by Silk Typhoon in the wild. Exploitation delivers NjRAT (SHA1: 76e7cf14b8e479b4a7e6ed1b9ba72e14f76116a5) which is dropped to C:\\Windows\\Tasks\\winlogon.exe. 
The exploit payload is hosted at hxxps://login-static.dev/portal/verify and communicates to 10.196.201.114 for C2.", "spans": {"CVE_ID: CVE-2023-28217": [[24, 38]], "VULNERABILITY: buffer overflow": [[53, 68]], "SYSTEM: Citrix NetScaler": [[79, 95]], "ORGANIZATION: Symantec": [[97, 105]], "THREAT_ACTOR: Silk Typhoon": [[139, 151]], "MALWARE: NjRAT": [[187, 192]], "HASH: 76e7cf14b8e479b4a7e6ed1b9ba72e14f76116a5": [[200, 240]], "FILEPATH: C:\\Windows\\Tasks\\winlogon.exe": [[262, 291]], "URL: hxxps://login-static.dev/portal/verify": [[326, 364]], "IP_ADDRESS: 10.196.201.114": [[385, 399]]}, "info": {"id": "synth_v2_00802", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2026-42806 is a critical XXE injection affecting Atlassian Confluence. Qualys confirmed active exploitation by Star Blizzard in the wild. Exploitation delivers DarkSide (MD5: 4fefc23485e9092b71d6b3605ce67f91) which is dropped to C:\\Windows\\Temp\\payload.bin. The exploit payload is hosted at hxxp://portal-cdn.xyz/callback and communicates to 10.87.216.80 for C2.", "spans": {"CVE_ID: CVE-2026-42806": [[24, 38]], "VULNERABILITY: XXE injection": [[53, 66]], "SYSTEM: Atlassian Confluence": [[77, 97]], "ORGANIZATION: Qualys": [[99, 105]], "THREAT_ACTOR: Star Blizzard": [[139, 152]], "MALWARE: DarkSide": [[188, 196]], "HASH: 4fefc23485e9092b71d6b3605ce67f91": [[203, 235]], "FILEPATH: C:\\Windows\\Temp\\payload.bin": [[257, 284]], "URL: hxxp://portal-cdn.xyz/callback": [[319, 349]], "IP_ADDRESS: 10.87.216.80": [[370, 382]]}, "info": {"id": "synth_v2_00803", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2024-35928 is a critical integer overflow affecting Juniper SRX. Google TAG confirmed active exploitation by Lazarus Group in the wild. Exploitation delivers AgentTesla (SHA1: c583be68a3bc16a1e28b06ec4d22afdcf6155c63) which is dropped to C:\\Users\\admin\\Downloads\\helper.sh. 
The exploit payload is hosted at http://static-login.com/api/v2/auth and communicates to 172.236.237.228 for C2.", "spans": {"CVE_ID: CVE-2024-35928": [[24, 38]], "VULNERABILITY: integer overflow": [[53, 69]], "SYSTEM: Juniper SRX": [[80, 91]], "ORGANIZATION: Google TAG": [[93, 103]], "THREAT_ACTOR: Lazarus Group": [[137, 150]], "MALWARE: AgentTesla": [[186, 196]], "HASH: c583be68a3bc16a1e28b06ec4d22afdcf6155c63": [[204, 244]], "FILEPATH: C:\\Users\\admin\\Downloads\\helper.sh": [[266, 300]], "URL: http://static-login.com/api/v2/auth": [[335, 370]], "IP_ADDRESS: 172.236.237.228": [[391, 406]]}, "info": {"id": "synth_v2_00804", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2020-11639 is a critical authentication bypass affecting Palo Alto PAN-OS. Dragos confirmed active exploitation by APT28 in the wild. Exploitation delivers RedLine Stealer (SHA256: 6cdf6ee69212478e4d7bc2e6e66ac0560cdbd013c8a6d7d651edc6751e818d21) which is dropped to C:\\Users\\Public\\Documents\\ntds.dit. The exploit payload is hosted at http://node-cache.dev/assets/js/payload.js and communicates to 10.87.34.91 for C2.", "spans": {"CVE_ID: CVE-2020-11639": [[24, 38]], "VULNERABILITY: authentication bypass": [[53, 74]], "SYSTEM: Palo Alto PAN-OS": [[85, 101]], "ORGANIZATION: Dragos": [[103, 109]], "THREAT_ACTOR: APT28": [[143, 148]], "MALWARE: RedLine Stealer": [[184, 199]], "HASH: 6cdf6ee69212478e4d7bc2e6e66ac0560cdbd013c8a6d7d651edc6751e818d21": [[209, 273]], "FILEPATH: C:\\Users\\Public\\Documents\\ntds.dit": [[295, 329]], "URL: http://node-cache.dev/assets/js/payload.js": [[364, 406]], "IP_ADDRESS: 10.87.34.91": [[427, 438]]}, "info": {"id": "synth_v2_00805", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2021-20463 is a critical CSRF vulnerability affecting SonicWall SMA. Cisco Talos confirmed active exploitation by MuddyWater in the wild. 
Exploitation delivers PikaBot (MD5: c24368cbc473c40582f65345f1ae45b3) which is dropped to C:\\Users\\admin\\AppData\\Local\\Temp\\update.dll. The exploit payload is hosted at hxxps://proxysecure.club/callback and communicates to 86.41.160.146 for C2.", "spans": {"CVE_ID: CVE-2021-20463": [[24, 38]], "VULNERABILITY: CSRF vulnerability": [[53, 71]], "SYSTEM: SonicWall SMA": [[82, 95]], "ORGANIZATION: Cisco Talos": [[97, 108]], "THREAT_ACTOR: MuddyWater": [[142, 152]], "MALWARE: PikaBot": [[188, 195]], "HASH: c24368cbc473c40582f65345f1ae45b3": [[202, 234]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\update.dll": [[256, 300]], "URL: hxxps://proxysecure.club/callback": [[335, 368]], "IP_ADDRESS: 86.41.160.146": [[389, 402]]}, "info": {"id": "synth_v2_00806", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2023-16619 is a critical IDOR vulnerability affecting Barracuda ESG. Huntress confirmed active exploitation by Salt Typhoon in the wild. Exploitation delivers QakBot (SHA256: befe7fcbcb2a0a9daf8d7fab4ca0835d7f070ff083cd2178b4afbc47a69ba0eb) which is dropped to C:\\Users\\Public\\Documents\\loader.exe. The exploit payload is hosted at https://securenode.info/portal/verify and communicates to 10.192.79.131 for C2.", "spans": {"CVE_ID: CVE-2023-16619": [[24, 38]], "VULNERABILITY: IDOR vulnerability": [[53, 71]], "SYSTEM: Barracuda ESG": [[82, 95]], "ORGANIZATION: Huntress": [[97, 105]], "THREAT_ACTOR: Salt Typhoon": [[139, 151]], "MALWARE: QakBot": [[187, 193]], "HASH: befe7fcbcb2a0a9daf8d7fab4ca0835d7f070ff083cd2178b4afbc47a69ba0eb": [[203, 267]], "FILEPATH: C:\\Users\\Public\\Documents\\loader.exe": [[289, 325]], "URL: https://securenode.info/portal/verify": [[360, 397]], "IP_ADDRESS: 10.192.79.131": [[418, 431]]}, "info": {"id": "synth_v2_00807", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2022-12847 is a critical IDOR vulnerability affecting Fortinet FortiGate. 
CrowdStrike confirmed active exploitation by FIN11 in the wild. Exploitation delivers Dridex (MD5: 85aa3b4844b046e1f19e9358cfed7a50) which is dropped to /usr/local/bin/backdoor.elf. The exploit payload is hosted at hxxp://data-login.top/login and communicates to 10.109.150.138 for C2.", "spans": {"CVE_ID: CVE-2022-12847": [[24, 38]], "VULNERABILITY: IDOR vulnerability": [[53, 71]], "SYSTEM: Fortinet FortiGate": [[82, 100]], "ORGANIZATION: CrowdStrike": [[102, 113]], "THREAT_ACTOR: FIN11": [[147, 152]], "MALWARE: Dridex": [[188, 194]], "HASH: 85aa3b4844b046e1f19e9358cfed7a50": [[201, 233]], "FILEPATH: /usr/local/bin/backdoor.elf": [[255, 282]], "URL: hxxp://data-login.top/login": [[317, 344]], "IP_ADDRESS: 10.109.150.138": [[365, 379]]}, "info": {"id": "synth_v2_00808", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2023-49920 is a critical directory traversal affecting Citrix NetScaler. FireEye confirmed active exploitation by APT29 in the wild. Exploitation delivers Royal (SHA1: e4b70d4b24b2b15807d53baf9d6b6507c41ee62c) which is dropped to C:\\Users\\admin\\AppData\\Local\\Temp\\backdoor.elf. The exploit payload is hosted at hxxps://update-login.club/download/update.exe and communicates to 10.215.184.148 for C2.", "spans": {"CVE_ID: CVE-2023-49920": [[24, 38]], "VULNERABILITY: directory traversal": [[53, 72]], "SYSTEM: Citrix NetScaler": [[83, 99]], "ORGANIZATION: FireEye": [[101, 108]], "THREAT_ACTOR: APT29": [[142, 147]], "MALWARE: Royal": [[183, 188]], "HASH: e4b70d4b24b2b15807d53baf9d6b6507c41ee62c": [[196, 236]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\backdoor.elf": [[258, 304]], "URL: hxxps://update-login.club/download/update.exe": [[339, 384]], "IP_ADDRESS: 10.215.184.148": [[405, 419]]}, "info": {"id": "synth_v2_00809", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2021-16338 is a critical command injection affecting Citrix NetScaler. 
Microsoft MSRC confirmed active exploitation by Silk Typhoon in the wild. Exploitation delivers BlackCat (MD5: db8c180ea026a5b03447049556e2dd1e) which is dropped to C:\\ProgramData\\ntds.dit. The exploit payload is hosted at hxxp://data-mail.club/login and communicates to 128.183.65.179 for C2.", "spans": {"CVE_ID: CVE-2021-16338": [[24, 38]], "VULNERABILITY: command injection": [[53, 70]], "SYSTEM: Citrix NetScaler": [[81, 97]], "ORGANIZATION: Microsoft MSRC": [[99, 113]], "THREAT_ACTOR: Silk Typhoon": [[147, 159]], "MALWARE: BlackCat": [[195, 203]], "HASH: db8c180ea026a5b03447049556e2dd1e": [[210, 242]], "FILEPATH: C:\\ProgramData\\ntds.dit": [[264, 287]], "URL: hxxp://data-mail.club/login": [[322, 349]], "IP_ADDRESS: 128.183.65.179": [[370, 384]]}, "info": {"id": "synth_v2_00810", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2020-11952 is a critical SSRF vulnerability affecting Active Directory. Proofpoint confirmed active exploitation by Silk Typhoon in the wild. Exploitation delivers Lumma Stealer (SHA1: 5dc301573c95491df8eeb0c14b99c1a189e1ca77) which is dropped to C:\\Users\\Public\\Documents\\implant.so. The exploit payload is hosted at https://relay-relay.online/callback and communicates to 10.29.176.184 for C2.", "spans": {"CVE_ID: CVE-2020-11952": [[24, 38]], "VULNERABILITY: SSRF vulnerability": [[53, 71]], "SYSTEM: Active Directory": [[82, 98]], "ORGANIZATION: Proofpoint": [[100, 110]], "THREAT_ACTOR: Silk Typhoon": [[144, 156]], "MALWARE: Lumma Stealer": [[192, 205]], "HASH: 5dc301573c95491df8eeb0c14b99c1a189e1ca77": [[213, 253]], "FILEPATH: C:\\Users\\Public\\Documents\\implant.so": [[275, 311]], "URL: https://relay-relay.online/callback": [[346, 381]], "IP_ADDRESS: 10.29.176.184": [[402, 415]]}, "info": {"id": "synth_v2_00811", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2022-28965 is a critical privilege escalation affecting Ubuntu 22.04. 
Zscaler ThreatLabz confirmed active exploitation by OilRig in the wild. Exploitation delivers PikaBot (SHA256: 56e500ca7d83c6220c2f8eb11cad312e1abf3982c8c1512e11e39c76ae2cd56f) which is dropped to /tmp/taskhost.exe. The exploit payload is hosted at hxxps://proxy-backup.site/download/update.exe and communicates to 192.82.45.107 for C2.", "spans": {"CVE_ID: CVE-2022-28965": [[24, 38]], "VULNERABILITY: privilege escalation": [[53, 73]], "SYSTEM: Ubuntu 22.04": [[84, 96]], "ORGANIZATION: Zscaler ThreatLabz": [[98, 116]], "THREAT_ACTOR: OilRig": [[150, 156]], "MALWARE: PikaBot": [[192, 199]], "HASH: 56e500ca7d83c6220c2f8eb11cad312e1abf3982c8c1512e11e39c76ae2cd56f": [[209, 273]], "FILEPATH: /tmp/taskhost.exe": [[295, 312]], "URL: hxxps://proxy-backup.site/download/update.exe": [[347, 392]], "IP_ADDRESS: 192.82.45.107": [[413, 426]]}, "info": {"id": "synth_v2_00812", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2023-33283 is a critical command injection affecting Barracuda ESG. Tenable confirmed active exploitation by Storm-0558 in the wild. Exploitation delivers Qbot (SHA256: eb88958cef77f5f83c8df280e30cc8abe1f3198ad415119617d6a674d5297aca) which is dropped to C:\\Windows\\Temp\\loader.exe. The exploit payload is hosted at hxxp://cache-api.link/api/v2/auth and communicates to 18.198.200.42 for C2.", "spans": {"CVE_ID: CVE-2023-33283": [[24, 38]], "VULNERABILITY: command injection": [[53, 70]], "SYSTEM: Barracuda ESG": [[81, 94]], "ORGANIZATION: Tenable": [[96, 103]], "THREAT_ACTOR: Storm-0558": [[137, 147]], "MALWARE: Qbot": [[183, 187]], "HASH: eb88958cef77f5f83c8df280e30cc8abe1f3198ad415119617d6a674d5297aca": [[197, 261]], "FILEPATH: C:\\Windows\\Temp\\loader.exe": [[283, 309]], "URL: hxxp://cache-api.link/api/v2/auth": [[344, 377]], "IP_ADDRESS: 18.198.200.42": [[398, 411]]}, "info": {"id": "synth_v2_00813", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2024-42717 is a critical race condition affecting Barracuda ESG. 
Symantec confirmed active exploitation by Lazarus Group in the wild. Exploitation delivers DanaBot (MD5: f136316f681f72f7a1e31d9fcfa66d71) which is dropped to C:\\Users\\admin\\Desktop\\csrss.exe. The exploit payload is hosted at http://portal-data.club/download/update.exe and communicates to 216.213.201.118 for C2.", "spans": {"CVE_ID: CVE-2024-42717": [[24, 38]], "VULNERABILITY: race condition": [[53, 67]], "SYSTEM: Barracuda ESG": [[78, 91]], "ORGANIZATION: Symantec": [[93, 101]], "THREAT_ACTOR: Lazarus Group": [[135, 148]], "MALWARE: DanaBot": [[184, 191]], "HASH: f136316f681f72f7a1e31d9fcfa66d71": [[198, 230]], "FILEPATH: C:\\Users\\admin\\Desktop\\csrss.exe": [[252, 284]], "URL: http://portal-data.club/download/update.exe": [[319, 362]], "IP_ADDRESS: 216.213.201.118": [[383, 398]]}, "info": {"id": "synth_v2_00814", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2020-25247 is a critical use-after-free affecting MOVEit Transfer. Trend Micro confirmed active exploitation by Velvet Tempest in the wild. Exploitation delivers Hive (MD5: a2ee9f69463b7ec667c51354aeaab66d) which is dropped to /var/tmp/shell.php. The exploit payload is hosted at https://portalcloud.top/collect and communicates to 77.18.225.248 for C2.", "spans": {"CVE_ID: CVE-2020-25247": [[24, 38]], "VULNERABILITY: use-after-free": [[53, 67]], "SYSTEM: MOVEit Transfer": [[78, 93]], "ORGANIZATION: Trend Micro": [[95, 106]], "THREAT_ACTOR: Velvet Tempest": [[140, 154]], "MALWARE: Hive": [[190, 194]], "HASH: a2ee9f69463b7ec667c51354aeaab66d": [[201, 233]], "FILEPATH: /var/tmp/shell.php": [[255, 273]], "URL: https://portalcloud.top/collect": [[308, 339]], "IP_ADDRESS: 77.18.225.248": [[360, 373]]}, "info": {"id": "synth_v2_00815", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2024-14337 is a critical buffer overflow affecting Apache Struts. Check Point Research confirmed active exploitation by TA505 in the wild. 
Exploitation delivers LockBit (MD5: 8db355aff3ba0cfd3a608c100b9225b3) which is dropped to /usr/local/bin/runtime.dll. The exploit payload is hosted at hxxps://portal-login.site/api/v2/auth and communicates to 43.232.97.34 for C2.", "spans": {"CVE_ID: CVE-2024-14337": [[24, 38]], "VULNERABILITY: buffer overflow": [[53, 68]], "SYSTEM: Apache Struts": [[79, 92]], "ORGANIZATION: Check Point Research": [[94, 114]], "THREAT_ACTOR: TA505": [[148, 153]], "MALWARE: LockBit": [[189, 196]], "HASH: 8db355aff3ba0cfd3a608c100b9225b3": [[203, 235]], "FILEPATH: /usr/local/bin/runtime.dll": [[257, 283]], "URL: hxxps://portal-login.site/api/v2/auth": [[318, 355]], "IP_ADDRESS: 43.232.97.34": [[376, 388]]}, "info": {"id": "synth_v2_00816", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2021-16698 is a critical heap overflow affecting Barracuda ESG. Secureworks confirmed active exploitation by Gamaredon in the wild. Exploitation delivers FormBook (SHA1: a3019a2964dbf9f9fd02bf38289b52ecc2ef7fe9) which is dropped to C:\\Windows\\System32\\helper.sh. The exploit payload is hosted at hxxps://edge-proxy.cc/assets/js/payload.js and communicates to 69.77.51.174 for C2.", "spans": {"CVE_ID: CVE-2021-16698": [[24, 38]], "VULNERABILITY: heap overflow": [[53, 66]], "SYSTEM: Barracuda ESG": [[77, 90]], "ORGANIZATION: Secureworks": [[92, 103]], "THREAT_ACTOR: Gamaredon": [[137, 146]], "MALWARE: FormBook": [[182, 190]], "HASH: a3019a2964dbf9f9fd02bf38289b52ecc2ef7fe9": [[198, 238]], "FILEPATH: C:\\Windows\\System32\\helper.sh": [[260, 289]], "URL: hxxps://edge-proxy.cc/assets/js/payload.js": [[324, 366]], "IP_ADDRESS: 69.77.51.174": [[387, 399]]}, "info": {"id": "synth_v2_00817", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2023-46500 is a critical SQL injection affecting Progress Telerik. Europol confirmed active exploitation by Turla in the wild. 
Exploitation delivers RedLine Stealer (SHA1: 2edaf7b95638c06d07f9afff5d2c4d6fc795513f) which is dropped to C:\\Users\\admin\\AppData\\Local\\Temp\\csrss.exe. The exploit payload is hosted at https://datalogin.club/gate.php and communicates to 68.112.102.144 for C2.", "spans": {"CVE_ID: CVE-2023-46500": [[24, 38]], "VULNERABILITY: SQL injection": [[53, 66]], "SYSTEM: Progress Telerik": [[77, 93]], "ORGANIZATION: Europol": [[95, 102]], "THREAT_ACTOR: Turla": [[136, 141]], "MALWARE: RedLine Stealer": [[177, 192]], "HASH: 2edaf7b95638c06d07f9afff5d2c4d6fc795513f": [[200, 240]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\csrss.exe": [[262, 305]], "URL: https://datalogin.club/gate.php": [[340, 371]], "IP_ADDRESS: 68.112.102.144": [[392, 406]]}, "info": {"id": "synth_v2_00818", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2023-16619 is a critical command injection affecting Microsoft Exchange. Kaspersky GReAT confirmed active exploitation by Aqua Blizzard in the wild. Exploitation delivers SystemBC (SHA1: 9cd647030ac2d0ca1e192f33c7fcea1edd1aa4fc) which is dropped to /etc/cron.d/sam.hive. The exploit payload is hosted at hxxps://nodeproxy.site/secure/token and communicates to 10.123.39.21 for C2.", "spans": {"CVE_ID: CVE-2023-16619": [[24, 38]], "VULNERABILITY: command injection": [[53, 70]], "SYSTEM: Microsoft Exchange": [[81, 99]], "ORGANIZATION: Kaspersky GReAT": [[101, 116]], "THREAT_ACTOR: Aqua Blizzard": [[150, 163]], "MALWARE: SystemBC": [[199, 207]], "HASH: 9cd647030ac2d0ca1e192f33c7fcea1edd1aa4fc": [[215, 255]], "FILEPATH: /etc/cron.d/sam.hive": [[277, 297]], "URL: hxxps://nodeproxy.site/secure/token": [[332, 367]], "IP_ADDRESS: 10.123.39.21": [[388, 400]]}, "info": {"id": "synth_v2_00819", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2024-26162 is a critical null pointer dereference affecting Active Directory. FBI confirmed active exploitation by BlackTech in the wild. 
Exploitation delivers DanaBot (MD5: 048040f2ed2095a33f0587d234824275) which is dropped to /dev/shm/backdoor.elf. The exploit payload is hosted at hxxp://storagecloud.tech/callback and communicates to 204.232.205.151 for C2.", "spans": {"CVE_ID: CVE-2024-26162": [[24, 38]], "VULNERABILITY: null pointer dereference": [[53, 77]], "SYSTEM: Active Directory": [[88, 104]], "ORGANIZATION: FBI": [[106, 109]], "THREAT_ACTOR: BlackTech": [[143, 152]], "MALWARE: DanaBot": [[188, 195]], "HASH: 048040f2ed2095a33f0587d234824275": [[202, 234]], "FILEPATH: /dev/shm/backdoor.elf": [[256, 277]], "URL: hxxp://storagecloud.tech/callback": [[312, 345]], "IP_ADDRESS: 204.232.205.151": [[366, 381]]}, "info": {"id": "synth_v2_00820", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2024-19150 is a critical type confusion affecting Juniper SRX. Proofpoint confirmed active exploitation by MuddyWater in the wild. Exploitation delivers Emotet (MD5: 2c5f8dd03aafb740c06ee41aec4865c7) which is dropped to /opt/app/bin/implant.so. The exploit payload is hosted at https://secure-storage.info/login and communicates to 172.106.143.33 for C2.", "spans": {"CVE_ID: CVE-2024-19150": [[24, 38]], "VULNERABILITY: type confusion": [[53, 67]], "SYSTEM: Juniper SRX": [[78, 89]], "ORGANIZATION: Proofpoint": [[91, 101]], "THREAT_ACTOR: MuddyWater": [[135, 145]], "MALWARE: Emotet": [[181, 187]], "HASH: 2c5f8dd03aafb740c06ee41aec4865c7": [[194, 226]], "FILEPATH: /opt/app/bin/implant.so": [[248, 271]], "URL: https://secure-storage.info/login": [[306, 339]], "IP_ADDRESS: 172.106.143.33": [[360, 374]]}, "info": {"id": "synth_v2_00821", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2026-27486 is a critical SQL injection affecting Atlassian Confluence. Google TAG confirmed active exploitation by Turla in the wild. Exploitation delivers Conti (MD5: 03a91c32e8529fbc7cb403943bad4879) which is dropped to /var/tmp/svchost.exe. 
The exploit payload is hosted at https://cacheportal.site/gate.php and communicates to 153.73.165.202 for C2.", "spans": {"CVE_ID: CVE-2026-27486": [[24, 38]], "VULNERABILITY: SQL injection": [[53, 66]], "SYSTEM: Atlassian Confluence": [[77, 97]], "ORGANIZATION: Google TAG": [[99, 109]], "THREAT_ACTOR: Turla": [[143, 148]], "MALWARE: Conti": [[184, 189]], "HASH: 03a91c32e8529fbc7cb403943bad4879": [[196, 228]], "FILEPATH: /var/tmp/svchost.exe": [[250, 270]], "URL: https://cacheportal.site/gate.php": [[305, 338]], "IP_ADDRESS: 153.73.165.202": [[359, 373]]}, "info": {"id": "synth_v2_00822", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2023-14679 is a critical privilege escalation affecting Microsoft Exchange. SentinelOne confirmed active exploitation by Granite Typhoon in the wild. Exploitation delivers REvil (MD5: aae87e8a5a3fd301a0d0cab69f4c6f29) which is dropped to C:\\Program Files\\Common Files\\taskhost.exe. The exploit payload is hosted at hxxp://cdnsync.top/wp-content/uploads/doc.php and communicates to 172.92.197.32 for C2.", "spans": {"CVE_ID: CVE-2023-14679": [[24, 38]], "VULNERABILITY: privilege escalation": [[53, 73]], "SYSTEM: Microsoft Exchange": [[84, 102]], "ORGANIZATION: SentinelOne": [[104, 115]], "THREAT_ACTOR: Granite Typhoon": [[149, 164]], "MALWARE: REvil": [[200, 205]], "HASH: aae87e8a5a3fd301a0d0cab69f4c6f29": [[212, 244]], "FILEPATH: C:\\Program Files\\Common Files\\taskhost.exe": [[266, 308]], "URL: hxxp://cdnsync.top/wp-content/uploads/doc.php": [[343, 388]], "IP_ADDRESS: 172.92.197.32": [[409, 422]]}, "info": {"id": "synth_v2_00823", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2024-31252 is a critical use-after-free affecting Palo Alto PAN-OS. Secureworks confirmed active exploitation by MuddyWater in the wild. Exploitation delivers Conti (MD5: 79c0570fefe4c222f367eb4e443e6786) which is dropped to /dev/shm/loader.exe. 
The exploit payload is hosted at hxxps://dataauth.dev/login and communicates to 172.211.112.169 for C2.", "spans": {"CVE_ID: CVE-2024-31252": [[24, 38]], "VULNERABILITY: use-after-free": [[53, 67]], "SYSTEM: Palo Alto PAN-OS": [[78, 94]], "ORGANIZATION: Secureworks": [[96, 107]], "THREAT_ACTOR: MuddyWater": [[141, 151]], "MALWARE: Conti": [[187, 192]], "HASH: 79c0570fefe4c222f367eb4e443e6786": [[199, 231]], "FILEPATH: /dev/shm/loader.exe": [[253, 272]], "URL: hxxps://dataauth.dev/login": [[307, 333]], "IP_ADDRESS: 172.211.112.169": [[354, 369]]}, "info": {"id": "synth_v2_00824", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2022-27335 is a critical privilege escalation affecting VMware ESXi. Recorded Future confirmed active exploitation by FIN11 in the wild. Exploitation delivers DarkSide (MD5: b073f6778cb6472fe5a94cbc5e84fdbc) which is dropped to C:\\Program Files\\Common Files\\loader.exe. The exploit payload is hosted at https://storagesecure.xyz/admin/config and communicates to 187.228.47.235 for C2.", "spans": {"CVE_ID: CVE-2022-27335": [[24, 38]], "VULNERABILITY: privilege escalation": [[53, 73]], "SYSTEM: VMware ESXi": [[84, 95]], "ORGANIZATION: Recorded Future": [[97, 112]], "THREAT_ACTOR: FIN11": [[146, 151]], "MALWARE: DarkSide": [[187, 195]], "HASH: b073f6778cb6472fe5a94cbc5e84fdbc": [[202, 234]], "FILEPATH: C:\\Program Files\\Common Files\\loader.exe": [[256, 296]], "URL: https://storagesecure.xyz/admin/config": [[331, 369]], "IP_ADDRESS: 187.228.47.235": [[390, 404]]}, "info": {"id": "synth_v2_00825", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2023-34260 is a critical deserialization flaw affecting F5 BIG-IP. Mandiant confirmed active exploitation by Flax Typhoon in the wild. Exploitation delivers LockBit (MD5: 92524d006c4e584012354d7dfd797402) which is dropped to /var/tmp/sam.hive. 
The exploit payload is hosted at https://node-gateway.link/assets/js/payload.js and communicates to 172.99.83.223 for C2.", "spans": {"CVE_ID: CVE-2023-34260": [[24, 38]], "VULNERABILITY: deserialization flaw": [[53, 73]], "SYSTEM: F5 BIG-IP": [[84, 93]], "ORGANIZATION: Mandiant": [[95, 103]], "THREAT_ACTOR: Flax Typhoon": [[137, 149]], "MALWARE: LockBit": [[185, 192]], "HASH: 92524d006c4e584012354d7dfd797402": [[199, 231]], "FILEPATH: /var/tmp/sam.hive": [[253, 270]], "URL: https://node-gateway.link/assets/js/payload.js": [[305, 351]], "IP_ADDRESS: 172.99.83.223": [[372, 385]]}, "info": {"id": "synth_v2_00826", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2025-20016 is a critical privilege escalation affecting MOVEit Transfer. Dragos confirmed active exploitation by UNC2452 in the wild. Exploitation delivers Cobalt Strike (MD5: 1293ac04279637154d3c768dd2cc61e2) which is dropped to /etc/cron.d/payload.bin. The exploit payload is hosted at https://relay-update.net/login and communicates to 175.165.208.49 for C2.", "spans": {"CVE_ID: CVE-2025-20016": [[24, 38]], "VULNERABILITY: privilege escalation": [[53, 73]], "SYSTEM: MOVEit Transfer": [[84, 99]], "ORGANIZATION: Dragos": [[101, 107]], "THREAT_ACTOR: UNC2452": [[141, 148]], "MALWARE: Cobalt Strike": [[184, 197]], "HASH: 1293ac04279637154d3c768dd2cc61e2": [[204, 236]], "FILEPATH: /etc/cron.d/payload.bin": [[258, 281]], "URL: https://relay-update.net/login": [[316, 346]], "IP_ADDRESS: 175.165.208.49": [[367, 381]]}, "info": {"id": "synth_v2_00827", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2026-10212 is a critical SQL injection affecting Windows Server 2019. FireEye confirmed active exploitation by TA505 in the wild. Exploitation delivers DarkSide (SHA1: 63bf4f1664bdcf03917c0866d5ccfb4c7d519942) which is dropped to /opt/app/bin/sam.hive. 
The exploit payload is hosted at hxxp://proxy-secure.club/api/v2/auth and communicates to 84.23.18.7 for C2.", "spans": {"CVE_ID: CVE-2026-10212": [[24, 38]], "VULNERABILITY: SQL injection": [[53, 66]], "SYSTEM: Windows Server 2019": [[77, 96]], "ORGANIZATION: FireEye": [[98, 105]], "THREAT_ACTOR: TA505": [[139, 144]], "MALWARE: DarkSide": [[180, 188]], "HASH: 63bf4f1664bdcf03917c0866d5ccfb4c7d519942": [[196, 236]], "FILEPATH: /opt/app/bin/sam.hive": [[258, 279]], "URL: hxxp://proxy-secure.club/api/v2/auth": [[314, 350]], "IP_ADDRESS: 84.23.18.7": [[371, 381]]}, "info": {"id": "synth_v2_00828", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2022-46178 is a critical cross-site scripting affecting SonicWall SMA. CrowdStrike confirmed active exploitation by Sandworm in the wild. Exploitation delivers Conti (SHA1: c91a653c5981c3859b73a4810be1749cf31983e8) which is dropped to /tmp/lsass.dmp. The exploit payload is hosted at hxxp://nodeapi.online/login and communicates to 59.63.111.196 for C2.", "spans": {"CVE_ID: CVE-2022-46178": [[24, 38]], "VULNERABILITY: cross-site scripting": [[53, 73]], "SYSTEM: SonicWall SMA": [[84, 97]], "ORGANIZATION: CrowdStrike": [[99, 110]], "THREAT_ACTOR: Sandworm": [[144, 152]], "MALWARE: Conti": [[188, 193]], "HASH: c91a653c5981c3859b73a4810be1749cf31983e8": [[201, 241]], "FILEPATH: /tmp/lsass.dmp": [[263, 277]], "URL: hxxp://nodeapi.online/login": [[312, 339]], "IP_ADDRESS: 59.63.111.196": [[360, 373]]}, "info": {"id": "synth_v2_00829", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2024-14337 is a critical integer overflow affecting Citrix NetScaler. NSA confirmed active exploitation by BlackTech in the wild. Exploitation delivers Royal (SHA256: 07ff6db98cb4a9faabbda1125cb27981dbec96de58daa960c555d4527aba5792) which is dropped to /var/tmp/payload.bin. 
The exploit payload is hosted at https://datamail.org/collect and communicates to 46.13.95.148 for C2.", "spans": {"CVE_ID: CVE-2024-14337": [[24, 38]], "VULNERABILITY: integer overflow": [[53, 69]], "SYSTEM: Citrix NetScaler": [[80, 96]], "ORGANIZATION: NSA": [[98, 101]], "THREAT_ACTOR: BlackTech": [[135, 144]], "MALWARE: Royal": [[180, 185]], "HASH: 07ff6db98cb4a9faabbda1125cb27981dbec96de58daa960c555d4527aba5792": [[195, 259]], "FILEPATH: /var/tmp/payload.bin": [[281, 301]], "URL: https://datamail.org/collect": [[336, 364]], "IP_ADDRESS: 46.13.95.148": [[385, 397]]}, "info": {"id": "synth_v2_00830", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2021-16338 is a critical XXE injection affecting Microsoft Exchange. Secureworks confirmed active exploitation by Mustang Panda in the wild. Exploitation delivers Play (SHA256: b3efc0e16e0fb59ca2aefd436d80a1d72e96bf5947cdab16721c50a75dd91e5b) which is dropped to C:\\Program Files\\Common Files\\ntds.dit. The exploit payload is hosted at https://proxydata.link/wp-content/uploads/doc.php and communicates to 192.89.0.74 for C2.", "spans": {"CVE_ID: CVE-2021-16338": [[24, 38]], "VULNERABILITY: XXE injection": [[53, 66]], "SYSTEM: Microsoft Exchange": [[77, 95]], "ORGANIZATION: Secureworks": [[97, 108]], "THREAT_ACTOR: Mustang Panda": [[142, 155]], "MALWARE: Play": [[191, 195]], "HASH: b3efc0e16e0fb59ca2aefd436d80a1d72e96bf5947cdab16721c50a75dd91e5b": [[205, 269]], "FILEPATH: C:\\Program Files\\Common Files\\ntds.dit": [[291, 329]], "URL: https://proxydata.link/wp-content/uploads/doc.php": [[364, 413]], "IP_ADDRESS: 192.89.0.74": [[434, 445]]}, "info": {"id": "synth_v2_00831", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2026-45190 is a critical integer overflow affecting Windows 11. FBI confirmed active exploitation by Granite Typhoon in the wild. Exploitation delivers REvil (SHA256: fde353fc20406265505c7c548f781d7bd0973b73e4788d2e0a9ad6cdfe8273ba) which is dropped to /tmp/lsass.dmp. 
The exploit payload is hosted at hxxps://portal-static.online/panel/index.html and communicates to 24.25.235.12 for C2.", "spans": {"CVE_ID: CVE-2026-45190": [[24, 38]], "VULNERABILITY: integer overflow": [[53, 69]], "SYSTEM: Windows 11": [[80, 90]], "ORGANIZATION: FBI": [[92, 95]], "THREAT_ACTOR: Granite Typhoon": [[129, 144]], "MALWARE: REvil": [[180, 185]], "HASH: fde353fc20406265505c7c548f781d7bd0973b73e4788d2e0a9ad6cdfe8273ba": [[195, 259]], "FILEPATH: /tmp/lsass.dmp": [[281, 295]], "URL: hxxps://portal-static.online/panel/index.html": [[330, 375]], "IP_ADDRESS: 24.25.235.12": [[396, 408]]}, "info": {"id": "synth_v2_00832", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2021-48618 is a critical buffer overflow affecting F5 BIG-IP. Palo Alto Unit 42 confirmed active exploitation by Lazarus Group in the wild. Exploitation delivers Qbot (SHA1: ab2e4bf35db0d78b55659e8baa74fe2f8741ebba) which is dropped to C:\\Program Files\\Common Files\\backdoor.elf. The exploit payload is hosted at hxxp://edge-edge.top/assets/js/payload.js and communicates to 172.51.181.166 for C2.", "spans": {"CVE_ID: CVE-2021-48618": [[24, 38]], "VULNERABILITY: buffer overflow": [[53, 68]], "SYSTEM: F5 BIG-IP": [[79, 88]], "ORGANIZATION: Palo Alto Unit 42": [[90, 107]], "THREAT_ACTOR: Lazarus Group": [[141, 154]], "MALWARE: Qbot": [[190, 194]], "HASH: ab2e4bf35db0d78b55659e8baa74fe2f8741ebba": [[202, 242]], "FILEPATH: C:\\Program Files\\Common Files\\backdoor.elf": [[264, 306]], "URL: hxxp://edge-edge.top/assets/js/payload.js": [[341, 382]], "IP_ADDRESS: 172.51.181.166": [[403, 417]]}, "info": {"id": "synth_v2_00833", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2023-34260 is a critical race condition affecting F5 BIG-IP. Cisco Talos confirmed active exploitation by Charming Kitten in the wild. Exploitation delivers TrickBot (MD5: 449dc1c435b99d64efde00ea0c7ba82e) which is dropped to C:\\Users\\Public\\Documents\\implant.so. 
The exploit payload is hosted at hxxp://cloud-login.org/assets/js/payload.js and communicates to 114.134.67.38 for C2.", "spans": {"CVE_ID: CVE-2023-34260": [[24, 38]], "VULNERABILITY: race condition": [[53, 67]], "SYSTEM: F5 BIG-IP": [[78, 87]], "ORGANIZATION: Cisco Talos": [[89, 100]], "THREAT_ACTOR: Charming Kitten": [[134, 149]], "MALWARE: TrickBot": [[185, 193]], "HASH: 449dc1c435b99d64efde00ea0c7ba82e": [[200, 232]], "FILEPATH: C:\\Users\\Public\\Documents\\implant.so": [[254, 290]], "URL: hxxp://cloud-login.org/assets/js/payload.js": [[325, 368]], "IP_ADDRESS: 114.134.67.38": [[389, 402]]}, "info": {"id": "synth_v2_00834", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2023-33909 is a critical privilege escalation affecting Ivanti Connect Secure. NCSC confirmed active exploitation by Scattered Spider in the wild. Exploitation delivers Royal (MD5: 25469cb308392fc432c8ed0ed27c63ef) which is dropped to /etc/cron.d/update.dll. The exploit payload is hosted at hxxp://portalcdn.site/collect and communicates to 192.94.91.188 for C2.", "spans": {"CVE_ID: CVE-2023-33909": [[24, 38]], "VULNERABILITY: privilege escalation": [[53, 73]], "SYSTEM: Ivanti Connect Secure": [[84, 105]], "ORGANIZATION: NCSC": [[107, 111]], "THREAT_ACTOR: Scattered Spider": [[145, 161]], "MALWARE: Royal": [[197, 202]], "HASH: 25469cb308392fc432c8ed0ed27c63ef": [[209, 241]], "FILEPATH: /etc/cron.d/update.dll": [[263, 285]], "URL: hxxp://portalcdn.site/collect": [[320, 349]], "IP_ADDRESS: 192.94.91.188": [[370, 383]]}, "info": {"id": "synth_v2_00835", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2023-28217 is a critical IDOR vulnerability affecting Microsoft Exchange. Recorded Future confirmed active exploitation by Ember Bear in the wild. Exploitation delivers RemcosRAT (MD5: 40749139f62bef91fbb3266f4da32349) which is dropped to /var/tmp/dropper.ps1. 
The exploit payload is hosted at hxxp://syncauth.live/login and communicates to 192.28.139.102 for C2.", "spans": {"CVE_ID: CVE-2023-28217": [[24, 38]], "VULNERABILITY: IDOR vulnerability": [[53, 71]], "SYSTEM: Microsoft Exchange": [[82, 100]], "ORGANIZATION: Recorded Future": [[102, 117]], "THREAT_ACTOR: Ember Bear": [[151, 161]], "MALWARE: RemcosRAT": [[197, 206]], "HASH: 40749139f62bef91fbb3266f4da32349": [[213, 245]], "FILEPATH: /var/tmp/dropper.ps1": [[267, 287]], "URL: hxxp://syncauth.live/login": [[322, 348]], "IP_ADDRESS: 192.28.139.102": [[369, 383]]}, "info": {"id": "synth_v2_00836", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2021-28210 is a critical memory corruption affecting Atlassian Confluence. Microsoft MSRC confirmed active exploitation by Granite Typhoon in the wild. Exploitation delivers Gootloader (SHA1: 7d28f5028ff4ec9d0dbc83ace56f8898a67e5c4a) which is dropped to C:\\Users\\admin\\Desktop\\helper.sh. The exploit payload is hosted at hxxps://secureportal.top/panel/index.html and communicates to 192.36.112.199 for C2.", "spans": {"CVE_ID: CVE-2021-28210": [[24, 38]], "VULNERABILITY: memory corruption": [[53, 70]], "SYSTEM: Atlassian Confluence": [[81, 101]], "ORGANIZATION: Microsoft MSRC": [[103, 117]], "THREAT_ACTOR: Granite Typhoon": [[151, 166]], "MALWARE: Gootloader": [[202, 212]], "HASH: 7d28f5028ff4ec9d0dbc83ace56f8898a67e5c4a": [[220, 260]], "FILEPATH: C:\\Users\\admin\\Desktop\\helper.sh": [[282, 314]], "URL: hxxps://secureportal.top/panel/index.html": [[349, 390]], "IP_ADDRESS: 192.36.112.199": [[411, 425]]}, "info": {"id": "synth_v2_00837", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2026-35009 is a critical integer overflow affecting Cisco ASA. Recorded Future confirmed active exploitation by Diamond Sleet in the wild. Exploitation delivers IcedID (MD5: b9d99810a3fb15f4857f267b0af2030a) which is dropped to /etc/cron.d/chrome_helper.exe. 
The exploit payload is hosted at hxxps://storagesync.cc/download/update.exe and communicates to 188.141.243.12 for C2.", "spans": {"CVE_ID: CVE-2026-35009": [[24, 38]], "VULNERABILITY: integer overflow": [[53, 69]], "SYSTEM: Cisco ASA": [[80, 89]], "ORGANIZATION: Recorded Future": [[91, 106]], "THREAT_ACTOR: Diamond Sleet": [[140, 153]], "MALWARE: IcedID": [[189, 195]], "HASH: b9d99810a3fb15f4857f267b0af2030a": [[202, 234]], "FILEPATH: /etc/cron.d/chrome_helper.exe": [[256, 285]], "URL: hxxps://storagesync.cc/download/update.exe": [[320, 362]], "IP_ADDRESS: 188.141.243.12": [[383, 397]]}, "info": {"id": "synth_v2_00838", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2023-23730 is a critical SQL injection affecting Ubuntu 22.04. Europol confirmed active exploitation by Scattered Spider in the wild. Exploitation delivers PlugX (SHA256: c2574efcee6f817e34d336b66d111cd373aad8a4ad6019416e13f6c0785f0900) which is dropped to /dev/shm/csrss.exe. The exploit payload is hosted at hxxp://cache-portal.cc/collect and communicates to 85.219.139.5 for C2.", "spans": {"CVE_ID: CVE-2023-23730": [[24, 38]], "VULNERABILITY: SQL injection": [[53, 66]], "SYSTEM: Ubuntu 22.04": [[77, 89]], "ORGANIZATION: Europol": [[91, 98]], "THREAT_ACTOR: Scattered Spider": [[132, 148]], "MALWARE: PlugX": [[184, 189]], "HASH: c2574efcee6f817e34d336b66d111cd373aad8a4ad6019416e13f6c0785f0900": [[199, 263]], "FILEPATH: /dev/shm/csrss.exe": [[285, 303]], "URL: hxxp://cache-portal.cc/collect": [[338, 368]], "IP_ADDRESS: 85.219.139.5": [[389, 401]]}, "info": {"id": "synth_v2_00839", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2020-25247 is a critical IDOR vulnerability affecting Windows Server 2019. Rapid7 confirmed active exploitation by Mustang Panda in the wild. Exploitation delivers Dridex (SHA256: b29a01579cb4ab50e927ec7e79b2b21619d828c9f4dc1bf052a2f07bd5e37f49) which is dropped to C:\\Windows\\System32\\agent.py. 
The exploit payload is hosted at http://update-api.cc/api/v2/auth and communicates to 10.129.86.112 for C2.", "spans": {"CVE_ID: CVE-2020-25247": [[24, 38]], "VULNERABILITY: IDOR vulnerability": [[53, 71]], "SYSTEM: Windows Server 2019": [[82, 101]], "ORGANIZATION: Rapid7": [[103, 109]], "THREAT_ACTOR: Mustang Panda": [[143, 156]], "MALWARE: Dridex": [[192, 198]], "HASH: b29a01579cb4ab50e927ec7e79b2b21619d828c9f4dc1bf052a2f07bd5e37f49": [[208, 272]], "FILEPATH: C:\\Windows\\System32\\agent.py": [[294, 322]], "URL: http://update-api.cc/api/v2/auth": [[357, 389]], "IP_ADDRESS: 10.129.86.112": [[410, 423]]}, "info": {"id": "synth_v2_00840", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2022-33700 is a critical null pointer dereference affecting Microsoft Exchange. Huntress confirmed active exploitation by Lazarus Group in the wild. Exploitation delivers REvil (MD5: 19f5fcc4ce0647391950c22f57079178) which is dropped to C:\\Program Files\\Common Files\\beacon.dll. The exploit payload is hosted at http://portalcdn.cc/wp-content/uploads/doc.php and communicates to 159.206.236.137 for C2.", "spans": {"CVE_ID: CVE-2022-33700": [[24, 38]], "VULNERABILITY: null pointer dereference": [[53, 77]], "SYSTEM: Microsoft Exchange": [[88, 106]], "ORGANIZATION: Huntress": [[108, 116]], "THREAT_ACTOR: Lazarus Group": [[150, 163]], "MALWARE: REvil": [[199, 204]], "HASH: 19f5fcc4ce0647391950c22f57079178": [[211, 243]], "FILEPATH: C:\\Program Files\\Common Files\\beacon.dll": [[265, 305]], "URL: http://portalcdn.cc/wp-content/uploads/doc.php": [[340, 386]], "IP_ADDRESS: 159.206.236.137": [[407, 422]]}, "info": {"id": "synth_v2_00841", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2022-25256 is a critical SQL injection affecting Progress Telerik. Huntress confirmed active exploitation by MuddyWater in the wild. Exploitation delivers FormBook (SHA1: 410f82707ea99d07614049d33afeadc33c462dc3) which is dropped to /etc/cron.d/helper.sh. 
The exploit payload is hosted at http://relay-storage.club/admin/config and communicates to 10.224.199.173 for C2.", "spans": {"CVE_ID: CVE-2022-25256": [[24, 38]], "VULNERABILITY: SQL injection": [[53, 66]], "SYSTEM: Progress Telerik": [[77, 93]], "ORGANIZATION: Huntress": [[95, 103]], "THREAT_ACTOR: MuddyWater": [[137, 147]], "MALWARE: FormBook": [[183, 191]], "HASH: 410f82707ea99d07614049d33afeadc33c462dc3": [[199, 239]], "FILEPATH: /etc/cron.d/helper.sh": [[261, 282]], "URL: http://relay-storage.club/admin/config": [[317, 355]], "IP_ADDRESS: 10.224.199.173": [[376, 390]]}, "info": {"id": "synth_v2_00842", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2022-22601 is a critical null pointer dereference affecting Apache Struts. Cisco Talos confirmed active exploitation by FIN7 in the wild. Exploitation delivers Conti (SHA256: 63b7c4bf2443db87111e346e8732c6aeb01454523abbeb0f63a765fe489e9bf0) which is dropped to C:\\Windows\\System32\\update.dll. The exploit payload is hosted at https://cloudupdate.io/download/update.exe and communicates to 192.46.195.85 for C2.", "spans": {"CVE_ID: CVE-2022-22601": [[24, 38]], "VULNERABILITY: null pointer dereference": [[53, 77]], "SYSTEM: Apache Struts": [[88, 101]], "ORGANIZATION: Cisco Talos": [[103, 114]], "THREAT_ACTOR: FIN7": [[148, 152]], "MALWARE: Conti": [[188, 193]], "HASH: 63b7c4bf2443db87111e346e8732c6aeb01454523abbeb0f63a765fe489e9bf0": [[203, 267]], "FILEPATH: C:\\Windows\\System32\\update.dll": [[289, 319]], "URL: https://cloudupdate.io/download/update.exe": [[354, 396]], "IP_ADDRESS: 192.46.195.85": [[417, 430]]}, "info": {"id": "synth_v2_00843", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2021-32298 is a critical null pointer dereference affecting Ubuntu 22.04. SentinelOne confirmed active exploitation by APT28 in the wild. Exploitation delivers QakBot (MD5: 5dca444377a5310770d5ee807c95005d) which is dropped to C:\\Windows\\Temp\\payload.bin. 
The exploit payload is hosted at https://cacherelay.link/gate.php and communicates to 172.248.193.70 for C2.", "spans": {"CVE_ID: CVE-2021-32298": [[24, 38]], "VULNERABILITY: null pointer dereference": [[53, 77]], "SYSTEM: Ubuntu 22.04": [[88, 100]], "ORGANIZATION: SentinelOne": [[102, 113]], "THREAT_ACTOR: APT28": [[147, 152]], "MALWARE: QakBot": [[188, 194]], "HASH: 5dca444377a5310770d5ee807c95005d": [[201, 233]], "FILEPATH: C:\\Windows\\Temp\\payload.bin": [[255, 282]], "URL: https://cacherelay.link/gate.php": [[317, 349]], "IP_ADDRESS: 172.248.193.70": [[370, 384]]}, "info": {"id": "synth_v2_00844", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2025-49086 is a critical race condition affecting Apache Struts. Trend Micro confirmed active exploitation by Storm-0558 in the wild. Exploitation delivers Hive (MD5: 5995e7914920a0d6afd0bc6850bc7517) which is dropped to C:\\Users\\admin\\Desktop\\csrss.exe. The exploit payload is hosted at https://cacherelay.dev/api/v2/auth and communicates to 128.205.152.147 for C2.", "spans": {"CVE_ID: CVE-2025-49086": [[24, 38]], "VULNERABILITY: race condition": [[53, 67]], "SYSTEM: Apache Struts": [[78, 91]], "ORGANIZATION: Trend Micro": [[93, 104]], "THREAT_ACTOR: Storm-0558": [[138, 148]], "MALWARE: Hive": [[184, 188]], "HASH: 5995e7914920a0d6afd0bc6850bc7517": [[195, 227]], "FILEPATH: C:\\Users\\admin\\Desktop\\csrss.exe": [[249, 281]], "URL: https://cacherelay.dev/api/v2/auth": [[316, 350]], "IP_ADDRESS: 128.205.152.147": [[371, 386]]}, "info": {"id": "synth_v2_00845", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2020-15697 is a critical deserialization flaw affecting Atlassian Confluence. Mandiant confirmed active exploitation by OilRig in the wild. Exploitation delivers XLoader (MD5: 15bbda24e4f35d8380cbda63998a30e5) which is dropped to C:\\Users\\admin\\Downloads\\sam.hive. 
The exploit payload is hosted at http://proxy-cloud.com/portal/verify and communicates to 172.125.180.81 for C2.", "spans": {"CVE_ID: CVE-2020-15697": [[24, 38]], "VULNERABILITY: deserialization flaw": [[53, 73]], "SYSTEM: Atlassian Confluence": [[84, 104]], "ORGANIZATION: Mandiant": [[106, 114]], "THREAT_ACTOR: OilRig": [[148, 154]], "MALWARE: XLoader": [[190, 197]], "HASH: 15bbda24e4f35d8380cbda63998a30e5": [[204, 236]], "FILEPATH: C:\\Users\\admin\\Downloads\\sam.hive": [[258, 291]], "URL: http://proxy-cloud.com/portal/verify": [[326, 362]], "IP_ADDRESS: 172.125.180.81": [[383, 397]]}, "info": {"id": "synth_v2_00846", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2021-23031 is a critical cross-site scripting affecting MOVEit Transfer. Check Point Research confirmed active exploitation by APT28 in the wild. Exploitation delivers DarkSide (SHA256: 9017342262450e9926c7b8c5cf859b0a380c8793df964918ee1707414851e803) which is dropped to /etc/cron.d/csrss.exe. The exploit payload is hosted at http://cdn-mail.cc/assets/js/payload.js and communicates to 36.194.114.83 for C2.", "spans": {"CVE_ID: CVE-2021-23031": [[24, 38]], "VULNERABILITY: cross-site scripting": [[53, 73]], "SYSTEM: MOVEit Transfer": [[84, 99]], "ORGANIZATION: Check Point Research": [[101, 121]], "THREAT_ACTOR: APT28": [[155, 160]], "MALWARE: DarkSide": [[196, 204]], "HASH: 9017342262450e9926c7b8c5cf859b0a380c8793df964918ee1707414851e803": [[214, 278]], "FILEPATH: /etc/cron.d/csrss.exe": [[300, 321]], "URL: http://cdn-mail.cc/assets/js/payload.js": [[356, 395]], "IP_ADDRESS: 36.194.114.83": [[416, 429]]}, "info": {"id": "synth_v2_00847", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2022-49565 is a critical CSRF vulnerability affecting Fortinet FortiGate. CISA confirmed active exploitation by Gamaredon in the wild. Exploitation delivers Latrodectus (MD5: 14002449b55a0787c563a3b413454423) which is dropped to /opt/app/bin/implant.so. 
The exploit payload is hosted at https://api-storage.cc/panel/index.html and communicates to 173.105.218.77 for C2.", "spans": {"CVE_ID: CVE-2022-49565": [[24, 38]], "VULNERABILITY: CSRF vulnerability": [[53, 71]], "SYSTEM: Fortinet FortiGate": [[82, 100]], "ORGANIZATION: CISA": [[102, 106]], "THREAT_ACTOR: Gamaredon": [[140, 149]], "MALWARE: Latrodectus": [[185, 196]], "HASH: 14002449b55a0787c563a3b413454423": [[203, 235]], "FILEPATH: /opt/app/bin/implant.so": [[257, 280]], "URL: https://api-storage.cc/panel/index.html": [[315, 354]], "IP_ADDRESS: 173.105.218.77": [[375, 389]]}, "info": {"id": "synth_v2_00848", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2024-23826 is a critical use-after-free affecting SonicWall SMA. Zscaler ThreatLabz confirmed active exploitation by Granite Typhoon in the wild. Exploitation delivers AsyncRAT (SHA1: cae555f12d0970b695ad8d92a72f89dd3b2c69d9) which is dropped to C:\\Users\\Public\\Documents\\lsass.dmp. The exploit payload is hosted at https://backupdata.info/api/v2/auth and communicates to 64.152.169.193 for C2.", "spans": {"CVE_ID: CVE-2024-23826": [[24, 38]], "VULNERABILITY: use-after-free": [[53, 67]], "SYSTEM: SonicWall SMA": [[78, 91]], "ORGANIZATION: Zscaler ThreatLabz": [[93, 111]], "THREAT_ACTOR: Granite Typhoon": [[145, 160]], "MALWARE: AsyncRAT": [[196, 204]], "HASH: cae555f12d0970b695ad8d92a72f89dd3b2c69d9": [[212, 252]], "FILEPATH: C:\\Users\\Public\\Documents\\lsass.dmp": [[274, 309]], "URL: https://backupdata.info/api/v2/auth": [[344, 379]], "IP_ADDRESS: 64.152.169.193": [[400, 414]]}, "info": {"id": "synth_v2_00849", "source": "synthetic_v2"}} +{"text": "Vulnerability Advisory: CVE-2023-28217 is a critical type confusion affecting Microsoft Exchange. Tenable confirmed active exploitation by FIN7 in the wild. Exploitation delivers QakBot (MD5: 1cd84ad33a86c69bd05f046557c65500) which is dropped to /opt/app/bin/loader.exe. 
The exploit payload is hosted at hxxp://gatewaysync.com/download/update.exe and communicates to 71.230.145.58 for C2.", "spans": {"CVE_ID: CVE-2023-28217": [[24, 38]], "VULNERABILITY: type confusion": [[53, 67]], "SYSTEM: Microsoft Exchange": [[78, 96]], "ORGANIZATION: Tenable": [[98, 105]], "THREAT_ACTOR: FIN7": [[139, 143]], "MALWARE: QakBot": [[179, 185]], "HASH: 1cd84ad33a86c69bd05f046557c65500": [[192, 224]], "FILEPATH: /opt/app/bin/loader.exe": [[246, 269]], "URL: hxxp://gatewaysync.com/download/update.exe": [[304, 346]], "IP_ADDRESS: 71.230.145.58": [[367, 380]]}, "info": {"id": "synth_v2_00850", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Symantec identified a large-scale phishing operation. Emails originated from noreply@document-share.link and verify@login-portal.tech, spoofing legitimate services. Victims were directed to hxxps://authdata.org/login which hosted a credential harvesting page on cdnproxy.tech. A secondary link hxxp://logincdn.club/api/v2/auth delivered AsyncRAT (SHA1: 18b5a660d19fb447592bcc50833637323ca5047b). The malware was saved to /etc/cron.d/runtime.dll and established C2 with 162.211.189.87.", "spans": {"ORGANIZATION: Symantec": [[26, 34]], "EMAIL: noreply@document-share.link": [[103, 130]], "EMAIL: verify@login-portal.tech": [[135, 159]], "URL: hxxps://authdata.org/login": [[216, 242]], "DOMAIN: cdnproxy.tech": [[288, 301]], "URL: hxxp://logincdn.club/api/v2/auth": [[320, 352]], "MALWARE: AsyncRAT": [[363, 371]], "HASH: 18b5a660d19fb447592bcc50833637323ca5047b": [[379, 419]], "FILEPATH: /etc/cron.d/runtime.dll": [[447, 470]], "IP_ADDRESS: 162.211.189.87": [[495, 509]]}, "info": {"id": "synth_v2_00851", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Microsoft MSRC identified a large-scale phishing operation. Emails originated from verify@document-share.link and noreply@account-update.xyz, spoofing legitimate services. 
Victims were directed to https://data-update.com/portal/verify which hosted a credential harvesting page on cache-cdn.live. A secondary link hxxps://backupportal.dev/download/update.exe delivered TrickBot (SHA1: 439c563f1da2931362ca05f3616b57774ed6b59f). The malware was saved to /etc/cron.d/taskhost.exe and established C2 with 10.104.236.86.", "spans": {"ORGANIZATION: Microsoft MSRC": [[26, 40]], "EMAIL: verify@document-share.link": [[109, 135]], "EMAIL: noreply@account-update.xyz": [[140, 166]], "URL: https://data-update.com/portal/verify": [[223, 260]], "DOMAIN: cache-cdn.live": [[306, 320]], "URL: hxxps://backupportal.dev/download/update.exe": [[339, 383]], "MALWARE: TrickBot": [[394, 402]], "HASH: 439c563f1da2931362ca05f3616b57774ed6b59f": [[410, 450]], "FILEPATH: /etc/cron.d/taskhost.exe": [[478, 502]], "IP_ADDRESS: 10.104.236.86": [[527, 540]]}, "info": {"id": "synth_v2_00852", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: NCSC identified a large-scale phishing operation. Emails originated from service@auth-check.org and account@document-share.link, spoofing legitimate services. Victims were directed to https://cloudstorage.cc/admin/config which hosted a credential harvesting page on api-sync.club. A secondary link hxxps://updateedge.site/collect delivered RedLine Stealer (MD5: 5d086aed358d43679fd6aa0fbb4af342). 
The malware was saved to /tmp/backdoor.elf and established C2 with 102.198.113.22.", "spans": {"ORGANIZATION: NCSC": [[26, 30]], "EMAIL: service@auth-check.org": [[99, 121]], "EMAIL: account@document-share.link": [[126, 153]], "URL: https://cloudstorage.cc/admin/config": [[210, 246]], "DOMAIN: api-sync.club": [[292, 305]], "URL: hxxps://updateedge.site/collect": [[324, 355]], "MALWARE: RedLine Stealer": [[366, 381]], "HASH: 5d086aed358d43679fd6aa0fbb4af342": [[388, 420]], "FILEPATH: /tmp/backdoor.elf": [[448, 465]], "IP_ADDRESS: 102.198.113.22": [[490, 504]]}, "info": {"id": "synth_v2_00853", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Dragos identified a large-scale phishing operation. Emails originated from info@login-portal.tech and confirm@urgent-notice.online, spoofing legitimate services. Victims were directed to hxxp://cdncloud.info/wp-content/uploads/doc.php which hosted a credential harvesting page on relaybackup.org. A secondary link hxxp://securelogin.com/wp-content/uploads/doc.php delivered SmokeLoader (SHA256: b7dbf8cf5b39aee0fabe793ebe5203e842bf8388915f1b58a1e7babe0cc84066). The malware was saved to C:\\Users\\Public\\Documents\\svchost.exe and established C2 with 60.230.212.130.", "spans": {"ORGANIZATION: Dragos": [[26, 32]], "EMAIL: info@login-portal.tech": [[101, 123]], "EMAIL: confirm@urgent-notice.online": [[128, 156]], "URL: hxxp://cdncloud.info/wp-content/uploads/doc.php": [[213, 260]], "DOMAIN: relaybackup.org": [[306, 321]], "URL: hxxp://securelogin.com/wp-content/uploads/doc.php": [[340, 389]], "MALWARE: SmokeLoader": [[400, 411]], "HASH: b7dbf8cf5b39aee0fabe793ebe5203e842bf8388915f1b58a1e7babe0cc84066": [[421, 485]], "FILEPATH: C:\\Users\\Public\\Documents\\svchost.exe": [[513, 550]], "IP_ADDRESS: 60.230.212.130": [[575, 589]]}, "info": {"id": "synth_v2_00854", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Mandiant identified a large-scale phishing operation. 
Emails originated from service@urgent-notice.online and admin@phishing-domain.com, spoofing legitimate services. Victims were directed to https://logincache.live/callback which hosted a credential harvesting page on apirelay.info. A secondary link http://login-api.top/gate.php delivered Hive (MD5: 4a579523218349e21a46453fffc1d4df). The malware was saved to /tmp/winlogon.exe and established C2 with 10.116.187.243.", "spans": {"ORGANIZATION: Mandiant": [[26, 34]], "EMAIL: service@urgent-notice.online": [[103, 131]], "EMAIL: admin@phishing-domain.com": [[136, 161]], "URL: https://logincache.live/callback": [[218, 250]], "DOMAIN: apirelay.info": [[296, 309]], "URL: http://login-api.top/gate.php": [[328, 357]], "MALWARE: Hive": [[368, 372]], "HASH: 4a579523218349e21a46453fffc1d4df": [[379, 411]], "FILEPATH: /tmp/winlogon.exe": [[439, 456]], "IP_ADDRESS: 10.116.187.243": [[481, 495]]}, "info": {"id": "synth_v2_00855", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: CrowdStrike identified a large-scale phishing operation. Emails originated from support@account-update.xyz and security@urgent-notice.online, spoofing legitimate services. Victims were directed to hxxp://gatewayportal.tech/gate.php which hosted a credential harvesting page on static-data.com. A secondary link hxxp://securecloud.xyz/panel/index.html delivered BlackCat (SHA256: d4e94b5bb47ac248ee00c635a052cdf8471ecc1f12918a4cc9baa32a0e3ea780). 
The malware was saved to /opt/app/bin/lsass.dmp and established C2 with 10.104.5.59.", "spans": {"ORGANIZATION: CrowdStrike": [[26, 37]], "EMAIL: support@account-update.xyz": [[106, 132]], "EMAIL: security@urgent-notice.online": [[137, 166]], "URL: hxxp://gatewayportal.tech/gate.php": [[223, 257]], "DOMAIN: static-data.com": [[303, 318]], "URL: hxxp://securecloud.xyz/panel/index.html": [[337, 376]], "MALWARE: BlackCat": [[387, 395]], "HASH: d4e94b5bb47ac248ee00c635a052cdf8471ecc1f12918a4cc9baa32a0e3ea780": [[405, 469]], "FILEPATH: /opt/app/bin/lsass.dmp": [[497, 519]], "IP_ADDRESS: 10.104.5.59": [[544, 555]]}, "info": {"id": "synth_v2_00856", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: SentinelOne identified a large-scale phishing operation. Emails originated from admin@login-portal.tech and billing@mail-service.info, spoofing legitimate services. Victims were directed to hxxps://relayrelay.net/admin/config which hosted a credential harvesting page on loginproxy.cc. A secondary link hxxps://relaymail.dev/gate.php delivered Meduza Stealer (MD5: bd84c9780491d4dd79c21f971e90cecc). The malware was saved to /var/tmp/update.dll and established C2 with 172.189.107.15.", "spans": {"ORGANIZATION: SentinelOne": [[26, 37]], "EMAIL: admin@login-portal.tech": [[106, 129]], "EMAIL: billing@mail-service.info": [[134, 159]], "URL: hxxps://relayrelay.net/admin/config": [[216, 251]], "DOMAIN: loginproxy.cc": [[297, 310]], "URL: hxxps://relaymail.dev/gate.php": [[329, 359]], "MALWARE: Meduza Stealer": [[370, 384]], "HASH: bd84c9780491d4dd79c21f971e90cecc": [[391, 423]], "FILEPATH: /var/tmp/update.dll": [[451, 470]], "IP_ADDRESS: 172.189.107.15": [[495, 509]]}, "info": {"id": "synth_v2_00857", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Secureworks identified a large-scale phishing operation. Emails originated from info@account-update.xyz and helpdesk@document-share.link, spoofing legitimate services. 
Victims were directed to hxxps://proxysecure.xyz/wp-content/uploads/doc.php which hosted a credential harvesting page on cache-update.net. A secondary link https://logincdn.org/gate.php delivered ShadowPad (SHA256: 78d76bee8726103f89b6cbc509a6eceaec5db95e7ed480432afe45bef77823fc). The malware was saved to C:\\Users\\admin\\Downloads\\payload.bin and established C2 with 14.191.29.113.", "spans": {"ORGANIZATION: Secureworks": [[26, 37]], "EMAIL: info@account-update.xyz": [[106, 129]], "EMAIL: helpdesk@document-share.link": [[134, 162]], "URL: hxxps://proxysecure.xyz/wp-content/uploads/doc.php": [[219, 269]], "DOMAIN: cache-update.net": [[315, 331]], "URL: https://logincdn.org/gate.php": [[350, 379]], "MALWARE: ShadowPad": [[390, 399]], "HASH: 78d76bee8726103f89b6cbc509a6eceaec5db95e7ed480432afe45bef77823fc": [[409, 473]], "FILEPATH: C:\\Users\\admin\\Downloads\\payload.bin": [[501, 537]], "IP_ADDRESS: 14.191.29.113": [[562, 575]]}, "info": {"id": "synth_v2_00858", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: ESET Research identified a large-scale phishing operation. Emails originated from contact@mail-service.info and confirm@credential-check.site, spoofing legitimate services. Victims were directed to https://proxy-proxy.tech/callback which hosted a credential harvesting page on portal-mail.top. A secondary link hxxp://static-static.dev/portal/verify delivered WarmCookie (SHA1: 1146676b03ea61fda06fa13dfafd45e40d29ee88). 
The malware was saved to C:\\Windows\\Tasks\\payload.bin and established C2 with 162.75.173.130.", "spans": {"ORGANIZATION: ESET Research": [[26, 39]], "EMAIL: contact@mail-service.info": [[108, 133]], "EMAIL: confirm@credential-check.site": [[138, 167]], "URL: https://proxy-proxy.tech/callback": [[224, 257]], "DOMAIN: portal-mail.top": [[303, 318]], "URL: hxxp://static-static.dev/portal/verify": [[337, 375]], "MALWARE: WarmCookie": [[386, 396]], "HASH: 1146676b03ea61fda06fa13dfafd45e40d29ee88": [[404, 444]], "FILEPATH: C:\\Windows\\Tasks\\payload.bin": [[472, 500]], "IP_ADDRESS: 162.75.173.130": [[525, 539]]}, "info": {"id": "synth_v2_00859", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Huntress identified a large-scale phishing operation. Emails originated from info@account-update.xyz and noreply@auth-check.org, spoofing legitimate services. Victims were directed to http://cache-storage.site/panel/index.html which hosted a credential harvesting page on datacloud.online. A secondary link hxxp://syncnode.club/wp-content/uploads/doc.php delivered DanaBot (SHA256: 5e8f02d0217e758dfb23b357a96e17b301ff4bad7de100ae0faed7d30176a1ed). The malware was saved to C:\\Users\\admin\\Downloads\\taskhost.exe and established C2 with 10.44.24.31.", "spans": {"ORGANIZATION: Huntress": [[26, 34]], "EMAIL: info@account-update.xyz": [[103, 126]], "EMAIL: noreply@auth-check.org": [[131, 153]], "URL: http://cache-storage.site/panel/index.html": [[210, 252]], "DOMAIN: datacloud.online": [[298, 314]], "URL: hxxp://syncnode.club/wp-content/uploads/doc.php": [[333, 380]], "MALWARE: DanaBot": [[391, 398]], "HASH: 5e8f02d0217e758dfb23b357a96e17b301ff4bad7de100ae0faed7d30176a1ed": [[408, 472]], "FILEPATH: C:\\Users\\admin\\Downloads\\taskhost.exe": [[500, 537]], "IP_ADDRESS: 10.44.24.31": [[562, 573]]}, "info": {"id": "synth_v2_00860", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Palo Alto Unit 42 identified a large-scale phishing operation. 
Emails originated from account@credential-check.site and account@phishing-domain.com, spoofing legitimate services. Victims were directed to hxxps://mail-edge.site/admin/config which hosted a credential harvesting page on data-static.org. A secondary link http://relay-cdn.live/portal/verify delivered AgentTesla (SHA1: e05ec0473a3af8219095e65a4590480afa66d5dc). The malware was saved to /usr/local/bin/csrss.exe and established C2 with 192.162.56.127.", "spans": {"ORGANIZATION: Palo Alto Unit 42": [[26, 43]], "EMAIL: account@credential-check.site": [[112, 141]], "EMAIL: account@phishing-domain.com": [[146, 173]], "URL: hxxps://mail-edge.site/admin/config": [[230, 265]], "DOMAIN: data-static.org": [[311, 326]], "URL: http://relay-cdn.live/portal/verify": [[345, 380]], "MALWARE: AgentTesla": [[391, 401]], "HASH: e05ec0473a3af8219095e65a4590480afa66d5dc": [[409, 449]], "FILEPATH: /usr/local/bin/csrss.exe": [[477, 501]], "IP_ADDRESS: 192.162.56.127": [[526, 540]]}, "info": {"id": "synth_v2_00861", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Proofpoint identified a large-scale phishing operation. Emails originated from alert@account-update.xyz and security@account-update.xyz, spoofing legitimate services. Victims were directed to hxxp://portalsync.xyz/panel/index.html which hosted a credential harvesting page on login-auth.site. A secondary link https://securesecure.com/portal/verify delivered DarkSide (SHA1: d649b48289f9a688ba84181428b87cb603e348ac). 
The malware was saved to /opt/app/bin/backdoor.elf and established C2 with 218.98.99.190.", "spans": {"ORGANIZATION: Proofpoint": [[26, 36]], "EMAIL: alert@account-update.xyz": [[105, 129]], "EMAIL: security@account-update.xyz": [[134, 161]], "URL: hxxp://portalsync.xyz/panel/index.html": [[218, 256]], "DOMAIN: login-auth.site": [[302, 317]], "URL: https://securesecure.com/portal/verify": [[336, 374]], "MALWARE: DarkSide": [[385, 393]], "HASH: d649b48289f9a688ba84181428b87cb603e348ac": [[401, 441]], "FILEPATH: /opt/app/bin/backdoor.elf": [[469, 494]], "IP_ADDRESS: 218.98.99.190": [[519, 532]]}, "info": {"id": "synth_v2_00862", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: CrowdStrike identified a large-scale phishing operation. Emails originated from admin@urgent-notice.online and billing@login-portal.tech, spoofing legitimate services. Victims were directed to hxxps://backupbackup.online/portal/verify which hosted a credential harvesting page on relayupdate.link. A secondary link https://nodestatic.cc/login delivered REvil (MD5: 3699598cbff150c86cffa512bb51bfa7). The malware was saved to C:\\Users\\admin\\Desktop\\loader.exe and established C2 with 19.160.97.202.", "spans": {"ORGANIZATION: CrowdStrike": [[26, 37]], "EMAIL: admin@urgent-notice.online": [[106, 132]], "EMAIL: billing@login-portal.tech": [[137, 162]], "URL: hxxps://backupbackup.online/portal/verify": [[219, 260]], "DOMAIN: relayupdate.link": [[306, 322]], "URL: https://nodestatic.cc/login": [[341, 368]], "MALWARE: REvil": [[379, 384]], "HASH: 3699598cbff150c86cffa512bb51bfa7": [[391, 423]], "FILEPATH: C:\\Users\\admin\\Desktop\\loader.exe": [[451, 484]], "IP_ADDRESS: 19.160.97.202": [[509, 522]]}, "info": {"id": "synth_v2_00863", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Google TAG identified a large-scale phishing operation. Emails originated from updates@credential-check.site and hr@document-share.link, spoofing legitimate services. 
Victims were directed to hxxp://portal-gateway.top/download/update.exe which hosted a credential harvesting page on proxystorage.link. A secondary link hxxp://gatewaydata.info/gate.php delivered REvil (MD5: eaf593de4724e469919ebd305be7d7e1). The malware was saved to C:\\Windows\\System32\\svchost.exe and established C2 with 21.204.178.139.", "spans": {"ORGANIZATION: Google TAG": [[26, 36]], "EMAIL: updates@credential-check.site": [[105, 134]], "EMAIL: hr@document-share.link": [[139, 161]], "URL: hxxp://portal-gateway.top/download/update.exe": [[218, 263]], "DOMAIN: proxystorage.link": [[309, 326]], "URL: hxxp://gatewaydata.info/gate.php": [[345, 377]], "MALWARE: REvil": [[388, 393]], "HASH: eaf593de4724e469919ebd305be7d7e1": [[400, 432]], "FILEPATH: C:\\Windows\\System32\\svchost.exe": [[460, 491]], "IP_ADDRESS: 21.204.178.139": [[516, 530]]}, "info": {"id": "synth_v2_00864", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Huntress identified a large-scale phishing operation. Emails originated from info@account-update.xyz and report@account-update.xyz, spoofing legitimate services. Victims were directed to hxxp://mail-cache.club/download/update.exe which hosted a credential harvesting page on login-cache.tech. A secondary link http://authapi.tech/wp-content/uploads/doc.php delivered RemcosRAT (SHA1: 95744d675ee05e8e5951cf6cfc30c9339e0fcbb4). 
The malware was saved to C:\\Users\\admin\\Desktop\\helper.sh and established C2 with 63.237.78.166.", "spans": {"ORGANIZATION: Huntress": [[26, 34]], "EMAIL: info@account-update.xyz": [[103, 126]], "EMAIL: report@account-update.xyz": [[131, 156]], "URL: hxxp://mail-cache.club/download/update.exe": [[213, 255]], "DOMAIN: login-cache.tech": [[301, 317]], "URL: http://authapi.tech/wp-content/uploads/doc.php": [[336, 382]], "MALWARE: RemcosRAT": [[393, 402]], "HASH: 95744d675ee05e8e5951cf6cfc30c9339e0fcbb4": [[410, 450]], "FILEPATH: C:\\Users\\admin\\Desktop\\helper.sh": [[478, 510]], "IP_ADDRESS: 63.237.78.166": [[535, 548]]}, "info": {"id": "synth_v2_00865", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Huntress identified a large-scale phishing operation. Emails originated from contact@account-update.xyz and report@mail-service.info, spoofing legitimate services. Victims were directed to hxxps://cdn-gateway.site/secure/token which hosted a credential harvesting page on cloud-auth.xyz. A secondary link https://staticnode.com/api/v2/auth delivered WarmCookie (SHA256: c40c1e97b1c75850302e9cc023f4bd1c59b19e57997e07c520e6ea5d5a39fe0b). The malware was saved to C:\\Users\\admin\\AppData\\Local\\Temp\\backdoor.elf and established C2 with 192.80.32.210.", "spans": {"ORGANIZATION: Huntress": [[26, 34]], "EMAIL: contact@account-update.xyz": [[103, 129]], "EMAIL: report@mail-service.info": [[134, 158]], "URL: hxxps://cdn-gateway.site/secure/token": [[215, 252]], "DOMAIN: cloud-auth.xyz": [[298, 312]], "URL: https://staticnode.com/api/v2/auth": [[331, 365]], "MALWARE: WarmCookie": [[376, 386]], "HASH: c40c1e97b1c75850302e9cc023f4bd1c59b19e57997e07c520e6ea5d5a39fe0b": [[396, 460]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\backdoor.elf": [[488, 534]], "IP_ADDRESS: 192.80.32.210": [[559, 572]]}, "info": {"id": "synth_v2_00866", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Symantec identified a large-scale phishing operation. 
Emails originated from info@account-update.xyz and noreply@secure-verify.net, spoofing legitimate services. Victims were directed to https://api-mail.club/panel/index.html which hosted a credential harvesting page on edgeproxy.site. A secondary link http://mail-edge.org/panel/index.html delivered AsyncRAT (SHA256: 6301f01762aea2a24dd8edd5880252acc7ae8e9c1dc8b6fa8677d30b55276cd5). The malware was saved to C:\\Users\\Public\\Documents\\shell.php and established C2 with 192.167.134.143.", "spans": {"ORGANIZATION: Symantec": [[26, 34]], "EMAIL: info@account-update.xyz": [[103, 126]], "EMAIL: noreply@secure-verify.net": [[131, 156]], "URL: https://api-mail.club/panel/index.html": [[213, 251]], "DOMAIN: edgeproxy.site": [[297, 311]], "URL: http://mail-edge.org/panel/index.html": [[330, 367]], "MALWARE: AsyncRAT": [[378, 386]], "HASH: 6301f01762aea2a24dd8edd5880252acc7ae8e9c1dc8b6fa8677d30b55276cd5": [[396, 460]], "FILEPATH: C:\\Users\\Public\\Documents\\shell.php": [[488, 523]], "IP_ADDRESS: 192.167.134.143": [[548, 563]]}, "info": {"id": "synth_v2_00867", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Volexity identified a large-scale phishing operation. Emails originated from confirm@phishing-domain.com and service@mail-service.info, spoofing legitimate services. Victims were directed to http://loginupdate.com/download/update.exe which hosted a credential harvesting page on portalportal.info. A secondary link hxxp://relaynode.online/secure/token delivered Vidar (MD5: e8b7a5d23d9dde6be874d9428d3ff8b4). 
The malware was saved to C:\\Users\\Public\\Documents\\implant.so and established C2 with 186.66.111.76.", "spans": {"ORGANIZATION: Volexity": [[26, 34]], "EMAIL: confirm@phishing-domain.com": [[103, 130]], "EMAIL: service@mail-service.info": [[135, 160]], "URL: http://loginupdate.com/download/update.exe": [[217, 259]], "DOMAIN: portalportal.info": [[305, 322]], "URL: hxxp://relaynode.online/secure/token": [[341, 377]], "MALWARE: Vidar": [[388, 393]], "HASH: e8b7a5d23d9dde6be874d9428d3ff8b4": [[400, 432]], "FILEPATH: C:\\Users\\Public\\Documents\\implant.so": [[460, 496]], "IP_ADDRESS: 186.66.111.76": [[521, 534]]}, "info": {"id": "synth_v2_00868", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Trend Micro identified a large-scale phishing operation. Emails originated from security@secure-verify.net and report@account-update.xyz, spoofing legitimate services. Victims were directed to hxxp://loginsecure.net/download/update.exe which hosted a credential harvesting page on edgecloud.link. A secondary link https://backup-api.com/download/update.exe delivered Conti (SHA1: c45fe489ecd3bcb1db8164f874b7e2267a6ef350). The malware was saved to /dev/shm/loader.exe and established C2 with 10.241.228.40.", "spans": {"ORGANIZATION: Trend Micro": [[26, 37]], "EMAIL: security@secure-verify.net": [[106, 132]], "EMAIL: report@account-update.xyz": [[137, 162]], "URL: hxxp://loginsecure.net/download/update.exe": [[219, 261]], "DOMAIN: edgecloud.link": [[307, 321]], "URL: https://backup-api.com/download/update.exe": [[340, 382]], "MALWARE: Conti": [[393, 398]], "HASH: c45fe489ecd3bcb1db8164f874b7e2267a6ef350": [[406, 446]], "FILEPATH: /dev/shm/loader.exe": [[474, 493]], "IP_ADDRESS: 10.241.228.40": [[518, 531]]}, "info": {"id": "synth_v2_00869", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Secureworks identified a large-scale phishing operation. 
Emails originated from contact@document-share.link and report@document-share.link, spoofing legitimate services. Victims were directed to hxxp://cachenode.net/panel/index.html which hosted a credential harvesting page on gatewaygateway.com. A secondary link hxxps://auth-edge.com/wp-content/uploads/doc.php delivered REvil (SHA256: fe9aaf3a63f76ab0792f35fe66e3a580529fff5162405ef4c59e71f85b221683). The malware was saved to C:\\Users\\admin\\AppData\\Local\\Temp\\svchost.exe and established C2 with 51.82.172.50.", "spans": {"ORGANIZATION: Secureworks": [[26, 37]], "EMAIL: contact@document-share.link": [[106, 133]], "EMAIL: report@document-share.link": [[138, 164]], "URL: hxxp://cachenode.net/panel/index.html": [[221, 258]], "DOMAIN: gatewaygateway.com": [[304, 322]], "URL: hxxps://auth-edge.com/wp-content/uploads/doc.php": [[341, 389]], "MALWARE: REvil": [[400, 405]], "HASH: fe9aaf3a63f76ab0792f35fe66e3a580529fff5162405ef4c59e71f85b221683": [[415, 479]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\svchost.exe": [[507, 552]], "IP_ADDRESS: 51.82.172.50": [[577, 589]]}, "info": {"id": "synth_v2_00870", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Huntress identified a large-scale phishing operation. Emails originated from confirm@identity-verify.cc and billing@secure-verify.net, spoofing legitimate services. Victims were directed to hxxp://storage-cdn.tech/portal/verify which hosted a credential harvesting page on gateway-static.org. A secondary link hxxps://node-data.io/secure/token delivered DanaBot (SHA1: 9be0547df73658c34afae3b3d425daa45ee3a1ff). 
The malware was saved to C:\\Users\\admin\\AppData\\Local\\Temp\\update.dll and established C2 with 102.221.83.211.", "spans": {"ORGANIZATION: Huntress": [[26, 34]], "EMAIL: confirm@identity-verify.cc": [[103, 129]], "EMAIL: billing@secure-verify.net": [[134, 159]], "URL: hxxp://storage-cdn.tech/portal/verify": [[216, 253]], "DOMAIN: gateway-static.org": [[299, 317]], "URL: hxxps://node-data.io/secure/token": [[336, 369]], "MALWARE: DanaBot": [[380, 387]], "HASH: 9be0547df73658c34afae3b3d425daa45ee3a1ff": [[395, 435]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\update.dll": [[463, 507]], "IP_ADDRESS: 102.221.83.211": [[532, 546]]}, "info": {"id": "synth_v2_00871", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Google TAG identified a large-scale phishing operation. Emails originated from updates@identity-verify.cc and helpdesk@login-portal.tech, spoofing legitimate services. Victims were directed to http://edge-cloud.dev/admin/config which hosted a credential harvesting page on authedge.dev. A secondary link hxxps://cloud-proxy.site/panel/index.html delivered Vidar (MD5: 642373cce74722a963bbad7b82ae3dc0). The malware was saved to C:\\Windows\\Tasks\\taskhost.exe and established C2 with 172.156.55.1.", "spans": {"ORGANIZATION: Google TAG": [[26, 36]], "EMAIL: updates@identity-verify.cc": [[105, 131]], "EMAIL: helpdesk@login-portal.tech": [[136, 162]], "URL: http://edge-cloud.dev/admin/config": [[219, 253]], "DOMAIN: authedge.dev": [[299, 311]], "URL: hxxps://cloud-proxy.site/panel/index.html": [[330, 371]], "MALWARE: Vidar": [[382, 387]], "HASH: 642373cce74722a963bbad7b82ae3dc0": [[394, 426]], "FILEPATH: C:\\Windows\\Tasks\\taskhost.exe": [[454, 483]], "IP_ADDRESS: 172.156.55.1": [[508, 520]]}, "info": {"id": "synth_v2_00872", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: FBI identified a large-scale phishing operation. 
Emails originated from info@login-portal.tech and noreply@urgent-notice.online, spoofing legitimate services. Victims were directed to hxxp://cloud-data.club/api/v2/auth which hosted a credential harvesting page on storageupdate.site. A secondary link hxxps://mail-secure.online/panel/index.html delivered Amadey (MD5: 991d289969f4aabfb6b1fe0fb9cadcd9). The malware was saved to C:\\Users\\Public\\Documents\\update.dll and established C2 with 194.189.85.2.", "spans": {"ORGANIZATION: FBI": [[26, 29]], "EMAIL: info@login-portal.tech": [[98, 120]], "EMAIL: noreply@urgent-notice.online": [[125, 153]], "URL: hxxp://cloud-data.club/api/v2/auth": [[210, 244]], "DOMAIN: storageupdate.site": [[290, 308]], "URL: hxxps://mail-secure.online/panel/index.html": [[327, 370]], "MALWARE: Amadey": [[381, 387]], "HASH: 991d289969f4aabfb6b1fe0fb9cadcd9": [[394, 426]], "FILEPATH: C:\\Users\\Public\\Documents\\update.dll": [[454, 490]], "IP_ADDRESS: 194.189.85.2": [[515, 527]]}, "info": {"id": "synth_v2_00873", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: NCSC identified a large-scale phishing operation. Emails originated from confirm@urgent-notice.online and alert@mail-service.info, spoofing legitimate services. Victims were directed to http://api-static.org/collect which hosted a credential harvesting page on cacheedge.top. A secondary link hxxps://gatewayauth.online/secure/token delivered BumbleBee (SHA1: 5c4958bd7bcec41bf43116da1bac4fe213d801c1). 
The malware was saved to /home/user/.config/csrss.exe and established C2 with 46.8.77.180.", "spans": {"ORGANIZATION: NCSC": [[26, 30]], "EMAIL: confirm@urgent-notice.online": [[99, 127]], "EMAIL: alert@mail-service.info": [[132, 155]], "URL: http://api-static.org/collect": [[212, 241]], "DOMAIN: cacheedge.top": [[287, 300]], "URL: hxxps://gatewayauth.online/secure/token": [[319, 358]], "MALWARE: BumbleBee": [[369, 378]], "HASH: 5c4958bd7bcec41bf43116da1bac4fe213d801c1": [[386, 426]], "FILEPATH: /home/user/.config/csrss.exe": [[454, 482]], "IP_ADDRESS: 46.8.77.180": [[507, 518]]}, "info": {"id": "synth_v2_00874", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Kaspersky GReAT identified a large-scale phishing operation. Emails originated from service@identity-verify.cc and it@identity-verify.cc, spoofing legitimate services. Victims were directed to https://securestatic.live/collect which hosted a credential harvesting page on storage-storage.xyz. A secondary link hxxp://login-storage.online/portal/verify delivered StealC (SHA1: 6fc7007f58cc5584914a46c4d4333999c92f9dcb). The malware was saved to C:\\Program Files\\Common Files\\svchost.exe and established C2 with 189.152.69.149.", "spans": {"ORGANIZATION: Kaspersky GReAT": [[26, 41]], "EMAIL: service@identity-verify.cc": [[110, 136]], "EMAIL: it@identity-verify.cc": [[141, 162]], "URL: https://securestatic.live/collect": [[219, 252]], "DOMAIN: storage-storage.xyz": [[298, 317]], "URL: hxxp://login-storage.online/portal/verify": [[336, 377]], "MALWARE: StealC": [[388, 394]], "HASH: 6fc7007f58cc5584914a46c4d4333999c92f9dcb": [[402, 442]], "FILEPATH: C:\\Program Files\\Common Files\\svchost.exe": [[470, 511]], "IP_ADDRESS: 189.152.69.149": [[536, 550]]}, "info": {"id": "synth_v2_00875", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: CISA identified a large-scale phishing operation. 
Emails originated from report@phishing-domain.com and updates@mail-service.info, spoofing legitimate services. Victims were directed to http://loginstatic.site/collect which hosted a credential harvesting page on edge-update.io. A secondary link http://apirelay.cc/gate.php delivered StealC (MD5: 8f5d70944f8fa1c679dbd1233627a742). The malware was saved to /dev/shm/backdoor.elf and established C2 with 176.145.207.71.", "spans": {"ORGANIZATION: CISA": [[26, 30]], "EMAIL: report@phishing-domain.com": [[99, 125]], "EMAIL: updates@mail-service.info": [[130, 155]], "URL: http://loginstatic.site/collect": [[212, 243]], "DOMAIN: edge-update.io": [[289, 303]], "URL: http://apirelay.cc/gate.php": [[322, 349]], "MALWARE: StealC": [[360, 366]], "HASH: 8f5d70944f8fa1c679dbd1233627a742": [[373, 405]], "FILEPATH: /dev/shm/backdoor.elf": [[433, 454]], "IP_ADDRESS: 176.145.207.71": [[479, 493]]}, "info": {"id": "synth_v2_00876", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: NCSC identified a large-scale phishing operation. Emails originated from info@urgent-notice.online and billing@document-share.link, spoofing legitimate services. Victims were directed to hxxp://authgateway.online/portal/verify which hosted a credential harvesting page on portal-backup.link. A secondary link http://nodestorage.xyz/assets/js/payload.js delivered Lumma Stealer (SHA256: 9495629dd448f444eea33bd0d08f68da7b315af8b62ff341d23d4307d4ff1be0). 
The malware was saved to /usr/local/bin/agent.py and established C2 with 3.85.201.225.", "spans": {"ORGANIZATION: NCSC": [[26, 30]], "EMAIL: info@urgent-notice.online": [[99, 124]], "EMAIL: billing@document-share.link": [[129, 156]], "URL: hxxp://authgateway.online/portal/verify": [[213, 252]], "DOMAIN: portal-backup.link": [[298, 316]], "URL: http://nodestorage.xyz/assets/js/payload.js": [[335, 378]], "MALWARE: Lumma Stealer": [[389, 402]], "HASH: 9495629dd448f444eea33bd0d08f68da7b315af8b62ff341d23d4307d4ff1be0": [[412, 476]], "FILEPATH: /usr/local/bin/agent.py": [[504, 527]], "IP_ADDRESS: 3.85.201.225": [[552, 564]]}, "info": {"id": "synth_v2_00877", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: SentinelOne identified a large-scale phishing operation. Emails originated from admin@auth-check.org and security@secure-verify.net, spoofing legitimate services. Victims were directed to http://secure-portal.org/login which hosted a credential harvesting page on sync-edge.live. A secondary link hxxps://portalbackup.io/login delivered SmokeLoader (SHA1: 3b4cb32a398300a5a06cd313ad99a8a29a43e65a). The malware was saved to C:\\Users\\Public\\Documents\\helper.sh and established C2 with 192.97.21.85.", "spans": {"ORGANIZATION: SentinelOne": [[26, 37]], "EMAIL: admin@auth-check.org": [[106, 126]], "EMAIL: security@secure-verify.net": [[131, 157]], "URL: http://secure-portal.org/login": [[214, 244]], "DOMAIN: sync-edge.live": [[290, 304]], "URL: hxxps://portalbackup.io/login": [[323, 352]], "MALWARE: SmokeLoader": [[363, 374]], "HASH: 3b4cb32a398300a5a06cd313ad99a8a29a43e65a": [[382, 422]], "FILEPATH: C:\\Users\\Public\\Documents\\helper.sh": [[450, 485]], "IP_ADDRESS: 192.97.21.85": [[510, 522]]}, "info": {"id": "synth_v2_00878", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Mandiant identified a large-scale phishing operation. Emails originated from verify@mail-service.info and confirm@urgent-notice.online, spoofing legitimate services. 
Victims were directed to http://static-static.club/portal/verify which hosted a credential harvesting page on relay-mail.dev. A secondary link hxxp://edge-mail.site/login delivered Emotet (SHA256: 3bf7d3c91132b6d5231429b9b547b91951c423589d1e09945ff9e86ca3448c46). The malware was saved to /tmp/update.dll and established C2 with 185.199.206.27.", "spans": {"ORGANIZATION: Mandiant": [[26, 34]], "EMAIL: verify@mail-service.info": [[103, 127]], "EMAIL: confirm@urgent-notice.online": [[132, 160]], "URL: http://static-static.club/portal/verify": [[217, 256]], "DOMAIN: relay-mail.dev": [[302, 316]], "URL: hxxp://edge-mail.site/login": [[335, 362]], "MALWARE: Emotet": [[373, 379]], "HASH: 3bf7d3c91132b6d5231429b9b547b91951c423589d1e09945ff9e86ca3448c46": [[389, 453]], "FILEPATH: /tmp/update.dll": [[481, 496]], "IP_ADDRESS: 185.199.206.27": [[521, 535]]}, "info": {"id": "synth_v2_00879", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: NSA identified a large-scale phishing operation. Emails originated from notification@document-share.link and it@login-portal.tech, spoofing legitimate services. Victims were directed to hxxps://mail-portal.info/panel/index.html which hosted a credential harvesting page on gatewayrelay.cc. A secondary link http://cachecloud.live/panel/index.html delivered QakBot (MD5: 266eed990bd2a4508a9a15fb5e3fc7fe). 
The malware was saved to C:\\Windows\\Temp\\taskhost.exe and established C2 with 42.212.17.8.", "spans": {"ORGANIZATION: NSA": [[26, 29]], "EMAIL: notification@document-share.link": [[98, 130]], "EMAIL: it@login-portal.tech": [[135, 155]], "URL: hxxps://mail-portal.info/panel/index.html": [[212, 253]], "DOMAIN: gatewayrelay.cc": [[299, 314]], "URL: http://cachecloud.live/panel/index.html": [[333, 372]], "MALWARE: QakBot": [[383, 389]], "HASH: 266eed990bd2a4508a9a15fb5e3fc7fe": [[396, 428]], "FILEPATH: C:\\Windows\\Temp\\taskhost.exe": [[456, 484]], "IP_ADDRESS: 42.212.17.8": [[509, 520]]}, "info": {"id": "synth_v2_00880", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Symantec identified a large-scale phishing operation. Emails originated from alert@login-portal.tech and contact@auth-check.org, spoofing legitimate services. Victims were directed to https://cdn-data.info/portal/verify which hosted a credential harvesting page on syncstorage.site. A secondary link hxxps://loginstatic.cc/callback delivered Latrodectus (MD5: 00cfc5e357ac483e48c9a8e35e64803a). The malware was saved to /etc/cron.d/config.dat and established C2 with 10.193.72.202.", "spans": {"ORGANIZATION: Symantec": [[26, 34]], "EMAIL: alert@login-portal.tech": [[103, 126]], "EMAIL: contact@auth-check.org": [[131, 153]], "URL: https://cdn-data.info/portal/verify": [[210, 245]], "DOMAIN: syncstorage.site": [[291, 307]], "URL: hxxps://loginstatic.cc/callback": [[326, 357]], "MALWARE: Latrodectus": [[368, 379]], "HASH: 00cfc5e357ac483e48c9a8e35e64803a": [[386, 418]], "FILEPATH: /etc/cron.d/config.dat": [[446, 468]], "IP_ADDRESS: 10.193.72.202": [[493, 506]]}, "info": {"id": "synth_v2_00881", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Kaspersky GReAT identified a large-scale phishing operation. Emails originated from noreply@secure-verify.net and ceo@auth-check.org, spoofing legitimate services. 
Victims were directed to http://proxylogin.tech/download/update.exe which hosted a credential harvesting page on cloud-backup.online. A secondary link hxxps://secure-auth.cc/secure/token delivered TrickBot (MD5: d01a12bd63e750a5b267afa89261c29e). The malware was saved to /home/user/.config/beacon.dll and established C2 with 78.147.166.96.", "spans": {"ORGANIZATION: Kaspersky GReAT": [[26, 41]], "EMAIL: noreply@secure-verify.net": [[110, 135]], "EMAIL: ceo@auth-check.org": [[140, 158]], "URL: http://proxylogin.tech/download/update.exe": [[215, 257]], "DOMAIN: cloud-backup.online": [[303, 322]], "URL: hxxps://secure-auth.cc/secure/token": [[341, 376]], "MALWARE: TrickBot": [[387, 395]], "HASH: d01a12bd63e750a5b267afa89261c29e": [[402, 434]], "FILEPATH: /home/user/.config/beacon.dll": [[462, 491]], "IP_ADDRESS: 78.147.166.96": [[516, 529]]}, "info": {"id": "synth_v2_00882", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Google TAG identified a large-scale phishing operation. Emails originated from report@login-portal.tech and report@identity-verify.cc, spoofing legitimate services. Victims were directed to hxxp://secureauth.live/panel/index.html which hosted a credential harvesting page on storagemail.xyz. A secondary link hxxps://storage-update.online/download/update.exe delivered Ryuk (SHA1: 9d9381f9e86f1469dfee49e586002d7fc2b20c55). 
The malware was saved to C:\\Users\\admin\\AppData\\Local\\Temp\\svchost.exe and established C2 with 172.65.94.243.", "spans": {"ORGANIZATION: Google TAG": [[26, 36]], "EMAIL: report@login-portal.tech": [[105, 129]], "EMAIL: report@identity-verify.cc": [[134, 159]], "URL: hxxp://secureauth.live/panel/index.html": [[216, 255]], "DOMAIN: storagemail.xyz": [[301, 316]], "URL: hxxps://storage-update.online/download/update.exe": [[335, 384]], "MALWARE: Ryuk": [[395, 399]], "HASH: 9d9381f9e86f1469dfee49e586002d7fc2b20c55": [[407, 447]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\svchost.exe": [[475, 520]], "IP_ADDRESS: 172.65.94.243": [[545, 558]]}, "info": {"id": "synth_v2_00883", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Europol identified a large-scale phishing operation. Emails originated from info@secure-verify.net and verify@login-portal.tech, spoofing legitimate services. Victims were directed to http://relay-proxy.org/portal/verify which hosted a credential harvesting page on edgestorage.org. A secondary link https://static-mail.io/assets/js/payload.js delivered DarkSide (SHA1: 2d02586de9d285bdad8ef76db905868dd77a8e14). The malware was saved to /home/user/.config/config.dat and established C2 with 36.160.51.104.", "spans": {"ORGANIZATION: Europol": [[26, 33]], "EMAIL: info@secure-verify.net": [[102, 124]], "EMAIL: verify@login-portal.tech": [[129, 153]], "URL: http://relay-proxy.org/portal/verify": [[210, 246]], "DOMAIN: edgestorage.org": [[292, 307]], "URL: https://static-mail.io/assets/js/payload.js": [[326, 369]], "MALWARE: DarkSide": [[380, 388]], "HASH: 2d02586de9d285bdad8ef76db905868dd77a8e14": [[396, 436]], "FILEPATH: /home/user/.config/config.dat": [[464, 493]], "IP_ADDRESS: 36.160.51.104": [[518, 531]]}, "info": {"id": "synth_v2_00884", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: CISA identified a large-scale phishing operation. 
Emails originated from alert@urgent-notice.online and ceo@credential-check.site, spoofing legitimate services. Victims were directed to hxxps://staticapi.online/login which hosted a credential harvesting page on staticapi.info. A secondary link hxxps://cdnnode.live/secure/token delivered PlugX (MD5: 6614f59fa687faa7ddd8cf4afbf1e59b). The malware was saved to /usr/local/bin/beacon.dll and established C2 with 172.109.182.198.", "spans": {"ORGANIZATION: CISA": [[26, 30]], "EMAIL: alert@urgent-notice.online": [[99, 125]], "EMAIL: ceo@credential-check.site": [[130, 155]], "URL: hxxps://staticapi.online/login": [[212, 242]], "DOMAIN: staticapi.info": [[288, 302]], "URL: hxxps://cdnnode.live/secure/token": [[321, 354]], "MALWARE: PlugX": [[365, 370]], "HASH: 6614f59fa687faa7ddd8cf4afbf1e59b": [[377, 409]], "FILEPATH: /usr/local/bin/beacon.dll": [[437, 462]], "IP_ADDRESS: 172.109.182.198": [[487, 502]]}, "info": {"id": "synth_v2_00885", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: NSA identified a large-scale phishing operation. Emails originated from noreply@mail-service.info and updates@urgent-notice.online, spoofing legitimate services. Victims were directed to https://authrelay.net/collect which hosted a credential harvesting page on cdn-storage.xyz. A secondary link https://cacherelay.xyz/portal/verify delivered Qbot (SHA1: ec04e1f1cf2264ecf417a2542f85e722d6e87ffe). 
The malware was saved to C:\\Windows\\Temp\\helper.sh and established C2 with 10.111.215.22.", "spans": {"ORGANIZATION: NSA": [[26, 29]], "EMAIL: noreply@mail-service.info": [[98, 123]], "EMAIL: updates@urgent-notice.online": [[128, 156]], "URL: https://authrelay.net/collect": [[213, 242]], "DOMAIN: cdn-storage.xyz": [[288, 303]], "URL: https://cacherelay.xyz/portal/verify": [[322, 358]], "MALWARE: Qbot": [[369, 373]], "HASH: ec04e1f1cf2264ecf417a2542f85e722d6e87ffe": [[381, 421]], "FILEPATH: C:\\Windows\\Temp\\helper.sh": [[449, 474]], "IP_ADDRESS: 10.111.215.22": [[499, 512]]}, "info": {"id": "synth_v2_00886", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Dragos identified a large-scale phishing operation. Emails originated from info@login-portal.tech and helpdesk@urgent-notice.online, spoofing legitimate services. Victims were directed to http://gateway-cdn.io/panel/index.html which hosted a credential harvesting page on cloudupdate.info. A secondary link hxxp://edge-api.tech/gate.php delivered Latrodectus (SHA256: c0998c2f24fa4e4977df921b8009f496a47ff79ea71a91a66bd01eefeedc4dbd). The malware was saved to /opt/app/bin/chrome_helper.exe and established C2 with 47.62.227.178.", "spans": {"ORGANIZATION: Dragos": [[26, 32]], "EMAIL: info@login-portal.tech": [[101, 123]], "EMAIL: helpdesk@urgent-notice.online": [[128, 157]], "URL: http://gateway-cdn.io/panel/index.html": [[214, 252]], "DOMAIN: cloudupdate.info": [[298, 314]], "URL: hxxp://edge-api.tech/gate.php": [[333, 362]], "MALWARE: Latrodectus": [[373, 384]], "HASH: c0998c2f24fa4e4977df921b8009f496a47ff79ea71a91a66bd01eefeedc4dbd": [[394, 458]], "FILEPATH: /opt/app/bin/chrome_helper.exe": [[486, 516]], "IP_ADDRESS: 47.62.227.178": [[541, 554]]}, "info": {"id": "synth_v2_00887", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Volexity identified a large-scale phishing operation. 
Emails originated from finance@identity-verify.cc and ceo@login-portal.tech, spoofing legitimate services. Victims were directed to hxxps://dataproxy.link/api/v2/auth which hosted a credential harvesting page on syncportal.online. A secondary link http://mail-gateway.top/wp-content/uploads/doc.php delivered Dridex (MD5: 4ec0072b34651c804ec034cdb6795c9e). The malware was saved to C:\\Windows\\Tasks\\lsass.dmp and established C2 with 192.203.33.253.", "spans": {"ORGANIZATION: Volexity": [[26, 34]], "EMAIL: finance@identity-verify.cc": [[103, 129]], "EMAIL: ceo@login-portal.tech": [[134, 155]], "URL: hxxps://dataproxy.link/api/v2/auth": [[212, 246]], "DOMAIN: syncportal.online": [[292, 309]], "URL: http://mail-gateway.top/wp-content/uploads/doc.php": [[328, 378]], "MALWARE: Dridex": [[389, 395]], "HASH: 4ec0072b34651c804ec034cdb6795c9e": [[402, 434]], "FILEPATH: C:\\Windows\\Tasks\\lsass.dmp": [[462, 488]], "IP_ADDRESS: 192.203.33.253": [[513, 527]]}, "info": {"id": "synth_v2_00888", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: NCSC identified a large-scale phishing operation. Emails originated from finance@login-portal.tech and billing@identity-verify.cc, spoofing legitimate services. Victims were directed to https://cache-static.cc/callback which hosted a credential harvesting page on auth-cdn.io. A secondary link hxxps://syncstorage.com/assets/js/payload.js delivered StealC (MD5: 4adc29400ed734004dab71b19e3da6bb). 
The malware was saved to /dev/shm/helper.sh and established C2 with 192.119.174.42.", "spans": {"ORGANIZATION: NCSC": [[26, 30]], "EMAIL: finance@login-portal.tech": [[99, 124]], "EMAIL: billing@identity-verify.cc": [[129, 155]], "URL: https://cache-static.cc/callback": [[212, 244]], "DOMAIN: auth-cdn.io": [[290, 301]], "URL: hxxps://syncstorage.com/assets/js/payload.js": [[320, 364]], "MALWARE: StealC": [[375, 381]], "HASH: 4adc29400ed734004dab71b19e3da6bb": [[388, 420]], "FILEPATH: /dev/shm/helper.sh": [[448, 466]], "IP_ADDRESS: 192.119.174.42": [[491, 505]]}, "info": {"id": "synth_v2_00889", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: NCSC identified a large-scale phishing operation. Emails originated from alert@secure-verify.net and confirm@document-share.link, spoofing legitimate services. Victims were directed to https://nodebackup.dev/download/update.exe which hosted a credential harvesting page on cachemail.online. A secondary link https://portalsync.club/collect delivered REvil (MD5: bd1f390128381e503e45e864a4199839). The malware was saved to /dev/shm/winlogon.exe and established C2 with 194.64.56.216.", "spans": {"ORGANIZATION: NCSC": [[26, 30]], "EMAIL: alert@secure-verify.net": [[99, 122]], "EMAIL: confirm@document-share.link": [[127, 154]], "URL: https://nodebackup.dev/download/update.exe": [[211, 253]], "DOMAIN: cachemail.online": [[299, 315]], "URL: https://portalsync.club/collect": [[334, 365]], "MALWARE: REvil": [[376, 381]], "HASH: bd1f390128381e503e45e864a4199839": [[388, 420]], "FILEPATH: /dev/shm/winlogon.exe": [[448, 469]], "IP_ADDRESS: 194.64.56.216": [[494, 507]]}, "info": {"id": "synth_v2_00890", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: NSA identified a large-scale phishing operation. Emails originated from notification@phishing-domain.com and security@account-update.xyz, spoofing legitimate services. 
Victims were directed to hxxps://relay-cache.online/download/update.exe which hosted a credential harvesting page on updatestorage.link. A secondary link http://nodeedge.xyz/api/v2/auth delivered Lumma Stealer (MD5: 997c461147915e593a953357855c5336). The malware was saved to /usr/local/bin/winlogon.exe and established C2 with 172.105.217.128.", "spans": {"ORGANIZATION: NSA": [[26, 29]], "EMAIL: notification@phishing-domain.com": [[98, 130]], "EMAIL: security@account-update.xyz": [[135, 162]], "URL: hxxps://relay-cache.online/download/update.exe": [[219, 265]], "DOMAIN: updatestorage.link": [[311, 329]], "URL: http://nodeedge.xyz/api/v2/auth": [[348, 379]], "MALWARE: Lumma Stealer": [[390, 403]], "HASH: 997c461147915e593a953357855c5336": [[410, 442]], "FILEPATH: /usr/local/bin/winlogon.exe": [[470, 497]], "IP_ADDRESS: 172.105.217.128": [[522, 537]]}, "info": {"id": "synth_v2_00891", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: FBI identified a large-scale phishing operation. Emails originated from security@urgent-notice.online and service@urgent-notice.online, spoofing legitimate services. Victims were directed to hxxp://api-secure.club/admin/config which hosted a credential harvesting page on api-cache.xyz. A secondary link https://cloud-node.io/callback delivered Meduza Stealer (SHA1: 88cb3d7c781f676e3d01fb7e737776a99814b11a). 
The malware was saved to C:\\ProgramData\\backdoor.elf and established C2 with 148.5.11.189.", "spans": {"ORGANIZATION: FBI": [[26, 29]], "EMAIL: security@urgent-notice.online": [[98, 127]], "EMAIL: service@urgent-notice.online": [[132, 160]], "URL: hxxp://api-secure.club/admin/config": [[217, 252]], "DOMAIN: api-cache.xyz": [[298, 311]], "URL: https://cloud-node.io/callback": [[330, 360]], "MALWARE: Meduza Stealer": [[371, 385]], "HASH: 88cb3d7c781f676e3d01fb7e737776a99814b11a": [[393, 433]], "FILEPATH: C:\\ProgramData\\backdoor.elf": [[461, 488]], "IP_ADDRESS: 148.5.11.189": [[513, 525]]}, "info": {"id": "synth_v2_00892", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Volexity identified a large-scale phishing operation. Emails originated from report@document-share.link and security@secure-verify.net, spoofing legitimate services. Victims were directed to https://relaycache.com/secure/token which hosted a credential harvesting page on data-mail.net. A secondary link http://edge-gateway.dev/collect delivered RemcosRAT (SHA1: 9b313309a0b6aff369130c389698c6aca00fe6d4). The malware was saved to C:\\Windows\\Temp\\sam.hive and established C2 with 192.163.99.33.", "spans": {"ORGANIZATION: Volexity": [[26, 34]], "EMAIL: report@document-share.link": [[103, 129]], "EMAIL: security@secure-verify.net": [[134, 160]], "URL: https://relaycache.com/secure/token": [[217, 252]], "DOMAIN: data-mail.net": [[298, 311]], "URL: http://edge-gateway.dev/collect": [[330, 361]], "MALWARE: RemcosRAT": [[372, 381]], "HASH: 9b313309a0b6aff369130c389698c6aca00fe6d4": [[389, 429]], "FILEPATH: C:\\Windows\\Temp\\sam.hive": [[457, 481]], "IP_ADDRESS: 192.163.99.33": [[506, 519]]}, "info": {"id": "synth_v2_00893", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Mandiant identified a large-scale phishing operation. Emails originated from service@phishing-domain.com and alert@secure-verify.net, spoofing legitimate services. 
Victims were directed to hxxp://cache-api.com/panel/index.html which hosted a credential harvesting page on mailauth.xyz. A secondary link hxxp://cache-proxy.info/admin/config delivered XLoader (SHA1: 12fd8df0b48bbff062fe975ef441159baa9e569d). The malware was saved to C:\\Users\\admin\\AppData\\Local\\Temp\\loader.exe and established C2 with 212.51.62.11.", "spans": {"ORGANIZATION: Mandiant": [[26, 34]], "EMAIL: service@phishing-domain.com": [[103, 130]], "EMAIL: alert@secure-verify.net": [[135, 158]], "URL: hxxp://cache-api.com/panel/index.html": [[215, 252]], "DOMAIN: mailauth.xyz": [[298, 310]], "URL: hxxp://cache-proxy.info/admin/config": [[329, 365]], "MALWARE: XLoader": [[376, 383]], "HASH: 12fd8df0b48bbff062fe975ef441159baa9e569d": [[391, 431]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\loader.exe": [[459, 503]], "IP_ADDRESS: 212.51.62.11": [[528, 540]]}, "info": {"id": "synth_v2_00894", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: NSA identified a large-scale phishing operation. Emails originated from finance@auth-check.org and support@account-update.xyz, spoofing legitimate services. Victims were directed to http://cloudrelay.xyz/api/v2/auth which hosted a credential harvesting page on relay-api.xyz. A secondary link http://nodeproxy.xyz/callback delivered AgentTesla (SHA1: 1ca174c0cf3db898a4ae7f0523145b26e0479387). 
The malware was saved to C:\\Users\\admin\\Desktop\\shell.php and established C2 with 10.180.123.205.", "spans": {"ORGANIZATION: NSA": [[26, 29]], "EMAIL: finance@auth-check.org": [[98, 120]], "EMAIL: support@account-update.xyz": [[125, 151]], "URL: http://cloudrelay.xyz/api/v2/auth": [[208, 241]], "DOMAIN: relay-api.xyz": [[287, 300]], "URL: http://nodeproxy.xyz/callback": [[319, 348]], "MALWARE: AgentTesla": [[359, 369]], "HASH: 1ca174c0cf3db898a4ae7f0523145b26e0479387": [[377, 417]], "FILEPATH: C:\\Users\\admin\\Desktop\\shell.php": [[445, 477]], "IP_ADDRESS: 10.180.123.205": [[502, 516]]}, "info": {"id": "synth_v2_00895", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: SentinelOne identified a large-scale phishing operation. Emails originated from report@phishing-domain.com and admin@auth-check.org, spoofing legitimate services. Victims were directed to https://gatewayapi.tech/gate.php which hosted a credential harvesting page on cache-proxy.cc. A secondary link http://api-storage.live/callback delivered DarkSide (MD5: dcb7bc72e41d570176986f6a2f689ee9). The malware was saved to C:\\Users\\Public\\Documents\\taskhost.exe and established C2 with 75.126.201.245.", "spans": {"ORGANIZATION: SentinelOne": [[26, 37]], "EMAIL: report@phishing-domain.com": [[106, 132]], "EMAIL: admin@auth-check.org": [[137, 157]], "URL: https://gatewayapi.tech/gate.php": [[214, 246]], "DOMAIN: cache-proxy.cc": [[292, 306]], "URL: http://api-storage.live/callback": [[325, 357]], "MALWARE: DarkSide": [[368, 376]], "HASH: dcb7bc72e41d570176986f6a2f689ee9": [[383, 415]], "FILEPATH: C:\\Users\\Public\\Documents\\taskhost.exe": [[443, 481]], "IP_ADDRESS: 75.126.201.245": [[506, 520]]}, "info": {"id": "synth_v2_00896", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: NSA identified a large-scale phishing operation. Emails originated from report@phishing-domain.com and noreply@urgent-notice.online, spoofing legitimate services. 
Victims were directed to http://proxy-proxy.org/login which hosted a credential harvesting page on storage-data.info. A secondary link http://edge-static.site/callback delivered DarkSide (SHA256: 9883f88e3bca20ebf700f15e6f7ce5f574c9a321c926e9b473782387f14e2c84). The malware was saved to C:\\Users\\admin\\Desktop\\backdoor.elf and established C2 with 18.211.39.9.", "spans": {"ORGANIZATION: NSA": [[26, 29]], "EMAIL: report@phishing-domain.com": [[98, 124]], "EMAIL: noreply@urgent-notice.online": [[129, 157]], "URL: http://proxy-proxy.org/login": [[214, 242]], "DOMAIN: storage-data.info": [[288, 305]], "URL: http://edge-static.site/callback": [[324, 356]], "MALWARE: DarkSide": [[367, 375]], "HASH: 9883f88e3bca20ebf700f15e6f7ce5f574c9a321c926e9b473782387f14e2c84": [[385, 449]], "FILEPATH: C:\\Users\\admin\\Desktop\\backdoor.elf": [[477, 512]], "IP_ADDRESS: 18.211.39.9": [[537, 548]]}, "info": {"id": "synth_v2_00897", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Kaspersky GReAT identified a large-scale phishing operation. Emails originated from alert@document-share.link and updates@auth-check.org, spoofing legitimate services. Victims were directed to https://storage-edge.live/callback which hosted a credential harvesting page on login-proxy.xyz. A secondary link hxxps://cdnmail.net/wp-content/uploads/doc.php delivered Emotet (SHA256: b7ae0d3f44c01a3cba737a7dbea9a291effeecc22040109c2ad56203959ca587). 
The malware was saved to /dev/shm/ntds.dit and established C2 with 172.68.52.68.", "spans": {"ORGANIZATION: Kaspersky GReAT": [[26, 41]], "EMAIL: alert@document-share.link": [[110, 135]], "EMAIL: updates@auth-check.org": [[140, 162]], "URL: https://storage-edge.live/callback": [[219, 253]], "DOMAIN: login-proxy.xyz": [[299, 314]], "URL: hxxps://cdnmail.net/wp-content/uploads/doc.php": [[333, 379]], "MALWARE: Emotet": [[390, 396]], "HASH: b7ae0d3f44c01a3cba737a7dbea9a291effeecc22040109c2ad56203959ca587": [[406, 470]], "FILEPATH: /dev/shm/ntds.dit": [[498, 515]], "IP_ADDRESS: 172.68.52.68": [[540, 552]]}, "info": {"id": "synth_v2_00898", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Google TAG identified a large-scale phishing operation. Emails originated from hr@mail-service.info and updates@secure-verify.net, spoofing legitimate services. Victims were directed to hxxp://cache-storage.link/login which hosted a credential harvesting page on staticupdate.cc. A secondary link http://cachecdn.site/callback delivered DarkSide (SHA1: 9be20a73967c65f34d39ee66230cc0f4a783c755). The malware was saved to /usr/local/bin/implant.so and established C2 with 196.138.163.194.", "spans": {"ORGANIZATION: Google TAG": [[26, 36]], "EMAIL: hr@mail-service.info": [[105, 125]], "EMAIL: updates@secure-verify.net": [[130, 155]], "URL: hxxp://cache-storage.link/login": [[212, 243]], "DOMAIN: staticupdate.cc": [[289, 304]], "URL: http://cachecdn.site/callback": [[323, 352]], "MALWARE: DarkSide": [[363, 371]], "HASH: 9be20a73967c65f34d39ee66230cc0f4a783c755": [[379, 419]], "FILEPATH: /usr/local/bin/implant.so": [[447, 472]], "IP_ADDRESS: 196.138.163.194": [[497, 512]]}, "info": {"id": "synth_v2_00899", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Cisco Talos identified a large-scale phishing operation. Emails originated from it@secure-verify.net and helpdesk@auth-check.org, spoofing legitimate services. 
Victims were directed to http://loginproxy.net/portal/verify which hosted a credential harvesting page on synccdn.xyz. A secondary link hxxps://update-gateway.link/api/v2/auth delivered AsyncRAT (SHA1: 533af5d8a1bc2564927972a3e74d51c04ee4720d). The malware was saved to C:\\ProgramData\\loader.exe and established C2 with 53.240.226.167.", "spans": {"ORGANIZATION: Cisco Talos": [[26, 37]], "EMAIL: it@secure-verify.net": [[106, 126]], "EMAIL: helpdesk@auth-check.org": [[131, 154]], "URL: http://loginproxy.net/portal/verify": [[211, 246]], "DOMAIN: synccdn.xyz": [[292, 303]], "URL: hxxps://update-gateway.link/api/v2/auth": [[322, 361]], "MALWARE: AsyncRAT": [[372, 380]], "HASH: 533af5d8a1bc2564927972a3e74d51c04ee4720d": [[388, 428]], "FILEPATH: C:\\ProgramData\\loader.exe": [[456, 481]], "IP_ADDRESS: 53.240.226.167": [[506, 520]]}, "info": {"id": "synth_v2_00900", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: NSA identified a large-scale phishing operation. Emails originated from it@urgent-notice.online and helpdesk@login-portal.tech, spoofing legitimate services. Victims were directed to http://portal-backup.link/gate.php which hosted a credential harvesting page on static-auth.tech. A secondary link hxxps://sync-auth.xyz/collect delivered Hive (SHA1: 436bcec69aa7b3007157be97c8dbfdc91861a5e2). 
The malware was saved to C:\\Program Files\\Common Files\\svchost.exe and established C2 with 192.65.202.35.", "spans": {"ORGANIZATION: NSA": [[26, 29]], "EMAIL: it@urgent-notice.online": [[98, 121]], "EMAIL: helpdesk@login-portal.tech": [[126, 152]], "URL: http://portal-backup.link/gate.php": [[209, 243]], "DOMAIN: static-auth.tech": [[289, 305]], "URL: hxxps://sync-auth.xyz/collect": [[324, 353]], "MALWARE: Hive": [[364, 368]], "HASH: 436bcec69aa7b3007157be97c8dbfdc91861a5e2": [[376, 416]], "FILEPATH: C:\\Program Files\\Common Files\\svchost.exe": [[444, 485]], "IP_ADDRESS: 192.65.202.35": [[510, 523]]}, "info": {"id": "synth_v2_00901", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Secureworks identified a large-scale phishing operation. Emails originated from it@mail-service.info and security@phishing-domain.com, spoofing legitimate services. Victims were directed to hxxp://apisecure.live/api/v2/auth which hosted a credential harvesting page on syncapi.com. A secondary link hxxp://mail-relay.online/login delivered QakBot (SHA1: 77846fb590500bbd5c8fc8cb6f45e76e959e178c). The malware was saved to /dev/shm/shell.php and established C2 with 26.110.81.70.", "spans": {"ORGANIZATION: Secureworks": [[26, 37]], "EMAIL: it@mail-service.info": [[106, 126]], "EMAIL: security@phishing-domain.com": [[131, 159]], "URL: hxxp://apisecure.live/api/v2/auth": [[216, 249]], "DOMAIN: syncapi.com": [[295, 306]], "URL: hxxp://mail-relay.online/login": [[325, 355]], "MALWARE: QakBot": [[366, 372]], "HASH: 77846fb590500bbd5c8fc8cb6f45e76e959e178c": [[380, 420]], "FILEPATH: /dev/shm/shell.php": [[448, 466]], "IP_ADDRESS: 26.110.81.70": [[491, 503]]}, "info": {"id": "synth_v2_00902", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Dragos identified a large-scale phishing operation. Emails originated from it@login-portal.tech and confirm@secure-verify.net, spoofing legitimate services. 
Victims were directed to https://static-proxy.club/api/v2/auth which hosted a credential harvesting page on loginportal.info. A secondary link http://login-sync.io/login delivered DanaBot (SHA256: 8933a93338b8ff6d28fa75b4a16c6eb306c3d0e54bb8849755ae38e1eb93fc27). The malware was saved to C:\\Users\\admin\\Downloads\\config.dat and established C2 with 21.253.152.204.", "spans": {"ORGANIZATION: Dragos": [[26, 32]], "EMAIL: it@login-portal.tech": [[101, 121]], "EMAIL: confirm@secure-verify.net": [[126, 151]], "URL: https://static-proxy.club/api/v2/auth": [[208, 245]], "DOMAIN: loginportal.info": [[291, 307]], "URL: http://login-sync.io/login": [[326, 352]], "MALWARE: DanaBot": [[363, 370]], "HASH: 8933a93338b8ff6d28fa75b4a16c6eb306c3d0e54bb8849755ae38e1eb93fc27": [[380, 444]], "FILEPATH: C:\\Users\\admin\\Downloads\\config.dat": [[472, 507]], "IP_ADDRESS: 21.253.152.204": [[532, 546]]}, "info": {"id": "synth_v2_00903", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: FBI identified a large-scale phishing operation. Emails originated from noreply@account-update.xyz and finance@phishing-domain.com, spoofing legitimate services. Victims were directed to hxxps://cloudsecure.site/api/v2/auth which hosted a credential harvesting page on authportal.xyz. A secondary link http://cdn-cloud.info/panel/index.html delivered QakBot (SHA256: 4e530da80209dadd414e6d5f89c746edcfd105a4671d11f0480aaf5784a9e74a). 
The malware was saved to C:\\Windows\\System32\\dropper.ps1 and established C2 with 115.86.28.240.", "spans": {"ORGANIZATION: FBI": [[26, 29]], "EMAIL: noreply@account-update.xyz": [[98, 124]], "EMAIL: finance@phishing-domain.com": [[129, 156]], "URL: hxxps://cloudsecure.site/api/v2/auth": [[213, 249]], "DOMAIN: authportal.xyz": [[295, 309]], "URL: http://cdn-cloud.info/panel/index.html": [[328, 366]], "MALWARE: QakBot": [[377, 383]], "HASH: 4e530da80209dadd414e6d5f89c746edcfd105a4671d11f0480aaf5784a9e74a": [[393, 457]], "FILEPATH: C:\\Windows\\System32\\dropper.ps1": [[485, 516]], "IP_ADDRESS: 115.86.28.240": [[541, 554]]}, "info": {"id": "synth_v2_00904", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: INTERPOL identified a large-scale phishing operation. Emails originated from noreply@phishing-domain.com and support@document-share.link, spoofing legitimate services. Victims were directed to http://dataportal.dev/assets/js/payload.js which hosted a credential harvesting page on update-storage.online. A secondary link hxxp://api-cache.tech/callback delivered Amadey (MD5: b65810763d73a98074710263afe3a908). The malware was saved to C:\\Windows\\Temp\\update.dll and established C2 with 172.124.69.86.", "spans": {"ORGANIZATION: INTERPOL": [[26, 34]], "EMAIL: noreply@phishing-domain.com": [[103, 130]], "EMAIL: support@document-share.link": [[135, 162]], "URL: http://dataportal.dev/assets/js/payload.js": [[219, 261]], "DOMAIN: update-storage.online": [[307, 328]], "URL: hxxp://api-cache.tech/callback": [[347, 377]], "MALWARE: Amadey": [[388, 394]], "HASH: b65810763d73a98074710263afe3a908": [[401, 433]], "FILEPATH: C:\\Windows\\Temp\\update.dll": [[461, 487]], "IP_ADDRESS: 172.124.69.86": [[512, 525]]}, "info": {"id": "synth_v2_00905", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: FBI identified a large-scale phishing operation. 
Emails originated from notification@phishing-domain.com and admin@credential-check.site, spoofing legitimate services. Victims were directed to hxxp://static-relay.net/login which hosted a credential harvesting page on cachecdn.club. A secondary link hxxps://securesecure.net/wp-content/uploads/doc.php delivered BatLoader (SHA256: 9c6a97fa0f97651517ff045abbf104965344379689816357b54082f07e95bc88). The malware was saved to C:\\Users\\admin\\Desktop\\beacon.dll and established C2 with 10.61.12.206.", "spans": {"ORGANIZATION: FBI": [[26, 29]], "EMAIL: notification@phishing-domain.com": [[98, 130]], "EMAIL: admin@credential-check.site": [[135, 162]], "URL: hxxp://static-relay.net/login": [[219, 248]], "DOMAIN: cachecdn.club": [[294, 307]], "URL: hxxps://securesecure.net/wp-content/uploads/doc.php": [[326, 377]], "MALWARE: BatLoader": [[388, 397]], "HASH: 9c6a97fa0f97651517ff045abbf104965344379689816357b54082f07e95bc88": [[407, 471]], "FILEPATH: C:\\Users\\admin\\Desktop\\beacon.dll": [[499, 532]], "IP_ADDRESS: 10.61.12.206": [[557, 569]]}, "info": {"id": "synth_v2_00906", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Huntress identified a large-scale phishing operation. Emails originated from hr@auth-check.org and hr@identity-verify.cc, spoofing legitimate services. Victims were directed to hxxp://proxy-auth.cc/panel/index.html which hosted a credential harvesting page on gateway-cdn.org. A secondary link https://proxy-update.online/portal/verify delivered Play (MD5: 25f49454f877341e0c3e37632333541d). 
The malware was saved to /home/user/.config/payload.bin and established C2 with 172.73.47.166.", "spans": {"ORGANIZATION: Huntress": [[26, 34]], "EMAIL: hr@auth-check.org": [[103, 120]], "EMAIL: hr@identity-verify.cc": [[125, 146]], "URL: hxxp://proxy-auth.cc/panel/index.html": [[203, 240]], "DOMAIN: gateway-cdn.org": [[286, 301]], "URL: https://proxy-update.online/portal/verify": [[320, 361]], "MALWARE: Play": [[372, 376]], "HASH: 25f49454f877341e0c3e37632333541d": [[383, 415]], "FILEPATH: /home/user/.config/payload.bin": [[443, 473]], "IP_ADDRESS: 172.73.47.166": [[498, 511]]}, "info": {"id": "synth_v2_00907", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Zscaler ThreatLabz identified a large-scale phishing operation. Emails originated from service@phishing-domain.com and noreply@auth-check.org, spoofing legitimate services. Victims were directed to hxxps://cloud-cache.info/download/update.exe which hosted a credential harvesting page on portal-static.com. A secondary link http://cache-sync.info/gate.php delivered Royal (SHA256: 020eea7df28f93622f29278c3b94c1f76b8e3d59e6b5bee30ba0095eb0347cdc). The malware was saved to C:\\Program Files\\Common Files\\csrss.exe and established C2 with 25.115.66.121.", "spans": {"ORGANIZATION: Zscaler ThreatLabz": [[26, 44]], "EMAIL: service@phishing-domain.com": [[113, 140]], "EMAIL: noreply@auth-check.org": [[145, 167]], "URL: hxxps://cloud-cache.info/download/update.exe": [[224, 268]], "DOMAIN: portal-static.com": [[314, 331]], "URL: http://cache-sync.info/gate.php": [[350, 381]], "MALWARE: Royal": [[392, 397]], "HASH: 020eea7df28f93622f29278c3b94c1f76b8e3d59e6b5bee30ba0095eb0347cdc": [[407, 471]], "FILEPATH: C:\\Program Files\\Common Files\\csrss.exe": [[499, 538]], "IP_ADDRESS: 25.115.66.121": [[563, 576]]}, "info": {"id": "synth_v2_00908", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Europol identified a large-scale phishing operation. 
Emails originated from contact@secure-verify.net and updates@document-share.link, spoofing legitimate services. Victims were directed to hxxp://edgeupdate.top/portal/verify which hosted a credential harvesting page on cdnlogin.net. A secondary link https://mailcache.io/api/v2/auth delivered Ryuk (SHA1: b02ebc3ccd0a0e848159f1f2079e6663005a5b70). The malware was saved to C:\\Users\\Public\\Documents\\winlogon.exe and established C2 with 10.220.207.194.", "spans": {"ORGANIZATION: Europol": [[26, 33]], "EMAIL: contact@secure-verify.net": [[102, 127]], "EMAIL: updates@document-share.link": [[132, 159]], "URL: hxxp://edgeupdate.top/portal/verify": [[216, 251]], "DOMAIN: cdnlogin.net": [[297, 309]], "URL: https://mailcache.io/api/v2/auth": [[328, 360]], "MALWARE: Ryuk": [[371, 375]], "HASH: b02ebc3ccd0a0e848159f1f2079e6663005a5b70": [[383, 423]], "FILEPATH: C:\\Users\\Public\\Documents\\winlogon.exe": [[451, 489]], "IP_ADDRESS: 10.220.207.194": [[514, 528]]}, "info": {"id": "synth_v2_00909", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: NSA identified a large-scale phishing operation. Emails originated from finance@document-share.link and confirm@identity-verify.cc, spoofing legitimate services. Victims were directed to http://proxyedge.site/download/update.exe which hosted a credential harvesting page on backuprelay.info. A secondary link hxxps://relay-portal.com/panel/index.html delivered TrickBot (SHA1: 40b463ed4ba6b8c5fb67cf1dd1facb58df8323e2). 
The malware was saved to /var/tmp/sam.hive and established C2 with 192.56.16.126.", "spans": {"ORGANIZATION: NSA": [[26, 29]], "EMAIL: finance@document-share.link": [[98, 125]], "EMAIL: confirm@identity-verify.cc": [[130, 156]], "URL: http://proxyedge.site/download/update.exe": [[213, 254]], "DOMAIN: backuprelay.info": [[300, 316]], "URL: hxxps://relay-portal.com/panel/index.html": [[335, 376]], "MALWARE: TrickBot": [[387, 395]], "HASH: 40b463ed4ba6b8c5fb67cf1dd1facb58df8323e2": [[403, 443]], "FILEPATH: /var/tmp/sam.hive": [[471, 488]], "IP_ADDRESS: 192.56.16.126": [[513, 526]]}, "info": {"id": "synth_v2_00910", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: NSA identified a large-scale phishing operation. Emails originated from finance@document-share.link and notification@account-update.xyz, spoofing legitimate services. Victims were directed to hxxps://gateway-backup.com/callback which hosted a credential harvesting page on datasync.io. A secondary link hxxp://portal-static.club/wp-content/uploads/doc.php delivered SystemBC (MD5: b767b2e84d8ece2f6d0342b75ed0e898). The malware was saved to /usr/local/bin/sam.hive and established C2 with 192.80.60.58.", "spans": {"ORGANIZATION: NSA": [[26, 29]], "EMAIL: finance@document-share.link": [[98, 125]], "EMAIL: notification@account-update.xyz": [[130, 161]], "URL: hxxps://gateway-backup.com/callback": [[218, 253]], "DOMAIN: datasync.io": [[299, 310]], "URL: hxxp://portal-static.club/wp-content/uploads/doc.php": [[329, 381]], "MALWARE: SystemBC": [[392, 400]], "HASH: b767b2e84d8ece2f6d0342b75ed0e898": [[407, 439]], "FILEPATH: /usr/local/bin/sam.hive": [[467, 490]], "IP_ADDRESS: 192.80.60.58": [[515, 527]]}, "info": {"id": "synth_v2_00911", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: CrowdStrike identified a large-scale phishing operation. Emails originated from notification@urgent-notice.online and contact@auth-check.org, spoofing legitimate services. 
Victims were directed to hxxps://gatewaysecure.org/download/update.exe which hosted a credential harvesting page on update-mail.dev. A secondary link http://secure-cloud.club/admin/config delivered NjRAT (SHA256: fd94894a16772fc852de488d158c774a62eacef12116e733614f9eaf93814fb9). The malware was saved to /tmp/svchost.exe and established C2 with 10.9.192.64.", "spans": {"ORGANIZATION: CrowdStrike": [[26, 37]], "EMAIL: notification@urgent-notice.online": [[106, 139]], "EMAIL: contact@auth-check.org": [[144, 166]], "URL: hxxps://gatewaysecure.org/download/update.exe": [[223, 268]], "DOMAIN: update-mail.dev": [[314, 329]], "URL: http://secure-cloud.club/admin/config": [[348, 385]], "MALWARE: NjRAT": [[396, 401]], "HASH: fd94894a16772fc852de488d158c774a62eacef12116e733614f9eaf93814fb9": [[411, 475]], "FILEPATH: /tmp/svchost.exe": [[503, 519]], "IP_ADDRESS: 10.9.192.64": [[544, 555]]}, "info": {"id": "synth_v2_00912", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Tenable identified a large-scale phishing operation. Emails originated from finance@identity-verify.cc and updates@login-portal.tech, spoofing legitimate services. Victims were directed to hxxps://static-update.com/api/v2/auth which hosted a credential harvesting page on portal-cache.link. A secondary link hxxps://authportal.link/login delivered LockBit (SHA256: 683537f5f02ae8c0159f6acfcbb909575eb8bdd8fee31761abde64978382b4f6). 
The malware was saved to C:\\Windows\\System32\\beacon.dll and established C2 with 172.235.22.100.", "spans": {"ORGANIZATION: Tenable": [[26, 33]], "EMAIL: finance@identity-verify.cc": [[102, 128]], "EMAIL: updates@login-portal.tech": [[133, 158]], "URL: hxxps://static-update.com/api/v2/auth": [[215, 252]], "DOMAIN: portal-cache.link": [[298, 315]], "URL: hxxps://authportal.link/login": [[334, 363]], "MALWARE: LockBit": [[374, 381]], "HASH: 683537f5f02ae8c0159f6acfcbb909575eb8bdd8fee31761abde64978382b4f6": [[391, 455]], "FILEPATH: C:\\Windows\\System32\\beacon.dll": [[483, 513]], "IP_ADDRESS: 172.235.22.100": [[538, 552]]}, "info": {"id": "synth_v2_00913", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Volexity identified a large-scale phishing operation. Emails originated from admin@urgent-notice.online and ceo@mail-service.info, spoofing legitimate services. Victims were directed to https://edge-gateway.online/callback which hosted a credential harvesting page on data-gateway.net. A secondary link https://cdn-cdn.com/admin/config delivered Ryuk (SHA256: c1547549316258ca58cf61442f777b5f1f9a6c3aa89da7c89417df160ae17c29). The malware was saved to C:\\Windows\\Tasks\\chrome_helper.exe and established C2 with 192.43.162.24.", "spans": {"ORGANIZATION: Volexity": [[26, 34]], "EMAIL: admin@urgent-notice.online": [[103, 129]], "EMAIL: ceo@mail-service.info": [[134, 155]], "URL: https://edge-gateway.online/callback": [[212, 248]], "DOMAIN: data-gateway.net": [[294, 310]], "URL: https://cdn-cdn.com/admin/config": [[329, 361]], "MALWARE: Ryuk": [[372, 376]], "HASH: c1547549316258ca58cf61442f777b5f1f9a6c3aa89da7c89417df160ae17c29": [[386, 450]], "FILEPATH: C:\\Windows\\Tasks\\chrome_helper.exe": [[478, 512]], "IP_ADDRESS: 192.43.162.24": [[537, 550]]}, "info": {"id": "synth_v2_00914", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Kaspersky GReAT identified a large-scale phishing operation. 
Emails originated from report@urgent-notice.online and it@mail-service.info, spoofing legitimate services. Victims were directed to https://nodelogin.link/download/update.exe which hosted a credential harvesting page on cloudstorage.link. A secondary link hxxps://cloud-sync.link/api/v2/auth delivered BumbleBee (MD5: d6cf4c31d7b62faca89029882d5902b1). The malware was saved to C:\\Program Files\\Common Files\\svchost.exe and established C2 with 83.192.128.73.", "spans": {"ORGANIZATION: Kaspersky GReAT": [[26, 41]], "EMAIL: report@urgent-notice.online": [[110, 137]], "EMAIL: it@mail-service.info": [[142, 162]], "URL: https://nodelogin.link/download/update.exe": [[219, 261]], "DOMAIN: cloudstorage.link": [[307, 324]], "URL: hxxps://cloud-sync.link/api/v2/auth": [[343, 378]], "MALWARE: BumbleBee": [[389, 398]], "HASH: d6cf4c31d7b62faca89029882d5902b1": [[405, 437]], "FILEPATH: C:\\Program Files\\Common Files\\svchost.exe": [[465, 506]], "IP_ADDRESS: 83.192.128.73": [[531, 544]]}, "info": {"id": "synth_v2_00915", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Check Point Research identified a large-scale phishing operation. Emails originated from notification@mail-service.info and service@identity-verify.cc, spoofing legitimate services. Victims were directed to hxxps://logincdn.net/panel/index.html which hosted a credential harvesting page on node-login.dev. A secondary link hxxp://sync-update.link/assets/js/payload.js delivered BlackCat (SHA256: 21ffb20ef4d851ecba27c2772a38ac7d43e6027cc218b2bf982a5b6ab6d8634b). 
The malware was saved to C:\\Windows\\Tasks\\implant.so and established C2 with 1.76.200.37.", "spans": {"ORGANIZATION: Check Point Research": [[26, 46]], "EMAIL: notification@mail-service.info": [[115, 145]], "EMAIL: service@identity-verify.cc": [[150, 176]], "URL: hxxps://logincdn.net/panel/index.html": [[233, 270]], "DOMAIN: node-login.dev": [[316, 330]], "URL: hxxp://sync-update.link/assets/js/payload.js": [[349, 393]], "MALWARE: BlackCat": [[404, 412]], "HASH: 21ffb20ef4d851ecba27c2772a38ac7d43e6027cc218b2bf982a5b6ab6d8634b": [[422, 486]], "FILEPATH: C:\\Windows\\Tasks\\implant.so": [[514, 541]], "IP_ADDRESS: 1.76.200.37": [[566, 577]]}, "info": {"id": "synth_v2_00916", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: CrowdStrike identified a large-scale phishing operation. Emails originated from support@urgent-notice.online and it@urgent-notice.online, spoofing legitimate services. Victims were directed to https://proxy-sync.club/download/update.exe which hosted a credential harvesting page on securedata.tech. A secondary link hxxp://datamail.top/callback delivered ShadowPad (SHA256: c6d19b0e123b234e3950b62fde9f712dd0055a6abde50d6edd50197a4998f1de). The malware was saved to /home/user/.config/chrome_helper.exe and established C2 with 192.48.71.142.", "spans": {"ORGANIZATION: CrowdStrike": [[26, 37]], "EMAIL: support@urgent-notice.online": [[106, 134]], "EMAIL: it@urgent-notice.online": [[139, 162]], "URL: https://proxy-sync.club/download/update.exe": [[219, 262]], "DOMAIN: securedata.tech": [[308, 323]], "URL: hxxp://datamail.top/callback": [[342, 370]], "MALWARE: ShadowPad": [[381, 390]], "HASH: c6d19b0e123b234e3950b62fde9f712dd0055a6abde50d6edd50197a4998f1de": [[400, 464]], "FILEPATH: /home/user/.config/chrome_helper.exe": [[492, 528]], "IP_ADDRESS: 192.48.71.142": [[553, 566]]}, "info": {"id": "synth_v2_00917", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Kaspersky GReAT identified a large-scale phishing operation. 
Emails originated from ceo@secure-verify.net and confirm@secure-verify.net, spoofing legitimate services. Victims were directed to https://apisecure.link/secure/token which hosted a credential harvesting page on staticsecure.xyz. A secondary link hxxps://backup-portal.net/login delivered QakBot (MD5: 346425f10741b14b073f868c85b443c3). The malware was saved to C:\\Program Files\\Common Files\\svchost.exe and established C2 with 10.65.124.134.", "spans": {"ORGANIZATION: Kaspersky GReAT": [[26, 41]], "EMAIL: ceo@secure-verify.net": [[110, 131]], "EMAIL: confirm@secure-verify.net": [[136, 161]], "URL: https://apisecure.link/secure/token": [[218, 253]], "DOMAIN: staticsecure.xyz": [[299, 315]], "URL: hxxps://backup-portal.net/login": [[334, 365]], "MALWARE: QakBot": [[376, 382]], "HASH: 346425f10741b14b073f868c85b443c3": [[389, 421]], "FILEPATH: C:\\Program Files\\Common Files\\svchost.exe": [[449, 490]], "IP_ADDRESS: 10.65.124.134": [[515, 528]]}, "info": {"id": "synth_v2_00918", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Volexity identified a large-scale phishing operation. Emails originated from noreply@credential-check.site and info@phishing-domain.com, spoofing legitimate services. Victims were directed to hxxp://secure-cloud.dev/collect which hosted a credential harvesting page on edgemail.com. A secondary link hxxp://apimail.net/login delivered Qbot (MD5: 68b8e891e8185a00039ea8a0bfd66a23). 
The malware was saved to C:\\Program Files\\Common Files\\winlogon.exe and established C2 with 192.132.159.98.", "spans": {"ORGANIZATION: Volexity": [[26, 34]], "EMAIL: noreply@credential-check.site": [[103, 132]], "EMAIL: info@phishing-domain.com": [[137, 161]], "URL: hxxp://secure-cloud.dev/collect": [[218, 249]], "DOMAIN: edgemail.com": [[295, 307]], "URL: hxxp://apimail.net/login": [[326, 350]], "MALWARE: Qbot": [[361, 365]], "HASH: 68b8e891e8185a00039ea8a0bfd66a23": [[372, 404]], "FILEPATH: C:\\Program Files\\Common Files\\winlogon.exe": [[432, 474]], "IP_ADDRESS: 192.132.159.98": [[499, 513]]}, "info": {"id": "synth_v2_00919", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Volexity identified a large-scale phishing operation. Emails originated from support@mail-service.info and security@account-update.xyz, spoofing legitimate services. Victims were directed to https://gatewaydata.live/callback which hosted a credential harvesting page on mail-proxy.club. A secondary link https://auth-static.net/wp-content/uploads/doc.php delivered Royal (MD5: 0ba67cf6be506e816c20ec20030c7edf). The malware was saved to /dev/shm/payload.bin and established C2 with 61.179.215.22.", "spans": {"ORGANIZATION: Volexity": [[26, 34]], "EMAIL: support@mail-service.info": [[103, 128]], "EMAIL: security@account-update.xyz": [[133, 160]], "URL: https://gatewaydata.live/callback": [[217, 250]], "DOMAIN: mail-proxy.club": [[296, 311]], "URL: https://auth-static.net/wp-content/uploads/doc.php": [[330, 380]], "MALWARE: Royal": [[391, 396]], "HASH: 0ba67cf6be506e816c20ec20030c7edf": [[403, 435]], "FILEPATH: /dev/shm/payload.bin": [[463, 483]], "IP_ADDRESS: 61.179.215.22": [[508, 521]]}, "info": {"id": "synth_v2_00920", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Kaspersky GReAT identified a large-scale phishing operation. Emails originated from verify@identity-verify.cc and confirm@account-update.xyz, spoofing legitimate services. 
Victims were directed to hxxp://storage-auth.club/gate.php which hosted a credential harvesting page on mailportal.org. A secondary link http://portal-relay.com/callback delivered BlackCat (SHA256: aebc9934bf1d5fa730d047987251de7ac87fb69773bb26fa67dffbace7810af7). The malware was saved to C:\\Windows\\Tasks\\ntds.dit and established C2 with 131.138.150.122.", "spans": {"ORGANIZATION: Kaspersky GReAT": [[26, 41]], "EMAIL: verify@identity-verify.cc": [[110, 135]], "EMAIL: confirm@account-update.xyz": [[140, 166]], "URL: hxxp://storage-auth.club/gate.php": [[223, 256]], "DOMAIN: mailportal.org": [[302, 316]], "URL: http://portal-relay.com/callback": [[335, 367]], "MALWARE: BlackCat": [[378, 386]], "HASH: aebc9934bf1d5fa730d047987251de7ac87fb69773bb26fa67dffbace7810af7": [[396, 460]], "FILEPATH: C:\\Windows\\Tasks\\ntds.dit": [[488, 513]], "IP_ADDRESS: 131.138.150.122": [[538, 553]]}, "info": {"id": "synth_v2_00921", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Rapid7 identified a large-scale phishing operation. Emails originated from updates@secure-verify.net and security@document-share.link, spoofing legitimate services. Victims were directed to hxxps://cloud-mail.com/callback which hosted a credential harvesting page on login-data.tech. A secondary link http://node-backup.io/portal/verify delivered SystemBC (SHA256: 4f37ce1a20322a17f0fa7cb7787a9e35b63b63eaab1641d071b3664b9a81fb1c). 
The malware was saved to /home/user/.config/update.dll and established C2 with 186.214.193.141.", "spans": {"ORGANIZATION: Rapid7": [[26, 32]], "EMAIL: updates@secure-verify.net": [[101, 126]], "EMAIL: security@document-share.link": [[131, 159]], "URL: hxxps://cloud-mail.com/callback": [[216, 247]], "DOMAIN: login-data.tech": [[293, 308]], "URL: http://node-backup.io/portal/verify": [[327, 362]], "MALWARE: SystemBC": [[373, 381]], "HASH: 4f37ce1a20322a17f0fa7cb7787a9e35b63b63eaab1641d071b3664b9a81fb1c": [[391, 455]], "FILEPATH: /home/user/.config/update.dll": [[483, 512]], "IP_ADDRESS: 186.214.193.141": [[537, 552]]}, "info": {"id": "synth_v2_00922", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Huntress identified a large-scale phishing operation. Emails originated from noreply@secure-verify.net and noreply@secure-verify.net, spoofing legitimate services. Victims were directed to https://gatewaysync.cc/download/update.exe which hosted a credential harvesting page on syncbackup.top. A secondary link hxxp://synccache.link/login delivered Dridex (SHA256: e24013265f68e863b0f7b101cf166fb0b86d57885f51f5a46f8dcb0065186697). The malware was saved to C:\\Users\\Public\\Documents\\implant.so and established C2 with 199.100.41.136.", "spans": {"ORGANIZATION: Huntress": [[26, 34]], "EMAIL: noreply@secure-verify.net": [[103, 128], [103, 128]], "URL: https://gatewaysync.cc/download/update.exe": [[215, 257]], "DOMAIN: syncbackup.top": [[303, 317]], "URL: hxxp://synccache.link/login": [[336, 363]], "MALWARE: Dridex": [[374, 380]], "HASH: e24013265f68e863b0f7b101cf166fb0b86d57885f51f5a46f8dcb0065186697": [[390, 454]], "FILEPATH: C:\\Users\\Public\\Documents\\implant.so": [[482, 518]], "IP_ADDRESS: 199.100.41.136": [[543, 557]]}, "info": {"id": "synth_v2_00923", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Rapid7 identified a large-scale phishing operation. 
Emails originated from noreply@credential-check.site and helpdesk@phishing-domain.com, spoofing legitimate services. Victims were directed to https://databackup.xyz/admin/config which hosted a credential harvesting page on node-node.info. A secondary link hxxp://nodenode.link/assets/js/payload.js delivered Lumma Stealer (MD5: 417c799df483476277b5e10d9f438d1e). The malware was saved to C:\\Windows\\Temp\\lsass.dmp and established C2 with 67.9.177.217.", "spans": {"ORGANIZATION: Rapid7": [[26, 32]], "EMAIL: noreply@credential-check.site": [[101, 130]], "EMAIL: helpdesk@phishing-domain.com": [[135, 163]], "URL: https://databackup.xyz/admin/config": [[220, 255]], "DOMAIN: node-node.info": [[301, 315]], "URL: hxxp://nodenode.link/assets/js/payload.js": [[334, 375]], "MALWARE: Lumma Stealer": [[386, 399]], "HASH: 417c799df483476277b5e10d9f438d1e": [[406, 438]], "FILEPATH: C:\\Windows\\Temp\\lsass.dmp": [[466, 491]], "IP_ADDRESS: 67.9.177.217": [[516, 528]]}, "info": {"id": "synth_v2_00924", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Dragos identified a large-scale phishing operation. Emails originated from alert@secure-verify.net and support@account-update.xyz, spoofing legitimate services. Victims were directed to hxxp://secure-mail.info/admin/config which hosted a credential harvesting page on cdnbackup.cc. A secondary link hxxps://apisecure.xyz/api/v2/auth delivered PikaBot (SHA256: 99d7e700590147b8db85ffa272a8e0d70dcda1ee7acab74dd8171f66a26b6438). 
The malware was saved to /var/tmp/beacon.dll and established C2 with 10.197.27.253.", "spans": {"ORGANIZATION: Dragos": [[26, 32]], "EMAIL: alert@secure-verify.net": [[101, 124]], "EMAIL: support@account-update.xyz": [[129, 155]], "URL: hxxp://secure-mail.info/admin/config": [[212, 248]], "DOMAIN: cdnbackup.cc": [[294, 306]], "URL: hxxps://apisecure.xyz/api/v2/auth": [[325, 358]], "MALWARE: PikaBot": [[369, 376]], "HASH: 99d7e700590147b8db85ffa272a8e0d70dcda1ee7acab74dd8171f66a26b6438": [[386, 450]], "FILEPATH: /var/tmp/beacon.dll": [[478, 497]], "IP_ADDRESS: 10.197.27.253": [[522, 535]]}, "info": {"id": "synth_v2_00925", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Volexity identified a large-scale phishing operation. Emails originated from support@login-portal.tech and security@phishing-domain.com, spoofing legitimate services. Victims were directed to hxxps://auth-static.online/api/v2/auth which hosted a credential harvesting page on authdata.net. A secondary link hxxp://sync-cdn.com/portal/verify delivered Qbot (SHA256: d0b5484a1aaddea8fa4a6fca035c1e996bd14e1021c62ac152cd24e41daf0fc2). The malware was saved to C:\\Windows\\Tasks\\dropper.ps1 and established C2 with 12.53.198.227.", "spans": {"ORGANIZATION: Volexity": [[26, 34]], "EMAIL: support@login-portal.tech": [[103, 128]], "EMAIL: security@phishing-domain.com": [[133, 161]], "URL: hxxps://auth-static.online/api/v2/auth": [[218, 256]], "DOMAIN: authdata.net": [[302, 314]], "URL: hxxp://sync-cdn.com/portal/verify": [[333, 366]], "MALWARE: Qbot": [[377, 381]], "HASH: d0b5484a1aaddea8fa4a6fca035c1e996bd14e1021c62ac152cd24e41daf0fc2": [[391, 455]], "FILEPATH: C:\\Windows\\Tasks\\dropper.ps1": [[483, 511]], "IP_ADDRESS: 12.53.198.227": [[536, 549]]}, "info": {"id": "synth_v2_00926", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: ESET Research identified a large-scale phishing operation. 
Emails originated from noreply@auth-check.org and report@phishing-domain.com, spoofing legitimate services. Victims were directed to https://authcache.top/admin/config which hosted a credential harvesting page on api-cloud.online. A secondary link https://nodestorage.live/login delivered NjRAT (MD5: 380e739daf19db9fca0bc0853226ba47). The malware was saved to C:\\Users\\admin\\Downloads\\taskhost.exe and established C2 with 172.85.227.134.", "spans": {"ORGANIZATION: ESET Research": [[26, 39]], "EMAIL: noreply@auth-check.org": [[108, 130]], "EMAIL: report@phishing-domain.com": [[135, 161]], "URL: https://authcache.top/admin/config": [[218, 252]], "DOMAIN: api-cloud.online": [[298, 314]], "URL: https://nodestorage.live/login": [[333, 363]], "MALWARE: NjRAT": [[374, 379]], "HASH: 380e739daf19db9fca0bc0853226ba47": [[386, 418]], "FILEPATH: C:\\Users\\admin\\Downloads\\taskhost.exe": [[446, 483]], "IP_ADDRESS: 172.85.227.134": [[508, 522]]}, "info": {"id": "synth_v2_00927", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Zscaler ThreatLabz identified a large-scale phishing operation. Emails originated from admin@credential-check.site and noreply@credential-check.site, spoofing legitimate services. Victims were directed to http://data-relay.net/api/v2/auth which hosted a credential harvesting page on loginlogin.dev. A secondary link hxxps://updateedge.club/collect delivered Hive (SHA1: a98a1432984b12d124a1cba9a828099114e2e95f). 
The malware was saved to C:\\Users\\admin\\Desktop\\backdoor.elf and established C2 with 126.61.101.125.", "spans": {"ORGANIZATION: Zscaler ThreatLabz": [[26, 44]], "EMAIL: admin@credential-check.site": [[113, 140]], "EMAIL: noreply@credential-check.site": [[145, 174]], "URL: http://data-relay.net/api/v2/auth": [[231, 264]], "DOMAIN: loginlogin.dev": [[310, 324]], "URL: hxxps://updateedge.club/collect": [[343, 374]], "MALWARE: Hive": [[385, 389]], "HASH: a98a1432984b12d124a1cba9a828099114e2e95f": [[397, 437]], "FILEPATH: C:\\Users\\admin\\Desktop\\backdoor.elf": [[465, 500]], "IP_ADDRESS: 126.61.101.125": [[525, 539]]}, "info": {"id": "synth_v2_00928", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Check Point Research identified a large-scale phishing operation. Emails originated from ceo@login-portal.tech and support@credential-check.site, spoofing legitimate services. Victims were directed to hxxps://edgeauth.dev/download/update.exe which hosted a credential harvesting page on nodecdn.com. A secondary link https://edgeupdate.top/secure/token delivered REvil (MD5: 8e70a7c651eae2d0aef8b356b927751b). The malware was saved to /home/user/.config/runtime.dll and established C2 with 10.202.95.42.", "spans": {"ORGANIZATION: Check Point Research": [[26, 46]], "EMAIL: ceo@login-portal.tech": [[115, 136]], "EMAIL: support@credential-check.site": [[141, 170]], "URL: hxxps://edgeauth.dev/download/update.exe": [[227, 267]], "DOMAIN: nodecdn.com": [[313, 324]], "URL: https://edgeupdate.top/secure/token": [[343, 378]], "MALWARE: REvil": [[389, 394]], "HASH: 8e70a7c651eae2d0aef8b356b927751b": [[401, 433]], "FILEPATH: /home/user/.config/runtime.dll": [[461, 491]], "IP_ADDRESS: 10.202.95.42": [[516, 528]]}, "info": {"id": "synth_v2_00929", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: ESET Research identified a large-scale phishing operation. 
Emails originated from alert@identity-verify.cc and notification@phishing-domain.com, spoofing legitimate services. Victims were directed to https://staticportal.io/gate.php which hosted a credential harvesting page on apigateway.cc. A secondary link http://portalproxy.com/gate.php delivered Conti (SHA1: 5f374de82bc07b4a97d45acd4593e7bbf734d351). The malware was saved to /etc/cron.d/payload.bin and established C2 with 172.28.59.215.", "spans": {"ORGANIZATION: ESET Research": [[26, 39]], "EMAIL: alert@identity-verify.cc": [[108, 132]], "EMAIL: notification@phishing-domain.com": [[137, 169]], "URL: https://staticportal.io/gate.php": [[226, 258]], "DOMAIN: apigateway.cc": [[304, 317]], "URL: http://portalproxy.com/gate.php": [[336, 367]], "MALWARE: Conti": [[378, 383]], "HASH: 5f374de82bc07b4a97d45acd4593e7bbf734d351": [[391, 431]], "FILEPATH: /etc/cron.d/payload.bin": [[459, 482]], "IP_ADDRESS: 172.28.59.215": [[507, 520]]}, "info": {"id": "synth_v2_00930", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Qualys identified a large-scale phishing operation. Emails originated from contact@mail-service.info and noreply@identity-verify.cc, spoofing legitimate services. Victims were directed to hxxps://update-proxy.dev/wp-content/uploads/doc.php which hosted a credential harvesting page on cloudauth.cc. A secondary link https://mail-cdn.live/download/update.exe delivered WarmCookie (SHA256: 833d708f12c9684d8dfce7b3983958582f1a5a46d26898a91e6e8367cdc8cd7d). 
The malware was saved to C:\\Windows\\System32\\agent.py and established C2 with 129.33.112.7.", "spans": {"ORGANIZATION: Qualys": [[26, 32]], "EMAIL: contact@mail-service.info": [[101, 126]], "EMAIL: noreply@identity-verify.cc": [[131, 157]], "URL: hxxps://update-proxy.dev/wp-content/uploads/doc.php": [[214, 265]], "DOMAIN: cloudauth.cc": [[311, 323]], "URL: https://mail-cdn.live/download/update.exe": [[342, 383]], "MALWARE: WarmCookie": [[394, 404]], "HASH: 833d708f12c9684d8dfce7b3983958582f1a5a46d26898a91e6e8367cdc8cd7d": [[414, 478]], "FILEPATH: C:\\Windows\\System32\\agent.py": [[506, 534]], "IP_ADDRESS: 129.33.112.7": [[559, 571]]}, "info": {"id": "synth_v2_00931", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Proofpoint identified a large-scale phishing operation. Emails originated from admin@mail-service.info and alert@identity-verify.cc, spoofing legitimate services. Victims were directed to hxxp://update-storage.live/login which hosted a credential harvesting page on mailedge.site. A secondary link hxxps://auth-mail.dev/callback delivered Gootloader (SHA1: 3530996f64f99ea5b9acda39b55feef3570b983e). The malware was saved to /var/tmp/helper.sh and established C2 with 60.158.46.24.", "spans": {"ORGANIZATION: Proofpoint": [[26, 36]], "EMAIL: admin@mail-service.info": [[105, 128]], "EMAIL: alert@identity-verify.cc": [[133, 157]], "URL: hxxp://update-storage.live/login": [[214, 246]], "DOMAIN: mailedge.site": [[292, 305]], "URL: hxxps://auth-mail.dev/callback": [[324, 354]], "MALWARE: Gootloader": [[365, 375]], "HASH: 3530996f64f99ea5b9acda39b55feef3570b983e": [[383, 423]], "FILEPATH: /var/tmp/helper.sh": [[451, 469]], "IP_ADDRESS: 60.158.46.24": [[494, 506]]}, "info": {"id": "synth_v2_00932", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Huntress identified a large-scale phishing operation. Emails originated from admin@auth-check.org and admin@secure-verify.net, spoofing legitimate services. 
Victims were directed to hxxp://proxygateway.info/gate.php which hosted a credential harvesting page on storageauth.org. A secondary link hxxp://authstorage.online/panel/index.html delivered WarmCookie (SHA256: 6e2042e8e9c59ffc5b2fc6f8406432cf7d527458df6bcc7d7012e57ba90167e8). The malware was saved to C:\\Windows\\Tasks\\beacon.dll and established C2 with 207.50.68.60.", "spans": {"ORGANIZATION: Huntress": [[26, 34]], "EMAIL: admin@auth-check.org": [[103, 123]], "EMAIL: admin@secure-verify.net": [[128, 151]], "URL: hxxp://proxygateway.info/gate.php": [[208, 241]], "DOMAIN: storageauth.org": [[287, 302]], "URL: hxxp://authstorage.online/panel/index.html": [[321, 363]], "MALWARE: WarmCookie": [[374, 384]], "HASH: 6e2042e8e9c59ffc5b2fc6f8406432cf7d527458df6bcc7d7012e57ba90167e8": [[394, 458]], "FILEPATH: C:\\Windows\\Tasks\\beacon.dll": [[486, 513]], "IP_ADDRESS: 207.50.68.60": [[538, 550]]}, "info": {"id": "synth_v2_00933", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Dragos identified a large-scale phishing operation. Emails originated from notification@auth-check.org and notification@credential-check.site, spoofing legitimate services. Victims were directed to hxxp://storage-mail.info/callback which hosted a credential harvesting page on updatelogin.info. A secondary link hxxp://static-relay.org/assets/js/payload.js delivered Gootloader (SHA1: aefa29ba47718ecfeff70cf4ad28a363b3f8b28f). 
The malware was saved to /etc/cron.d/backdoor.elf and established C2 with 198.236.239.37.", "spans": {"ORGANIZATION: Dragos": [[26, 32]], "EMAIL: notification@auth-check.org": [[101, 128]], "EMAIL: notification@credential-check.site": [[133, 167]], "URL: hxxp://storage-mail.info/callback": [[224, 257]], "DOMAIN: updatelogin.info": [[303, 319]], "URL: hxxp://static-relay.org/assets/js/payload.js": [[338, 382]], "MALWARE: Gootloader": [[393, 403]], "HASH: aefa29ba47718ecfeff70cf4ad28a363b3f8b28f": [[411, 451]], "FILEPATH: /etc/cron.d/backdoor.elf": [[479, 503]], "IP_ADDRESS: 198.236.239.37": [[528, 542]]}, "info": {"id": "synth_v2_00934", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Cisco Talos identified a large-scale phishing operation. Emails originated from support@auth-check.org and info@credential-check.site, spoofing legitimate services. Victims were directed to hxxps://update-relay.xyz/panel/index.html which hosted a credential harvesting page on edgedata.online. A secondary link https://authmail.site/admin/config delivered QakBot (SHA256: 5144950e048284bee94201af0e388d81460da1864c0d666a9c8a928bb226fc58). The malware was saved to /dev/shm/winlogon.exe and established C2 with 59.8.95.228.", "spans": {"ORGANIZATION: Cisco Talos": [[26, 37]], "EMAIL: support@auth-check.org": [[106, 128]], "EMAIL: info@credential-check.site": [[133, 159]], "URL: hxxps://update-relay.xyz/panel/index.html": [[216, 257]], "DOMAIN: edgedata.online": [[303, 318]], "URL: https://authmail.site/admin/config": [[337, 371]], "MALWARE: QakBot": [[382, 388]], "HASH: 5144950e048284bee94201af0e388d81460da1864c0d666a9c8a928bb226fc58": [[398, 462]], "FILEPATH: /dev/shm/winlogon.exe": [[490, 511]], "IP_ADDRESS: 59.8.95.228": [[536, 547]]}, "info": {"id": "synth_v2_00935", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: NSA identified a large-scale phishing operation. 
Emails originated from updates@mail-service.info and info@mail-service.info, spoofing legitimate services. Victims were directed to hxxps://relaysecure.site/download/update.exe which hosted a credential harvesting page on loginrelay.org. A secondary link http://storage-sync.link/admin/config delivered Latrodectus (MD5: 1f566229bfa88d2c68ad2241f3ea523e). The malware was saved to C:\\Users\\admin\\AppData\\Local\\Temp\\sam.hive and established C2 with 110.128.69.3.", "spans": {"ORGANIZATION: NSA": [[26, 29]], "EMAIL: updates@mail-service.info": [[98, 123]], "EMAIL: info@mail-service.info": [[128, 150]], "URL: hxxps://relaysecure.site/download/update.exe": [[207, 251]], "DOMAIN: loginrelay.org": [[297, 311]], "URL: http://storage-sync.link/admin/config": [[330, 367]], "MALWARE: Latrodectus": [[378, 389]], "HASH: 1f566229bfa88d2c68ad2241f3ea523e": [[396, 428]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\sam.hive": [[456, 498]], "IP_ADDRESS: 110.128.69.3": [[523, 535]]}, "info": {"id": "synth_v2_00936", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Tenable identified a large-scale phishing operation. Emails originated from updates@identity-verify.cc and billing@account-update.xyz, spoofing legitimate services. Victims were directed to hxxp://apicloud.tech/assets/js/payload.js which hosted a credential harvesting page on cloud-node.site. A secondary link hxxp://proxygateway.club/secure/token delivered BatLoader (MD5: 6270e25d36ff1337cf83ab29c6758a7b). 
The malware was saved to C:\\Users\\admin\\AppData\\Local\\Temp\\ntds.dit and established C2 with 172.201.119.46.", "spans": {"ORGANIZATION: Tenable": [[26, 33]], "EMAIL: updates@identity-verify.cc": [[102, 128]], "EMAIL: billing@account-update.xyz": [[133, 159]], "URL: hxxp://apicloud.tech/assets/js/payload.js": [[216, 257]], "DOMAIN: cloud-node.site": [[303, 318]], "URL: hxxp://proxygateway.club/secure/token": [[337, 374]], "MALWARE: BatLoader": [[385, 394]], "HASH: 6270e25d36ff1337cf83ab29c6758a7b": [[401, 433]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\ntds.dit": [[461, 503]], "IP_ADDRESS: 172.201.119.46": [[528, 542]]}, "info": {"id": "synth_v2_00937", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Dragos identified a large-scale phishing operation. Emails originated from support@auth-check.org and it@login-portal.tech, spoofing legitimate services. Victims were directed to hxxps://updatemail.link/admin/config which hosted a credential harvesting page on storage-static.live. A secondary link http://proxy-cloud.cc/assets/js/payload.js delivered PlugX (MD5: 32e0030d5163c1897bfbfade7cacbce9). The malware was saved to C:\\Windows\\Temp\\winlogon.exe and established C2 with 192.164.210.116.", "spans": {"ORGANIZATION: Dragos": [[26, 32]], "EMAIL: support@auth-check.org": [[101, 123]], "EMAIL: it@login-portal.tech": [[128, 148]], "URL: hxxps://updatemail.link/admin/config": [[205, 241]], "DOMAIN: storage-static.live": [[287, 306]], "URL: http://proxy-cloud.cc/assets/js/payload.js": [[325, 367]], "MALWARE: PlugX": [[378, 383]], "HASH: 32e0030d5163c1897bfbfade7cacbce9": [[390, 422]], "FILEPATH: C:\\Windows\\Temp\\winlogon.exe": [[450, 478]], "IP_ADDRESS: 192.164.210.116": [[503, 518]]}, "info": {"id": "synth_v2_00938", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Qualys identified a large-scale phishing operation. 
Emails originated from support@credential-check.site and account@document-share.link, spoofing legitimate services. Victims were directed to https://proxystorage.tech/download/update.exe which hosted a credential harvesting page on loginsecure.online. A secondary link hxxps://apicache.club/wp-content/uploads/doc.php delivered Royal (MD5: cdb98c872350d8018dc314a4c133b88a). The malware was saved to C:\\Windows\\System32\\sam.hive and established C2 with 10.30.90.45.", "spans": {"ORGANIZATION: Qualys": [[26, 32]], "EMAIL: support@credential-check.site": [[101, 130]], "EMAIL: account@document-share.link": [[135, 162]], "URL: https://proxystorage.tech/download/update.exe": [[219, 264]], "DOMAIN: loginsecure.online": [[310, 328]], "URL: hxxps://apicache.club/wp-content/uploads/doc.php": [[347, 395]], "MALWARE: Royal": [[406, 411]], "HASH: cdb98c872350d8018dc314a4c133b88a": [[418, 450]], "FILEPATH: C:\\Windows\\System32\\sam.hive": [[478, 506]], "IP_ADDRESS: 10.30.90.45": [[531, 542]]}, "info": {"id": "synth_v2_00939", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: SentinelOne identified a large-scale phishing operation. Emails originated from noreply@credential-check.site and alert@secure-verify.net, spoofing legitimate services. Victims were directed to http://relay-mail.top/callback which hosted a credential harvesting page on securestatic.dev. A secondary link hxxp://proxy-auth.site/login delivered WarmCookie (SHA256: c0e98b7c0352c6a6c057be2b9d7c2af013aa2503137d362de85a36975a49f8ad). 
The malware was saved to /home/user/.config/backdoor.elf and established C2 with 148.119.16.96.", "spans": {"ORGANIZATION: SentinelOne": [[26, 37]], "EMAIL: noreply@credential-check.site": [[106, 135]], "EMAIL: alert@secure-verify.net": [[140, 163]], "URL: http://relay-mail.top/callback": [[220, 250]], "DOMAIN: securestatic.dev": [[296, 312]], "URL: hxxp://proxy-auth.site/login": [[331, 359]], "MALWARE: WarmCookie": [[370, 380]], "HASH: c0e98b7c0352c6a6c057be2b9d7c2af013aa2503137d362de85a36975a49f8ad": [[390, 454]], "FILEPATH: /home/user/.config/backdoor.elf": [[482, 513]], "IP_ADDRESS: 148.119.16.96": [[538, 551]]}, "info": {"id": "synth_v2_00940", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Tenable identified a large-scale phishing operation. Emails originated from security@secure-verify.net and contact@document-share.link, spoofing legitimate services. Victims were directed to hxxp://cloud-cache.live/download/update.exe which hosted a credential harvesting page on secureportal.info. A secondary link hxxps://secure-gateway.cc/api/v2/auth delivered Qbot (SHA256: fa72486ad996d713efbc916c83c674d38b28c76e4e9302f5b72138bce159a4c8). The malware was saved to C:\\Users\\admin\\AppData\\Local\\Temp\\ntds.dit and established C2 with 10.230.237.227.", "spans": {"ORGANIZATION: Tenable": [[26, 33]], "EMAIL: security@secure-verify.net": [[102, 128]], "EMAIL: contact@document-share.link": [[133, 160]], "URL: hxxp://cloud-cache.live/download/update.exe": [[217, 260]], "DOMAIN: secureportal.info": [[306, 323]], "URL: hxxps://secure-gateway.cc/api/v2/auth": [[342, 379]], "MALWARE: Qbot": [[390, 394]], "HASH: fa72486ad996d713efbc916c83c674d38b28c76e4e9302f5b72138bce159a4c8": [[404, 468]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\ntds.dit": [[496, 538]], "IP_ADDRESS: 10.230.237.227": [[563, 577]]}, "info": {"id": "synth_v2_00941", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: FireEye identified a large-scale phishing operation. 
Emails originated from admin@login-portal.tech and info@identity-verify.cc, spoofing legitimate services. Victims were directed to https://relay-cdn.dev/admin/config which hosted a credential harvesting page on gateway-relay.org. A secondary link hxxp://cdn-backup.cc/wp-content/uploads/doc.php delivered SmokeLoader (MD5: 47a321342f44ccaa5427240422eb7faf). The malware was saved to C:\\Users\\admin\\Desktop\\shell.php and established C2 with 10.225.81.145.", "spans": {"ORGANIZATION: FireEye": [[26, 33]], "EMAIL: admin@login-portal.tech": [[102, 125]], "EMAIL: info@identity-verify.cc": [[130, 153]], "URL: https://relay-cdn.dev/admin/config": [[210, 244]], "DOMAIN: gateway-relay.org": [[290, 307]], "URL: hxxp://cdn-backup.cc/wp-content/uploads/doc.php": [[326, 373]], "MALWARE: SmokeLoader": [[384, 395]], "HASH: 47a321342f44ccaa5427240422eb7faf": [[402, 434]], "FILEPATH: C:\\Users\\admin\\Desktop\\shell.php": [[462, 494]], "IP_ADDRESS: 10.225.81.145": [[519, 532]]}, "info": {"id": "synth_v2_00942", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: ESET Research identified a large-scale phishing operation. Emails originated from hr@credential-check.site and contact@login-portal.tech, spoofing legitimate services. Victims were directed to hxxps://edge-data.cc/assets/js/payload.js which hosted a credential harvesting page on authstatic.xyz. A secondary link hxxp://storagesync.com/secure/token delivered StealC (SHA256: 5fbe016192f7767e4b7517ab218818dd47c425ceb04a23ca7919de51fba72b3d). 
The malware was saved to C:\\Windows\\Tasks\\config.dat and established C2 with 47.44.81.230.", "spans": {"ORGANIZATION: ESET Research": [[26, 39]], "EMAIL: hr@credential-check.site": [[108, 132]], "EMAIL: contact@login-portal.tech": [[137, 162]], "URL: hxxps://edge-data.cc/assets/js/payload.js": [[219, 260]], "DOMAIN: authstatic.xyz": [[306, 320]], "URL: hxxp://storagesync.com/secure/token": [[339, 374]], "MALWARE: StealC": [[385, 391]], "HASH: 5fbe016192f7767e4b7517ab218818dd47c425ceb04a23ca7919de51fba72b3d": [[401, 465]], "FILEPATH: C:\\Windows\\Tasks\\config.dat": [[493, 520]], "IP_ADDRESS: 47.44.81.230": [[545, 557]]}, "info": {"id": "synth_v2_00943", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: NCSC identified a large-scale phishing operation. Emails originated from notification@secure-verify.net and service@login-portal.tech, spoofing legitimate services. Victims were directed to http://cdnbackup.link/login which hosted a credential harvesting page on securerelay.live. A secondary link http://gateway-gateway.online/admin/config delivered REvil (SHA1: 91d9221dd11d7e51f1fef0efb0e3083e9c50fbac). The malware was saved to /home/user/.config/csrss.exe and established C2 with 192.250.135.160.", "spans": {"ORGANIZATION: NCSC": [[26, 30]], "EMAIL: notification@secure-verify.net": [[99, 129]], "EMAIL: service@login-portal.tech": [[134, 159]], "URL: http://cdnbackup.link/login": [[216, 243]], "DOMAIN: securerelay.live": [[289, 305]], "URL: http://gateway-gateway.online/admin/config": [[324, 366]], "MALWARE: REvil": [[377, 382]], "HASH: 91d9221dd11d7e51f1fef0efb0e3083e9c50fbac": [[390, 430]], "FILEPATH: /home/user/.config/csrss.exe": [[458, 486]], "IP_ADDRESS: 192.250.135.160": [[511, 526]]}, "info": {"id": "synth_v2_00944", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Europol identified a large-scale phishing operation. Emails originated from notification@auth-check.org and admin@credential-check.site, spoofing legitimate services. 
Victims were directed to https://node-edge.site/login which hosted a credential harvesting page on cdn-edge.com. A secondary link http://proxymail.link/login delivered Ryuk (SHA256: 7f93ffbeae05b3ff6a1b061cb08c17fb3b7c6aaf18f710cca8a8719cb1eb805d). The malware was saved to C:\\Users\\admin\\AppData\\Local\\Temp\\config.dat and established C2 with 10.190.153.226.", "spans": {"ORGANIZATION: Europol": [[26, 33]], "EMAIL: notification@auth-check.org": [[102, 129]], "EMAIL: admin@credential-check.site": [[134, 161]], "URL: https://node-edge.site/login": [[218, 246]], "DOMAIN: cdn-edge.com": [[292, 304]], "URL: http://proxymail.link/login": [[323, 350]], "MALWARE: Ryuk": [[361, 365]], "HASH: 7f93ffbeae05b3ff6a1b061cb08c17fb3b7c6aaf18f710cca8a8719cb1eb805d": [[375, 439]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\config.dat": [[467, 511]], "IP_ADDRESS: 10.190.153.226": [[536, 550]]}, "info": {"id": "synth_v2_00945", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: SentinelOne identified a large-scale phishing operation. Emails originated from helpdesk@document-share.link and support@mail-service.info, spoofing legitimate services. Victims were directed to hxxps://edgecache.dev/collect which hosted a credential harvesting page on secure-update.org. A secondary link hxxp://secure-secure.tech/wp-content/uploads/doc.php delivered BumbleBee (SHA256: 84acb5e380ab6fe2b73fbb93c0b47c72de792fbbf38c91e61dcad238c9c7ca04). 
The malware was saved to C:\\Users\\admin\\AppData\\Local\\Temp\\payload.bin and established C2 with 167.169.176.219.", "spans": {"ORGANIZATION: SentinelOne": [[26, 37]], "EMAIL: helpdesk@document-share.link": [[106, 134]], "EMAIL: support@mail-service.info": [[139, 164]], "URL: hxxps://edgecache.dev/collect": [[221, 250]], "DOMAIN: secure-update.org": [[296, 313]], "URL: hxxp://secure-secure.tech/wp-content/uploads/doc.php": [[332, 384]], "MALWARE: BumbleBee": [[395, 404]], "HASH: 84acb5e380ab6fe2b73fbb93c0b47c72de792fbbf38c91e61dcad238c9c7ca04": [[414, 478]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\payload.bin": [[506, 551]], "IP_ADDRESS: 167.169.176.219": [[576, 591]]}, "info": {"id": "synth_v2_00946", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Cisco Talos identified a large-scale phishing operation. Emails originated from support@secure-verify.net and report@login-portal.tech, spoofing legitimate services. Victims were directed to hxxps://backupstorage.link/wp-content/uploads/doc.php which hosted a credential harvesting page on static-cloud.link. A secondary link https://cachenode.live/assets/js/payload.js delivered BumbleBee (SHA256: 0574fd3a2e0b3bc4c0c82818840f9035ce431741791294da0f80cf914632a80c). 
The malware was saved to /home/user/.config/helper.sh and established C2 with 42.218.67.2.", "spans": {"ORGANIZATION: Cisco Talos": [[26, 37]], "EMAIL: support@secure-verify.net": [[106, 131]], "EMAIL: report@login-portal.tech": [[136, 160]], "URL: hxxps://backupstorage.link/wp-content/uploads/doc.php": [[217, 270]], "DOMAIN: static-cloud.link": [[316, 333]], "URL: https://cachenode.live/assets/js/payload.js": [[352, 395]], "MALWARE: BumbleBee": [[406, 415]], "HASH: 0574fd3a2e0b3bc4c0c82818840f9035ce431741791294da0f80cf914632a80c": [[425, 489]], "FILEPATH: /home/user/.config/helper.sh": [[517, 545]], "IP_ADDRESS: 42.218.67.2": [[570, 581]]}, "info": {"id": "synth_v2_00947", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Microsoft MSRC identified a large-scale phishing operation. Emails originated from confirm@phishing-domain.com and it@document-share.link, spoofing legitimate services. Victims were directed to https://auth-login.live/portal/verify which hosted a credential harvesting page on storagestatic.cc. A secondary link http://secure-cache.com/secure/token delivered Meduza Stealer (SHA256: 66a282c45e27ce9328111ae8c1fcee81ca2c7cd7ca5b3c54dea94ade436a63d3). 
The malware was saved to C:\\Users\\Public\\Documents\\payload.bin and established C2 with 172.205.101.20.", "spans": {"ORGANIZATION: Microsoft MSRC": [[26, 40]], "EMAIL: confirm@phishing-domain.com": [[109, 136]], "EMAIL: it@document-share.link": [[141, 163]], "URL: https://auth-login.live/portal/verify": [[220, 257]], "DOMAIN: storagestatic.cc": [[303, 319]], "URL: http://secure-cache.com/secure/token": [[338, 374]], "MALWARE: Meduza Stealer": [[385, 399]], "HASH: 66a282c45e27ce9328111ae8c1fcee81ca2c7cd7ca5b3c54dea94ade436a63d3": [[409, 473]], "FILEPATH: C:\\Users\\Public\\Documents\\payload.bin": [[501, 538]], "IP_ADDRESS: 172.205.101.20": [[563, 577]]}, "info": {"id": "synth_v2_00948", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Europol identified a large-scale phishing operation. Emails originated from verify@credential-check.site and finance@document-share.link, spoofing legitimate services. Victims were directed to hxxps://syncsecure.net/callback which hosted a credential harvesting page on relay-storage.cc. A secondary link hxxps://static-sync.top/collect delivered Ryuk (SHA256: f3e3a7cc4c229bc2b679cfdae9fc264d20529dada7e0ca1d440b0b76c147cbef). The malware was saved to C:\\Users\\admin\\Downloads\\lsass.dmp and established C2 with 20.117.51.124.", "spans": {"ORGANIZATION: Europol": [[26, 33]], "EMAIL: verify@credential-check.site": [[102, 130]], "EMAIL: finance@document-share.link": [[135, 162]], "URL: hxxps://syncsecure.net/callback": [[219, 250]], "DOMAIN: relay-storage.cc": [[296, 312]], "URL: hxxps://static-sync.top/collect": [[331, 362]], "MALWARE: Ryuk": [[373, 377]], "HASH: f3e3a7cc4c229bc2b679cfdae9fc264d20529dada7e0ca1d440b0b76c147cbef": [[387, 451]], "FILEPATH: C:\\Users\\admin\\Downloads\\lsass.dmp": [[479, 513]], "IP_ADDRESS: 20.117.51.124": [[538, 551]]}, "info": {"id": "synth_v2_00949", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Rapid7 identified a large-scale phishing operation. 
Emails originated from it@login-portal.tech and service@account-update.xyz, spoofing legitimate services. Victims were directed to hxxp://syncproxy.tech/admin/config which hosted a credential harvesting page on static-gateway.net. A secondary link hxxp://syncportal.net/assets/js/payload.js delivered PlugX (SHA256: 9ab28c6cb5bf779baa2623f3b6491293c5f0606f86c89d37b05960303360efcd). The malware was saved to C:\\Windows\\Temp\\svchost.exe and established C2 with 192.137.161.224.", "spans": {"ORGANIZATION: Rapid7": [[26, 32]], "EMAIL: it@login-portal.tech": [[101, 121]], "EMAIL: service@account-update.xyz": [[126, 152]], "URL: hxxp://syncproxy.tech/admin/config": [[209, 243]], "DOMAIN: static-gateway.net": [[289, 307]], "URL: hxxp://syncportal.net/assets/js/payload.js": [[326, 368]], "MALWARE: PlugX": [[379, 384]], "HASH: 9ab28c6cb5bf779baa2623f3b6491293c5f0606f86c89d37b05960303360efcd": [[394, 458]], "FILEPATH: C:\\Windows\\Temp\\svchost.exe": [[486, 513]], "IP_ADDRESS: 192.137.161.224": [[538, 553]]}, "info": {"id": "synth_v2_00950", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Trend Micro identified a large-scale phishing operation. Emails originated from noreply@mail-service.info and support@login-portal.tech, spoofing legitimate services. Victims were directed to hxxp://auth-api.tech/secure/token which hosted a credential harvesting page on auth-cache.top. A secondary link https://updatestorage.net/wp-content/uploads/doc.php delivered Ryuk (SHA256: 015633eee1014c2a187fe9dcc7d680b0626a318154d1f5b0d7e63016e3d97ab2). 
The malware was saved to C:\\Users\\admin\\AppData\\Local\\Temp\\loader.exe and established C2 with 125.236.71.67.", "spans": {"ORGANIZATION: Trend Micro": [[26, 37]], "EMAIL: noreply@mail-service.info": [[106, 131]], "EMAIL: support@login-portal.tech": [[136, 161]], "URL: hxxp://auth-api.tech/secure/token": [[218, 251]], "DOMAIN: auth-cache.top": [[297, 311]], "URL: https://updatestorage.net/wp-content/uploads/doc.php": [[330, 382]], "MALWARE: Ryuk": [[393, 397]], "HASH: 015633eee1014c2a187fe9dcc7d680b0626a318154d1f5b0d7e63016e3d97ab2": [[407, 471]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\loader.exe": [[499, 543]], "IP_ADDRESS: 125.236.71.67": [[568, 581]]}, "info": {"id": "synth_v2_00951", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: FBI identified a large-scale phishing operation. Emails originated from updates@document-share.link and noreply@auth-check.org, spoofing legitimate services. Victims were directed to hxxp://loginlogin.net/assets/js/payload.js which hosted a credential harvesting page on update-backup.link. A secondary link hxxps://storageedge.link/collect delivered WarmCookie (MD5: 297b109ea1d2d6efd678b41059f00153). The malware was saved to C:\\Users\\admin\\AppData\\Local\\Temp\\ntds.dit and established C2 with 163.195.101.247.", "spans": {"ORGANIZATION: FBI": [[26, 29]], "EMAIL: updates@document-share.link": [[98, 125]], "EMAIL: noreply@auth-check.org": [[130, 152]], "URL: hxxp://loginlogin.net/assets/js/payload.js": [[209, 251]], "DOMAIN: update-backup.link": [[297, 315]], "URL: hxxps://storageedge.link/collect": [[334, 366]], "MALWARE: WarmCookie": [[377, 387]], "HASH: 297b109ea1d2d6efd678b41059f00153": [[394, 426]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\ntds.dit": [[454, 496]], "IP_ADDRESS: 163.195.101.247": [[521, 536]]}, "info": {"id": "synth_v2_00952", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Rapid7 identified a large-scale phishing operation. 
Emails originated from billing@login-portal.tech and security@document-share.link, spoofing legitimate services. Victims were directed to hxxps://mailauth.tech/download/update.exe which hosted a credential harvesting page on cdnnode.tech. A secondary link https://relayedge.top/callback delivered BatLoader (MD5: 7ba3bfb6e2a77aaa1f02ffaa51991d9a). The malware was saved to /tmp/dropper.ps1 and established C2 with 172.223.244.35.", "spans": {"ORGANIZATION: Rapid7": [[26, 32]], "EMAIL: billing@login-portal.tech": [[101, 126]], "EMAIL: security@document-share.link": [[131, 159]], "URL: hxxps://mailauth.tech/download/update.exe": [[216, 257]], "DOMAIN: cdnnode.tech": [[303, 315]], "URL: https://relayedge.top/callback": [[334, 364]], "MALWARE: BatLoader": [[375, 384]], "HASH: 7ba3bfb6e2a77aaa1f02ffaa51991d9a": [[391, 423]], "FILEPATH: /tmp/dropper.ps1": [[451, 467]], "IP_ADDRESS: 172.223.244.35": [[492, 506]]}, "info": {"id": "synth_v2_00953", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Google TAG identified a large-scale phishing operation. Emails originated from service@account-update.xyz and admin@urgent-notice.online, spoofing legitimate services. Victims were directed to hxxp://portalproxy.org/secure/token which hosted a credential harvesting page on secureedge.org. A secondary link https://cloudstorage.club/api/v2/auth delivered DarkSide (MD5: 3143b6b9b8cac5d56c6a150f33dcb948). 
The malware was saved to C:\\Windows\\Temp\\taskhost.exe and established C2 with 172.207.86.194.", "spans": {"ORGANIZATION: Google TAG": [[26, 36]], "EMAIL: service@account-update.xyz": [[105, 131]], "EMAIL: admin@urgent-notice.online": [[136, 162]], "URL: hxxp://portalproxy.org/secure/token": [[219, 254]], "DOMAIN: secureedge.org": [[300, 314]], "URL: https://cloudstorage.club/api/v2/auth": [[333, 370]], "MALWARE: DarkSide": [[381, 389]], "HASH: 3143b6b9b8cac5d56c6a150f33dcb948": [[396, 428]], "FILEPATH: C:\\Windows\\Temp\\taskhost.exe": [[456, 484]], "IP_ADDRESS: 172.207.86.194": [[509, 523]]}, "info": {"id": "synth_v2_00954", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Google TAG identified a large-scale phishing operation. Emails originated from finance@credential-check.site and security@urgent-notice.online, spoofing legitimate services. Victims were directed to https://cloudcache.link/download/update.exe which hosted a credential harvesting page on apibackup.cc. A secondary link hxxp://api-secure.link/wp-content/uploads/doc.php delivered DanaBot (SHA1: e282da3132776d4c456f0fd1ad8db261a42d024c). The malware was saved to C:\\Windows\\Temp\\svchost.exe and established C2 with 101.87.227.11.", "spans": {"ORGANIZATION: Google TAG": [[26, 36]], "EMAIL: finance@credential-check.site": [[105, 134]], "EMAIL: security@urgent-notice.online": [[139, 168]], "URL: https://cloudcache.link/download/update.exe": [[225, 268]], "DOMAIN: apibackup.cc": [[314, 326]], "URL: hxxp://api-secure.link/wp-content/uploads/doc.php": [[345, 394]], "MALWARE: DanaBot": [[405, 412]], "HASH: e282da3132776d4c456f0fd1ad8db261a42d024c": [[420, 460]], "FILEPATH: C:\\Windows\\Temp\\svchost.exe": [[488, 515]], "IP_ADDRESS: 101.87.227.11": [[540, 553]]}, "info": {"id": "synth_v2_00955", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Mandiant identified a large-scale phishing operation. 
Emails originated from noreply@identity-verify.cc and service@phishing-domain.com, spoofing legitimate services. Victims were directed to https://storagecdn.cc/callback which hosted a credential harvesting page on update-data.cc. A secondary link https://secure-api.online/admin/config delivered IcedID (SHA1: 69e6beaa22276b0e99deb015313fff3a420494ca). The malware was saved to C:\\ProgramData\\shell.php and established C2 with 10.189.102.138.", "spans": {"ORGANIZATION: Mandiant": [[26, 34]], "EMAIL: noreply@identity-verify.cc": [[103, 129]], "EMAIL: service@phishing-domain.com": [[134, 161]], "URL: https://storagecdn.cc/callback": [[218, 248]], "DOMAIN: update-data.cc": [[294, 308]], "URL: https://secure-api.online/admin/config": [[327, 365]], "MALWARE: IcedID": [[376, 382]], "HASH: 69e6beaa22276b0e99deb015313fff3a420494ca": [[390, 430]], "FILEPATH: C:\\ProgramData\\shell.php": [[458, 482]], "IP_ADDRESS: 10.189.102.138": [[507, 521]]}, "info": {"id": "synth_v2_00956", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Proofpoint identified a large-scale phishing operation. Emails originated from report@account-update.xyz and noreply@account-update.xyz, spoofing legitimate services. Victims were directed to hxxp://relayapi.net/callback which hosted a credential harvesting page on cdnstorage.site. A secondary link hxxp://cdn-gateway.com/gate.php delivered SystemBC (SHA256: e8fc2be02a35aaeb12b0d99d8f4b8b2aecf34f77c2455c280950c1f6d1f453a8). 
The malware was saved to C:\\Program Files\\Common Files\\update.dll and established C2 with 112.66.200.73.", "spans": {"ORGANIZATION: Proofpoint": [[26, 36]], "EMAIL: report@account-update.xyz": [[105, 130]], "EMAIL: noreply@account-update.xyz": [[135, 161]], "URL: hxxp://relayapi.net/callback": [[218, 246]], "DOMAIN: cdnstorage.site": [[292, 307]], "URL: hxxp://cdn-gateway.com/gate.php": [[326, 357]], "MALWARE: SystemBC": [[368, 376]], "HASH: e8fc2be02a35aaeb12b0d99d8f4b8b2aecf34f77c2455c280950c1f6d1f453a8": [[386, 450]], "FILEPATH: C:\\Program Files\\Common Files\\update.dll": [[478, 518]], "IP_ADDRESS: 112.66.200.73": [[543, 556]]}, "info": {"id": "synth_v2_00957", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Rapid7 identified a large-scale phishing operation. Emails originated from billing@urgent-notice.online and it@phishing-domain.com, spoofing legitimate services. Victims were directed to http://cache-storage.xyz/download/update.exe which hosted a credential harvesting page on data-auth.xyz. A secondary link http://sync-gateway.net/callback delivered Hive (MD5: bc89b387babe79b554ccab80c5b73f79). The malware was saved to C:\\Users\\Public\\Documents\\svchost.exe and established C2 with 73.47.222.77.", "spans": {"ORGANIZATION: Rapid7": [[26, 32]], "EMAIL: billing@urgent-notice.online": [[101, 129]], "EMAIL: it@phishing-domain.com": [[134, 156]], "URL: http://cache-storage.xyz/download/update.exe": [[213, 257]], "DOMAIN: data-auth.xyz": [[303, 316]], "URL: http://sync-gateway.net/callback": [[335, 367]], "MALWARE: Hive": [[378, 382]], "HASH: bc89b387babe79b554ccab80c5b73f79": [[389, 421]], "FILEPATH: C:\\Users\\Public\\Documents\\svchost.exe": [[449, 486]], "IP_ADDRESS: 73.47.222.77": [[511, 523]]}, "info": {"id": "synth_v2_00958", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Dragos identified a large-scale phishing operation. 
Emails originated from noreply@login-portal.tech and alert@identity-verify.cc, spoofing legitimate services. Victims were directed to hxxp://syncbackup.net/gate.php which hosted a credential harvesting page on proxygateway.dev. A secondary link http://relay-proxy.top/panel/index.html delivered Cobalt Strike (SHA1: 2ae7621193a6a852792dc2dc5c57fb9a24c5df1d). The malware was saved to /tmp/backdoor.elf and established C2 with 47.23.142.226.", "spans": {"ORGANIZATION: Dragos": [[26, 32]], "EMAIL: noreply@login-portal.tech": [[101, 126]], "EMAIL: alert@identity-verify.cc": [[131, 155]], "URL: hxxp://syncbackup.net/gate.php": [[212, 242]], "DOMAIN: proxygateway.dev": [[288, 304]], "URL: http://relay-proxy.top/panel/index.html": [[323, 362]], "MALWARE: Cobalt Strike": [[373, 386]], "HASH: 2ae7621193a6a852792dc2dc5c57fb9a24c5df1d": [[394, 434]], "FILEPATH: /tmp/backdoor.elf": [[462, 479]], "IP_ADDRESS: 47.23.142.226": [[504, 517]]}, "info": {"id": "synth_v2_00959", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Trend Micro identified a large-scale phishing operation. Emails originated from contact@secure-verify.net and verify@auth-check.org, spoofing legitimate services. Victims were directed to http://authnode.io/login which hosted a credential harvesting page on securecdn.dev. A secondary link hxxp://proxy-static.cc/download/update.exe delivered REvil (SHA1: 4f3cb25fdf54112dfa003fb2fcc3ba5f7ff05699). 
The malware was saved to /var/tmp/sam.hive and established C2 with 69.136.39.197.", "spans": {"ORGANIZATION: Trend Micro": [[26, 37]], "EMAIL: contact@secure-verify.net": [[106, 131]], "EMAIL: verify@auth-check.org": [[136, 157]], "URL: http://authnode.io/login": [[214, 238]], "DOMAIN: securecdn.dev": [[284, 297]], "URL: hxxp://proxy-static.cc/download/update.exe": [[316, 358]], "MALWARE: REvil": [[369, 374]], "HASH: 4f3cb25fdf54112dfa003fb2fcc3ba5f7ff05699": [[382, 422]], "FILEPATH: /var/tmp/sam.hive": [[450, 467]], "IP_ADDRESS: 69.136.39.197": [[492, 505]]}, "info": {"id": "synth_v2_00960", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Proofpoint identified a large-scale phishing operation. Emails originated from verify@account-update.xyz and helpdesk@mail-service.info, spoofing legitimate services. Victims were directed to hxxp://gatewaystorage.link/panel/index.html which hosted a credential harvesting page on backupedge.tech. A secondary link hxxps://cachesync.online/download/update.exe delivered Play (SHA256: 65d18eb1c2f37aff3af81ac0355b74658e21a7362383bed1532995d3f68fe96f). The malware was saved to C:\\Program Files\\Common Files\\dropper.ps1 and established C2 with 172.239.88.51.", "spans": {"ORGANIZATION: Proofpoint": [[26, 36]], "EMAIL: verify@account-update.xyz": [[105, 130]], "EMAIL: helpdesk@mail-service.info": [[135, 161]], "URL: hxxp://gatewaystorage.link/panel/index.html": [[218, 261]], "DOMAIN: backupedge.tech": [[307, 322]], "URL: hxxps://cachesync.online/download/update.exe": [[341, 385]], "MALWARE: Play": [[396, 400]], "HASH: 65d18eb1c2f37aff3af81ac0355b74658e21a7362383bed1532995d3f68fe96f": [[410, 474]], "FILEPATH: C:\\Program Files\\Common Files\\dropper.ps1": [[502, 543]], "IP_ADDRESS: 172.239.88.51": [[568, 581]]}, "info": {"id": "synth_v2_00961", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Huntress identified a large-scale phishing operation. 
Emails originated from account@identity-verify.cc and hr@secure-verify.net, spoofing legitimate services. Victims were directed to hxxp://update-static.tech/panel/index.html which hosted a credential harvesting page on portal-sync.xyz. A secondary link https://storageproxy.club/download/update.exe delivered RemcosRAT (SHA1: 1161360566e0e46ef38610222fd945922fe73ed4). The malware was saved to C:\\Windows\\Temp\\update.dll and established C2 with 172.39.134.173.", "spans": {"ORGANIZATION: Huntress": [[26, 34]], "EMAIL: account@identity-verify.cc": [[103, 129]], "EMAIL: hr@secure-verify.net": [[134, 154]], "URL: hxxp://update-static.tech/panel/index.html": [[211, 253]], "DOMAIN: portal-sync.xyz": [[299, 314]], "URL: https://storageproxy.club/download/update.exe": [[333, 378]], "MALWARE: RemcosRAT": [[389, 398]], "HASH: 1161360566e0e46ef38610222fd945922fe73ed4": [[406, 446]], "FILEPATH: C:\\Windows\\Temp\\update.dll": [[474, 500]], "IP_ADDRESS: 172.39.134.173": [[525, 539]]}, "info": {"id": "synth_v2_00962", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Tenable identified a large-scale phishing operation. Emails originated from contact@phishing-domain.com and finance@credential-check.site, spoofing legitimate services. Victims were directed to http://authbackup.xyz/panel/index.html which hosted a credential harvesting page on apiedge.link. A secondary link hxxps://synccloud.online/callback delivered PlugX (SHA1: fb4d4dc37d31b1cd076e63dbf47590c5e81c9af8). 
The malware was saved to /etc/cron.d/ntds.dit and established C2 with 107.239.67.174.", "spans": {"ORGANIZATION: Tenable": [[26, 33]], "EMAIL: contact@phishing-domain.com": [[102, 129]], "EMAIL: finance@credential-check.site": [[134, 163]], "URL: http://authbackup.xyz/panel/index.html": [[220, 258]], "DOMAIN: apiedge.link": [[304, 316]], "URL: hxxps://synccloud.online/callback": [[335, 368]], "MALWARE: PlugX": [[379, 384]], "HASH: fb4d4dc37d31b1cd076e63dbf47590c5e81c9af8": [[392, 432]], "FILEPATH: /etc/cron.d/ntds.dit": [[460, 480]], "IP_ADDRESS: 107.239.67.174": [[505, 519]]}, "info": {"id": "synth_v2_00963", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Europol identified a large-scale phishing operation. Emails originated from service@login-portal.tech and service@urgent-notice.online, spoofing legitimate services. Victims were directed to hxxps://mail-backup.dev/panel/index.html which hosted a credential harvesting page on relay-proxy.dev. A secondary link hxxps://nodestatic.cc/login delivered REvil (SHA256: 14d9f7553ef90ee21a71068730b5dadbf3712c5af07ad52b7b4606d8f22c3de8). The malware was saved to C:\\Windows\\Temp\\loader.exe and established C2 with 86.20.232.167.", "spans": {"ORGANIZATION: Europol": [[26, 33]], "EMAIL: service@login-portal.tech": [[102, 127]], "EMAIL: service@urgent-notice.online": [[132, 160]], "URL: hxxps://mail-backup.dev/panel/index.html": [[217, 257]], "DOMAIN: relay-proxy.dev": [[303, 318]], "URL: hxxps://nodestatic.cc/login": [[337, 364]], "MALWARE: REvil": [[375, 380]], "HASH: 14d9f7553ef90ee21a71068730b5dadbf3712c5af07ad52b7b4606d8f22c3de8": [[390, 454]], "FILEPATH: C:\\Windows\\Temp\\loader.exe": [[482, 508]], "IP_ADDRESS: 86.20.232.167": [[533, 546]]}, "info": {"id": "synth_v2_00964", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Cisco Talos identified a large-scale phishing operation. Emails originated from confirm@identity-verify.cc and admin@mail-service.info, spoofing legitimate services. 
Victims were directed to http://mail-gateway.link/login which hosted a credential harvesting page on gatewaycache.io. A secondary link hxxp://cdndata.club/gate.php delivered BumbleBee (SHA256: 4ca1f0ac34d08010b789a840b2b83bb47b8ada602041ffe8c214fd361b466b3d). The malware was saved to C:\\Users\\admin\\Desktop\\beacon.dll and established C2 with 171.108.11.210.", "spans": {"ORGANIZATION: Cisco Talos": [[26, 37]], "EMAIL: confirm@identity-verify.cc": [[106, 132]], "EMAIL: admin@mail-service.info": [[137, 160]], "URL: http://mail-gateway.link/login": [[217, 247]], "DOMAIN: gatewaycache.io": [[293, 308]], "URL: hxxp://cdndata.club/gate.php": [[327, 355]], "MALWARE: BumbleBee": [[366, 375]], "HASH: 4ca1f0ac34d08010b789a840b2b83bb47b8ada602041ffe8c214fd361b466b3d": [[385, 449]], "FILEPATH: C:\\Users\\admin\\Desktop\\beacon.dll": [[477, 510]], "IP_ADDRESS: 171.108.11.210": [[535, 549]]}, "info": {"id": "synth_v2_00965", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Zscaler ThreatLabz identified a large-scale phishing operation. Emails originated from service@credential-check.site and alert@urgent-notice.online, spoofing legitimate services. Victims were directed to http://secure-secure.site/gate.php which hosted a credential harvesting page on storagecloud.io. A secondary link http://apistatic.com/panel/index.html delivered NjRAT (SHA1: 4dcaf686d60d644bad49d03e864a1c320ec0b461). 
The malware was saved to C:\\Users\\admin\\AppData\\Local\\Temp\\lsass.dmp and established C2 with 193.105.212.53.", "spans": {"ORGANIZATION: Zscaler ThreatLabz": [[26, 44]], "EMAIL: service@credential-check.site": [[113, 142]], "EMAIL: alert@urgent-notice.online": [[147, 173]], "URL: http://secure-secure.site/gate.php": [[230, 264]], "DOMAIN: storagecloud.io": [[310, 325]], "URL: http://apistatic.com/panel/index.html": [[344, 381]], "MALWARE: NjRAT": [[392, 397]], "HASH: 4dcaf686d60d644bad49d03e864a1c320ec0b461": [[405, 445]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\lsass.dmp": [[473, 516]], "IP_ADDRESS: 193.105.212.53": [[541, 555]]}, "info": {"id": "synth_v2_00966", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Dragos identified a large-scale phishing operation. Emails originated from finance@account-update.xyz and account@document-share.link, spoofing legitimate services. Victims were directed to https://portalupdate.club/admin/config which hosted a credential harvesting page on relay-cdn.info. A secondary link hxxp://updatebackup.cc/download/update.exe delivered Latrodectus (SHA1: 36d70e9797459ebf70fc608d9d1f66c1dae796fc). The malware was saved to C:\\ProgramData\\dropper.ps1 and established C2 with 175.226.15.105.", "spans": {"ORGANIZATION: Dragos": [[26, 32]], "EMAIL: finance@account-update.xyz": [[101, 127]], "EMAIL: account@document-share.link": [[132, 159]], "URL: https://portalupdate.club/admin/config": [[216, 254]], "DOMAIN: relay-cdn.info": [[300, 314]], "URL: hxxp://updatebackup.cc/download/update.exe": [[333, 375]], "MALWARE: Latrodectus": [[386, 397]], "HASH: 36d70e9797459ebf70fc608d9d1f66c1dae796fc": [[405, 445]], "FILEPATH: C:\\ProgramData\\dropper.ps1": [[473, 499]], "IP_ADDRESS: 175.226.15.105": [[524, 538]]}, "info": {"id": "synth_v2_00967", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Dragos identified a large-scale phishing operation. 
Emails originated from service@login-portal.tech and security@phishing-domain.com, spoofing legitimate services. Victims were directed to hxxps://portal-secure.cc/gate.php which hosted a credential harvesting page on proxy-auth.io. A secondary link hxxps://cache-cache.org/admin/config delivered LockBit (SHA1: 487db18d0a78f7962f5171e7c78ca9b9ca88f529). The malware was saved to /opt/app/bin/runtime.dll and established C2 with 172.46.234.189.", "spans": {"ORGANIZATION: Dragos": [[26, 32]], "EMAIL: service@login-portal.tech": [[101, 126]], "EMAIL: security@phishing-domain.com": [[131, 159]], "URL: hxxps://portal-secure.cc/gate.php": [[216, 249]], "DOMAIN: proxy-auth.io": [[295, 308]], "URL: hxxps://cache-cache.org/admin/config": [[327, 363]], "MALWARE: LockBit": [[374, 381]], "HASH: 487db18d0a78f7962f5171e7c78ca9b9ca88f529": [[389, 429]], "FILEPATH: /opt/app/bin/runtime.dll": [[457, 481]], "IP_ADDRESS: 172.46.234.189": [[506, 520]]}, "info": {"id": "synth_v2_00968", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Secureworks identified a large-scale phishing operation. Emails originated from admin@urgent-notice.online and contact@mail-service.info, spoofing legitimate services. Victims were directed to https://secureportal.cc/download/update.exe which hosted a credential harvesting page on storage-backup.top. A secondary link hxxp://cloud-cache.io/api/v2/auth delivered StealC (SHA256: ffcea2e5f17d08158b1e9a95a1bf60eaea742f7e03788671b64bea3522ac9c0d). 
The malware was saved to C:\\Users\\Public\\Documents\\agent.py and established C2 with 199.214.230.7.", "spans": {"ORGANIZATION: Secureworks": [[26, 37]], "EMAIL: admin@urgent-notice.online": [[106, 132]], "EMAIL: contact@mail-service.info": [[137, 162]], "URL: https://secureportal.cc/download/update.exe": [[219, 262]], "DOMAIN: storage-backup.top": [[308, 326]], "URL: hxxp://cloud-cache.io/api/v2/auth": [[345, 378]], "MALWARE: StealC": [[389, 395]], "HASH: ffcea2e5f17d08158b1e9a95a1bf60eaea742f7e03788671b64bea3522ac9c0d": [[405, 469]], "FILEPATH: C:\\Users\\Public\\Documents\\agent.py": [[497, 531]], "IP_ADDRESS: 199.214.230.7": [[556, 569]]}, "info": {"id": "synth_v2_00969", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Rapid7 identified a large-scale phishing operation. Emails originated from service@document-share.link and security@secure-verify.net, spoofing legitimate services. Victims were directed to hxxps://edgerelay.xyz/secure/token which hosted a credential harvesting page on datacdn.club. A secondary link https://staticnode.org/wp-content/uploads/doc.php delivered LockBit (SHA1: f64a447e94fc293798d6702a1c93a1f024220669). The malware was saved to C:\\ProgramData\\sam.hive and established C2 with 172.241.2.99.", "spans": {"ORGANIZATION: Rapid7": [[26, 32]], "EMAIL: service@document-share.link": [[101, 128]], "EMAIL: security@secure-verify.net": [[133, 159]], "URL: hxxps://edgerelay.xyz/secure/token": [[216, 250]], "DOMAIN: datacdn.club": [[296, 308]], "URL: https://staticnode.org/wp-content/uploads/doc.php": [[327, 376]], "MALWARE: LockBit": [[387, 394]], "HASH: f64a447e94fc293798d6702a1c93a1f024220669": [[402, 442]], "FILEPATH: C:\\ProgramData\\sam.hive": [[470, 493]], "IP_ADDRESS: 172.241.2.99": [[518, 530]]}, "info": {"id": "synth_v2_00970", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Huntress identified a large-scale phishing operation. 
Emails originated from service@mail-service.info and helpdesk@secure-verify.net, spoofing legitimate services. Victims were directed to hxxps://nodecache.live/api/v2/auth which hosted a credential harvesting page on storage-update.xyz. A secondary link hxxp://synccache.dev/admin/config delivered PlugX (SHA256: 05866d0690a030adf87fa0cea27c1919544292b2bb90d61c369cb80c0d5909f2). The malware was saved to C:\\Users\\Public\\Documents\\beacon.dll and established C2 with 192.79.211.162.", "spans": {"ORGANIZATION: Huntress": [[26, 34]], "EMAIL: service@mail-service.info": [[103, 128]], "EMAIL: helpdesk@secure-verify.net": [[133, 159]], "URL: hxxps://nodecache.live/api/v2/auth": [[216, 250]], "DOMAIN: storage-update.xyz": [[296, 314]], "URL: hxxp://synccache.dev/admin/config": [[333, 366]], "MALWARE: PlugX": [[377, 382]], "HASH: 05866d0690a030adf87fa0cea27c1919544292b2bb90d61c369cb80c0d5909f2": [[392, 456]], "FILEPATH: C:\\Users\\Public\\Documents\\beacon.dll": [[484, 520]], "IP_ADDRESS: 192.79.211.162": [[545, 559]]}, "info": {"id": "synth_v2_00971", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Check Point Research identified a large-scale phishing operation. Emails originated from finance@phishing-domain.com and updates@phishing-domain.com, spoofing legitimate services. Victims were directed to hxxps://update-node.top/panel/index.html which hosted a credential harvesting page on static-gateway.io. A secondary link hxxp://relay-secure.site/panel/index.html delivered DarkSide (MD5: 7e4e7a566f86698f8c0094801d8e3f67). 
The malware was saved to /home/user/.config/loader.exe and established C2 with 193.15.9.118.", "spans": {"ORGANIZATION: Check Point Research": [[26, 46]], "EMAIL: finance@phishing-domain.com": [[115, 142]], "EMAIL: updates@phishing-domain.com": [[147, 174]], "URL: hxxps://update-node.top/panel/index.html": [[231, 271]], "DOMAIN: static-gateway.io": [[317, 334]], "URL: hxxp://relay-secure.site/panel/index.html": [[353, 394]], "MALWARE: DarkSide": [[405, 413]], "HASH: 7e4e7a566f86698f8c0094801d8e3f67": [[420, 452]], "FILEPATH: /home/user/.config/loader.exe": [[480, 509]], "IP_ADDRESS: 193.15.9.118": [[534, 546]]}, "info": {"id": "synth_v2_00972", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Google TAG identified a large-scale phishing operation. Emails originated from noreply@urgent-notice.online and account@document-share.link, spoofing legitimate services. Victims were directed to http://cachesecure.top/admin/config which hosted a credential harvesting page on static-portal.live. A secondary link hxxps://apiapi.site/callback delivered Conti (MD5: d4374e3e5198395fe4ec337da37ac6d4). The malware was saved to C:\\Users\\admin\\Desktop\\lsass.dmp and established C2 with 10.16.68.216.", "spans": {"ORGANIZATION: Google TAG": [[26, 36]], "EMAIL: noreply@urgent-notice.online": [[105, 133]], "EMAIL: account@document-share.link": [[138, 165]], "URL: http://cachesecure.top/admin/config": [[222, 257]], "DOMAIN: static-portal.live": [[303, 321]], "URL: hxxps://apiapi.site/callback": [[340, 368]], "MALWARE: Conti": [[379, 384]], "HASH: d4374e3e5198395fe4ec337da37ac6d4": [[391, 423]], "FILEPATH: C:\\Users\\admin\\Desktop\\lsass.dmp": [[451, 483]], "IP_ADDRESS: 10.16.68.216": [[508, 520]]}, "info": {"id": "synth_v2_00973", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Zscaler ThreatLabz identified a large-scale phishing operation. Emails originated from admin@login-portal.tech and report@secure-verify.net, spoofing legitimate services. 
Victims were directed to http://cdnsecure.dev/wp-content/uploads/doc.php which hosted a credential harvesting page on securesync.tech. A secondary link https://syncsync.xyz/collect delivered PikaBot (MD5: 821c9449d6c8073e730561b55c8189c0). The malware was saved to C:\\Windows\\Temp\\chrome_helper.exe and established C2 with 10.151.73.77.", "spans": {"ORGANIZATION: Zscaler ThreatLabz": [[26, 44]], "EMAIL: admin@login-portal.tech": [[113, 136]], "EMAIL: report@secure-verify.net": [[141, 165]], "URL: http://cdnsecure.dev/wp-content/uploads/doc.php": [[222, 269]], "DOMAIN: securesync.tech": [[315, 330]], "URL: https://syncsync.xyz/collect": [[349, 377]], "MALWARE: PikaBot": [[388, 395]], "HASH: 821c9449d6c8073e730561b55c8189c0": [[402, 434]], "FILEPATH: C:\\Windows\\Temp\\chrome_helper.exe": [[462, 495]], "IP_ADDRESS: 10.151.73.77": [[520, 532]]}, "info": {"id": "synth_v2_00974", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: ESET Research identified a large-scale phishing operation. Emails originated from security@auth-check.org and billing@identity-verify.cc, spoofing legitimate services. Victims were directed to hxxp://cache-api.dev/wp-content/uploads/doc.php which hosted a credential harvesting page on cacherelay.site. A secondary link hxxp://maildata.com/panel/index.html delivered QakBot (SHA1: af49ba357fac313d7d32256b00dbc330bc6e12d3). 
The malware was saved to C:\\Users\\admin\\Desktop\\sam.hive and established C2 with 10.150.124.97.", "spans": {"ORGANIZATION: ESET Research": [[26, 39]], "EMAIL: security@auth-check.org": [[108, 131]], "EMAIL: billing@identity-verify.cc": [[136, 162]], "URL: hxxp://cache-api.dev/wp-content/uploads/doc.php": [[219, 266]], "DOMAIN: cacherelay.site": [[312, 327]], "URL: hxxp://maildata.com/panel/index.html": [[346, 382]], "MALWARE: QakBot": [[393, 399]], "HASH: af49ba357fac313d7d32256b00dbc330bc6e12d3": [[407, 447]], "FILEPATH: C:\\Users\\admin\\Desktop\\sam.hive": [[475, 506]], "IP_ADDRESS: 10.150.124.97": [[531, 544]]}, "info": {"id": "synth_v2_00975", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Tenable identified a large-scale phishing operation. Emails originated from ceo@account-update.xyz and finance@phishing-domain.com, spoofing legitimate services. Victims were directed to http://maildata.club/portal/verify which hosted a credential harvesting page on data-portal.live. A secondary link https://edge-relay.link/portal/verify delivered SystemBC (SHA1: c1f216300d72bc20608a32b96eb8dcfed703d452). The malware was saved to C:\\Windows\\System32\\taskhost.exe and established C2 with 184.231.255.64.", "spans": {"ORGANIZATION: Tenable": [[26, 33]], "EMAIL: ceo@account-update.xyz": [[102, 124]], "EMAIL: finance@phishing-domain.com": [[129, 156]], "URL: http://maildata.club/portal/verify": [[213, 247]], "DOMAIN: data-portal.live": [[293, 309]], "URL: https://edge-relay.link/portal/verify": [[328, 365]], "MALWARE: SystemBC": [[376, 384]], "HASH: c1f216300d72bc20608a32b96eb8dcfed703d452": [[392, 432]], "FILEPATH: C:\\Windows\\System32\\taskhost.exe": [[460, 492]], "IP_ADDRESS: 184.231.255.64": [[517, 531]]}, "info": {"id": "synth_v2_00976", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: SentinelOne identified a large-scale phishing operation. 
Emails originated from account@auth-check.org and hr@identity-verify.cc, spoofing legitimate services. Victims were directed to hxxp://logincloud.org/callback which hosted a credential harvesting page on backupcache.net. A secondary link http://portal-portal.link/collect delivered BlackCat (SHA1: eb95c88c1dc2b4b4cd734c2c5519b23f35e4b348). The malware was saved to /home/user/.config/shell.php and established C2 with 219.89.69.192.", "spans": {"ORGANIZATION: SentinelOne": [[26, 37]], "EMAIL: account@auth-check.org": [[106, 128]], "EMAIL: hr@identity-verify.cc": [[133, 154]], "URL: hxxp://logincloud.org/callback": [[211, 241]], "DOMAIN: backupcache.net": [[287, 302]], "URL: http://portal-portal.link/collect": [[321, 354]], "MALWARE: BlackCat": [[365, 373]], "HASH: eb95c88c1dc2b4b4cd734c2c5519b23f35e4b348": [[381, 421]], "FILEPATH: /home/user/.config/shell.php": [[449, 477]], "IP_ADDRESS: 219.89.69.192": [[502, 515]]}, "info": {"id": "synth_v2_00977", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Proofpoint identified a large-scale phishing operation. Emails originated from support@mail-service.info and security@document-share.link, spoofing legitimate services. Victims were directed to hxxp://securesecure.site/login which hosted a credential harvesting page on securecloud.dev. A secondary link http://gatewayportal.net/collect delivered AgentTesla (SHA1: fc667b5775a5a54571dacc0fae1638f63edf5204). 
The malware was saved to C:\\Windows\\System32\\shell.php and established C2 with 10.164.244.222.", "spans": {"ORGANIZATION: Proofpoint": [[26, 36]], "EMAIL: support@mail-service.info": [[105, 130]], "EMAIL: security@document-share.link": [[135, 163]], "URL: hxxp://securesecure.site/login": [[220, 250]], "DOMAIN: securecloud.dev": [[296, 311]], "URL: http://gatewayportal.net/collect": [[330, 362]], "MALWARE: AgentTesla": [[373, 383]], "HASH: fc667b5775a5a54571dacc0fae1638f63edf5204": [[391, 431]], "FILEPATH: C:\\Windows\\System32\\shell.php": [[459, 488]], "IP_ADDRESS: 10.164.244.222": [[513, 527]]}, "info": {"id": "synth_v2_00978", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Symantec identified a large-scale phishing operation. Emails originated from service@urgent-notice.online and account@credential-check.site, spoofing legitimate services. Victims were directed to https://relaystatic.org/callback which hosted a credential harvesting page on cdn-node.live. A secondary link https://backup-auth.xyz/panel/index.html delivered SmokeLoader (SHA1: 7dedaa6d3aa3544a75d9a5f7b9124484e1a93b2e). The malware was saved to /var/tmp/taskhost.exe and established C2 with 52.97.43.40.", "spans": {"ORGANIZATION: Symantec": [[26, 34]], "EMAIL: service@urgent-notice.online": [[103, 131]], "EMAIL: account@credential-check.site": [[136, 165]], "URL: https://relaystatic.org/callback": [[222, 254]], "DOMAIN: cdn-node.live": [[300, 313]], "URL: https://backup-auth.xyz/panel/index.html": [[332, 372]], "MALWARE: SmokeLoader": [[383, 394]], "HASH: 7dedaa6d3aa3544a75d9a5f7b9124484e1a93b2e": [[402, 442]], "FILEPATH: /var/tmp/taskhost.exe": [[470, 491]], "IP_ADDRESS: 52.97.43.40": [[516, 527]]}, "info": {"id": "synth_v2_00979", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Recorded Future identified a large-scale phishing operation. Emails originated from noreply@identity-verify.cc and admin@phishing-domain.com, spoofing legitimate services. 
Victims were directed to hxxps://api-backup.info/admin/config which hosted a credential harvesting page on cdn-backup.club. A secondary link hxxps://portallogin.live/portal/verify delivered DanaBot (SHA256: c1b01bbe5fa4559b573b46e417592c20d80674249eb799b59a1ce14670b62709). The malware was saved to /home/user/.config/taskhost.exe and established C2 with 10.253.164.39.", "spans": {"ORGANIZATION: Recorded Future": [[26, 41]], "EMAIL: noreply@identity-verify.cc": [[110, 136]], "EMAIL: admin@phishing-domain.com": [[141, 166]], "URL: hxxps://api-backup.info/admin/config": [[223, 259]], "DOMAIN: cdn-backup.club": [[305, 320]], "URL: hxxps://portallogin.live/portal/verify": [[339, 377]], "MALWARE: DanaBot": [[388, 395]], "HASH: c1b01bbe5fa4559b573b46e417592c20d80674249eb799b59a1ce14670b62709": [[405, 469]], "FILEPATH: /home/user/.config/taskhost.exe": [[497, 528]], "IP_ADDRESS: 10.253.164.39": [[553, 566]]}, "info": {"id": "synth_v2_00980", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: CrowdStrike identified a large-scale phishing operation. Emails originated from confirm@credential-check.site and noreply@phishing-domain.com, spoofing legitimate services. Victims were directed to hxxp://storageportal.info/assets/js/payload.js which hosted a credential harvesting page on data-storage.live. A secondary link hxxp://backup-update.tech/login delivered Play (SHA1: c49c939de808c898cb29e1c1639363cf2d0b31b4). 
The malware was saved to /dev/shm/ntds.dit and established C2 with 156.52.133.144.", "spans": {"ORGANIZATION: CrowdStrike": [[26, 37]], "EMAIL: confirm@credential-check.site": [[106, 135]], "EMAIL: noreply@phishing-domain.com": [[140, 167]], "URL: hxxp://storageportal.info/assets/js/payload.js": [[224, 270]], "DOMAIN: data-storage.live": [[316, 333]], "URL: hxxp://backup-update.tech/login": [[352, 383]], "MALWARE: Play": [[394, 398]], "HASH: c49c939de808c898cb29e1c1639363cf2d0b31b4": [[406, 446]], "FILEPATH: /dev/shm/ntds.dit": [[474, 491]], "IP_ADDRESS: 156.52.133.144": [[516, 530]]}, "info": {"id": "synth_v2_00981", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Dragos identified a large-scale phishing operation. Emails originated from report@identity-verify.cc and noreply@document-share.link, spoofing legitimate services. Victims were directed to hxxp://mail-portal.io/login which hosted a credential harvesting page on gatewayauth.dev. A secondary link hxxps://proxy-mail.xyz/gate.php delivered PikaBot (SHA1: 6769423ece0aa4e1fd14dbb283784d8e5c903a70). The malware was saved to /opt/app/bin/beacon.dll and established C2 with 192.148.3.80.", "spans": {"ORGANIZATION: Dragos": [[26, 32]], "EMAIL: report@identity-verify.cc": [[101, 126]], "EMAIL: noreply@document-share.link": [[131, 158]], "URL: hxxp://mail-portal.io/login": [[215, 242]], "DOMAIN: gatewayauth.dev": [[288, 303]], "URL: hxxps://proxy-mail.xyz/gate.php": [[322, 353]], "MALWARE: PikaBot": [[364, 371]], "HASH: 6769423ece0aa4e1fd14dbb283784d8e5c903a70": [[379, 419]], "FILEPATH: /opt/app/bin/beacon.dll": [[447, 470]], "IP_ADDRESS: 192.148.3.80": [[495, 507]]}, "info": {"id": "synth_v2_00982", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Cisco Talos identified a large-scale phishing operation. Emails originated from helpdesk@mail-service.info and verify@mail-service.info, spoofing legitimate services. 
Victims were directed to hxxps://secure-storage.xyz/admin/config which hosted a credential harvesting page on cdn-proxy.online. A secondary link http://proxy-static.tech/api/v2/auth delivered Qbot (SHA1: 08de67f0dca5ccf4ec6354b9a03c7b5bb584b087). The malware was saved to C:\\Users\\admin\\Downloads\\chrome_helper.exe and established C2 with 90.31.115.108.", "spans": {"ORGANIZATION: Cisco Talos": [[26, 37]], "EMAIL: helpdesk@mail-service.info": [[106, 132]], "EMAIL: verify@mail-service.info": [[137, 161]], "URL: hxxps://secure-storage.xyz/admin/config": [[218, 257]], "DOMAIN: cdn-proxy.online": [[303, 319]], "URL: http://proxy-static.tech/api/v2/auth": [[338, 374]], "MALWARE: Qbot": [[385, 389]], "HASH: 08de67f0dca5ccf4ec6354b9a03c7b5bb584b087": [[397, 437]], "FILEPATH: C:\\Users\\admin\\Downloads\\chrome_helper.exe": [[465, 507]], "IP_ADDRESS: 90.31.115.108": [[532, 545]]}, "info": {"id": "synth_v2_00983", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Rapid7 identified a large-scale phishing operation. Emails originated from info@document-share.link and security@phishing-domain.com, spoofing legitimate services. Victims were directed to hxxps://storage-static.club/collect which hosted a credential harvesting page on cloud-backup.club. A secondary link hxxp://node-proxy.xyz/gate.php delivered DarkSide (MD5: 2f6ea165cabc3934316a4c6fe05e300c). 
The malware was saved to /home/user/.config/backdoor.elf and established C2 with 74.0.138.127.", "spans": {"ORGANIZATION: Rapid7": [[26, 32]], "EMAIL: info@document-share.link": [[101, 125]], "EMAIL: security@phishing-domain.com": [[130, 158]], "URL: hxxps://storage-static.club/collect": [[215, 250]], "DOMAIN: cloud-backup.club": [[296, 313]], "URL: hxxp://node-proxy.xyz/gate.php": [[332, 362]], "MALWARE: DarkSide": [[373, 381]], "HASH: 2f6ea165cabc3934316a4c6fe05e300c": [[388, 420]], "FILEPATH: /home/user/.config/backdoor.elf": [[448, 479]], "IP_ADDRESS: 74.0.138.127": [[504, 516]]}, "info": {"id": "synth_v2_00984", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Secureworks identified a large-scale phishing operation. Emails originated from contact@phishing-domain.com and updates@urgent-notice.online, spoofing legitimate services. Victims were directed to hxxps://logindata.tech/login which hosted a credential harvesting page on edge-mail.net. A secondary link hxxps://gatewaystorage.net/gate.php delivered Amadey (SHA256: 97bba60e12117f78e983ce8af38ad03b1995022abc4e229ff59c65181c459dad). The malware was saved to C:\\Users\\admin\\Downloads\\dropper.ps1 and established C2 with 21.137.180.99.", "spans": {"ORGANIZATION: Secureworks": [[26, 37]], "EMAIL: contact@phishing-domain.com": [[106, 133]], "EMAIL: updates@urgent-notice.online": [[138, 166]], "URL: hxxps://logindata.tech/login": [[223, 251]], "DOMAIN: edge-mail.net": [[297, 310]], "URL: hxxps://gatewaystorage.net/gate.php": [[329, 364]], "MALWARE: Amadey": [[375, 381]], "HASH: 97bba60e12117f78e983ce8af38ad03b1995022abc4e229ff59c65181c459dad": [[391, 455]], "FILEPATH: C:\\Users\\admin\\Downloads\\dropper.ps1": [[483, 519]], "IP_ADDRESS: 21.137.180.99": [[544, 557]]}, "info": {"id": "synth_v2_00985", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Proofpoint identified a large-scale phishing operation. 
Emails originated from billing@mail-service.info and support@document-share.link, spoofing legitimate services. Victims were directed to hxxps://edge-mail.io/secure/token which hosted a credential harvesting page on syncsync.club. A secondary link hxxps://edgeapi.club/secure/token delivered Meduza Stealer (SHA1: 443143ac22eeffea929d6bde3795e4ac59c3c835). The malware was saved to /etc/cron.d/helper.sh and established C2 with 172.24.251.211.", "spans": {"ORGANIZATION: Proofpoint": [[26, 36]], "EMAIL: billing@mail-service.info": [[105, 130]], "EMAIL: support@document-share.link": [[135, 162]], "URL: hxxps://edge-mail.io/secure/token": [[219, 252]], "DOMAIN: syncsync.club": [[298, 311]], "URL: hxxps://edgeapi.club/secure/token": [[330, 363]], "MALWARE: Meduza Stealer": [[374, 388]], "HASH: 443143ac22eeffea929d6bde3795e4ac59c3c835": [[396, 436]], "FILEPATH: /etc/cron.d/helper.sh": [[464, 485]], "IP_ADDRESS: 172.24.251.211": [[510, 524]]}, "info": {"id": "synth_v2_00986", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Recorded Future identified a large-scale phishing operation. Emails originated from verify@phishing-domain.com and support@mail-service.info, spoofing legitimate services. Victims were directed to hxxps://cache-data.dev/assets/js/payload.js which hosted a credential harvesting page on static-edge.org. A secondary link https://storagebackup.net/login delivered DarkSide (SHA1: 187bdab14bd1bf0491d4057b7731c60d9dbe63e5). 
The malware was saved to C:\\Windows\\Temp\\runtime.dll and established C2 with 101.82.20.62.", "spans": {"ORGANIZATION: Recorded Future": [[26, 41]], "EMAIL: verify@phishing-domain.com": [[110, 136]], "EMAIL: support@mail-service.info": [[141, 166]], "URL: hxxps://cache-data.dev/assets/js/payload.js": [[223, 266]], "DOMAIN: static-edge.org": [[312, 327]], "URL: https://storagebackup.net/login": [[346, 377]], "MALWARE: DarkSide": [[388, 396]], "HASH: 187bdab14bd1bf0491d4057b7731c60d9dbe63e5": [[404, 444]], "FILEPATH: C:\\Windows\\Temp\\runtime.dll": [[472, 499]], "IP_ADDRESS: 101.82.20.62": [[524, 536]]}, "info": {"id": "synth_v2_00987", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Secureworks identified a large-scale phishing operation. Emails originated from account@auth-check.org and confirm@urgent-notice.online, spoofing legitimate services. Victims were directed to http://syncupdate.top/panel/index.html which hosted a credential harvesting page on apiportal.info. A secondary link hxxp://login-portal.tech/collect delivered XLoader (SHA1: 2adbaf41b1279bee9982c478c04f8fb651f2e80d). The malware was saved to /tmp/runtime.dll and established C2 with 172.213.67.52.", "spans": {"ORGANIZATION: Secureworks": [[26, 37]], "EMAIL: account@auth-check.org": [[106, 128]], "EMAIL: confirm@urgent-notice.online": [[133, 161]], "URL: http://syncupdate.top/panel/index.html": [[218, 256]], "DOMAIN: apiportal.info": [[302, 316]], "URL: hxxp://login-portal.tech/collect": [[335, 367]], "MALWARE: XLoader": [[378, 385]], "HASH: 2adbaf41b1279bee9982c478c04f8fb651f2e80d": [[393, 433]], "FILEPATH: /tmp/runtime.dll": [[461, 477]], "IP_ADDRESS: 172.213.67.52": [[502, 515]]}, "info": {"id": "synth_v2_00988", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Recorded Future identified a large-scale phishing operation. Emails originated from support@login-portal.tech and report@credential-check.site, spoofing legitimate services. 
Victims were directed to hxxps://syncupdate.io/callback which hosted a credential harvesting page on cdn-auth.cc. A secondary link http://cdnnode.club/login delivered Meduza Stealer (SHA1: 508befdba746b9fe006b7f79d98f7487f5be54e8). The malware was saved to /home/user/.config/helper.sh and established C2 with 10.102.74.208.", "spans": {"ORGANIZATION: Recorded Future": [[26, 41]], "EMAIL: support@login-portal.tech": [[110, 135]], "EMAIL: report@credential-check.site": [[140, 168]], "URL: hxxps://syncupdate.io/callback": [[225, 255]], "DOMAIN: cdn-auth.cc": [[301, 312]], "URL: http://cdnnode.club/login": [[331, 356]], "MALWARE: Meduza Stealer": [[367, 381]], "HASH: 508befdba746b9fe006b7f79d98f7487f5be54e8": [[389, 429]], "FILEPATH: /home/user/.config/helper.sh": [[457, 485]], "IP_ADDRESS: 10.102.74.208": [[510, 523]]}, "info": {"id": "synth_v2_00989", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Mandiant identified a large-scale phishing operation. Emails originated from service@identity-verify.cc and alert@secure-verify.net, spoofing legitimate services. Victims were directed to https://edgesync.io/panel/index.html which hosted a credential harvesting page on auth-auth.cc. A secondary link http://storage-secure.link/wp-content/uploads/doc.php delivered Vidar (MD5: bd481a84ee73ed5abc4fbd563ef5217c). 
The malware was saved to C:\\Windows\\Tasks\\config.dat and established C2 with 10.160.115.154.", "spans": {"ORGANIZATION: Mandiant": [[26, 34]], "EMAIL: service@identity-verify.cc": [[103, 129]], "EMAIL: alert@secure-verify.net": [[134, 157]], "URL: https://edgesync.io/panel/index.html": [[214, 250]], "DOMAIN: auth-auth.cc": [[296, 308]], "URL: http://storage-secure.link/wp-content/uploads/doc.php": [[327, 380]], "MALWARE: Vidar": [[391, 396]], "HASH: bd481a84ee73ed5abc4fbd563ef5217c": [[403, 435]], "FILEPATH: C:\\Windows\\Tasks\\config.dat": [[463, 490]], "IP_ADDRESS: 10.160.115.154": [[515, 529]]}, "info": {"id": "synth_v2_00990", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Tenable identified a large-scale phishing operation. Emails originated from verify@phishing-domain.com and verify@credential-check.site, spoofing legitimate services. Victims were directed to http://mailsync.info/assets/js/payload.js which hosted a credential harvesting page on apibackup.site. A secondary link hxxp://edge-login.dev/api/v2/auth delivered IcedID (SHA1: 7f621723a29e0d15c417f54bb2bd88462fc1bcd5). The malware was saved to /opt/app/bin/helper.sh and established C2 with 108.248.198.105.", "spans": {"ORGANIZATION: Tenable": [[26, 33]], "EMAIL: verify@phishing-domain.com": [[102, 128]], "EMAIL: verify@credential-check.site": [[133, 161]], "URL: http://mailsync.info/assets/js/payload.js": [[218, 259]], "DOMAIN: apibackup.site": [[305, 319]], "URL: hxxp://edge-login.dev/api/v2/auth": [[338, 371]], "MALWARE: IcedID": [[382, 388]], "HASH: 7f621723a29e0d15c417f54bb2bd88462fc1bcd5": [[396, 436]], "FILEPATH: /opt/app/bin/helper.sh": [[464, 486]], "IP_ADDRESS: 108.248.198.105": [[511, 526]]}, "info": {"id": "synth_v2_00991", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Tenable identified a large-scale phishing operation. Emails originated from noreply@identity-verify.cc and security@login-portal.tech, spoofing legitimate services. 
Victims were directed to hxxps://cacheportal.dev/secure/token which hosted a credential harvesting page on updatelogin.tech. A secondary link http://update-login.club/api/v2/auth delivered Qbot (SHA1: f51793f0bc44bb120513afff4ee929f19b53e40b). The malware was saved to C:\\Windows\\Tasks\\svchost.exe and established C2 with 172.205.24.85.", "spans": {"ORGANIZATION: Tenable": [[26, 33]], "EMAIL: noreply@identity-verify.cc": [[102, 128]], "EMAIL: security@login-portal.tech": [[133, 159]], "URL: hxxps://cacheportal.dev/secure/token": [[216, 252]], "DOMAIN: updatelogin.tech": [[298, 314]], "URL: http://update-login.club/api/v2/auth": [[333, 369]], "MALWARE: Qbot": [[380, 384]], "HASH: f51793f0bc44bb120513afff4ee929f19b53e40b": [[392, 432]], "FILEPATH: C:\\Windows\\Tasks\\svchost.exe": [[460, 488]], "IP_ADDRESS: 172.205.24.85": [[513, 526]]}, "info": {"id": "synth_v2_00992", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Europol identified a large-scale phishing operation. Emails originated from support@identity-verify.cc and helpdesk@phishing-domain.com, spoofing legitimate services. Victims were directed to hxxps://portaldata.site/secure/token which hosted a credential harvesting page on syncupdate.cc. A secondary link hxxps://login-node.dev/admin/config delivered WarmCookie (SHA256: 274dc300477a778a4b5cd1bc463182742a326950ea36cfdc04a2576a1a610622). 
The malware was saved to C:\\Windows\\Temp\\runtime.dll and established C2 with 192.60.84.16.", "spans": {"ORGANIZATION: Europol": [[26, 33]], "EMAIL: support@identity-verify.cc": [[102, 128]], "EMAIL: helpdesk@phishing-domain.com": [[133, 161]], "URL: hxxps://portaldata.site/secure/token": [[218, 254]], "DOMAIN: syncupdate.cc": [[300, 313]], "URL: hxxps://login-node.dev/admin/config": [[332, 367]], "MALWARE: WarmCookie": [[378, 388]], "HASH: 274dc300477a778a4b5cd1bc463182742a326950ea36cfdc04a2576a1a610622": [[398, 462]], "FILEPATH: C:\\Windows\\Temp\\runtime.dll": [[490, 517]], "IP_ADDRESS: 192.60.84.16": [[542, 554]]}, "info": {"id": "synth_v2_00993", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Proofpoint identified a large-scale phishing operation. Emails originated from helpdesk@phishing-domain.com and noreply@auth-check.org, spoofing legitimate services. Victims were directed to https://update-static.info/download/update.exe which hosted a credential harvesting page on dataauth.cc. A secondary link http://relay-mail.cc/assets/js/payload.js delivered DarkSide (SHA256: 8aab0c3d27847582657c5321b5e0d3716223b4df94098b5057f868683f5b88c5). 
The malware was saved to C:\\Users\\admin\\AppData\\Local\\Temp\\implant.so and established C2 with 12.68.237.90.", "spans": {"ORGANIZATION: Proofpoint": [[26, 36]], "EMAIL: helpdesk@phishing-domain.com": [[105, 133]], "EMAIL: noreply@auth-check.org": [[138, 160]], "URL: https://update-static.info/download/update.exe": [[217, 263]], "DOMAIN: dataauth.cc": [[309, 320]], "URL: http://relay-mail.cc/assets/js/payload.js": [[339, 380]], "MALWARE: DarkSide": [[391, 399]], "HASH: 8aab0c3d27847582657c5321b5e0d3716223b4df94098b5057f868683f5b88c5": [[409, 473]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\implant.so": [[501, 545]], "IP_ADDRESS: 12.68.237.90": [[570, 582]]}, "info": {"id": "synth_v2_00994", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: INTERPOL identified a large-scale phishing operation. Emails originated from verify@mail-service.info and ceo@mail-service.info, spoofing legitimate services. Victims were directed to https://cachelogin.com/portal/verify which hosted a credential harvesting page on edge-auth.club. A secondary link hxxps://backupstorage.xyz/api/v2/auth delivered Latrodectus (MD5: 2075d2fab84cffd03fe5e5a2bb0ce530). The malware was saved to /etc/cron.d/csrss.exe and established C2 with 172.144.169.102.", "spans": {"ORGANIZATION: INTERPOL": [[26, 34]], "EMAIL: verify@mail-service.info": [[103, 127]], "EMAIL: ceo@mail-service.info": [[132, 153]], "URL: https://cachelogin.com/portal/verify": [[210, 246]], "DOMAIN: edge-auth.club": [[292, 306]], "URL: hxxps://backupstorage.xyz/api/v2/auth": [[325, 362]], "MALWARE: Latrodectus": [[373, 384]], "HASH: 2075d2fab84cffd03fe5e5a2bb0ce530": [[391, 423]], "FILEPATH: /etc/cron.d/csrss.exe": [[451, 472]], "IP_ADDRESS: 172.144.169.102": [[497, 512]]}, "info": {"id": "synth_v2_00995", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Dragos identified a large-scale phishing operation. 
Emails originated from service@account-update.xyz and security@document-share.link, spoofing legitimate services. Victims were directed to http://loginauth.online/login which hosted a credential harvesting page on gateway-login.info. A secondary link hxxp://gatewayportal.com/callback delivered WarmCookie (SHA256: 10109649985d337bf5736221811e1c3278f8b3a1f553e9e34bd2ae7a6191c9da). The malware was saved to C:\\Windows\\Tasks\\svchost.exe and established C2 with 115.78.215.231.", "spans": {"ORGANIZATION: Dragos": [[26, 32]], "EMAIL: service@account-update.xyz": [[101, 127]], "EMAIL: security@document-share.link": [[132, 160]], "URL: http://loginauth.online/login": [[217, 246]], "DOMAIN: gateway-login.info": [[292, 310]], "URL: hxxp://gatewayportal.com/callback": [[329, 362]], "MALWARE: WarmCookie": [[373, 383]], "HASH: 10109649985d337bf5736221811e1c3278f8b3a1f553e9e34bd2ae7a6191c9da": [[393, 457]], "FILEPATH: C:\\Windows\\Tasks\\svchost.exe": [[485, 513]], "IP_ADDRESS: 115.78.215.231": [[538, 552]]}, "info": {"id": "synth_v2_00996", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Rapid7 identified a large-scale phishing operation. Emails originated from service@phishing-domain.com and noreply@login-portal.tech, spoofing legitimate services. Victims were directed to https://apimail.io/login which hosted a credential harvesting page on dataapi.site. A secondary link hxxps://mail-cloud.top/api/v2/auth delivered Qbot (SHA256: 72305e3e0f1e2e8686764719606ff741bccd9e3ad888901fce81fe09fec26ef9). 
The malware was saved to /opt/app/bin/ntds.dit and established C2 with 172.225.31.96.", "spans": {"ORGANIZATION: Rapid7": [[26, 32]], "EMAIL: service@phishing-domain.com": [[101, 128]], "EMAIL: noreply@login-portal.tech": [[133, 158]], "URL: https://apimail.io/login": [[215, 239]], "DOMAIN: dataapi.site": [[285, 297]], "URL: hxxps://mail-cloud.top/api/v2/auth": [[316, 350]], "MALWARE: Qbot": [[361, 365]], "HASH: 72305e3e0f1e2e8686764719606ff741bccd9e3ad888901fce81fe09fec26ef9": [[375, 439]], "FILEPATH: /opt/app/bin/ntds.dit": [[467, 488]], "IP_ADDRESS: 172.225.31.96": [[513, 526]]}, "info": {"id": "synth_v2_00997", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Secureworks identified a large-scale phishing operation. Emails originated from noreply@account-update.xyz and hr@mail-service.info, spoofing legitimate services. Victims were directed to https://cloud-data.cc/portal/verify which hosted a credential harvesting page on cloudauth.top. A secondary link http://cachesync.com/portal/verify delivered RemcosRAT (MD5: e1479d5fb9e0d9d41d3a09bbcc229d60). The malware was saved to C:\\Users\\admin\\AppData\\Local\\Temp\\winlogon.exe and established C2 with 32.40.203.112.", "spans": {"ORGANIZATION: Secureworks": [[26, 37]], "EMAIL: noreply@account-update.xyz": [[106, 132]], "EMAIL: hr@mail-service.info": [[137, 157]], "URL: https://cloud-data.cc/portal/verify": [[214, 249]], "DOMAIN: cloudauth.top": [[295, 308]], "URL: http://cachesync.com/portal/verify": [[327, 361]], "MALWARE: RemcosRAT": [[372, 381]], "HASH: e1479d5fb9e0d9d41d3a09bbcc229d60": [[388, 420]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\winlogon.exe": [[448, 494]], "IP_ADDRESS: 32.40.203.112": [[519, 532]]}, "info": {"id": "synth_v2_00998", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Zscaler ThreatLabz identified a large-scale phishing operation. Emails originated from finance@identity-verify.cc and notification@login-portal.tech, spoofing legitimate services. 
Victims were directed to hxxps://storageportal.dev/panel/index.html which hosted a credential harvesting page on portaledge.com. A secondary link http://cloud-storage.club/portal/verify delivered RedLine Stealer (MD5: 7b9040f7ff5a8fcbc4a48b9539f67612). The malware was saved to C:\\Users\\admin\\AppData\\Local\\Temp\\config.dat and established C2 with 192.244.242.206.", "spans": {"ORGANIZATION: Zscaler ThreatLabz": [[26, 44]], "EMAIL: finance@identity-verify.cc": [[113, 139]], "EMAIL: notification@login-portal.tech": [[144, 174]], "URL: hxxps://storageportal.dev/panel/index.html": [[231, 273]], "DOMAIN: portaledge.com": [[319, 333]], "URL: http://cloud-storage.club/portal/verify": [[352, 391]], "MALWARE: RedLine Stealer": [[402, 417]], "HASH: 7b9040f7ff5a8fcbc4a48b9539f67612": [[424, 456]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\config.dat": [[484, 528]], "IP_ADDRESS: 192.244.242.206": [[553, 568]]}, "info": {"id": "synth_v2_00999", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Cisco Talos identified a large-scale phishing operation. Emails originated from info@urgent-notice.online and hr@login-portal.tech, spoofing legitimate services. Victims were directed to hxxp://auth-cache.org/login which hosted a credential harvesting page on static-proxy.xyz. A secondary link hxxp://gatewayproxy.xyz/wp-content/uploads/doc.php delivered BlackCat (SHA1: 15529b78ea3a38033423a8fd154dbd12f25aed91). 
The malware was saved to C:\\Users\\admin\\Desktop\\agent.py and established C2 with 11.95.68.83.", "spans": {"ORGANIZATION: Cisco Talos": [[26, 37]], "EMAIL: info@urgent-notice.online": [[106, 131]], "EMAIL: hr@login-portal.tech": [[136, 156]], "URL: hxxp://auth-cache.org/login": [[213, 240]], "DOMAIN: static-proxy.xyz": [[286, 302]], "URL: hxxp://gatewayproxy.xyz/wp-content/uploads/doc.php": [[321, 371]], "MALWARE: BlackCat": [[382, 390]], "HASH: 15529b78ea3a38033423a8fd154dbd12f25aed91": [[398, 438]], "FILEPATH: C:\\Users\\admin\\Desktop\\agent.py": [[466, 497]], "IP_ADDRESS: 11.95.68.83": [[522, 533]]}, "info": {"id": "synth_v2_01000", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Check Point Research identified a large-scale phishing operation. Emails originated from helpdesk@account-update.xyz and service@credential-check.site, spoofing legitimate services. Victims were directed to hxxp://staticcache.top/portal/verify which hosted a credential harvesting page on data-edge.live. A secondary link hxxp://relay-proxy.dev/collect delivered NjRAT (SHA256: 8bfcaa6393779a8c056eb9757bc2dfaeba635e96fa0ee3ac1bdb12cb318e72f6). The malware was saved to C:\\Users\\admin\\AppData\\Local\\Temp\\payload.bin and established C2 with 192.93.11.148.", "spans": {"ORGANIZATION: Check Point Research": [[26, 46]], "EMAIL: helpdesk@account-update.xyz": [[115, 142]], "EMAIL: service@credential-check.site": [[147, 176]], "URL: hxxp://staticcache.top/portal/verify": [[233, 269]], "DOMAIN: data-edge.live": [[315, 329]], "URL: hxxp://relay-proxy.dev/collect": [[348, 378]], "MALWARE: NjRAT": [[389, 394]], "HASH: 8bfcaa6393779a8c056eb9757bc2dfaeba635e96fa0ee3ac1bdb12cb318e72f6": [[404, 468]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\payload.bin": [[496, 541]], "IP_ADDRESS: 192.93.11.148": [[566, 579]]}, "info": {"id": "synth_v2_01001", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Symantec identified a large-scale phishing operation. 
Emails originated from alert@mail-service.info and admin@secure-verify.net, spoofing legitimate services. Victims were directed to hxxp://staticcloud.xyz/panel/index.html which hosted a credential harvesting page on static-cache.io. A secondary link https://backuplogin.xyz/gate.php delivered LockBit (SHA1: 4548cc09dd75d69ba426ac16da01ce91003d1253). The malware was saved to C:\\Windows\\Temp\\beacon.dll and established C2 with 210.164.43.85.", "spans": {"ORGANIZATION: Symantec": [[26, 34]], "EMAIL: alert@mail-service.info": [[103, 126]], "EMAIL: admin@secure-verify.net": [[131, 154]], "URL: hxxp://staticcloud.xyz/panel/index.html": [[211, 250]], "DOMAIN: static-cache.io": [[296, 311]], "URL: https://backuplogin.xyz/gate.php": [[330, 362]], "MALWARE: LockBit": [[373, 380]], "HASH: 4548cc09dd75d69ba426ac16da01ce91003d1253": [[388, 428]], "FILEPATH: C:\\Windows\\Temp\\beacon.dll": [[456, 482]], "IP_ADDRESS: 210.164.43.85": [[507, 520]]}, "info": {"id": "synth_v2_01002", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Check Point Research identified a large-scale phishing operation. Emails originated from hr@auth-check.org and noreply@identity-verify.cc, spoofing legitimate services. Victims were directed to hxxps://relay-storage.site/wp-content/uploads/doc.php which hosted a credential harvesting page on cloud-login.org. A secondary link http://auth-update.com/portal/verify delivered XLoader (SHA1: 37b545bcf9b8376a505942560e00bdf7247433b7). 
The malware was saved to C:\\Windows\\System32\\payload.bin and established C2 with 116.239.239.56.", "spans": {"ORGANIZATION: Check Point Research": [[26, 46]], "EMAIL: hr@auth-check.org": [[115, 132]], "EMAIL: noreply@identity-verify.cc": [[137, 163]], "URL: hxxps://relay-storage.site/wp-content/uploads/doc.php": [[220, 273]], "DOMAIN: cloud-login.org": [[319, 334]], "URL: http://auth-update.com/portal/verify": [[353, 389]], "MALWARE: XLoader": [[400, 407]], "HASH: 37b545bcf9b8376a505942560e00bdf7247433b7": [[415, 455]], "FILEPATH: C:\\Windows\\System32\\payload.bin": [[483, 514]], "IP_ADDRESS: 116.239.239.56": [[539, 553]]}, "info": {"id": "synth_v2_01003", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Sophos X-Ops identified a large-scale phishing operation. Emails originated from billing@secure-verify.net and contact@urgent-notice.online, spoofing legitimate services. Victims were directed to https://portal-portal.dev/assets/js/payload.js which hosted a credential harvesting page on cdndata.site. A secondary link hxxp://updaterelay.com/panel/index.html delivered Cobalt Strike (SHA1: eb1d59803e56f48384a1f5cfb823b08a1e695e40). The malware was saved to /opt/app/bin/config.dat and established C2 with 35.147.43.187.", "spans": {"ORGANIZATION: Sophos X-Ops": [[26, 38]], "EMAIL: billing@secure-verify.net": [[107, 132]], "EMAIL: contact@urgent-notice.online": [[137, 165]], "URL: https://portal-portal.dev/assets/js/payload.js": [[222, 268]], "DOMAIN: cdndata.site": [[314, 326]], "URL: hxxp://updaterelay.com/panel/index.html": [[345, 384]], "MALWARE: Cobalt Strike": [[395, 408]], "HASH: eb1d59803e56f48384a1f5cfb823b08a1e695e40": [[416, 456]], "FILEPATH: /opt/app/bin/config.dat": [[484, 507]], "IP_ADDRESS: 35.147.43.187": [[532, 545]]}, "info": {"id": "synth_v2_01004", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Tenable identified a large-scale phishing operation. 
Emails originated from support@credential-check.site and finance@phishing-domain.com, spoofing legitimate services. Victims were directed to http://proxy-sync.com/gate.php which hosted a credential harvesting page on mail-cache.dev. A secondary link http://nodesecure.site/callback delivered Emotet (MD5: 538e0ff29d6cf2856ca31fe8169e763b). The malware was saved to C:\\Users\\admin\\Downloads\\svchost.exe and established C2 with 10.207.97.207.", "spans": {"ORGANIZATION: Tenable": [[26, 33]], "EMAIL: support@credential-check.site": [[102, 131]], "EMAIL: finance@phishing-domain.com": [[136, 163]], "URL: http://proxy-sync.com/gate.php": [[220, 250]], "DOMAIN: mail-cache.dev": [[296, 310]], "URL: http://nodesecure.site/callback": [[329, 360]], "MALWARE: Emotet": [[371, 377]], "HASH: 538e0ff29d6cf2856ca31fe8169e763b": [[384, 416]], "FILEPATH: C:\\Users\\admin\\Downloads\\svchost.exe": [[444, 480]], "IP_ADDRESS: 10.207.97.207": [[505, 518]]}, "info": {"id": "synth_v2_01005", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Volexity identified a large-scale phishing operation. Emails originated from account@auth-check.org and service@mail-service.info, spoofing legitimate services. Victims were directed to http://apibackup.cc/portal/verify which hosted a credential harvesting page on cache-cache.top. A secondary link hxxp://staticproxy.top/api/v2/auth delivered Qbot (SHA1: bbff937c6779ddc0bd9b611929153f6fe301f6f4). 
The malware was saved to /usr/local/bin/implant.so and established C2 with 172.218.17.151.", "spans": {"ORGANIZATION: Volexity": [[26, 34]], "EMAIL: account@auth-check.org": [[103, 125]], "EMAIL: service@mail-service.info": [[130, 155]], "URL: http://apibackup.cc/portal/verify": [[212, 245]], "DOMAIN: cache-cache.top": [[291, 306]], "URL: hxxp://staticproxy.top/api/v2/auth": [[325, 359]], "MALWARE: Qbot": [[370, 374]], "HASH: bbff937c6779ddc0bd9b611929153f6fe301f6f4": [[382, 422]], "FILEPATH: /usr/local/bin/implant.so": [[450, 475]], "IP_ADDRESS: 172.218.17.151": [[500, 514]]}, "info": {"id": "synth_v2_01006", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Google TAG identified a large-scale phishing operation. Emails originated from report@auth-check.org and ceo@phishing-domain.com, spoofing legitimate services. Victims were directed to http://staticcloud.org/callback which hosted a credential harvesting page on portalauth.org. A secondary link hxxp://cloudlogin.org/collect delivered Ryuk (SHA1: 3385a62a95e9854d360bbcd0cd7b30f5ed7673ba). The malware was saved to C:\\ProgramData\\taskhost.exe and established C2 with 158.147.173.59.", "spans": {"ORGANIZATION: Google TAG": [[26, 36]], "EMAIL: report@auth-check.org": [[105, 126]], "EMAIL: ceo@phishing-domain.com": [[131, 154]], "URL: http://staticcloud.org/callback": [[211, 242]], "DOMAIN: portalauth.org": [[288, 302]], "URL: hxxp://cloudlogin.org/collect": [[321, 350]], "MALWARE: Ryuk": [[361, 365]], "HASH: 3385a62a95e9854d360bbcd0cd7b30f5ed7673ba": [[373, 413]], "FILEPATH: C:\\ProgramData\\taskhost.exe": [[441, 468]], "IP_ADDRESS: 158.147.173.59": [[493, 507]]}, "info": {"id": "synth_v2_01007", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Secureworks identified a large-scale phishing operation. Emails originated from hr@phishing-domain.com and admin@secure-verify.net, spoofing legitimate services. 
Victims were directed to hxxp://relay-gateway.club/download/update.exe which hosted a credential harvesting page on securesecure.tech. A secondary link https://cache-node.club/gate.php delivered Vidar (MD5: 2531025e366c96da685e058bf681502a). The malware was saved to /dev/shm/chrome_helper.exe and established C2 with 10.104.230.135.", "spans": {"ORGANIZATION: Secureworks": [[26, 37]], "EMAIL: hr@phishing-domain.com": [[106, 128]], "EMAIL: admin@secure-verify.net": [[133, 156]], "URL: hxxp://relay-gateway.club/download/update.exe": [[213, 258]], "DOMAIN: securesecure.tech": [[304, 321]], "URL: https://cache-node.club/gate.php": [[340, 372]], "MALWARE: Vidar": [[383, 388]], "HASH: 2531025e366c96da685e058bf681502a": [[395, 427]], "FILEPATH: /dev/shm/chrome_helper.exe": [[455, 481]], "IP_ADDRESS: 10.104.230.135": [[506, 520]]}, "info": {"id": "synth_v2_01008", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Qualys identified a large-scale phishing operation. Emails originated from confirm@credential-check.site and support@auth-check.org, spoofing legitimate services. Victims were directed to hxxps://apiportal.io/callback which hosted a credential harvesting page on relaycache.cc. A secondary link https://cloud-sync.cc/callback delivered WarmCookie (MD5: ec8c039bc0befc1dc510b83101b923fe). 
The malware was saved to C:\\Users\\admin\\Desktop\\svchost.exe and established C2 with 132.219.227.160.", "spans": {"ORGANIZATION: Qualys": [[26, 32]], "EMAIL: confirm@credential-check.site": [[101, 130]], "EMAIL: support@auth-check.org": [[135, 157]], "URL: hxxps://apiportal.io/callback": [[214, 243]], "DOMAIN: relaycache.cc": [[289, 302]], "URL: https://cloud-sync.cc/callback": [[321, 351]], "MALWARE: WarmCookie": [[362, 372]], "HASH: ec8c039bc0befc1dc510b83101b923fe": [[379, 411]], "FILEPATH: C:\\Users\\admin\\Desktop\\svchost.exe": [[439, 473]], "IP_ADDRESS: 132.219.227.160": [[498, 513]]}, "info": {"id": "synth_v2_01009", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Microsoft MSRC identified a large-scale phishing operation. Emails originated from hr@document-share.link and service@login-portal.tech, spoofing legitimate services. Victims were directed to http://update-static.live/download/update.exe which hosted a credential harvesting page on gateway-api.site. A secondary link hxxps://portal-auth.com/collect delivered Vidar (SHA256: ab0f4d1f456f257fe6dce53c120f65d48393c9fdd6aebee8f6b191a6009ca746). The malware was saved to C:\\Users\\Public\\Documents\\ntds.dit and established C2 with 92.163.230.176.", "spans": {"ORGANIZATION: Microsoft MSRC": [[26, 40]], "EMAIL: hr@document-share.link": [[109, 131]], "EMAIL: service@login-portal.tech": [[136, 161]], "URL: http://update-static.live/download/update.exe": [[218, 263]], "DOMAIN: gateway-api.site": [[309, 325]], "URL: hxxps://portal-auth.com/collect": [[344, 375]], "MALWARE: Vidar": [[386, 391]], "HASH: ab0f4d1f456f257fe6dce53c120f65d48393c9fdd6aebee8f6b191a6009ca746": [[401, 465]], "FILEPATH: C:\\Users\\Public\\Documents\\ntds.dit": [[493, 527]], "IP_ADDRESS: 92.163.230.176": [[552, 566]]}, "info": {"id": "synth_v2_01010", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Proofpoint identified a large-scale phishing operation. 
Emails originated from account@identity-verify.cc and hr@auth-check.org, spoofing legitimate services. Victims were directed to https://nodeportal.tech/secure/token which hosted a credential harvesting page on syncupdate.com. A secondary link https://mailauth.org/gate.php delivered QakBot (SHA1: 7e72cbec80af605c8a0b409f87fce46eaedc1052). The malware was saved to C:\\Windows\\Tasks\\winlogon.exe and established C2 with 207.67.149.175.", "spans": {"ORGANIZATION: Proofpoint": [[26, 36]], "EMAIL: account@identity-verify.cc": [[105, 131]], "EMAIL: hr@auth-check.org": [[136, 153]], "URL: https://nodeportal.tech/secure/token": [[210, 246]], "DOMAIN: syncupdate.com": [[292, 306]], "URL: https://mailauth.org/gate.php": [[325, 354]], "MALWARE: QakBot": [[365, 371]], "HASH: 7e72cbec80af605c8a0b409f87fce46eaedc1052": [[379, 419]], "FILEPATH: C:\\Windows\\Tasks\\winlogon.exe": [[447, 476]], "IP_ADDRESS: 207.67.149.175": [[501, 515]]}, "info": {"id": "synth_v2_01011", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Cisco Talos identified a large-scale phishing operation. Emails originated from support@auth-check.org and info@identity-verify.cc, spoofing legitimate services. Victims were directed to hxxps://mailsync.tech/download/update.exe which hosted a credential harvesting page on backupupdate.org. A secondary link hxxps://sync-backup.info/panel/index.html delivered Hive (SHA1: 6be675b404f934eb4372c1c4b5c503471d73e6e8). 
The malware was saved to C:\\Program Files\\Common Files\\dropper.ps1 and established C2 with 5.119.162.211.", "spans": {"ORGANIZATION: Cisco Talos": [[26, 37]], "EMAIL: support@auth-check.org": [[106, 128]], "EMAIL: info@identity-verify.cc": [[133, 156]], "URL: hxxps://mailsync.tech/download/update.exe": [[213, 254]], "DOMAIN: backupupdate.org": [[300, 316]], "URL: hxxps://sync-backup.info/panel/index.html": [[335, 376]], "MALWARE: Hive": [[387, 391]], "HASH: 6be675b404f934eb4372c1c4b5c503471d73e6e8": [[399, 439]], "FILEPATH: C:\\Program Files\\Common Files\\dropper.ps1": [[467, 508]], "IP_ADDRESS: 5.119.162.211": [[533, 546]]}, "info": {"id": "synth_v2_01012", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Volexity identified a large-scale phishing operation. Emails originated from verify@phishing-domain.com and info@credential-check.site, spoofing legitimate services. Victims were directed to hxxps://data-gateway.xyz/collect which hosted a credential harvesting page on cdnsecure.com. A secondary link hxxp://synclogin.dev/panel/index.html delivered NjRAT (SHA256: dc8a96d9a6eeabe205cd7debc6d993a27b6863d7012ac2a1f29b86d4e455252a). The malware was saved to /var/tmp/svchost.exe and established C2 with 192.35.108.69.", "spans": {"ORGANIZATION: Volexity": [[26, 34]], "EMAIL: verify@phishing-domain.com": [[103, 129]], "EMAIL: info@credential-check.site": [[134, 160]], "URL: hxxps://data-gateway.xyz/collect": [[217, 249]], "DOMAIN: cdnsecure.com": [[295, 308]], "URL: hxxp://synclogin.dev/panel/index.html": [[327, 364]], "MALWARE: NjRAT": [[375, 380]], "HASH: dc8a96d9a6eeabe205cd7debc6d993a27b6863d7012ac2a1f29b86d4e455252a": [[390, 454]], "FILEPATH: /var/tmp/svchost.exe": [[482, 502]], "IP_ADDRESS: 192.35.108.69": [[527, 540]]}, "info": {"id": "synth_v2_01013", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: INTERPOL identified a large-scale phishing operation. 
Emails originated from notification@phishing-domain.com and notification@identity-verify.cc, spoofing legitimate services. Victims were directed to http://static-proxy.cc/collect which hosted a credential harvesting page on authcloud.tech. A secondary link hxxp://loginsync.tech/panel/index.html delivered Raccoon Stealer (MD5: a00c4e02ef68d7b0ebcf23063a138afc). The malware was saved to C:\\Windows\\Temp\\agent.py and established C2 with 11.237.104.91.", "spans": {"ORGANIZATION: INTERPOL": [[26, 34]], "EMAIL: notification@phishing-domain.com": [[103, 135]], "EMAIL: notification@identity-verify.cc": [[140, 171]], "URL: http://static-proxy.cc/collect": [[228, 258]], "DOMAIN: authcloud.tech": [[304, 318]], "URL: hxxp://loginsync.tech/panel/index.html": [[337, 375]], "MALWARE: Raccoon Stealer": [[386, 401]], "HASH: a00c4e02ef68d7b0ebcf23063a138afc": [[408, 440]], "FILEPATH: C:\\Windows\\Temp\\agent.py": [[468, 492]], "IP_ADDRESS: 11.237.104.91": [[517, 530]]}, "info": {"id": "synth_v2_01014", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Kaspersky GReAT identified a large-scale phishing operation. Emails originated from service@credential-check.site and finance@urgent-notice.online, spoofing legitimate services. Victims were directed to hxxp://cache-storage.online/collect which hosted a credential harvesting page on updatesecure.club. A secondary link hxxps://updatestorage.cc/download/update.exe delivered Meduza Stealer (MD5: 808d7052d24678ca57e929a42e426409). 
The malware was saved to C:\\Windows\\System32\\update.dll and established C2 with 10.181.71.86.", "spans": {"ORGANIZATION: Kaspersky GReAT": [[26, 41]], "EMAIL: service@credential-check.site": [[110, 139]], "EMAIL: finance@urgent-notice.online": [[144, 172]], "URL: hxxp://cache-storage.online/collect": [[229, 264]], "DOMAIN: updatesecure.club": [[310, 327]], "URL: hxxps://updatestorage.cc/download/update.exe": [[346, 390]], "MALWARE: Meduza Stealer": [[401, 415]], "HASH: 808d7052d24678ca57e929a42e426409": [[422, 454]], "FILEPATH: C:\\Windows\\System32\\update.dll": [[482, 512]], "IP_ADDRESS: 10.181.71.86": [[537, 549]]}, "info": {"id": "synth_v2_01015", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: INTERPOL identified a large-scale phishing operation. Emails originated from account@mail-service.info and report@phishing-domain.com, spoofing legitimate services. Victims were directed to hxxps://cloudbackup.org/wp-content/uploads/doc.php which hosted a credential harvesting page on edgegateway.online. A secondary link http://cache-relay.top/gate.php delivered RedLine Stealer (MD5: 3c5a69d7d426552b0b7e8bafa7fdc25d). The malware was saved to C:\\Users\\Public\\Documents\\agent.py and established C2 with 192.217.136.233.", "spans": {"ORGANIZATION: INTERPOL": [[26, 34]], "EMAIL: account@mail-service.info": [[103, 128]], "EMAIL: report@phishing-domain.com": [[133, 159]], "URL: hxxps://cloudbackup.org/wp-content/uploads/doc.php": [[216, 266]], "DOMAIN: edgegateway.online": [[312, 330]], "URL: http://cache-relay.top/gate.php": [[349, 380]], "MALWARE: RedLine Stealer": [[391, 406]], "HASH: 3c5a69d7d426552b0b7e8bafa7fdc25d": [[413, 445]], "FILEPATH: C:\\Users\\Public\\Documents\\agent.py": [[473, 507]], "IP_ADDRESS: 192.217.136.233": [[532, 547]]}, "info": {"id": "synth_v2_01016", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Volexity identified a large-scale phishing operation. 
Emails originated from account@account-update.xyz and billing@phishing-domain.com, spoofing legitimate services. Victims were directed to http://static-storage.link/assets/js/payload.js which hosted a credential harvesting page on secure-gateway.com. A secondary link hxxp://authcache.site/wp-content/uploads/doc.php delivered RedLine Stealer (SHA1: db2ed39947ee3f6d6425528b1f58be0edd8fcaec). The malware was saved to C:\\Users\\admin\\Desktop\\implant.so and established C2 with 43.235.215.215.", "spans": {"ORGANIZATION: Volexity": [[26, 34]], "EMAIL: account@account-update.xyz": [[103, 129]], "EMAIL: billing@phishing-domain.com": [[134, 161]], "URL: http://static-storage.link/assets/js/payload.js": [[218, 265]], "DOMAIN: secure-gateway.com": [[311, 329]], "URL: hxxp://authcache.site/wp-content/uploads/doc.php": [[348, 396]], "MALWARE: RedLine Stealer": [[407, 422]], "HASH: db2ed39947ee3f6d6425528b1f58be0edd8fcaec": [[430, 470]], "FILEPATH: C:\\Users\\admin\\Desktop\\implant.so": [[498, 531]], "IP_ADDRESS: 43.235.215.215": [[556, 570]]}, "info": {"id": "synth_v2_01017", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: NSA identified a large-scale phishing operation. Emails originated from verify@mail-service.info and account@login-portal.tech, spoofing legitimate services. Victims were directed to hxxps://relay-cloud.club/callback which hosted a credential harvesting page on node-api.online. A secondary link hxxps://securecache.xyz/secure/token delivered WarmCookie (SHA256: dcaab862c474b782cecaba7df67958c94366c06a7a0b97718669bd903263a3de). 
The malware was saved to /home/user/.config/payload.bin and established C2 with 211.185.174.145.", "spans": {"ORGANIZATION: NSA": [[26, 29]], "EMAIL: verify@mail-service.info": [[98, 122]], "EMAIL: account@login-portal.tech": [[127, 152]], "URL: hxxps://relay-cloud.club/callback": [[209, 242]], "DOMAIN: node-api.online": [[288, 303]], "URL: hxxps://securecache.xyz/secure/token": [[322, 358]], "MALWARE: WarmCookie": [[369, 379]], "HASH: dcaab862c474b782cecaba7df67958c94366c06a7a0b97718669bd903263a3de": [[389, 453]], "FILEPATH: /home/user/.config/payload.bin": [[481, 511]], "IP_ADDRESS: 211.185.174.145": [[536, 551]]}, "info": {"id": "synth_v2_01018", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Zscaler ThreatLabz identified a large-scale phishing operation. Emails originated from finance@identity-verify.cc and report@urgent-notice.online, spoofing legitimate services. Victims were directed to hxxp://gateway-login.xyz/gate.php which hosted a credential harvesting page on login-secure.xyz. A secondary link http://data-proxy.net/collect delivered Amadey (SHA1: 76147d4b47f9c7f9bbdf60c08be95505eb9f195c). The malware was saved to C:\\Users\\admin\\AppData\\Local\\Temp\\update.dll and established C2 with 81.139.229.15.", "spans": {"ORGANIZATION: Zscaler ThreatLabz": [[26, 44]], "EMAIL: finance@identity-verify.cc": [[113, 139]], "EMAIL: report@urgent-notice.online": [[144, 171]], "URL: hxxp://gateway-login.xyz/gate.php": [[228, 261]], "DOMAIN: login-secure.xyz": [[307, 323]], "URL: http://data-proxy.net/collect": [[342, 371]], "MALWARE: Amadey": [[382, 388]], "HASH: 76147d4b47f9c7f9bbdf60c08be95505eb9f195c": [[396, 436]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\update.dll": [[464, 508]], "IP_ADDRESS: 81.139.229.15": [[533, 546]]}, "info": {"id": "synth_v2_01019", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Recorded Future identified a large-scale phishing operation. 
Emails originated from confirm@mail-service.info and updates@credential-check.site, spoofing legitimate services. Victims were directed to http://syncapi.top/callback which hosted a credential harvesting page on relay-cloud.online. A secondary link hxxps://storagestorage.xyz/panel/index.html delivered BatLoader (MD5: d7b1ef2bdf7c2d26e17c37cab5a41de6). The malware was saved to C:\\ProgramData\\winlogon.exe and established C2 with 155.29.154.95.", "spans": {"ORGANIZATION: Recorded Future": [[26, 41]], "EMAIL: confirm@mail-service.info": [[110, 135]], "EMAIL: updates@credential-check.site": [[140, 169]], "URL: http://syncapi.top/callback": [[226, 253]], "DOMAIN: relay-cloud.online": [[299, 317]], "URL: hxxps://storagestorage.xyz/panel/index.html": [[336, 379]], "MALWARE: BatLoader": [[390, 399]], "HASH: d7b1ef2bdf7c2d26e17c37cab5a41de6": [[406, 438]], "FILEPATH: C:\\ProgramData\\winlogon.exe": [[466, 493]], "IP_ADDRESS: 155.29.154.95": [[518, 531]]}, "info": {"id": "synth_v2_01020", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: ESET Research identified a large-scale phishing operation. Emails originated from account@document-share.link and service@account-update.xyz, spoofing legitimate services. Victims were directed to https://edgecloud.io/panel/index.html which hosted a credential harvesting page on proxy-portal.net. A secondary link hxxps://gatewaycloud.io/download/update.exe delivered LockBit (SHA1: 9e05889736c6a9d90ec384cd3906717ec7dee7aa). 
The malware was saved to C:\\Users\\admin\\Desktop\\taskhost.exe and established C2 with 10.14.170.189.", "spans": {"ORGANIZATION: ESET Research": [[26, 39]], "EMAIL: account@document-share.link": [[108, 135]], "EMAIL: service@account-update.xyz": [[140, 166]], "URL: https://edgecloud.io/panel/index.html": [[223, 260]], "DOMAIN: proxy-portal.net": [[306, 322]], "URL: hxxps://gatewaycloud.io/download/update.exe": [[341, 384]], "MALWARE: LockBit": [[395, 402]], "HASH: 9e05889736c6a9d90ec384cd3906717ec7dee7aa": [[410, 450]], "FILEPATH: C:\\Users\\admin\\Desktop\\taskhost.exe": [[478, 513]], "IP_ADDRESS: 10.14.170.189": [[538, 551]]}, "info": {"id": "synth_v2_01021", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Mandiant identified a large-scale phishing operation. Emails originated from info@urgent-notice.online and confirm@secure-verify.net, spoofing legitimate services. Victims were directed to http://cache-edge.io/admin/config which hosted a credential harvesting page on updateportal.site. A secondary link hxxps://node-login.live/admin/config delivered StealC (SHA256: 53a02c04fef8201bbb88751feebd113413eb5ed0f7860496a44b3b860373086a). The malware was saved to C:\\Users\\admin\\AppData\\Local\\Temp\\sam.hive and established C2 with 10.246.75.151.", "spans": {"ORGANIZATION: Mandiant": [[26, 34]], "EMAIL: info@urgent-notice.online": [[103, 128]], "EMAIL: confirm@secure-verify.net": [[133, 158]], "URL: http://cache-edge.io/admin/config": [[215, 248]], "DOMAIN: updateportal.site": [[294, 311]], "URL: hxxps://node-login.live/admin/config": [[330, 366]], "MALWARE: StealC": [[377, 383]], "HASH: 53a02c04fef8201bbb88751feebd113413eb5ed0f7860496a44b3b860373086a": [[393, 457]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\sam.hive": [[485, 527]], "IP_ADDRESS: 10.246.75.151": [[552, 565]]}, "info": {"id": "synth_v2_01022", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: CISA identified a large-scale phishing operation. 
Emails originated from confirm@account-update.xyz and service@urgent-notice.online, spoofing legitimate services. Victims were directed to http://data-sync.dev/admin/config which hosted a credential harvesting page on cdngateway.online. A secondary link hxxps://staticrelay.dev/wp-content/uploads/doc.php delivered RemcosRAT (SHA1: 8f774aa2a62b2dc5c7310e53bb4f37b949716ae0). The malware was saved to C:\\Program Files\\Common Files\\loader.exe and established C2 with 10.173.181.177.", "spans": {"ORGANIZATION: CISA": [[26, 30]], "EMAIL: confirm@account-update.xyz": [[99, 125]], "EMAIL: service@urgent-notice.online": [[130, 158]], "URL: http://data-sync.dev/admin/config": [[215, 248]], "DOMAIN: cdngateway.online": [[294, 311]], "URL: hxxps://staticrelay.dev/wp-content/uploads/doc.php": [[330, 380]], "MALWARE: RemcosRAT": [[391, 400]], "HASH: 8f774aa2a62b2dc5c7310e53bb4f37b949716ae0": [[408, 448]], "FILEPATH: C:\\Program Files\\Common Files\\loader.exe": [[476, 516]], "IP_ADDRESS: 10.173.181.177": [[541, 555]]}, "info": {"id": "synth_v2_01023", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Check Point Research identified a large-scale phishing operation. Emails originated from updates@phishing-domain.com and verify@credential-check.site, spoofing legitimate services. Victims were directed to hxxp://auth-secure.live/api/v2/auth which hosted a credential harvesting page on relaycdn.tech. A secondary link hxxps://storagestorage.top/admin/config delivered BlackCat (SHA256: 490fccf478db0a983fec83e704a42275e8b2b148ec8076ba03b12ced6f47ec7a). 
The malware was saved to /dev/shm/implant.so and established C2 with 192.140.143.68.", "spans": {"ORGANIZATION: Check Point Research": [[26, 46]], "EMAIL: updates@phishing-domain.com": [[115, 142]], "EMAIL: verify@credential-check.site": [[147, 175]], "URL: hxxp://auth-secure.live/api/v2/auth": [[232, 267]], "DOMAIN: relaycdn.tech": [[313, 326]], "URL: hxxps://storagestorage.top/admin/config": [[345, 384]], "MALWARE: BlackCat": [[395, 403]], "HASH: 490fccf478db0a983fec83e704a42275e8b2b148ec8076ba03b12ced6f47ec7a": [[413, 477]], "FILEPATH: /dev/shm/implant.so": [[505, 524]], "IP_ADDRESS: 192.140.143.68": [[549, 563]]}, "info": {"id": "synth_v2_01024", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: CISA identified a large-scale phishing operation. Emails originated from support@mail-service.info and it@urgent-notice.online, spoofing legitimate services. Victims were directed to hxxps://auth-api.info/portal/verify which hosted a credential harvesting page on cdncloud.site. A secondary link hxxp://cdnauth.link/wp-content/uploads/doc.php delivered WarmCookie (SHA256: 2c100c4df22c160a3df1154b49d52d102c8db4d9897cd2778ba0a647ed14d2b5). The malware was saved to /opt/app/bin/lsass.dmp and established C2 with 192.19.224.225.", "spans": {"ORGANIZATION: CISA": [[26, 30]], "EMAIL: support@mail-service.info": [[99, 124]], "EMAIL: it@urgent-notice.online": [[129, 152]], "URL: hxxps://auth-api.info/portal/verify": [[209, 244]], "DOMAIN: cdncloud.site": [[290, 303]], "URL: hxxp://cdnauth.link/wp-content/uploads/doc.php": [[322, 368]], "MALWARE: WarmCookie": [[379, 389]], "HASH: 2c100c4df22c160a3df1154b49d52d102c8db4d9897cd2778ba0a647ed14d2b5": [[399, 463]], "FILEPATH: /opt/app/bin/lsass.dmp": [[491, 513]], "IP_ADDRESS: 192.19.224.225": [[538, 552]]}, "info": {"id": "synth_v2_01025", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: CrowdStrike identified a large-scale phishing operation. 
Emails originated from updates@document-share.link and updates@urgent-notice.online, spoofing legitimate services. Victims were directed to https://login-data.top/admin/config which hosted a credential harvesting page on proxycache.link. A secondary link https://mailgateway.io/portal/verify delivered Gootloader (SHA256: 1435898cb7c23425eb14eb401ef1d006e4729337072d75ca97845245fef22440). The malware was saved to C:\\Program Files\\Common Files\\ntds.dit and established C2 with 209.11.33.111.", "spans": {"ORGANIZATION: CrowdStrike": [[26, 37]], "EMAIL: updates@document-share.link": [[106, 133]], "EMAIL: updates@urgent-notice.online": [[138, 166]], "URL: https://login-data.top/admin/config": [[223, 258]], "DOMAIN: proxycache.link": [[304, 319]], "URL: https://mailgateway.io/portal/verify": [[338, 374]], "MALWARE: Gootloader": [[385, 395]], "HASH: 1435898cb7c23425eb14eb401ef1d006e4729337072d75ca97845245fef22440": [[405, 469]], "FILEPATH: C:\\Program Files\\Common Files\\ntds.dit": [[497, 535]], "IP_ADDRESS: 209.11.33.111": [[560, 573]]}, "info": {"id": "synth_v2_01026", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: ESET Research identified a large-scale phishing operation. Emails originated from billing@account-update.xyz and report@auth-check.org, spoofing legitimate services. Victims were directed to hxxp://cloudproxy.io/api/v2/auth which hosted a credential harvesting page on static-login.top. A secondary link http://cacheproxy.tech/assets/js/payload.js delivered PlugX (SHA256: e741864efbd22d1ff7fd24c1997cc7188f4747a6e8a05adb52ab40531afcba8c). 
The malware was saved to C:\\Users\\admin\\Desktop\\dropper.ps1 and established C2 with 192.19.69.145.", "spans": {"ORGANIZATION: ESET Research": [[26, 39]], "EMAIL: billing@account-update.xyz": [[108, 134]], "EMAIL: report@auth-check.org": [[139, 160]], "URL: hxxp://cloudproxy.io/api/v2/auth": [[217, 249]], "DOMAIN: static-login.top": [[295, 311]], "URL: http://cacheproxy.tech/assets/js/payload.js": [[330, 373]], "MALWARE: PlugX": [[384, 389]], "HASH: e741864efbd22d1ff7fd24c1997cc7188f4747a6e8a05adb52ab40531afcba8c": [[399, 463]], "FILEPATH: C:\\Users\\admin\\Desktop\\dropper.ps1": [[491, 525]], "IP_ADDRESS: 192.19.69.145": [[550, 563]]}, "info": {"id": "synth_v2_01027", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Rapid7 identified a large-scale phishing operation. Emails originated from info@auth-check.org and confirm@auth-check.org, spoofing legitimate services. Victims were directed to hxxp://securedata.xyz/portal/verify which hosted a credential harvesting page on edgedata.cc. A secondary link https://portal-mail.net/admin/config delivered XLoader (MD5: b727f7e3ac3ad1429b27f83bc4d22aeb). The malware was saved to C:\\Windows\\Temp\\sam.hive and established C2 with 172.149.196.217.", "spans": {"ORGANIZATION: Rapid7": [[26, 32]], "EMAIL: info@auth-check.org": [[101, 120]], "EMAIL: confirm@auth-check.org": [[125, 147]], "URL: hxxp://securedata.xyz/portal/verify": [[204, 239]], "DOMAIN: edgedata.cc": [[285, 296]], "URL: https://portal-mail.net/admin/config": [[315, 351]], "MALWARE: XLoader": [[362, 369]], "HASH: b727f7e3ac3ad1429b27f83bc4d22aeb": [[376, 408]], "FILEPATH: C:\\Windows\\Temp\\sam.hive": [[436, 460]], "IP_ADDRESS: 172.149.196.217": [[485, 500]]}, "info": {"id": "synth_v2_01028", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Google TAG identified a large-scale phishing operation. Emails originated from verify@mail-service.info and service@account-update.xyz, spoofing legitimate services. 
Victims were directed to https://mail-cache.tech/admin/config which hosted a credential harvesting page on relay-update.tech. A secondary link hxxps://proxy-sync.club/callback delivered Emotet (SHA256: baf1bff803b873742f9e967a991e568e220ee06f96701283b1b05ba2f073641f). The malware was saved to C:\\ProgramData\\loader.exe and established C2 with 172.36.146.229.", "spans": {"ORGANIZATION: Google TAG": [[26, 36]], "EMAIL: verify@mail-service.info": [[105, 129]], "EMAIL: service@account-update.xyz": [[134, 160]], "URL: https://mail-cache.tech/admin/config": [[217, 253]], "DOMAIN: relay-update.tech": [[299, 316]], "URL: hxxps://proxy-sync.club/callback": [[335, 367]], "MALWARE: Emotet": [[378, 384]], "HASH: baf1bff803b873742f9e967a991e568e220ee06f96701283b1b05ba2f073641f": [[394, 458]], "FILEPATH: C:\\ProgramData\\loader.exe": [[486, 511]], "IP_ADDRESS: 172.36.146.229": [[536, 550]]}, "info": {"id": "synth_v2_01029", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Trend Micro identified a large-scale phishing operation. Emails originated from alert@login-portal.tech and finance@mail-service.info, spoofing legitimate services. Victims were directed to https://portalcdn.club/panel/index.html which hosted a credential harvesting page on cache-login.io. A secondary link hxxps://proxy-relay.info/assets/js/payload.js delivered Vidar (SHA1: db1be04fd0e8aca6b47de7b2183e277dd1376c9b). 
The malware was saved to /var/tmp/runtime.dll and established C2 with 10.217.178.249.", "spans": {"ORGANIZATION: Trend Micro": [[26, 37]], "EMAIL: alert@login-portal.tech": [[106, 129]], "EMAIL: finance@mail-service.info": [[134, 159]], "URL: https://portalcdn.club/panel/index.html": [[216, 255]], "DOMAIN: cache-login.io": [[301, 315]], "URL: hxxps://proxy-relay.info/assets/js/payload.js": [[334, 379]], "MALWARE: Vidar": [[390, 395]], "HASH: db1be04fd0e8aca6b47de7b2183e277dd1376c9b": [[403, 443]], "FILEPATH: /var/tmp/runtime.dll": [[471, 491]], "IP_ADDRESS: 10.217.178.249": [[516, 530]]}, "info": {"id": "synth_v2_01030", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Sophos X-Ops identified a large-scale phishing operation. Emails originated from admin@document-share.link and notification@identity-verify.cc, spoofing legitimate services. Victims were directed to hxxp://auth-edge.dev/callback which hosted a credential harvesting page on gatewayapi.com. A secondary link http://relayrelay.net/callback delivered BlackCat (SHA1: fc7a98ac71a83bff54b4cdedbbe647e9fc615c69). The malware was saved to C:\\Users\\admin\\Desktop\\helper.sh and established C2 with 45.16.68.204.", "spans": {"ORGANIZATION: Sophos X-Ops": [[26, 38]], "EMAIL: admin@document-share.link": [[107, 132]], "EMAIL: notification@identity-verify.cc": [[137, 168]], "URL: hxxp://auth-edge.dev/callback": [[225, 254]], "DOMAIN: gatewayapi.com": [[300, 314]], "URL: http://relayrelay.net/callback": [[333, 363]], "MALWARE: BlackCat": [[374, 382]], "HASH: fc7a98ac71a83bff54b4cdedbbe647e9fc615c69": [[390, 430]], "FILEPATH: C:\\Users\\admin\\Desktop\\helper.sh": [[458, 490]], "IP_ADDRESS: 45.16.68.204": [[515, 527]]}, "info": {"id": "synth_v2_01031", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Microsoft MSRC identified a large-scale phishing operation. Emails originated from noreply@account-update.xyz and helpdesk@mail-service.info, spoofing legitimate services. 
Victims were directed to http://api-cloud.club/callback which hosted a credential harvesting page on relaystatic.net. A secondary link hxxps://gateway-proxy.tech/api/v2/auth delivered RemcosRAT (SHA1: c4f6e30755df1d8787f4dd0b9495fbe5dd3cf43a). The malware was saved to /home/user/.config/backdoor.elf and established C2 with 31.140.150.7.", "spans": {"ORGANIZATION: Microsoft MSRC": [[26, 40]], "EMAIL: noreply@account-update.xyz": [[109, 135]], "EMAIL: helpdesk@mail-service.info": [[140, 166]], "URL: http://api-cloud.club/callback": [[223, 253]], "DOMAIN: relaystatic.net": [[299, 314]], "URL: hxxps://gateway-proxy.tech/api/v2/auth": [[333, 371]], "MALWARE: RemcosRAT": [[382, 391]], "HASH: c4f6e30755df1d8787f4dd0b9495fbe5dd3cf43a": [[399, 439]], "FILEPATH: /home/user/.config/backdoor.elf": [[467, 498]], "IP_ADDRESS: 31.140.150.7": [[523, 535]]}, "info": {"id": "synth_v2_01032", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Huntress identified a large-scale phishing operation. Emails originated from report@account-update.xyz and billing@login-portal.tech, spoofing legitimate services. Victims were directed to http://apirelay.info/secure/token which hosted a credential harvesting page on edge-portal.xyz. A secondary link http://backuplogin.live/login delivered Qbot (SHA256: da2e3d0c8d304194d39c9aa3b1ca09580e54e3029bdab02c77cb7946e22ab787). 
The malware was saved to C:\\Users\\admin\\Desktop\\runtime.dll and established C2 with 192.182.195.229.", "spans": {"ORGANIZATION: Huntress": [[26, 34]], "EMAIL: report@account-update.xyz": [[103, 128]], "EMAIL: billing@login-portal.tech": [[133, 158]], "URL: http://apirelay.info/secure/token": [[215, 248]], "DOMAIN: edge-portal.xyz": [[294, 309]], "URL: http://backuplogin.live/login": [[328, 357]], "MALWARE: Qbot": [[368, 372]], "HASH: da2e3d0c8d304194d39c9aa3b1ca09580e54e3029bdab02c77cb7946e22ab787": [[382, 446]], "FILEPATH: C:\\Users\\admin\\Desktop\\runtime.dll": [[474, 508]], "IP_ADDRESS: 192.182.195.229": [[533, 548]]}, "info": {"id": "synth_v2_01033", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Volexity identified a large-scale phishing operation. Emails originated from report@auth-check.org and it@document-share.link, spoofing legitimate services. Victims were directed to http://secure-proxy.top/callback which hosted a credential harvesting page on edge-storage.com. A secondary link hxxps://apibackup.cc/login delivered DarkSide (MD5: d64ed40267123be39effbb6c2df5785e). The malware was saved to /opt/app/bin/chrome_helper.exe and established C2 with 172.147.130.225.", "spans": {"ORGANIZATION: Volexity": [[26, 34]], "EMAIL: report@auth-check.org": [[103, 124]], "EMAIL: it@document-share.link": [[129, 151]], "URL: http://secure-proxy.top/callback": [[208, 240]], "DOMAIN: edge-storage.com": [[286, 302]], "URL: hxxps://apibackup.cc/login": [[321, 347]], "MALWARE: DarkSide": [[358, 366]], "HASH: d64ed40267123be39effbb6c2df5785e": [[373, 405]], "FILEPATH: /opt/app/bin/chrome_helper.exe": [[433, 463]], "IP_ADDRESS: 172.147.130.225": [[488, 503]]}, "info": {"id": "synth_v2_01034", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Trend Micro identified a large-scale phishing operation. Emails originated from confirm@identity-verify.cc and verify@account-update.xyz, spoofing legitimate services. 
Victims were directed to hxxps://edge-edge.xyz/portal/verify which hosted a credential harvesting page on portalapi.tech. A secondary link https://datadata.net/secure/token delivered Amadey (SHA1: 00ab48377441deb58f00bfeae146bfa9141527b9). The malware was saved to /tmp/payload.bin and established C2 with 24.58.133.179.", "spans": {"ORGANIZATION: Trend Micro": [[26, 37]], "EMAIL: confirm@identity-verify.cc": [[106, 132]], "EMAIL: verify@account-update.xyz": [[137, 162]], "URL: hxxps://edge-edge.xyz/portal/verify": [[219, 254]], "DOMAIN: portalapi.tech": [[300, 314]], "URL: https://datadata.net/secure/token": [[333, 366]], "MALWARE: Amadey": [[377, 383]], "HASH: 00ab48377441deb58f00bfeae146bfa9141527b9": [[391, 431]], "FILEPATH: /tmp/payload.bin": [[459, 475]], "IP_ADDRESS: 24.58.133.179": [[500, 513]]}, "info": {"id": "synth_v2_01035", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Dragos identified a large-scale phishing operation. Emails originated from notification@credential-check.site and account@urgent-notice.online, spoofing legitimate services. Victims were directed to hxxps://cachestorage.xyz/download/update.exe which hosted a credential harvesting page on relay-proxy.top. A secondary link https://backup-update.cc/portal/verify delivered XLoader (SHA256: e931163920495328018a48bbf3d841bec1c0d113779fe165d0adb3df45187fc1). 
The malware was saved to /tmp/update.dll and established C2 with 129.26.30.26.", "spans": {"ORGANIZATION: Dragos": [[26, 32]], "EMAIL: notification@credential-check.site": [[101, 135]], "EMAIL: account@urgent-notice.online": [[140, 168]], "URL: hxxps://cachestorage.xyz/download/update.exe": [[225, 269]], "DOMAIN: relay-proxy.top": [[315, 330]], "URL: https://backup-update.cc/portal/verify": [[349, 387]], "MALWARE: XLoader": [[398, 405]], "HASH: e931163920495328018a48bbf3d841bec1c0d113779fe165d0adb3df45187fc1": [[415, 479]], "FILEPATH: /tmp/update.dll": [[507, 522]], "IP_ADDRESS: 129.26.30.26": [[547, 559]]}, "info": {"id": "synth_v2_01036", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: FBI identified a large-scale phishing operation. Emails originated from confirm@credential-check.site and helpdesk@secure-verify.net, spoofing legitimate services. Victims were directed to https://cloudcache.net/api/v2/auth which hosted a credential harvesting page on secureauth.link. A secondary link http://sync-data.site/panel/index.html delivered Emotet (SHA1: 079a229d284d628f6d19fde5552704f93b3d3c0e). The malware was saved to C:\\ProgramData\\dropper.ps1 and established C2 with 25.23.207.162.", "spans": {"ORGANIZATION: FBI": [[26, 29]], "EMAIL: confirm@credential-check.site": [[98, 127]], "EMAIL: helpdesk@secure-verify.net": [[132, 158]], "URL: https://cloudcache.net/api/v2/auth": [[215, 249]], "DOMAIN: secureauth.link": [[295, 310]], "URL: http://sync-data.site/panel/index.html": [[329, 367]], "MALWARE: Emotet": [[378, 384]], "HASH: 079a229d284d628f6d19fde5552704f93b3d3c0e": [[392, 432]], "FILEPATH: C:\\ProgramData\\dropper.ps1": [[460, 486]], "IP_ADDRESS: 25.23.207.162": [[511, 524]]}, "info": {"id": "synth_v2_01037", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: CrowdStrike identified a large-scale phishing operation. Emails originated from account@auth-check.org and contact@mail-service.info, spoofing legitimate services. 
Victims were directed to hxxps://storage-relay.live/callback which hosted a credential harvesting page on mail-sync.org. A secondary link hxxp://login-gateway.live/wp-content/uploads/doc.php delivered Hive (MD5: 3a47630010104e4b3786ee2b8d6f26d1). The malware was saved to C:\\Users\\admin\\AppData\\Local\\Temp\\update.dll and established C2 with 10.27.94.246.", "spans": {"ORGANIZATION: CrowdStrike": [[26, 37]], "EMAIL: account@auth-check.org": [[106, 128]], "EMAIL: contact@mail-service.info": [[133, 158]], "URL: hxxps://storage-relay.live/callback": [[215, 250]], "DOMAIN: mail-sync.org": [[296, 309]], "URL: hxxp://login-gateway.live/wp-content/uploads/doc.php": [[328, 380]], "MALWARE: Hive": [[391, 395]], "HASH: 3a47630010104e4b3786ee2b8d6f26d1": [[402, 434]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\update.dll": [[462, 506]], "IP_ADDRESS: 10.27.94.246": [[531, 543]]}, "info": {"id": "synth_v2_01038", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Sophos X-Ops identified a large-scale phishing operation. Emails originated from account@identity-verify.cc and ceo@auth-check.org, spoofing legitimate services. Victims were directed to https://storage-login.org/assets/js/payload.js which hosted a credential harvesting page on gatewayproxy.com. A secondary link hxxp://auth-backup.link/login delivered Ryuk (SHA256: 829548717eac38897bea47900c502c63545b0780a21815bb08ca3232e56a72d5). 
The malware was saved to /usr/local/bin/winlogon.exe and established C2 with 10.48.205.109.", "spans": {"ORGANIZATION: Sophos X-Ops": [[26, 38]], "EMAIL: account@identity-verify.cc": [[107, 133]], "EMAIL: ceo@auth-check.org": [[138, 156]], "URL: https://storage-login.org/assets/js/payload.js": [[213, 259]], "DOMAIN: gatewayproxy.com": [[305, 321]], "URL: hxxp://auth-backup.link/login": [[340, 369]], "MALWARE: Ryuk": [[380, 384]], "HASH: 829548717eac38897bea47900c502c63545b0780a21815bb08ca3232e56a72d5": [[394, 458]], "FILEPATH: /usr/local/bin/winlogon.exe": [[486, 513]], "IP_ADDRESS: 10.48.205.109": [[538, 551]]}, "info": {"id": "synth_v2_01039", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Check Point Research identified a large-scale phishing operation. Emails originated from helpdesk@login-portal.tech and account@account-update.xyz, spoofing legitimate services. Victims were directed to hxxps://login-login.info/login which hosted a credential harvesting page on cdn-mail.site. A secondary link hxxp://datacache.org/admin/config delivered BlackCat (SHA256: 5fea0499e94cdcafd3ca229afda628f5eb42f515a3ce70caf95e816442ab66c6). The malware was saved to C:\\Users\\Public\\Documents\\implant.so and established C2 with 10.58.106.66.", "spans": {"ORGANIZATION: Check Point Research": [[26, 46]], "EMAIL: helpdesk@login-portal.tech": [[115, 141]], "EMAIL: account@account-update.xyz": [[146, 172]], "URL: hxxps://login-login.info/login": [[229, 259]], "DOMAIN: cdn-mail.site": [[305, 318]], "URL: hxxp://datacache.org/admin/config": [[337, 370]], "MALWARE: BlackCat": [[381, 389]], "HASH: 5fea0499e94cdcafd3ca229afda628f5eb42f515a3ce70caf95e816442ab66c6": [[399, 463]], "FILEPATH: C:\\Users\\Public\\Documents\\implant.so": [[491, 527]], "IP_ADDRESS: 10.58.106.66": [[552, 564]]}, "info": {"id": "synth_v2_01040", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Zscaler ThreatLabz identified a large-scale phishing operation. 
Emails originated from confirm@mail-service.info and billing@login-portal.tech, spoofing legitimate services. Victims were directed to hxxp://cloud-data.top/secure/token which hosted a credential harvesting page on static-sync.tech. A secondary link hxxp://node-portal.net/download/update.exe delivered FormBook (MD5: 410cdd0ebbbe8086c372d4033dcca27d). The malware was saved to /opt/app/bin/payload.bin and established C2 with 172.95.204.77.", "spans": {"ORGANIZATION: Zscaler ThreatLabz": [[26, 44]], "EMAIL: confirm@mail-service.info": [[113, 138]], "EMAIL: billing@login-portal.tech": [[143, 168]], "URL: hxxp://cloud-data.top/secure/token": [[225, 259]], "DOMAIN: static-sync.tech": [[305, 321]], "URL: hxxp://node-portal.net/download/update.exe": [[340, 382]], "MALWARE: FormBook": [[393, 401]], "HASH: 410cdd0ebbbe8086c372d4033dcca27d": [[408, 440]], "FILEPATH: /opt/app/bin/payload.bin": [[468, 492]], "IP_ADDRESS: 172.95.204.77": [[517, 530]]}, "info": {"id": "synth_v2_01041", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Check Point Research identified a large-scale phishing operation. Emails originated from finance@document-share.link and updates@identity-verify.cc, spoofing legitimate services. Victims were directed to http://secure-sync.cc/callback which hosted a credential harvesting page on datagateway.link. A secondary link hxxps://sync-secure.club/assets/js/payload.js delivered ShadowPad (SHA1: 699f3b0ef61a6ca7500802942deb399f836b4292). 
The malware was saved to /dev/shm/helper.sh and established C2 with 170.184.90.160.", "spans": {"ORGANIZATION: Check Point Research": [[26, 46]], "EMAIL: finance@document-share.link": [[115, 142]], "EMAIL: updates@identity-verify.cc": [[147, 173]], "URL: http://secure-sync.cc/callback": [[230, 260]], "DOMAIN: datagateway.link": [[306, 322]], "URL: hxxps://sync-secure.club/assets/js/payload.js": [[341, 386]], "MALWARE: ShadowPad": [[397, 406]], "HASH: 699f3b0ef61a6ca7500802942deb399f836b4292": [[414, 454]], "FILEPATH: /dev/shm/helper.sh": [[482, 500]], "IP_ADDRESS: 170.184.90.160": [[525, 539]]}, "info": {"id": "synth_v2_01042", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Mandiant identified a large-scale phishing operation. Emails originated from verify@login-portal.tech and it@identity-verify.cc, spoofing legitimate services. Victims were directed to http://storage-secure.site/secure/token which hosted a credential harvesting page on mail-data.live. A secondary link http://cacheapi.info/callback delivered BatLoader (SHA1: 0ff53d6457b88090ff44d02d4bf1a9c26170010d). The malware was saved to C:\\Program Files\\Common Files\\ntds.dit and established C2 with 27.136.242.201.", "spans": {"ORGANIZATION: Mandiant": [[26, 34]], "EMAIL: verify@login-portal.tech": [[103, 127]], "EMAIL: it@identity-verify.cc": [[132, 153]], "URL: http://storage-secure.site/secure/token": [[210, 249]], "DOMAIN: mail-data.live": [[295, 309]], "URL: http://cacheapi.info/callback": [[328, 357]], "MALWARE: BatLoader": [[368, 377]], "HASH: 0ff53d6457b88090ff44d02d4bf1a9c26170010d": [[385, 425]], "FILEPATH: C:\\Program Files\\Common Files\\ntds.dit": [[453, 491]], "IP_ADDRESS: 27.136.242.201": [[516, 530]]}, "info": {"id": "synth_v2_01043", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Microsoft MSRC identified a large-scale phishing operation. Emails originated from it@login-portal.tech and helpdesk@identity-verify.cc, spoofing legitimate services. 
Victims were directed to http://securebackup.dev/portal/verify which hosted a credential harvesting page on edge-cache.club. A secondary link hxxp://gatewaystorage.top/secure/token delivered FormBook (SHA1: 3a9af2d26d0ab2db5d2eaeb9985df6ea912a402a). The malware was saved to /opt/app/bin/helper.sh and established C2 with 172.103.198.127.", "spans": {"ORGANIZATION: Microsoft MSRC": [[26, 40]], "EMAIL: it@login-portal.tech": [[109, 129]], "EMAIL: helpdesk@identity-verify.cc": [[134, 161]], "URL: http://securebackup.dev/portal/verify": [[218, 255]], "DOMAIN: edge-cache.club": [[301, 316]], "URL: hxxp://gatewaystorage.top/secure/token": [[335, 373]], "MALWARE: FormBook": [[384, 392]], "HASH: 3a9af2d26d0ab2db5d2eaeb9985df6ea912a402a": [[400, 440]], "FILEPATH: /opt/app/bin/helper.sh": [[468, 490]], "IP_ADDRESS: 172.103.198.127": [[515, 530]]}, "info": {"id": "synth_v2_01044", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Sophos X-Ops identified a large-scale phishing operation. Emails originated from notification@account-update.xyz and finance@secure-verify.net, spoofing legitimate services. Victims were directed to http://proxyapi.org/admin/config which hosted a credential harvesting page on cloudbackup.site. A secondary link hxxp://cloudedge.dev/secure/token delivered Latrodectus (SHA1: 4afb1ff32cdceffc710023df543123f9e22cd3ab). 
The malware was saved to C:\\Program Files\\Common Files\\helper.sh and established C2 with 172.51.201.188.", "spans": {"ORGANIZATION: Sophos X-Ops": [[26, 38]], "EMAIL: notification@account-update.xyz": [[107, 138]], "EMAIL: finance@secure-verify.net": [[143, 168]], "URL: http://proxyapi.org/admin/config": [[225, 257]], "DOMAIN: cloudbackup.site": [[303, 319]], "URL: hxxp://cloudedge.dev/secure/token": [[338, 371]], "MALWARE: Latrodectus": [[382, 393]], "HASH: 4afb1ff32cdceffc710023df543123f9e22cd3ab": [[401, 441]], "FILEPATH: C:\\Program Files\\Common Files\\helper.sh": [[469, 508]], "IP_ADDRESS: 172.51.201.188": [[533, 547]]}, "info": {"id": "synth_v2_01045", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Recorded Future identified a large-scale phishing operation. Emails originated from confirm@account-update.xyz and finance@document-share.link, spoofing legitimate services. Victims were directed to hxxps://cachedata.cc/callback which hosted a credential harvesting page on nodecloud.club. A secondary link hxxps://mail-data.top/api/v2/auth delivered ShadowPad (SHA256: 85cc003f56ae70bca4bd18b039f25c7b4e2f3a739a651567d33e972e033958be). The malware was saved to /var/tmp/svchost.exe and established C2 with 207.106.242.34.", "spans": {"ORGANIZATION: Recorded Future": [[26, 41]], "EMAIL: confirm@account-update.xyz": [[110, 136]], "EMAIL: finance@document-share.link": [[141, 168]], "URL: hxxps://cachedata.cc/callback": [[225, 254]], "DOMAIN: nodecloud.club": [[300, 314]], "URL: hxxps://mail-data.top/api/v2/auth": [[333, 366]], "MALWARE: ShadowPad": [[377, 386]], "HASH: 85cc003f56ae70bca4bd18b039f25c7b4e2f3a739a651567d33e972e033958be": [[396, 460]], "FILEPATH: /var/tmp/svchost.exe": [[488, 508]], "IP_ADDRESS: 207.106.242.34": [[533, 547]]}, "info": {"id": "synth_v2_01046", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Proofpoint identified a large-scale phishing operation. 
Emails originated from service@phishing-domain.com and verify@account-update.xyz, spoofing legitimate services. Victims were directed to http://auth-sync.io/gate.php which hosted a credential harvesting page on auth-login.net. A secondary link https://edge-login.site/collect delivered Gootloader (SHA256: 903cc5c2686e430681a8ddd1a0a178423db0bd5c00c5358e603e45e389f42927). The malware was saved to /home/user/.config/sam.hive and established C2 with 48.165.142.215.", "spans": {"ORGANIZATION: Proofpoint": [[26, 36]], "EMAIL: service@phishing-domain.com": [[105, 132]], "EMAIL: verify@account-update.xyz": [[137, 162]], "URL: http://auth-sync.io/gate.php": [[219, 247]], "DOMAIN: auth-login.net": [[293, 307]], "URL: https://edge-login.site/collect": [[326, 357]], "MALWARE: Gootloader": [[368, 378]], "HASH: 903cc5c2686e430681a8ddd1a0a178423db0bd5c00c5358e603e45e389f42927": [[388, 452]], "FILEPATH: /home/user/.config/sam.hive": [[480, 507]], "IP_ADDRESS: 48.165.142.215": [[532, 546]]}, "info": {"id": "synth_v2_01047", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Qualys identified a large-scale phishing operation. Emails originated from noreply@document-share.link and security@identity-verify.cc, spoofing legitimate services. Victims were directed to hxxp://mailportal.xyz/collect which hosted a credential harvesting page on portal-cache.info. A secondary link https://relay-login.club/login delivered BatLoader (SHA1: 37016389bc9dd797a72b0787b04dd66f911baafe). 
The malware was saved to C:\\ProgramData\\taskhost.exe and established C2 with 192.211.196.184.", "spans": {"ORGANIZATION: Qualys": [[26, 32]], "EMAIL: noreply@document-share.link": [[101, 128]], "EMAIL: security@identity-verify.cc": [[133, 160]], "URL: hxxp://mailportal.xyz/collect": [[217, 246]], "DOMAIN: portal-cache.info": [[292, 309]], "URL: https://relay-login.club/login": [[328, 358]], "MALWARE: BatLoader": [[369, 378]], "HASH: 37016389bc9dd797a72b0787b04dd66f911baafe": [[386, 426]], "FILEPATH: C:\\ProgramData\\taskhost.exe": [[454, 481]], "IP_ADDRESS: 192.211.196.184": [[506, 521]]}, "info": {"id": "synth_v2_01048", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: CrowdStrike identified a large-scale phishing operation. Emails originated from finance@document-share.link and updates@secure-verify.net, spoofing legitimate services. Victims were directed to hxxp://relayupdate.site/wp-content/uploads/doc.php which hosted a credential harvesting page on authsecure.tech. A secondary link hxxps://datastatic.net/api/v2/auth delivered DanaBot (SHA256: ac0597e1ec1ba0dfb23796937775a3f8279032cbb4ec407189f2320476a0cdb4). The malware was saved to C:\\Users\\admin\\Desktop\\helper.sh and established C2 with 188.17.41.50.", "spans": {"ORGANIZATION: CrowdStrike": [[26, 37]], "EMAIL: finance@document-share.link": [[106, 133]], "EMAIL: updates@secure-verify.net": [[138, 163]], "URL: hxxp://relayupdate.site/wp-content/uploads/doc.php": [[220, 270]], "DOMAIN: authsecure.tech": [[316, 331]], "URL: hxxps://datastatic.net/api/v2/auth": [[350, 384]], "MALWARE: DanaBot": [[395, 402]], "HASH: ac0597e1ec1ba0dfb23796937775a3f8279032cbb4ec407189f2320476a0cdb4": [[412, 476]], "FILEPATH: C:\\Users\\admin\\Desktop\\helper.sh": [[504, 536]], "IP_ADDRESS: 188.17.41.50": [[561, 573]]}, "info": {"id": "synth_v2_01049", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Recorded Future identified a large-scale phishing operation. 
Emails originated from helpdesk@login-portal.tech and hr@mail-service.info, spoofing legitimate services. Victims were directed to http://proxy-gateway.live/admin/config which hosted a credential harvesting page on cache-edge.link. A secondary link hxxps://sync-edge.link/portal/verify delivered SmokeLoader (SHA1: 1b4eb2b900cad4fb2c93bdcc384404a5f4be4042). The malware was saved to C:\\Users\\admin\\AppData\\Local\\Temp\\chrome_helper.exe and established C2 with 127.110.19.19.", "spans": {"ORGANIZATION: Recorded Future": [[26, 41]], "EMAIL: helpdesk@login-portal.tech": [[110, 136]], "EMAIL: hr@mail-service.info": [[141, 161]], "URL: http://proxy-gateway.live/admin/config": [[218, 256]], "DOMAIN: cache-edge.link": [[302, 317]], "URL: hxxps://sync-edge.link/portal/verify": [[336, 372]], "MALWARE: SmokeLoader": [[383, 394]], "HASH: 1b4eb2b900cad4fb2c93bdcc384404a5f4be4042": [[402, 442]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\chrome_helper.exe": [[470, 521]], "IP_ADDRESS: 127.110.19.19": [[546, 559]]}, "info": {"id": "synth_v2_01050", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Mandiant identified a large-scale phishing operation. Emails originated from hr@urgent-notice.online and info@secure-verify.net, spoofing legitimate services. Victims were directed to hxxps://updatebackup.cc/login which hosted a credential harvesting page on gatewayauth.site. A secondary link hxxps://backup-secure.dev/download/update.exe delivered WarmCookie (SHA1: 26eb6494b7554fd3474d2dd0c0a0c4a1077f500c). 
The malware was saved to C:\\ProgramData\\implant.so and established C2 with 10.149.73.32.", "spans": {"ORGANIZATION: Mandiant": [[26, 34]], "EMAIL: hr@urgent-notice.online": [[103, 126]], "EMAIL: info@secure-verify.net": [[131, 153]], "URL: hxxps://updatebackup.cc/login": [[210, 239]], "DOMAIN: gatewayauth.site": [[285, 301]], "URL: hxxps://backup-secure.dev/download/update.exe": [[320, 365]], "MALWARE: WarmCookie": [[376, 386]], "HASH: 26eb6494b7554fd3474d2dd0c0a0c4a1077f500c": [[394, 434]], "FILEPATH: C:\\ProgramData\\implant.so": [[462, 487]], "IP_ADDRESS: 10.149.73.32": [[512, 524]]}, "info": {"id": "synth_v2_01051", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Palo Alto Unit 42 identified a large-scale phishing operation. Emails originated from billing@mail-service.info and account@auth-check.org, spoofing legitimate services. Victims were directed to hxxp://edgesync.dev/login which hosted a credential harvesting page on cacheauth.online. A secondary link http://storage-cloud.net/login delivered Lumma Stealer (SHA256: 41cd57465a0984388d4d2dc26fa60ec8d70bdbdda8d7eb4dc412c6700392aa9a). The malware was saved to C:\\Users\\admin\\Desktop\\update.dll and established C2 with 172.246.50.219.", "spans": {"ORGANIZATION: Palo Alto Unit 42": [[26, 43]], "EMAIL: billing@mail-service.info": [[112, 137]], "EMAIL: account@auth-check.org": [[142, 164]], "URL: hxxp://edgesync.dev/login": [[221, 246]], "DOMAIN: cacheauth.online": [[292, 308]], "URL: http://storage-cloud.net/login": [[327, 357]], "MALWARE: Lumma Stealer": [[368, 381]], "HASH: 41cd57465a0984388d4d2dc26fa60ec8d70bdbdda8d7eb4dc412c6700392aa9a": [[391, 455]], "FILEPATH: C:\\Users\\admin\\Desktop\\update.dll": [[483, 516]], "IP_ADDRESS: 172.246.50.219": [[541, 555]]}, "info": {"id": "synth_v2_01052", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Tenable identified a large-scale phishing operation. 
Emails originated from info@credential-check.site and alert@login-portal.tech, spoofing legitimate services. Victims were directed to https://auth-cache.top/login which hosted a credential harvesting page on backup-api.net. A secondary link hxxps://backup-relay.top/download/update.exe delivered BlackCat (SHA1: 3842fdc616d56430f15a3ba446b0f4041b4512c3). The malware was saved to C:\\Windows\\Tasks\\agent.py and established C2 with 35.248.38.198.", "spans": {"ORGANIZATION: Tenable": [[26, 33]], "EMAIL: info@credential-check.site": [[102, 128]], "EMAIL: alert@login-portal.tech": [[133, 156]], "URL: https://auth-cache.top/login": [[213, 241]], "DOMAIN: backup-api.net": [[287, 301]], "URL: hxxps://backup-relay.top/download/update.exe": [[320, 364]], "MALWARE: BlackCat": [[375, 383]], "HASH: 3842fdc616d56430f15a3ba446b0f4041b4512c3": [[391, 431]], "FILEPATH: C:\\Windows\\Tasks\\agent.py": [[459, 484]], "IP_ADDRESS: 35.248.38.198": [[509, 522]]}, "info": {"id": "synth_v2_01053", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Palo Alto Unit 42 identified a large-scale phishing operation. Emails originated from report@login-portal.tech and contact@credential-check.site, spoofing legitimate services. Victims were directed to http://proxyportal.info/wp-content/uploads/doc.php which hosted a credential harvesting page on backupstatic.net. A secondary link hxxps://data-edge.link/login delivered Raccoon Stealer (SHA1: 0da7d0bb03dcc45315122234294df2a529b817e6). 
The malware was saved to /home/user/.config/config.dat and established C2 with 192.77.60.90.", "spans": {"ORGANIZATION: Palo Alto Unit 42": [[26, 43]], "EMAIL: report@login-portal.tech": [[112, 136]], "EMAIL: contact@credential-check.site": [[141, 170]], "URL: http://proxyportal.info/wp-content/uploads/doc.php": [[227, 277]], "DOMAIN: backupstatic.net": [[323, 339]], "URL: hxxps://data-edge.link/login": [[358, 386]], "MALWARE: Raccoon Stealer": [[397, 412]], "HASH: 0da7d0bb03dcc45315122234294df2a529b817e6": [[420, 460]], "FILEPATH: /home/user/.config/config.dat": [[488, 517]], "IP_ADDRESS: 192.77.60.90": [[542, 554]]}, "info": {"id": "synth_v2_01054", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Google TAG identified a large-scale phishing operation. Emails originated from finance@phishing-domain.com and info@login-portal.tech, spoofing legitimate services. Victims were directed to hxxps://storage-cloud.tech/callback which hosted a credential harvesting page on mailstorage.org. A secondary link http://secureportal.net/panel/index.html delivered RemcosRAT (SHA1: 6bae7eabf5d21713d633433fb38ce2cb2ba4fee2). The malware was saved to /dev/shm/agent.py and established C2 with 10.71.186.73.", "spans": {"ORGANIZATION: Google TAG": [[26, 36]], "EMAIL: finance@phishing-domain.com": [[105, 132]], "EMAIL: info@login-portal.tech": [[137, 159]], "URL: hxxps://storage-cloud.tech/callback": [[216, 251]], "DOMAIN: mailstorage.org": [[297, 312]], "URL: http://secureportal.net/panel/index.html": [[331, 371]], "MALWARE: RemcosRAT": [[382, 391]], "HASH: 6bae7eabf5d21713d633433fb38ce2cb2ba4fee2": [[399, 439]], "FILEPATH: /dev/shm/agent.py": [[467, 484]], "IP_ADDRESS: 10.71.186.73": [[509, 521]]}, "info": {"id": "synth_v2_01055", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Dragos identified a large-scale phishing operation. Emails originated from verify@secure-verify.net and updates@document-share.link, spoofing legitimate services. 
Victims were directed to https://nodenode.dev/callback which hosted a credential harvesting page on mail-auth.cc. A secondary link hxxp://staticbackup.io/login delivered NjRAT (MD5: 6d1e68fa3ee0151d3fa89edf70d32b46). The malware was saved to /etc/cron.d/lsass.dmp and established C2 with 172.186.151.227.", "spans": {"ORGANIZATION: Dragos": [[26, 32]], "EMAIL: verify@secure-verify.net": [[101, 125]], "EMAIL: updates@document-share.link": [[130, 157]], "URL: https://nodenode.dev/callback": [[214, 243]], "DOMAIN: mail-auth.cc": [[289, 301]], "URL: hxxp://staticbackup.io/login": [[320, 348]], "MALWARE: NjRAT": [[359, 364]], "HASH: 6d1e68fa3ee0151d3fa89edf70d32b46": [[371, 403]], "FILEPATH: /etc/cron.d/lsass.dmp": [[431, 452]], "IP_ADDRESS: 172.186.151.227": [[477, 492]]}, "info": {"id": "synth_v2_01056", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Recorded Future identified a large-scale phishing operation. Emails originated from noreply@account-update.xyz and updates@secure-verify.net, spoofing legitimate services. Victims were directed to hxxp://loginportal.site/admin/config which hosted a credential harvesting page on proxy-update.top. A secondary link https://portalmail.com/callback delivered Cobalt Strike (MD5: 3273f400313a6299159989ed01de5273). 
The malware was saved to /usr/local/bin/taskhost.exe and established C2 with 10.193.215.221.", "spans": {"ORGANIZATION: Recorded Future": [[26, 41]], "EMAIL: noreply@account-update.xyz": [[110, 136]], "EMAIL: updates@secure-verify.net": [[141, 166]], "URL: hxxp://loginportal.site/admin/config": [[223, 259]], "DOMAIN: proxy-update.top": [[305, 321]], "URL: https://portalmail.com/callback": [[340, 371]], "MALWARE: Cobalt Strike": [[382, 395]], "HASH: 3273f400313a6299159989ed01de5273": [[402, 434]], "FILEPATH: /usr/local/bin/taskhost.exe": [[462, 489]], "IP_ADDRESS: 10.193.215.221": [[514, 528]]}, "info": {"id": "synth_v2_01057", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Cisco Talos identified a large-scale phishing operation. Emails originated from security@mail-service.info and support@urgent-notice.online, spoofing legitimate services. Victims were directed to http://authupdate.com/callback which hosted a credential harvesting page on update-proxy.site. A secondary link hxxp://sync-auth.online/panel/index.html delivered REvil (SHA1: 9633da31b19ec76f18d124399586c498eebf6977). The malware was saved to C:\\Users\\Public\\Documents\\taskhost.exe and established C2 with 223.82.71.59.", "spans": {"ORGANIZATION: Cisco Talos": [[26, 37]], "EMAIL: security@mail-service.info": [[106, 132]], "EMAIL: support@urgent-notice.online": [[137, 165]], "URL: http://authupdate.com/callback": [[222, 252]], "DOMAIN: update-proxy.site": [[298, 315]], "URL: hxxp://sync-auth.online/panel/index.html": [[334, 374]], "MALWARE: REvil": [[385, 390]], "HASH: 9633da31b19ec76f18d124399586c498eebf6977": [[398, 438]], "FILEPATH: C:\\Users\\Public\\Documents\\taskhost.exe": [[466, 504]], "IP_ADDRESS: 223.82.71.59": [[529, 541]]}, "info": {"id": "synth_v2_01058", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Trend Micro identified a large-scale phishing operation. 
Emails originated from noreply@urgent-notice.online and noreply@account-update.xyz, spoofing legitimate services. Victims were directed to hxxps://edge-login.info/panel/index.html which hosted a credential harvesting page on mail-static.cc. A secondary link hxxp://proxystorage.live/panel/index.html delivered StealC (SHA256: 53c4028ac2d0840150553f219aa90cc910ce2dca5ab9808c62fb497972d3fdbe). The malware was saved to C:\\Windows\\Temp\\backdoor.elf and established C2 with 10.137.231.155.", "spans": {"ORGANIZATION: Trend Micro": [[26, 37]], "EMAIL: noreply@urgent-notice.online": [[106, 134]], "EMAIL: noreply@account-update.xyz": [[139, 165]], "URL: hxxps://edge-login.info/panel/index.html": [[222, 262]], "DOMAIN: mail-static.cc": [[308, 322]], "URL: hxxp://proxystorage.live/panel/index.html": [[341, 382]], "MALWARE: StealC": [[393, 399]], "HASH: 53c4028ac2d0840150553f219aa90cc910ce2dca5ab9808c62fb497972d3fdbe": [[409, 473]], "FILEPATH: C:\\Windows\\Temp\\backdoor.elf": [[501, 529]], "IP_ADDRESS: 10.137.231.155": [[554, 568]]}, "info": {"id": "synth_v2_01059", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Check Point Research identified a large-scale phishing operation. Emails originated from alert@login-portal.tech and it@secure-verify.net, spoofing legitimate services. Victims were directed to hxxps://data-mail.top/secure/token which hosted a credential harvesting page on update-gateway.info. A secondary link hxxp://storage-relay.dev/download/update.exe delivered Conti (SHA1: aee34fba81237601b8e27c58f209937a4c5f013e). 
The malware was saved to /etc/cron.d/beacon.dll and established C2 with 192.237.123.8.", "spans": {"ORGANIZATION: Check Point Research": [[26, 46]], "EMAIL: alert@login-portal.tech": [[115, 138]], "EMAIL: it@secure-verify.net": [[143, 163]], "URL: hxxps://data-mail.top/secure/token": [[220, 254]], "DOMAIN: update-gateway.info": [[300, 319]], "URL: hxxp://storage-relay.dev/download/update.exe": [[338, 382]], "MALWARE: Conti": [[393, 398]], "HASH: aee34fba81237601b8e27c58f209937a4c5f013e": [[406, 446]], "FILEPATH: /etc/cron.d/beacon.dll": [[474, 496]], "IP_ADDRESS: 192.237.123.8": [[521, 534]]}, "info": {"id": "synth_v2_01060", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Dragos identified a large-scale phishing operation. Emails originated from noreply@urgent-notice.online and admin@secure-verify.net, spoofing legitimate services. Victims were directed to https://backup-auth.cc/assets/js/payload.js which hosted a credential harvesting page on sync-backup.online. A secondary link https://databackup.net/download/update.exe delivered Latrodectus (MD5: 0f175b09deb346d508073b6526611520). The malware was saved to /home/user/.config/payload.bin and established C2 with 10.43.114.6.", "spans": {"ORGANIZATION: Dragos": [[26, 32]], "EMAIL: noreply@urgent-notice.online": [[101, 129]], "EMAIL: admin@secure-verify.net": [[134, 157]], "URL: https://backup-auth.cc/assets/js/payload.js": [[214, 257]], "DOMAIN: sync-backup.online": [[303, 321]], "URL: https://databackup.net/download/update.exe": [[340, 382]], "MALWARE: Latrodectus": [[393, 404]], "HASH: 0f175b09deb346d508073b6526611520": [[411, 443]], "FILEPATH: /home/user/.config/payload.bin": [[471, 501]], "IP_ADDRESS: 10.43.114.6": [[526, 537]]}, "info": {"id": "synth_v2_01061", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Sophos X-Ops identified a large-scale phishing operation. Emails originated from service@login-portal.tech and it@credential-check.site, spoofing legitimate services. 
Victims were directed to hxxps://data-relay.io/admin/config which hosted a credential harvesting page on portal-static.cc. A secondary link http://auth-data.live/portal/verify delivered Emotet (MD5: 501f0f78502de88dd125e7807cd8bf7f). The malware was saved to /opt/app/bin/csrss.exe and established C2 with 201.190.156.179.", "spans": {"ORGANIZATION: Sophos X-Ops": [[26, 38]], "EMAIL: service@login-portal.tech": [[107, 132]], "EMAIL: it@credential-check.site": [[137, 161]], "URL: hxxps://data-relay.io/admin/config": [[218, 252]], "DOMAIN: portal-static.cc": [[298, 314]], "URL: http://auth-data.live/portal/verify": [[333, 368]], "MALWARE: Emotet": [[379, 385]], "HASH: 501f0f78502de88dd125e7807cd8bf7f": [[392, 424]], "FILEPATH: /opt/app/bin/csrss.exe": [[452, 474]], "IP_ADDRESS: 201.190.156.179": [[499, 514]]}, "info": {"id": "synth_v2_01062", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Dragos identified a large-scale phishing operation. Emails originated from admin@urgent-notice.online and hr@account-update.xyz, spoofing legitimate services. Victims were directed to hxxps://gateway-static.site/assets/js/payload.js which hosted a credential harvesting page on apicdn.site. A secondary link http://maillogin.io/login delivered NjRAT (MD5: 91a21c7677d6b5248d14c821a5149544). 
The malware was saved to /var/tmp/helper.sh and established C2 with 194.139.190.114.", "spans": {"ORGANIZATION: Dragos": [[26, 32]], "EMAIL: admin@urgent-notice.online": [[101, 127]], "EMAIL: hr@account-update.xyz": [[132, 153]], "URL: hxxps://gateway-static.site/assets/js/payload.js": [[210, 258]], "DOMAIN: apicdn.site": [[304, 315]], "URL: http://maillogin.io/login": [[334, 359]], "MALWARE: NjRAT": [[370, 375]], "HASH: 91a21c7677d6b5248d14c821a5149544": [[382, 414]], "FILEPATH: /var/tmp/helper.sh": [[442, 460]], "IP_ADDRESS: 194.139.190.114": [[485, 500]]}, "info": {"id": "synth_v2_01063", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Cisco Talos identified a large-scale phishing operation. Emails originated from support@secure-verify.net and service@auth-check.org, spoofing legitimate services. Victims were directed to hxxp://relay-gateway.net/callback which hosted a credential harvesting page on dataupdate.io. A secondary link hxxps://backup-cache.dev/download/update.exe delivered SystemBC (MD5: 51fa0a9da6d7d70513e19ada91799be1). The malware was saved to C:\\Users\\admin\\Desktop\\implant.so and established C2 with 192.203.151.69.", "spans": {"ORGANIZATION: Cisco Talos": [[26, 37]], "EMAIL: support@secure-verify.net": [[106, 131]], "EMAIL: service@auth-check.org": [[136, 158]], "URL: hxxp://relay-gateway.net/callback": [[215, 248]], "DOMAIN: dataupdate.io": [[294, 307]], "URL: hxxps://backup-cache.dev/download/update.exe": [[326, 370]], "MALWARE: SystemBC": [[381, 389]], "HASH: 51fa0a9da6d7d70513e19ada91799be1": [[396, 428]], "FILEPATH: C:\\Users\\admin\\Desktop\\implant.so": [[456, 489]], "IP_ADDRESS: 192.203.151.69": [[514, 528]]}, "info": {"id": "synth_v2_01064", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Secureworks identified a large-scale phishing operation. Emails originated from finance@credential-check.site and verify@account-update.xyz, spoofing legitimate services. 
Victims were directed to hxxp://updateedge.info/wp-content/uploads/doc.php which hosted a credential harvesting page on cdn-sync.net. A secondary link https://sync-secure.xyz/panel/index.html delivered ShadowPad (SHA256: ee189d531cf1659610508af2b64eaca170c0d433c61be9309b43eecd3aa66773). The malware was saved to /home/user/.config/taskhost.exe and established C2 with 88.126.203.154.", "spans": {"ORGANIZATION: Secureworks": [[26, 37]], "EMAIL: finance@credential-check.site": [[106, 135]], "EMAIL: verify@account-update.xyz": [[140, 165]], "URL: hxxp://updateedge.info/wp-content/uploads/doc.php": [[222, 271]], "DOMAIN: cdn-sync.net": [[317, 329]], "URL: https://sync-secure.xyz/panel/index.html": [[348, 388]], "MALWARE: ShadowPad": [[399, 408]], "HASH: ee189d531cf1659610508af2b64eaca170c0d433c61be9309b43eecd3aa66773": [[418, 482]], "FILEPATH: /home/user/.config/taskhost.exe": [[510, 541]], "IP_ADDRESS: 88.126.203.154": [[566, 580]]}, "info": {"id": "synth_v2_01065", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Mandiant identified a large-scale phishing operation. Emails originated from alert@auth-check.org and confirm@auth-check.org, spoofing legitimate services. Victims were directed to hxxps://relaybackup.live/callback which hosted a credential harvesting page on sync-secure.tech. A secondary link http://proxy-cache.link/login delivered PlugX (SHA256: cd9c75b65c86f18891bc0f12ac4f02a454f340c4890c480f7d602f4304ff838b). 
The malware was saved to /tmp/helper.sh and established C2 with 192.173.149.92.", "spans": {"ORGANIZATION: Mandiant": [[26, 34]], "EMAIL: alert@auth-check.org": [[103, 123]], "EMAIL: confirm@auth-check.org": [[128, 150]], "URL: hxxps://relaybackup.live/callback": [[207, 240]], "DOMAIN: sync-secure.tech": [[286, 302]], "URL: http://proxy-cache.link/login": [[321, 350]], "MALWARE: PlugX": [[361, 366]], "HASH: cd9c75b65c86f18891bc0f12ac4f02a454f340c4890c480f7d602f4304ff838b": [[376, 440]], "FILEPATH: /tmp/helper.sh": [[468, 482]], "IP_ADDRESS: 192.173.149.92": [[507, 521]]}, "info": {"id": "synth_v2_01066", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Trend Micro identified a large-scale phishing operation. Emails originated from security@login-portal.tech and info@auth-check.org, spoofing legitimate services. Victims were directed to hxxps://node-portal.xyz/portal/verify which hosted a credential harvesting page on relay-secure.net. A secondary link http://login-static.site/download/update.exe delivered Qbot (SHA256: d0dbafc37815c0644146d82d7a9e8455033bcbe7240e163655b39386d2d70c01). The malware was saved to C:\\Windows\\System32\\payload.bin and established C2 with 172.44.208.119.", "spans": {"ORGANIZATION: Trend Micro": [[26, 37]], "EMAIL: security@login-portal.tech": [[106, 132]], "EMAIL: info@auth-check.org": [[137, 156]], "URL: hxxps://node-portal.xyz/portal/verify": [[213, 250]], "DOMAIN: relay-secure.net": [[296, 312]], "URL: http://login-static.site/download/update.exe": [[331, 375]], "MALWARE: Qbot": [[386, 390]], "HASH: d0dbafc37815c0644146d82d7a9e8455033bcbe7240e163655b39386d2d70c01": [[400, 464]], "FILEPATH: C:\\Windows\\System32\\payload.bin": [[492, 523]], "IP_ADDRESS: 172.44.208.119": [[548, 562]]}, "info": {"id": "synth_v2_01067", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Europol identified a large-scale phishing operation. 
Emails originated from confirm@account-update.xyz and alert@auth-check.org, spoofing legitimate services. Victims were directed to http://cache-secure.dev/callback which hosted a credential harvesting page on cdncloud.net. A secondary link hxxp://proxy-update.site/download/update.exe delivered Play (SHA256: e8f1fb5a2924602e7ee92872875651fa2afbac836c2e5695e0332bccc89f33cf). The malware was saved to C:\\Users\\admin\\AppData\\Local\\Temp\\agent.py and established C2 with 2.94.77.12.", "spans": {"ORGANIZATION: Europol": [[26, 33]], "EMAIL: confirm@account-update.xyz": [[102, 128]], "EMAIL: alert@auth-check.org": [[133, 153]], "URL: http://cache-secure.dev/callback": [[210, 242]], "DOMAIN: cdncloud.net": [[288, 300]], "URL: hxxp://proxy-update.site/download/update.exe": [[319, 363]], "MALWARE: Play": [[374, 378]], "HASH: e8f1fb5a2924602e7ee92872875651fa2afbac836c2e5695e0332bccc89f33cf": [[388, 452]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\agent.py": [[480, 522]], "IP_ADDRESS: 2.94.77.12": [[547, 557]]}, "info": {"id": "synth_v2_01068", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Google TAG identified a large-scale phishing operation. Emails originated from contact@secure-verify.net and notification@phishing-domain.com, spoofing legitimate services. Victims were directed to hxxp://cache-data.top/wp-content/uploads/doc.php which hosted a credential harvesting page on update-cdn.top. A secondary link http://staticdata.online/api/v2/auth delivered TrickBot (SHA1: da19731fc62ca8252e4030763703b95e95e322f5). 
The malware was saved to /opt/app/bin/ntds.dit and established C2 with 172.74.94.216.", "spans": {"ORGANIZATION: Google TAG": [[26, 36]], "EMAIL: contact@secure-verify.net": [[105, 130]], "EMAIL: notification@phishing-domain.com": [[135, 167]], "URL: hxxp://cache-data.top/wp-content/uploads/doc.php": [[224, 272]], "DOMAIN: update-cdn.top": [[318, 332]], "URL: http://staticdata.online/api/v2/auth": [[351, 387]], "MALWARE: TrickBot": [[398, 406]], "HASH: da19731fc62ca8252e4030763703b95e95e322f5": [[414, 454]], "FILEPATH: /opt/app/bin/ntds.dit": [[482, 503]], "IP_ADDRESS: 172.74.94.216": [[528, 541]]}, "info": {"id": "synth_v2_01069", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Microsoft MSRC identified a large-scale phishing operation. Emails originated from ceo@identity-verify.cc and hr@credential-check.site, spoofing legitimate services. Victims were directed to https://node-mail.tech/login which hosted a credential harvesting page on backup-mail.club. A secondary link hxxp://cachestatic.link/wp-content/uploads/doc.php delivered Royal (SHA1: c5a5a2edfbc4a88bc9961ab208d50cfd177204b1). The malware was saved to /var/tmp/chrome_helper.exe and established C2 with 167.239.238.235.", "spans": {"ORGANIZATION: Microsoft MSRC": [[26, 40]], "EMAIL: ceo@identity-verify.cc": [[109, 131]], "EMAIL: hr@credential-check.site": [[136, 160]], "URL: https://node-mail.tech/login": [[217, 245]], "DOMAIN: backup-mail.club": [[291, 307]], "URL: hxxp://cachestatic.link/wp-content/uploads/doc.php": [[326, 376]], "MALWARE: Royal": [[387, 392]], "HASH: c5a5a2edfbc4a88bc9961ab208d50cfd177204b1": [[400, 440]], "FILEPATH: /var/tmp/chrome_helper.exe": [[468, 494]], "IP_ADDRESS: 167.239.238.235": [[519, 534]]}, "info": {"id": "synth_v2_01070", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Zscaler ThreatLabz identified a large-scale phishing operation. Emails originated from confirm@secure-verify.net and finance@auth-check.org, spoofing legitimate services. 
Victims were directed to https://backuprelay.club/wp-content/uploads/doc.php which hosted a credential harvesting page on static-auth.dev. A secondary link https://updateauth.cc/secure/token delivered Dridex (MD5: 16980bdfc57b526c6c1fabe7989f8be5). The malware was saved to /dev/shm/ntds.dit and established C2 with 183.219.174.15.", "spans": {"ORGANIZATION: Zscaler ThreatLabz": [[26, 44]], "EMAIL: confirm@secure-verify.net": [[113, 138]], "EMAIL: finance@auth-check.org": [[143, 165]], "URL: https://backuprelay.club/wp-content/uploads/doc.php": [[222, 273]], "DOMAIN: static-auth.dev": [[319, 334]], "URL: https://updateauth.cc/secure/token": [[353, 387]], "MALWARE: Dridex": [[398, 404]], "HASH: 16980bdfc57b526c6c1fabe7989f8be5": [[411, 443]], "FILEPATH: /dev/shm/ntds.dit": [[471, 488]], "IP_ADDRESS: 183.219.174.15": [[513, 527]]}, "info": {"id": "synth_v2_01071", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: ESET Research identified a large-scale phishing operation. Emails originated from it@account-update.xyz and verify@identity-verify.cc, spoofing legitimate services. Victims were directed to hxxp://login-update.link/panel/index.html which hosted a credential harvesting page on static-cdn.org. A secondary link hxxps://storage-proxy.io/callback delivered BlackCat (SHA256: 99a1d7b56b6b85a6440d0248899417fedc29587d536852ccb51e80438f414dd7). 
The malware was saved to C:\\Users\\Public\\Documents\\lsass.dmp and established C2 with 161.226.12.99.", "spans": {"ORGANIZATION: ESET Research": [[26, 39]], "EMAIL: it@account-update.xyz": [[108, 129]], "EMAIL: verify@identity-verify.cc": [[134, 159]], "URL: hxxp://login-update.link/panel/index.html": [[216, 257]], "DOMAIN: static-cdn.org": [[303, 317]], "URL: hxxps://storage-proxy.io/callback": [[336, 369]], "MALWARE: BlackCat": [[380, 388]], "HASH: 99a1d7b56b6b85a6440d0248899417fedc29587d536852ccb51e80438f414dd7": [[398, 462]], "FILEPATH: C:\\Users\\Public\\Documents\\lsass.dmp": [[490, 525]], "IP_ADDRESS: 161.226.12.99": [[550, 563]]}, "info": {"id": "synth_v2_01072", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: FireEye identified a large-scale phishing operation. Emails originated from verify@identity-verify.cc and billing@auth-check.org, spoofing legitimate services. Victims were directed to http://login-login.xyz/api/v2/auth which hosted a credential harvesting page on nodemail.site. A secondary link hxxp://cachelogin.net/callback delivered Play (MD5: 425e24094401e14206278cbb700a0ec1). The malware was saved to C:\\ProgramData\\chrome_helper.exe and established C2 with 217.77.159.50.", "spans": {"ORGANIZATION: FireEye": [[26, 33]], "EMAIL: verify@identity-verify.cc": [[102, 127]], "EMAIL: billing@auth-check.org": [[132, 154]], "URL: http://login-login.xyz/api/v2/auth": [[211, 245]], "DOMAIN: nodemail.site": [[291, 304]], "URL: hxxp://cachelogin.net/callback": [[323, 353]], "MALWARE: Play": [[364, 368]], "HASH: 425e24094401e14206278cbb700a0ec1": [[375, 407]], "FILEPATH: C:\\ProgramData\\chrome_helper.exe": [[435, 467]], "IP_ADDRESS: 217.77.159.50": [[492, 505]]}, "info": {"id": "synth_v2_01073", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: FBI identified a large-scale phishing operation. Emails originated from admin@phishing-domain.com and admin@login-portal.tech, spoofing legitimate services. 
Victims were directed to hxxp://storagedata.cc/wp-content/uploads/doc.php which hosted a credential harvesting page on portalstatic.xyz. A secondary link http://cloud-login.info/secure/token delivered BlackCat (SHA1: 1cd29059ab76b35abded8eed46a594e34d7d5551). The malware was saved to /usr/local/bin/taskhost.exe and established C2 with 169.103.254.106.", "spans": {"ORGANIZATION: FBI": [[26, 29]], "EMAIL: admin@phishing-domain.com": [[98, 123]], "EMAIL: admin@login-portal.tech": [[128, 151]], "URL: hxxp://storagedata.cc/wp-content/uploads/doc.php": [[208, 256]], "DOMAIN: portalstatic.xyz": [[302, 318]], "URL: http://cloud-login.info/secure/token": [[337, 373]], "MALWARE: BlackCat": [[384, 392]], "HASH: 1cd29059ab76b35abded8eed46a594e34d7d5551": [[400, 440]], "FILEPATH: /usr/local/bin/taskhost.exe": [[468, 495]], "IP_ADDRESS: 169.103.254.106": [[520, 535]]}, "info": {"id": "synth_v2_01074", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: CISA identified a large-scale phishing operation. Emails originated from ceo@document-share.link and info@auth-check.org, spoofing legitimate services. Victims were directed to hxxps://node-login.com/api/v2/auth which hosted a credential harvesting page on portalbackup.org. A secondary link https://updateportal.link/download/update.exe delivered XLoader (SHA256: ad0ab656282ea249f677ddab054edf586785a706d2df6f1c7630afd05c2101c2). 
The malware was saved to /etc/cron.d/chrome_helper.exe and established C2 with 172.93.143.81.", "spans": {"ORGANIZATION: CISA": [[26, 30]], "EMAIL: ceo@document-share.link": [[99, 122]], "EMAIL: info@auth-check.org": [[127, 146]], "URL: hxxps://node-login.com/api/v2/auth": [[203, 237]], "DOMAIN: portalbackup.org": [[283, 299]], "URL: https://updateportal.link/download/update.exe": [[318, 363]], "MALWARE: XLoader": [[374, 381]], "HASH: ad0ab656282ea249f677ddab054edf586785a706d2df6f1c7630afd05c2101c2": [[391, 455]], "FILEPATH: /etc/cron.d/chrome_helper.exe": [[483, 512]], "IP_ADDRESS: 172.93.143.81": [[537, 550]]}, "info": {"id": "synth_v2_01075", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Kaspersky GReAT identified a large-scale phishing operation. Emails originated from it@login-portal.tech and helpdesk@credential-check.site, spoofing legitimate services. Victims were directed to http://portalstorage.dev/collect which hosted a credential harvesting page on cachegateway.org. A secondary link http://gatewaysync.io/panel/index.html delivered REvil (SHA1: 31ebd72bfe664c2b4292d3e567df120b35f5bad1). The malware was saved to /home/user/.config/csrss.exe and established C2 with 10.157.208.161.", "spans": {"ORGANIZATION: Kaspersky GReAT": [[26, 41]], "EMAIL: it@login-portal.tech": [[110, 130]], "EMAIL: helpdesk@credential-check.site": [[135, 165]], "URL: http://portalstorage.dev/collect": [[222, 254]], "DOMAIN: cachegateway.org": [[300, 316]], "URL: http://gatewaysync.io/panel/index.html": [[335, 373]], "MALWARE: REvil": [[384, 389]], "HASH: 31ebd72bfe664c2b4292d3e567df120b35f5bad1": [[397, 437]], "FILEPATH: /home/user/.config/csrss.exe": [[465, 493]], "IP_ADDRESS: 10.157.208.161": [[518, 532]]}, "info": {"id": "synth_v2_01076", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Google TAG identified a large-scale phishing operation. Emails originated from noreply@auth-check.org and admin@identity-verify.cc, spoofing legitimate services. 
Victims were directed to http://cache-gateway.tech/panel/index.html which hosted a credential harvesting page on relay-gateway.club. A secondary link hxxps://authlogin.live/callback delivered Qbot (SHA1: 4c02f5b3ffc1bf4a77f2461f6a7e7e454e6a340d). The malware was saved to /var/tmp/winlogon.exe and established C2 with 192.225.110.66.", "spans": {"ORGANIZATION: Google TAG": [[26, 36]], "EMAIL: noreply@auth-check.org": [[105, 127]], "EMAIL: admin@identity-verify.cc": [[132, 156]], "URL: http://cache-gateway.tech/panel/index.html": [[213, 255]], "DOMAIN: relay-gateway.club": [[301, 319]], "URL: hxxps://authlogin.live/callback": [[338, 369]], "MALWARE: Qbot": [[380, 384]], "HASH: 4c02f5b3ffc1bf4a77f2461f6a7e7e454e6a340d": [[392, 432]], "FILEPATH: /var/tmp/winlogon.exe": [[460, 481]], "IP_ADDRESS: 192.225.110.66": [[506, 520]]}, "info": {"id": "synth_v2_01077", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: CISA identified a large-scale phishing operation. Emails originated from hr@account-update.xyz and info@account-update.xyz, spoofing legitimate services. Victims were directed to https://backup-gateway.live/login which hosted a credential harvesting page on backup-mail.online. A secondary link http://login-cloud.info/gate.php delivered DanaBot (SHA256: 079f62b2289cbb1948ff1f5449a7cfe122ff952c353ccc1202b8d3833e7aa20d). 
The malware was saved to /etc/cron.d/taskhost.exe and established C2 with 179.26.234.7.", "spans": {"ORGANIZATION: CISA": [[26, 30]], "EMAIL: hr@account-update.xyz": [[99, 120]], "EMAIL: info@account-update.xyz": [[125, 148]], "URL: https://backup-gateway.live/login": [[205, 238]], "DOMAIN: backup-mail.online": [[284, 302]], "URL: http://login-cloud.info/gate.php": [[321, 353]], "MALWARE: DanaBot": [[364, 371]], "HASH: 079f62b2289cbb1948ff1f5449a7cfe122ff952c353ccc1202b8d3833e7aa20d": [[381, 445]], "FILEPATH: /etc/cron.d/taskhost.exe": [[473, 497]], "IP_ADDRESS: 179.26.234.7": [[522, 534]]}, "info": {"id": "synth_v2_01078", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: FBI identified a large-scale phishing operation. Emails originated from billing@login-portal.tech and report@urgent-notice.online, spoofing legitimate services. Victims were directed to hxxp://api-backup.online/wp-content/uploads/doc.php which hosted a credential harvesting page on storageapi.club. A secondary link hxxps://relay-login.club/collect delivered Vidar (MD5: 8bed84c16529363b442c0a57cc2c62a9). The malware was saved to C:\\Windows\\Tasks\\svchost.exe and established C2 with 51.208.112.172.", "spans": {"ORGANIZATION: FBI": [[26, 29]], "EMAIL: billing@login-portal.tech": [[98, 123]], "EMAIL: report@urgent-notice.online": [[128, 155]], "URL: hxxp://api-backup.online/wp-content/uploads/doc.php": [[212, 263]], "DOMAIN: storageapi.club": [[309, 324]], "URL: hxxps://relay-login.club/collect": [[343, 375]], "MALWARE: Vidar": [[386, 391]], "HASH: 8bed84c16529363b442c0a57cc2c62a9": [[398, 430]], "FILEPATH: C:\\Windows\\Tasks\\svchost.exe": [[458, 486]], "IP_ADDRESS: 51.208.112.172": [[511, 525]]}, "info": {"id": "synth_v2_01079", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Huntress identified a large-scale phishing operation. Emails originated from noreply@urgent-notice.online and contact@login-portal.tech, spoofing legitimate services. 
Victims were directed to hxxp://auth-api.org/login which hosted a credential harvesting page on syncedge.xyz. A secondary link https://node-backup.io/download/update.exe delivered Royal (SHA256: 6d635fba6e397117af24e06070e0256cb9b8a201437c7b5216e5afcdc4cb2a5c). The malware was saved to C:\\Program Files\\Common Files\\sam.hive and established C2 with 6.85.207.128.", "spans": {"ORGANIZATION: Huntress": [[26, 34]], "EMAIL: noreply@urgent-notice.online": [[103, 131]], "EMAIL: contact@login-portal.tech": [[136, 161]], "URL: hxxp://auth-api.org/login": [[218, 243]], "DOMAIN: syncedge.xyz": [[289, 301]], "URL: https://node-backup.io/download/update.exe": [[320, 362]], "MALWARE: Royal": [[373, 378]], "HASH: 6d635fba6e397117af24e06070e0256cb9b8a201437c7b5216e5afcdc4cb2a5c": [[388, 452]], "FILEPATH: C:\\Program Files\\Common Files\\sam.hive": [[480, 518]], "IP_ADDRESS: 6.85.207.128": [[543, 555]]}, "info": {"id": "synth_v2_01080", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: INTERPOL identified a large-scale phishing operation. Emails originated from info@login-portal.tech and service@phishing-domain.com, spoofing legitimate services. Victims were directed to https://syncstatic.dev/callback which hosted a credential harvesting page on auth-cloud.org. A secondary link http://update-edge.tech/portal/verify delivered SmokeLoader (MD5: 5fd3f109d884a45f7c0c87bb59d21f2c). 
The malware was saved to C:\\ProgramData\\shell.php and established C2 with 172.25.0.20.", "spans": {"ORGANIZATION: INTERPOL": [[26, 34]], "EMAIL: info@login-portal.tech": [[103, 125]], "EMAIL: service@phishing-domain.com": [[130, 157]], "URL: https://syncstatic.dev/callback": [[214, 245]], "DOMAIN: auth-cloud.org": [[291, 305]], "URL: http://update-edge.tech/portal/verify": [[324, 361]], "MALWARE: SmokeLoader": [[372, 383]], "HASH: 5fd3f109d884a45f7c0c87bb59d21f2c": [[390, 422]], "FILEPATH: C:\\ProgramData\\shell.php": [[450, 474]], "IP_ADDRESS: 172.25.0.20": [[499, 510]]}, "info": {"id": "synth_v2_01081", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Kaspersky GReAT identified a large-scale phishing operation. Emails originated from alert@auth-check.org and finance@identity-verify.cc, spoofing legitimate services. Victims were directed to hxxps://proxy-mail.link/panel/index.html which hosted a credential harvesting page on apicdn.info. A secondary link hxxps://cloud-node.club/portal/verify delivered QakBot (SHA256: 1291e92e5bbba173be68a34922734af05b541ae39c6ac00fa6f54be47e0907f8). The malware was saved to C:\\ProgramData\\csrss.exe and established C2 with 99.174.38.176.", "spans": {"ORGANIZATION: Kaspersky GReAT": [[26, 41]], "EMAIL: alert@auth-check.org": [[110, 130]], "EMAIL: finance@identity-verify.cc": [[135, 161]], "URL: hxxps://proxy-mail.link/panel/index.html": [[218, 258]], "DOMAIN: apicdn.info": [[304, 315]], "URL: hxxps://cloud-node.club/portal/verify": [[334, 371]], "MALWARE: QakBot": [[382, 388]], "HASH: 1291e92e5bbba173be68a34922734af05b541ae39c6ac00fa6f54be47e0907f8": [[398, 462]], "FILEPATH: C:\\ProgramData\\csrss.exe": [[490, 514]], "IP_ADDRESS: 99.174.38.176": [[539, 552]]}, "info": {"id": "synth_v2_01082", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: NSA identified a large-scale phishing operation. Emails originated from billing@auth-check.org and billing@urgent-notice.online, spoofing legitimate services. 
Victims were directed to hxxp://sync-node.top/gate.php which hosted a credential harvesting page on static-update.net. A secondary link hxxps://relaystorage.tech/wp-content/uploads/doc.php delivered Vidar (MD5: fd02c62d70aaafe6a3a3def0a2f6fa5a). The malware was saved to C:\\Users\\admin\\Desktop\\agent.py and established C2 with 29.249.230.141.", "spans": {"ORGANIZATION: NSA": [[26, 29]], "EMAIL: billing@auth-check.org": [[98, 120]], "EMAIL: billing@urgent-notice.online": [[125, 153]], "URL: hxxp://sync-node.top/gate.php": [[210, 239]], "DOMAIN: static-update.net": [[285, 302]], "URL: hxxps://relaystorage.tech/wp-content/uploads/doc.php": [[321, 373]], "MALWARE: Vidar": [[384, 389]], "HASH: fd02c62d70aaafe6a3a3def0a2f6fa5a": [[396, 428]], "FILEPATH: C:\\Users\\admin\\Desktop\\agent.py": [[456, 487]], "IP_ADDRESS: 29.249.230.141": [[512, 526]]}, "info": {"id": "synth_v2_01083", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Dragos identified a large-scale phishing operation. Emails originated from hr@phishing-domain.com and info@document-share.link, spoofing legitimate services. Victims were directed to hxxps://login-relay.link/callback which hosted a credential harvesting page on nodeportal.site. A secondary link hxxps://proxy-auth.site/api/v2/auth delivered PikaBot (SHA256: 63f7fb97b8fcfd1baed37c84b6f4b6998872019e08f71e4d6fdacc5de80cd3a3). 
The malware was saved to C:\\ProgramData\\shell.php and established C2 with 212.197.224.92.", "spans": {"ORGANIZATION: Dragos": [[26, 32]], "EMAIL: hr@phishing-domain.com": [[101, 123]], "EMAIL: info@document-share.link": [[128, 152]], "URL: hxxps://login-relay.link/callback": [[209, 242]], "DOMAIN: nodeportal.site": [[288, 303]], "URL: hxxps://proxy-auth.site/api/v2/auth": [[322, 357]], "MALWARE: PikaBot": [[368, 375]], "HASH: 63f7fb97b8fcfd1baed37c84b6f4b6998872019e08f71e4d6fdacc5de80cd3a3": [[385, 449]], "FILEPATH: C:\\ProgramData\\shell.php": [[477, 501]], "IP_ADDRESS: 212.197.224.92": [[526, 540]]}, "info": {"id": "synth_v2_01084", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Recorded Future identified a large-scale phishing operation. Emails originated from notification@urgent-notice.online and billing@login-portal.tech, spoofing legitimate services. Victims were directed to hxxps://gateway-api.online/assets/js/payload.js which hosted a credential harvesting page on sync-mail.top. A secondary link hxxp://updatestorage.io/secure/token delivered WarmCookie (SHA1: 89580e72ffddd4a0d7785cdb8e836db32862c30a). The malware was saved to /etc/cron.d/ntds.dit and established C2 with 113.76.189.64.", "spans": {"ORGANIZATION: Recorded Future": [[26, 41]], "EMAIL: notification@urgent-notice.online": [[110, 143]], "EMAIL: billing@login-portal.tech": [[148, 173]], "URL: hxxps://gateway-api.online/assets/js/payload.js": [[230, 277]], "DOMAIN: sync-mail.top": [[323, 336]], "URL: hxxp://updatestorage.io/secure/token": [[355, 391]], "MALWARE: WarmCookie": [[402, 412]], "HASH: 89580e72ffddd4a0d7785cdb8e836db32862c30a": [[420, 460]], "FILEPATH: /etc/cron.d/ntds.dit": [[488, 508]], "IP_ADDRESS: 113.76.189.64": [[533, 546]]}, "info": {"id": "synth_v2_01085", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: FireEye identified a large-scale phishing operation. 
Emails originated from it@login-portal.tech and helpdesk@document-share.link, spoofing legitimate services. Victims were directed to http://backup-secure.site/admin/config which hosted a credential harvesting page on api-storage.io. A secondary link http://auth-relay.dev/secure/token delivered SystemBC (MD5: 63a6a9d93124b040a9ee5607e1bd6282). The malware was saved to C:\\Program Files\\Common Files\\dropper.ps1 and established C2 with 155.106.2.209.", "spans": {"ORGANIZATION: FireEye": [[26, 33]], "EMAIL: it@login-portal.tech": [[102, 122]], "EMAIL: helpdesk@document-share.link": [[127, 155]], "URL: http://backup-secure.site/admin/config": [[212, 250]], "DOMAIN: api-storage.io": [[296, 310]], "URL: http://auth-relay.dev/secure/token": [[329, 363]], "MALWARE: SystemBC": [[374, 382]], "HASH: 63a6a9d93124b040a9ee5607e1bd6282": [[389, 421]], "FILEPATH: C:\\Program Files\\Common Files\\dropper.ps1": [[449, 490]], "IP_ADDRESS: 155.106.2.209": [[515, 528]]}, "info": {"id": "synth_v2_01086", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Google TAG identified a large-scale phishing operation. Emails originated from billing@phishing-domain.com and noreply@urgent-notice.online, spoofing legitimate services. Victims were directed to http://cloudsecure.dev/download/update.exe which hosted a credential harvesting page on apimail.link. A secondary link hxxp://portalgateway.cc/portal/verify delivered QakBot (MD5: 34ddaca1ba2c98b38e4cedb4d27900c8). 
The malware was saved to C:\\Windows\\System32\\loader.exe and established C2 with 77.218.54.248.", "spans": {"ORGANIZATION: Google TAG": [[26, 36]], "EMAIL: billing@phishing-domain.com": [[105, 132]], "EMAIL: noreply@urgent-notice.online": [[137, 165]], "URL: http://cloudsecure.dev/download/update.exe": [[222, 264]], "DOMAIN: apimail.link": [[310, 322]], "URL: hxxp://portalgateway.cc/portal/verify": [[341, 378]], "MALWARE: QakBot": [[389, 395]], "HASH: 34ddaca1ba2c98b38e4cedb4d27900c8": [[402, 434]], "FILEPATH: C:\\Windows\\System32\\loader.exe": [[462, 492]], "IP_ADDRESS: 77.218.54.248": [[517, 530]]}, "info": {"id": "synth_v2_01087", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Palo Alto Unit 42 identified a large-scale phishing operation. Emails originated from helpdesk@phishing-domain.com and confirm@credential-check.site, spoofing legitimate services. Victims were directed to http://update-edge.dev/download/update.exe which hosted a credential harvesting page on proxyrelay.dev. A secondary link hxxp://relay-data.io/gate.php delivered Conti (SHA1: 36d4949990d108a477cc23c751aabc6cc8f8a9af). The malware was saved to /home/user/.config/payload.bin and established C2 with 33.246.199.51.", "spans": {"ORGANIZATION: Palo Alto Unit 42": [[26, 43]], "EMAIL: helpdesk@phishing-domain.com": [[112, 140]], "EMAIL: confirm@credential-check.site": [[145, 174]], "URL: http://update-edge.dev/download/update.exe": [[231, 273]], "DOMAIN: proxyrelay.dev": [[319, 333]], "URL: hxxp://relay-data.io/gate.php": [[352, 381]], "MALWARE: Conti": [[392, 397]], "HASH: 36d4949990d108a477cc23c751aabc6cc8f8a9af": [[405, 445]], "FILEPATH: /home/user/.config/payload.bin": [[473, 503]], "IP_ADDRESS: 33.246.199.51": [[528, 541]]}, "info": {"id": "synth_v2_01088", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Qualys identified a large-scale phishing operation. 
Emails originated from admin@document-share.link and support@phishing-domain.com, spoofing legitimate services. Victims were directed to hxxps://apilogin.net/download/update.exe which hosted a credential harvesting page on cdn-mail.club. A secondary link https://logincloud.info/gate.php delivered Amadey (SHA1: 64498ff275059b14c4397d6156639c4357c8d188). The malware was saved to C:\\Windows\\Tasks\\beacon.dll and established C2 with 192.218.61.174.", "spans": {"ORGANIZATION: Qualys": [[26, 32]], "EMAIL: admin@document-share.link": [[101, 126]], "EMAIL: support@phishing-domain.com": [[131, 158]], "URL: hxxps://apilogin.net/download/update.exe": [[215, 255]], "DOMAIN: cdn-mail.club": [[301, 314]], "URL: https://logincloud.info/gate.php": [[333, 365]], "MALWARE: Amadey": [[376, 382]], "HASH: 64498ff275059b14c4397d6156639c4357c8d188": [[390, 430]], "FILEPATH: C:\\Windows\\Tasks\\beacon.dll": [[458, 485]], "IP_ADDRESS: 192.218.61.174": [[510, 524]]}, "info": {"id": "synth_v2_01089", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Huntress identified a large-scale phishing operation. Emails originated from notification@document-share.link and verify@secure-verify.net, spoofing legitimate services. Victims were directed to https://mailstatic.site/callback which hosted a credential harvesting page on nodedata.xyz. A secondary link hxxps://relaygateway.info/collect delivered Gootloader (MD5: b530c22357846efd062c0176590d509b). 
The malware was saved to C:\\Windows\\Temp\\svchost.exe and established C2 with 39.82.144.242.", "spans": {"ORGANIZATION: Huntress": [[26, 34]], "EMAIL: notification@document-share.link": [[103, 135]], "EMAIL: verify@secure-verify.net": [[140, 164]], "URL: https://mailstatic.site/callback": [[221, 253]], "DOMAIN: nodedata.xyz": [[299, 311]], "URL: hxxps://relaygateway.info/collect": [[330, 363]], "MALWARE: Gootloader": [[374, 384]], "HASH: b530c22357846efd062c0176590d509b": [[391, 423]], "FILEPATH: C:\\Windows\\Temp\\svchost.exe": [[451, 478]], "IP_ADDRESS: 39.82.144.242": [[503, 516]]}, "info": {"id": "synth_v2_01090", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: FBI identified a large-scale phishing operation. Emails originated from noreply@identity-verify.cc and it@login-portal.tech, spoofing legitimate services. Victims were directed to hxxp://staticcloud.club/download/update.exe which hosted a credential harvesting page on relay-update.tech. A secondary link https://cache-api.link/wp-content/uploads/doc.php delivered Gootloader (SHA1: ff609ebf43385b53f2f27e12ccda354c779cbe56). The malware was saved to /var/tmp/ntds.dit and established C2 with 10.171.252.202.", "spans": {"ORGANIZATION: FBI": [[26, 29]], "EMAIL: noreply@identity-verify.cc": [[98, 124]], "EMAIL: it@login-portal.tech": [[129, 149]], "URL: hxxp://staticcloud.club/download/update.exe": [[206, 249]], "DOMAIN: relay-update.tech": [[295, 312]], "URL: https://cache-api.link/wp-content/uploads/doc.php": [[331, 380]], "MALWARE: Gootloader": [[391, 401]], "HASH: ff609ebf43385b53f2f27e12ccda354c779cbe56": [[409, 449]], "FILEPATH: /var/tmp/ntds.dit": [[477, 494]], "IP_ADDRESS: 10.171.252.202": [[519, 533]]}, "info": {"id": "synth_v2_01091", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Zscaler ThreatLabz identified a large-scale phishing operation. Emails originated from notification@secure-verify.net and info@auth-check.org, spoofing legitimate services. 
Victims were directed to http://auth-cdn.net/assets/js/payload.js which hosted a credential harvesting page on mailedge.cc. A secondary link hxxps://gateway-update.com/download/update.exe delivered Royal (MD5: 5dac42b0fe500fee8105e5676a273265). The malware was saved to C:\\Windows\\Tasks\\winlogon.exe and established C2 with 222.104.112.82.", "spans": {"ORGANIZATION: Zscaler ThreatLabz": [[26, 44]], "EMAIL: notification@secure-verify.net": [[113, 143]], "EMAIL: info@auth-check.org": [[148, 167]], "URL: http://auth-cdn.net/assets/js/payload.js": [[224, 264]], "DOMAIN: mailedge.cc": [[310, 321]], "URL: hxxps://gateway-update.com/download/update.exe": [[340, 386]], "MALWARE: Royal": [[397, 402]], "HASH: 5dac42b0fe500fee8105e5676a273265": [[409, 441]], "FILEPATH: C:\\Windows\\Tasks\\winlogon.exe": [[469, 498]], "IP_ADDRESS: 222.104.112.82": [[523, 537]]}, "info": {"id": "synth_v2_01092", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Check Point Research identified a large-scale phishing operation. Emails originated from finance@urgent-notice.online and account@login-portal.tech, spoofing legitimate services. Victims were directed to hxxp://proxyapi.cc/api/v2/auth which hosted a credential harvesting page on datanode.dev. A secondary link hxxps://cacheportal.online/portal/verify delivered FormBook (MD5: 7e4470d9bce1a8b5ee5a1b421e3b0e53). 
The malware was saved to /home/user/.config/helper.sh and established C2 with 10.106.46.242.", "spans": {"ORGANIZATION: Check Point Research": [[26, 46]], "EMAIL: finance@urgent-notice.online": [[115, 143]], "EMAIL: account@login-portal.tech": [[148, 173]], "URL: hxxp://proxyapi.cc/api/v2/auth": [[230, 260]], "DOMAIN: datanode.dev": [[306, 318]], "URL: hxxps://cacheportal.online/portal/verify": [[337, 377]], "MALWARE: FormBook": [[388, 396]], "HASH: 7e4470d9bce1a8b5ee5a1b421e3b0e53": [[403, 435]], "FILEPATH: /home/user/.config/helper.sh": [[463, 491]], "IP_ADDRESS: 10.106.46.242": [[516, 529]]}, "info": {"id": "synth_v2_01093", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Rapid7 identified a large-scale phishing operation. Emails originated from verify@account-update.xyz and contact@identity-verify.cc, spoofing legitimate services. Victims were directed to https://loginnode.org/callback which hosted a credential harvesting page on loginbackup.com. A secondary link hxxp://synccache.dev/assets/js/payload.js delivered Cobalt Strike (SHA256: 8085a5765eb49fe20a6aac8eec924d040c6aca7b19f94aa4fee2fdfa5a0dded3). The malware was saved to C:\\Windows\\System32\\svchost.exe and established C2 with 171.25.44.78.", "spans": {"ORGANIZATION: Rapid7": [[26, 32]], "EMAIL: verify@account-update.xyz": [[101, 126]], "EMAIL: contact@identity-verify.cc": [[131, 157]], "URL: https://loginnode.org/callback": [[214, 244]], "DOMAIN: loginbackup.com": [[290, 305]], "URL: hxxp://synccache.dev/assets/js/payload.js": [[324, 365]], "MALWARE: Cobalt Strike": [[376, 389]], "HASH: 8085a5765eb49fe20a6aac8eec924d040c6aca7b19f94aa4fee2fdfa5a0dded3": [[399, 463]], "FILEPATH: C:\\Windows\\System32\\svchost.exe": [[491, 522]], "IP_ADDRESS: 171.25.44.78": [[547, 559]]}, "info": {"id": "synth_v2_01094", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Qualys identified a large-scale phishing operation. 
Emails originated from service@phishing-domain.com and ceo@secure-verify.net, spoofing legitimate services. Victims were directed to hxxp://edge-storage.info/download/update.exe which hosted a credential harvesting page on cloud-data.tech. A secondary link hxxp://authportal.top/assets/js/payload.js delivered FormBook (SHA1: e591b59fb3f0d47818c1ba89e91c88b2f3fcf234). The malware was saved to /tmp/lsass.dmp and established C2 with 10.45.29.15.", "spans": {"ORGANIZATION: Qualys": [[26, 32]], "EMAIL: service@phishing-domain.com": [[101, 128]], "EMAIL: ceo@secure-verify.net": [[133, 154]], "URL: hxxp://edge-storage.info/download/update.exe": [[211, 255]], "DOMAIN: cloud-data.tech": [[301, 316]], "URL: hxxp://authportal.top/assets/js/payload.js": [[335, 377]], "MALWARE: FormBook": [[388, 396]], "HASH: e591b59fb3f0d47818c1ba89e91c88b2f3fcf234": [[404, 444]], "FILEPATH: /tmp/lsass.dmp": [[472, 486]], "IP_ADDRESS: 10.45.29.15": [[511, 522]]}, "info": {"id": "synth_v2_01095", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: NCSC identified a large-scale phishing operation. Emails originated from support@document-share.link and support@urgent-notice.online, spoofing legitimate services. Victims were directed to hxxps://api-edge.online/assets/js/payload.js which hosted a credential harvesting page on storage-sync.net. A secondary link hxxp://backup-edge.com/panel/index.html delivered NjRAT (SHA1: 1cef83726fffe803644b953a949cc7240dce1547). 
The malware was saved to C:\\Users\\admin\\Downloads\\implant.so and established C2 with 192.117.25.237.", "spans": {"ORGANIZATION: NCSC": [[26, 30]], "EMAIL: support@document-share.link": [[99, 126]], "EMAIL: support@urgent-notice.online": [[131, 159]], "URL: hxxps://api-edge.online/assets/js/payload.js": [[216, 260]], "DOMAIN: storage-sync.net": [[306, 322]], "URL: hxxp://backup-edge.com/panel/index.html": [[341, 380]], "MALWARE: NjRAT": [[391, 396]], "HASH: 1cef83726fffe803644b953a949cc7240dce1547": [[404, 444]], "FILEPATH: C:\\Users\\admin\\Downloads\\implant.so": [[472, 507]], "IP_ADDRESS: 192.117.25.237": [[532, 546]]}, "info": {"id": "synth_v2_01096", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Qualys identified a large-scale phishing operation. Emails originated from hr@login-portal.tech and updates@identity-verify.cc, spoofing legitimate services. Victims were directed to http://apidata.link/callback which hosted a credential harvesting page on gateway-node.net. A secondary link hxxps://edge-update.io/download/update.exe delivered AgentTesla (SHA1: c0fae2ecab350167c91048a4c590a1e162dabbc2). The malware was saved to /home/user/.config/sam.hive and established C2 with 197.234.1.224.", "spans": {"ORGANIZATION: Qualys": [[26, 32]], "EMAIL: hr@login-portal.tech": [[101, 121]], "EMAIL: updates@identity-verify.cc": [[126, 152]], "URL: http://apidata.link/callback": [[209, 237]], "DOMAIN: gateway-node.net": [[283, 299]], "URL: hxxps://edge-update.io/download/update.exe": [[318, 360]], "MALWARE: AgentTesla": [[371, 381]], "HASH: c0fae2ecab350167c91048a4c590a1e162dabbc2": [[389, 429]], "FILEPATH: /home/user/.config/sam.hive": [[457, 484]], "IP_ADDRESS: 197.234.1.224": [[509, 522]]}, "info": {"id": "synth_v2_01097", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: Palo Alto Unit 42 identified a large-scale phishing operation. Emails originated from it@login-portal.tech and info@secure-verify.net, spoofing legitimate services. 
Victims were directed to hxxp://mail-edge.xyz/login which hosted a credential harvesting page on loginauth.io. A secondary link http://proxycloud.cc/collect delivered Lumma Stealer (SHA1: b7f7faea666f9b7b21dbbd124a8f7d5e5a9f3c8d). The malware was saved to /home/user/.config/payload.bin and established C2 with 156.119.242.105.", "spans": {"ORGANIZATION: Palo Alto Unit 42": [[26, 43]], "EMAIL: it@login-portal.tech": [[112, 132]], "EMAIL: info@secure-verify.net": [[137, 159]], "URL: hxxp://mail-edge.xyz/login": [[216, 242]], "DOMAIN: loginauth.io": [[288, 300]], "URL: http://proxycloud.cc/collect": [[319, 347]], "MALWARE: Lumma Stealer": [[358, 371]], "HASH: b7f7faea666f9b7b21dbbd124a8f7d5e5a9f3c8d": [[379, 419]], "FILEPATH: /home/user/.config/payload.bin": [[447, 477]], "IP_ADDRESS: 156.119.242.105": [[502, 517]]}, "info": {"id": "synth_v2_01098", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: NSA identified a large-scale phishing operation. Emails originated from it@phishing-domain.com and alert@identity-verify.cc, spoofing legitimate services. Victims were directed to hxxps://gatewayproxy.club/panel/index.html which hosted a credential harvesting page on gateway-data.site. A secondary link hxxp://proxyportal.live/admin/config delivered WarmCookie (SHA1: 023943beb3e4bb120a2e9010efe6cc9e7a66578d). 
The malware was saved to /etc/cron.d/svchost.exe and established C2 with 192.203.82.118.", "spans": {"ORGANIZATION: NSA": [[26, 29]], "EMAIL: it@phishing-domain.com": [[98, 120]], "EMAIL: alert@identity-verify.cc": [[125, 149]], "URL: hxxps://gatewayproxy.club/panel/index.html": [[206, 248]], "DOMAIN: gateway-data.site": [[294, 311]], "URL: hxxp://proxyportal.live/admin/config": [[330, 366]], "MALWARE: WarmCookie": [[377, 387]], "HASH: 023943beb3e4bb120a2e9010efe6cc9e7a66578d": [[395, 435]], "FILEPATH: /etc/cron.d/svchost.exe": [[463, 486]], "IP_ADDRESS: 192.203.82.118": [[511, 525]]}, "info": {"id": "synth_v2_01099", "source": "synthetic_v2"}} +{"text": "Phishing Campaign Report: FireEye identified a large-scale phishing operation. Emails originated from service@account-update.xyz and notification@account-update.xyz, spoofing legitimate services. Victims were directed to http://gateway-gateway.site/panel/index.html which hosted a credential harvesting page on storagesecure.org. A secondary link http://cache-cloud.online/api/v2/auth delivered Latrodectus (SHA1: cf7eb8228b84d725062f8dd8bab3ecc408912fac). The malware was saved to C:\\Windows\\Temp\\sam.hive and established C2 with 149.123.162.145.", "spans": {"ORGANIZATION: FireEye": [[26, 33]], "EMAIL: service@account-update.xyz": [[102, 128]], "EMAIL: notification@account-update.xyz": [[133, 164]], "URL: http://gateway-gateway.site/panel/index.html": [[221, 265]], "DOMAIN: storagesecure.org": [[311, 328]], "URL: http://cache-cloud.online/api/v2/auth": [[347, 384]], "MALWARE: Latrodectus": [[395, 406]], "HASH: cf7eb8228b84d725062f8dd8bab3ecc408912fac": [[414, 454]], "FILEPATH: C:\\Windows\\Temp\\sam.hive": [[482, 506]], "IP_ADDRESS: 149.123.162.145": [[531, 546]]}, "info": {"id": "synth_v2_01100", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Impacket artifacts at C:\\Users\\Public\\Documents\\payload.bin. 
Memory dump analysis confirmed execution of Merlin. Registry modifications pointed to persistence via /opt/app/bin/winlogon.exe. Network forensics identified connections to 83.253.194.76 and storage-update.dev. Email headers traced the initial vector to finance@secure-verify.net. File /dev/shm/beacon.dll (MD5: 8dff4072608e18e79badf38d2113e739) was identified as the initial dropper. A staging URL http://authportal.tech/panel/index.html resolved to 192.96.189.246. Secondary artifact hash: SHA256: 93df586b497c7d58730bb70c40a1608ca7732097797e3fa3046e28cfe6fd98ae.", "spans": {"TOOL: Impacket": [[72, 80]], "FILEPATH: C:\\Users\\Public\\Documents\\payload.bin": [[94, 131]], "TOOL: Merlin": [[177, 183]], "FILEPATH: /opt/app/bin/winlogon.exe": [[235, 260]], "IP_ADDRESS: 83.253.194.76": [[306, 319]], "DOMAIN: storage-update.dev": [[324, 342]], "EMAIL: finance@secure-verify.net": [[387, 412]], "FILEPATH: /dev/shm/beacon.dll": [[419, 438]], "HASH: 8dff4072608e18e79badf38d2113e739": [[445, 477]], "URL: http://authportal.tech/panel/index.html": [[532, 571]], "IP_ADDRESS: 192.96.189.246": [[584, 598]], "HASH: 93df586b497c7d58730bb70c40a1608ca7732097797e3fa3046e28cfe6fd98ae": [[633, 697]]}, "info": {"id": "synth_v2_01101", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Nmap artifacts at /tmp/shell.php. Memory dump analysis confirmed execution of ADFind. Registry modifications pointed to persistence via C:\\ProgramData\\payload.bin. Network forensics identified connections to 21.58.157.135 and update-static.org. Email headers traced the initial vector to security@urgent-notice.online. File /etc/cron.d/lsass.dmp (MD5: 8886a3dfe453a5efc1c980a32715ee65) was identified as the initial dropper. A staging URL http://edgeproxy.tech/login resolved to 11.28.184.199. 
Secondary artifact hash: SHA256: 6051c54e8d1cba19ab6fcb86902d14ce4690e6cf1a357ed374d4d5c066caa51d.", "spans": {"TOOL: Nmap": [[72, 76]], "FILEPATH: /tmp/shell.php": [[90, 104]], "TOOL: ADFind": [[150, 156]], "FILEPATH: C:\\ProgramData\\payload.bin": [[208, 234]], "IP_ADDRESS: 21.58.157.135": [[280, 293]], "DOMAIN: update-static.org": [[298, 315]], "EMAIL: security@urgent-notice.online": [[360, 389]], "FILEPATH: /etc/cron.d/lsass.dmp": [[396, 417]], "HASH: 8886a3dfe453a5efc1c980a32715ee65": [[424, 456]], "URL: http://edgeproxy.tech/login": [[511, 538]], "IP_ADDRESS: 11.28.184.199": [[551, 564]], "HASH: 6051c54e8d1cba19ab6fcb86902d14ce4690e6cf1a357ed374d4d5c066caa51d": [[599, 663]]}, "info": {"id": "synth_v2_01102", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed PowerView artifacts at /var/tmp/svchost.exe. Memory dump analysis confirmed execution of Sharphound. Registry modifications pointed to persistence via C:\\Windows\\System32\\shell.php. Network forensics identified connections to 172.6.32.165 and cache-update.site. Email headers traced the initial vector to report@auth-check.org. File /tmp/svchost.exe (SHA256: 6068b0e3688649aea8c3cca4864c99db8bde3de8908e1de3fdc140a1d79b27e1) was identified as the initial dropper. A staging URL hxxp://secure-secure.xyz/callback resolved to 214.18.252.71. 
Secondary artifact hash: SHA256: b75359ecd5b43117cce45c92381a40a71aac1e95de91752e8622d37e37de2a53.", "spans": {"TOOL: PowerView": [[72, 81]], "FILEPATH: /var/tmp/svchost.exe": [[95, 115]], "TOOL: Sharphound": [[161, 171]], "FILEPATH: C:\\Windows\\System32\\shell.php": [[223, 252]], "IP_ADDRESS: 172.6.32.165": [[298, 310]], "DOMAIN: cache-update.site": [[315, 332]], "EMAIL: report@auth-check.org": [[377, 398]], "FILEPATH: /tmp/svchost.exe": [[99, 115]], "HASH: 6068b0e3688649aea8c3cca4864c99db8bde3de8908e1de3fdc140a1d79b27e1": [[431, 495]], "URL: hxxp://secure-secure.xyz/callback": [[550, 583]], "IP_ADDRESS: 214.18.252.71": [[596, 609]], "HASH: b75359ecd5b43117cce45c92381a40a71aac1e95de91752e8622d37e37de2a53": [[644, 708]]}, "info": {"id": "synth_v2_01103", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed GhostPack artifacts at /tmp/taskhost.exe. Memory dump analysis confirmed execution of LinPEAS. Registry modifications pointed to persistence via C:\\Windows\\Temp\\lsass.dmp. Network forensics identified connections to 10.69.133.202 and maildata.online. Email headers traced the initial vector to finance@phishing-domain.com. File C:\\Users\\admin\\Downloads\\update.dll (SHA256: a270f068d86259619469f03c062ac0dd92d3485c728bdfb587fa009ee37644fb) was identified as the initial dropper. A staging URL https://proxyapi.link/portal/verify resolved to 172.216.71.67. 
Secondary artifact hash: MD5: 508380f00eb43725cb7ab4ba89c1dfb9.", "spans": {"TOOL: GhostPack": [[72, 81]], "FILEPATH: /tmp/taskhost.exe": [[95, 112]], "TOOL: LinPEAS": [[158, 165]], "FILEPATH: C:\\Windows\\Temp\\lsass.dmp": [[217, 242]], "IP_ADDRESS: 10.69.133.202": [[288, 301]], "DOMAIN: maildata.online": [[306, 321]], "EMAIL: finance@phishing-domain.com": [[366, 393]], "FILEPATH: C:\\Users\\admin\\Downloads\\update.dll": [[400, 435]], "HASH: a270f068d86259619469f03c062ac0dd92d3485c728bdfb587fa009ee37644fb": [[445, 509]], "URL: https://proxyapi.link/portal/verify": [[564, 599]], "IP_ADDRESS: 172.216.71.67": [[612, 625]], "HASH: 508380f00eb43725cb7ab4ba89c1dfb9": [[657, 689]]}, "info": {"id": "synth_v2_01104", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Sharphound artifacts at C:\\Users\\admin\\Desktop\\implant.so. Memory dump analysis confirmed execution of Sliver. Registry modifications pointed to persistence via /etc/cron.d/ntds.dit. Network forensics identified connections to 139.252.106.93 and apisync.site. Email headers traced the initial vector to confirm@urgent-notice.online. File /dev/shm/backdoor.elf (SHA256: 75d479a2be58f83ef38848c0e221d28d859e43472515b31e57acee3d82bf0bf7) was identified as the initial dropper. A staging URL https://mailnode.xyz/panel/index.html resolved to 65.190.112.66. 
Secondary artifact hash: SHA1: f02a9b799e6d1eabb5f60cfe168de6752daeea4e.", "spans": {"TOOL: Sharphound": [[72, 82]], "FILEPATH: C:\\Users\\admin\\Desktop\\implant.so": [[96, 129]], "TOOL: Sliver": [[175, 181]], "FILEPATH: /etc/cron.d/ntds.dit": [[233, 253]], "IP_ADDRESS: 139.252.106.93": [[299, 313]], "DOMAIN: apisync.site": [[318, 330]], "EMAIL: confirm@urgent-notice.online": [[375, 403]], "FILEPATH: /dev/shm/backdoor.elf": [[410, 431]], "HASH: 75d479a2be58f83ef38848c0e221d28d859e43472515b31e57acee3d82bf0bf7": [[441, 505]], "URL: https://mailnode.xyz/panel/index.html": [[560, 597]], "IP_ADDRESS: 65.190.112.66": [[610, 623]], "HASH: f02a9b799e6d1eabb5f60cfe168de6752daeea4e": [[656, 696]]}, "info": {"id": "synth_v2_01105", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed PowerShell Empire artifacts at /tmp/agent.py. Memory dump analysis confirmed execution of Mimikatz. Registry modifications pointed to persistence via /var/tmp/csrss.exe. Network forensics identified connections to 172.200.153.133 and proxymail.io. Email headers traced the initial vector to account@document-share.link. File C:\\Program Files\\Common Files\\config.dat (MD5: d0150deab73bd97fbc6d611bc202e58e) was identified as the initial dropper. A staging URL http://datasecure.link/collect resolved to 62.78.15.221. 
Secondary artifact hash: MD5: bf607140b8bb36bafa54a198d8ab8e65.", "spans": {"TOOL: PowerShell Empire": [[72, 89]], "FILEPATH: /tmp/agent.py": [[103, 116]], "TOOL: Mimikatz": [[162, 170]], "FILEPATH: /var/tmp/csrss.exe": [[222, 240]], "IP_ADDRESS: 172.200.153.133": [[286, 301]], "DOMAIN: proxymail.io": [[306, 318]], "EMAIL: account@document-share.link": [[363, 390]], "FILEPATH: C:\\Program Files\\Common Files\\config.dat": [[397, 437]], "HASH: d0150deab73bd97fbc6d611bc202e58e": [[444, 476]], "URL: http://datasecure.link/collect": [[531, 561]], "IP_ADDRESS: 62.78.15.221": [[574, 586]], "HASH: bf607140b8bb36bafa54a198d8ab8e65": [[618, 650]]}, "info": {"id": "synth_v2_01106", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed LinPEAS artifacts at /tmp/backdoor.elf. Memory dump analysis confirmed execution of Covenant. Registry modifications pointed to persistence via /home/user/.config/helper.sh. Network forensics identified connections to 172.12.156.82 and portalrelay.org. Email headers traced the initial vector to admin@phishing-domain.com. File C:\\Program Files\\Common Files\\implant.so (SHA1: 86122be981bc302f825671bde6ef44e37d8daaf7) was identified as the initial dropper. A staging URL hxxp://cloudsync.org/collect resolved to 172.16.89.137. 
Secondary artifact hash: MD5: 32962f203d09618932e00aabcc76fc1d.", "spans": {"TOOL: LinPEAS": [[72, 79]], "FILEPATH: /tmp/backdoor.elf": [[93, 110]], "TOOL: Covenant": [[156, 164]], "FILEPATH: /home/user/.config/helper.sh": [[216, 244]], "IP_ADDRESS: 172.12.156.82": [[290, 303]], "DOMAIN: portalrelay.org": [[308, 323]], "EMAIL: admin@phishing-domain.com": [[368, 393]], "FILEPATH: C:\\Program Files\\Common Files\\implant.so": [[400, 440]], "HASH: 86122be981bc302f825671bde6ef44e37d8daaf7": [[448, 488]], "URL: hxxp://cloudsync.org/collect": [[543, 571]], "IP_ADDRESS: 172.16.89.137": [[584, 597]], "HASH: 32962f203d09618932e00aabcc76fc1d": [[629, 661]]}, "info": {"id": "synth_v2_01107", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed PowerView artifacts at C:\\Users\\admin\\AppData\\Local\\Temp\\sam.hive. Memory dump analysis confirmed execution of CrackMapExec. Registry modifications pointed to persistence via C:\\Windows\\Tasks\\helper.sh. Network forensics identified connections to 163.176.2.62 and authmail.com. Email headers traced the initial vector to admin@mail-service.info. File /dev/shm/payload.bin (SHA1: 6cf5d77a31ee288115c7b547596ca87d6f227e1b) was identified as the initial dropper. A staging URL hxxps://updatesecure.io/portal/verify resolved to 10.215.70.86. 
Secondary artifact hash: MD5: 0ff06103cedfb88b2c4743ad1740e274.", "spans": {"TOOL: PowerView": [[72, 81]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\sam.hive": [[95, 137]], "TOOL: CrackMapExec": [[183, 195]], "FILEPATH: C:\\Windows\\Tasks\\helper.sh": [[247, 273]], "IP_ADDRESS: 163.176.2.62": [[319, 331]], "DOMAIN: authmail.com": [[336, 348]], "EMAIL: admin@mail-service.info": [[393, 416]], "FILEPATH: /dev/shm/payload.bin": [[423, 443]], "HASH: 6cf5d77a31ee288115c7b547596ca87d6f227e1b": [[451, 491]], "URL: hxxps://updatesecure.io/portal/verify": [[546, 583]], "IP_ADDRESS: 10.215.70.86": [[596, 608]], "HASH: 0ff06103cedfb88b2c4743ad1740e274": [[640, 672]]}, "info": {"id": "synth_v2_01108", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Nmap artifacts at /tmp/winlogon.exe. Memory dump analysis confirmed execution of Havoc. Registry modifications pointed to persistence via /var/tmp/chrome_helper.exe. Network forensics identified connections to 10.251.169.49 and mail-cache.com. Email headers traced the initial vector to security@identity-verify.cc. File C:\\Windows\\System32\\sam.hive (SHA1: debf7e4f98336905b5118d23d96b3e65c1aed2fa) was identified as the initial dropper. A staging URL https://securerelay.live/download/update.exe resolved to 192.51.57.37. 
Secondary artifact hash: MD5: 86248dac92592a9c25c1e1d013f29e1e.", "spans": {"TOOL: Nmap": [[72, 76]], "FILEPATH: /tmp/winlogon.exe": [[90, 107]], "TOOL: Havoc": [[153, 158]], "FILEPATH: /var/tmp/chrome_helper.exe": [[210, 236]], "IP_ADDRESS: 10.251.169.49": [[282, 295]], "DOMAIN: mail-cache.com": [[300, 314]], "EMAIL: security@identity-verify.cc": [[359, 386]], "FILEPATH: C:\\Windows\\System32\\sam.hive": [[393, 421]], "HASH: debf7e4f98336905b5118d23d96b3e65c1aed2fa": [[429, 469]], "URL: https://securerelay.live/download/update.exe": [[524, 568]], "IP_ADDRESS: 192.51.57.37": [[581, 593]], "HASH: 86248dac92592a9c25c1e1d013f29e1e": [[625, 657]]}, "info": {"id": "synth_v2_01109", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Merlin artifacts at C:\\Program Files\\Common Files\\lsass.dmp. Memory dump analysis confirmed execution of Sharphound. Registry modifications pointed to persistence via C:\\Users\\admin\\Downloads\\csrss.exe. Network forensics identified connections to 58.98.179.90 and cdnstatic.live. Email headers traced the initial vector to info@document-share.link. File C:\\Users\\Public\\Documents\\update.dll (SHA1: b94d93a5fb42d02c93f10c8bf0c8c1a3b4262bb1) was identified as the initial dropper. A staging URL http://storage-auth.net/admin/config resolved to 88.41.132.162. 
Secondary artifact hash: MD5: 631f801b13c48003ca98262149cd9238.", "spans": {"TOOL: Merlin": [[72, 78]], "FILEPATH: C:\\Program Files\\Common Files\\lsass.dmp": [[92, 131]], "TOOL: Sharphound": [[177, 187]], "FILEPATH: C:\\Users\\admin\\Downloads\\csrss.exe": [[239, 273]], "IP_ADDRESS: 58.98.179.90": [[319, 331]], "DOMAIN: cdnstatic.live": [[336, 350]], "EMAIL: info@document-share.link": [[395, 419]], "FILEPATH: C:\\Users\\Public\\Documents\\update.dll": [[426, 462]], "HASH: b94d93a5fb42d02c93f10c8bf0c8c1a3b4262bb1": [[470, 510]], "URL: http://storage-auth.net/admin/config": [[565, 601]], "IP_ADDRESS: 88.41.132.162": [[614, 627]], "HASH: 631f801b13c48003ca98262149cd9238": [[659, 691]]}, "info": {"id": "synth_v2_01110", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Covenant artifacts at /home/user/.config/csrss.exe. Memory dump analysis confirmed execution of CrackMapExec. Registry modifications pointed to persistence via /etc/cron.d/winlogon.exe. Network forensics identified connections to 35.242.95.140 and syncportal.net. Email headers traced the initial vector to info@auth-check.org. File /var/tmp/sam.hive (SHA1: 1076081d3c86a6b206b8fdd633df129e93b8446d) was identified as the initial dropper. A staging URL hxxp://mailgateway.club/callback resolved to 172.233.102.64. 
Secondary artifact hash: SHA256: c4ce8f71359818bf567a3623886bf75a36678f4055a693531481182d6ea4900e.", "spans": {"TOOL: Covenant": [[72, 80]], "FILEPATH: /home/user/.config/csrss.exe": [[94, 122]], "TOOL: CrackMapExec": [[168, 180]], "FILEPATH: /etc/cron.d/winlogon.exe": [[232, 256]], "IP_ADDRESS: 35.242.95.140": [[302, 315]], "DOMAIN: syncportal.net": [[320, 334]], "EMAIL: info@auth-check.org": [[379, 398]], "FILEPATH: /var/tmp/sam.hive": [[405, 422]], "HASH: 1076081d3c86a6b206b8fdd633df129e93b8446d": [[430, 470]], "URL: hxxp://mailgateway.club/callback": [[525, 557]], "IP_ADDRESS: 172.233.102.64": [[570, 584]], "HASH: c4ce8f71359818bf567a3623886bf75a36678f4055a693531481182d6ea4900e": [[619, 683]]}, "info": {"id": "synth_v2_01111", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Sliver artifacts at /usr/local/bin/taskhost.exe. Memory dump analysis confirmed execution of PsExec. Registry modifications pointed to persistence via C:\\Users\\admin\\Downloads\\ntds.dit. Network forensics identified connections to 192.226.200.41 and api-static.live. Email headers traced the initial vector to admin@login-portal.tech. File C:\\Windows\\Temp\\loader.exe (MD5: 672fc99dd0e2128936dcc7dd4e2c6743) was identified as the initial dropper. A staging URL http://apigateway.club/login resolved to 192.30.217.147. 
Secondary artifact hash: SHA1: 06a905d934739f42947e20585f64dd2282c24c40.", "spans": {"TOOL: Sliver": [[72, 78]], "FILEPATH: /usr/local/bin/taskhost.exe": [[92, 119]], "TOOL: PsExec": [[165, 171]], "FILEPATH: C:\\Users\\admin\\Downloads\\ntds.dit": [[223, 256]], "IP_ADDRESS: 192.226.200.41": [[302, 316]], "DOMAIN: api-static.live": [[321, 336]], "EMAIL: admin@login-portal.tech": [[381, 404]], "FILEPATH: C:\\Windows\\Temp\\loader.exe": [[411, 437]], "HASH: 672fc99dd0e2128936dcc7dd4e2c6743": [[444, 476]], "URL: http://apigateway.club/login": [[531, 559]], "IP_ADDRESS: 192.30.217.147": [[572, 586]], "HASH: 06a905d934739f42947e20585f64dd2282c24c40": [[619, 659]]}, "info": {"id": "synth_v2_01112", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Havoc artifacts at /home/user/.config/winlogon.exe. Memory dump analysis confirmed execution of Merlin. Registry modifications pointed to persistence via C:\\Users\\admin\\AppData\\Local\\Temp\\winlogon.exe. Network forensics identified connections to 113.116.51.243 and backup-node.tech. Email headers traced the initial vector to info@mail-service.info. File C:\\Windows\\System32\\payload.bin (SHA1: a8e8efc33eb8468d23ed3d20b890f128c179e8ed) was identified as the initial dropper. A staging URL hxxp://cdn-login.tech/callback resolved to 10.143.117.212. 
Secondary artifact hash: SHA1: 663254acc13c6c7e14596ef3875b4dd07c6d16d7.", "spans": {"TOOL: Havoc": [[72, 77]], "FILEPATH: /home/user/.config/winlogon.exe": [[91, 122]], "TOOL: Merlin": [[168, 174]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\winlogon.exe": [[226, 272]], "IP_ADDRESS: 113.116.51.243": [[318, 332]], "DOMAIN: backup-node.tech": [[337, 353]], "EMAIL: info@mail-service.info": [[398, 420]], "FILEPATH: C:\\Windows\\System32\\payload.bin": [[427, 458]], "HASH: a8e8efc33eb8468d23ed3d20b890f128c179e8ed": [[466, 506]], "URL: hxxp://cdn-login.tech/callback": [[561, 591]], "IP_ADDRESS: 10.143.117.212": [[604, 618]], "HASH: 663254acc13c6c7e14596ef3875b4dd07c6d16d7": [[651, 691]]}, "info": {"id": "synth_v2_01113", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed BITSAdmin artifacts at /home/user/.config/csrss.exe. Memory dump analysis confirmed execution of Mimikatz. Registry modifications pointed to persistence via C:\\Users\\admin\\AppData\\Local\\Temp\\payload.bin. Network forensics identified connections to 34.241.185.197 and auth-storage.info. Email headers traced the initial vector to finance@mail-service.info. File C:\\Users\\admin\\Downloads\\helper.sh (SHA256: 3b32cba1e085a0f4543bc4938f2408139d00ea09e1882c54c6006a7ac4cc8e0e) was identified as the initial dropper. A staging URL hxxp://api-node.live/admin/config resolved to 114.193.238.48. 
Secondary artifact hash: SHA256: 0c218a3ada1c81616585140490276368681735988cc27b7e3a8f413afd6dcb87.", "spans": {"TOOL: BITSAdmin": [[72, 81]], "FILEPATH: /home/user/.config/csrss.exe": [[95, 123]], "TOOL: Mimikatz": [[169, 177]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\payload.bin": [[229, 274]], "IP_ADDRESS: 34.241.185.197": [[320, 334]], "DOMAIN: auth-storage.info": [[339, 356]], "EMAIL: finance@mail-service.info": [[401, 426]], "FILEPATH: C:\\Users\\admin\\Downloads\\helper.sh": [[433, 467]], "HASH: 3b32cba1e085a0f4543bc4938f2408139d00ea09e1882c54c6006a7ac4cc8e0e": [[477, 541]], "URL: hxxp://api-node.live/admin/config": [[596, 629]], "IP_ADDRESS: 114.193.238.48": [[642, 656]], "HASH: 0c218a3ada1c81616585140490276368681735988cc27b7e3a8f413afd6dcb87": [[691, 755]]}, "info": {"id": "synth_v2_01114", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Ligolo artifacts at /home/user/.config/helper.sh. Memory dump analysis confirmed execution of Mythic. Registry modifications pointed to persistence via C:\\Program Files\\Common Files\\implant.so. Network forensics identified connections to 192.247.247.31 and relay-static.org. Email headers traced the initial vector to ceo@secure-verify.net. File /etc/cron.d/helper.sh (SHA256: bc00a75cb4707d719398fadb1fd7602a41c8f76d56a538c2770f23bba93448b8) was identified as the initial dropper. A staging URL hxxps://cloudsecure.io/callback resolved to 172.8.208.38. 
Secondary artifact hash: SHA256: 9e834e48b2c2ddb6c002d2b3183ef6877e95570801d79a1ae42ab2ca2404880d.", "spans": {"TOOL: Ligolo": [[72, 78]], "FILEPATH: /home/user/.config/helper.sh": [[92, 120]], "TOOL: Mythic": [[166, 172]], "FILEPATH: C:\\Program Files\\Common Files\\implant.so": [[224, 264]], "IP_ADDRESS: 192.247.247.31": [[310, 324]], "DOMAIN: relay-static.org": [[329, 345]], "EMAIL: ceo@secure-verify.net": [[390, 411]], "FILEPATH: /etc/cron.d/helper.sh": [[418, 439]], "HASH: bc00a75cb4707d719398fadb1fd7602a41c8f76d56a538c2770f23bba93448b8": [[449, 513]], "URL: hxxps://cloudsecure.io/callback": [[568, 599]], "IP_ADDRESS: 172.8.208.38": [[612, 624]], "HASH: 9e834e48b2c2ddb6c002d2b3183ef6877e95570801d79a1ae42ab2ca2404880d": [[659, 723]]}, "info": {"id": "synth_v2_01115", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Seatbelt artifacts at C:\\Windows\\System32\\implant.so. Memory dump analysis confirmed execution of Mimikatz. Registry modifications pointed to persistence via C:\\ProgramData\\update.dll. Network forensics identified connections to 10.126.203.146 and gatewayproxy.net. Email headers traced the initial vector to it@account-update.xyz. File /dev/shm/helper.sh (SHA1: 1fcc6ed43c2a71725e33e122ad36cbc0106159aa) was identified as the initial dropper. A staging URL https://proxyupdate.online/secure/token resolved to 172.226.111.174. 
Secondary artifact hash: SHA256: 66eb685f5bb0ca01e7c0a78c71f5b609cc4a308f788c398925e88831cd679d88.", "spans": {"TOOL: Seatbelt": [[72, 80]], "FILEPATH: C:\\Windows\\System32\\implant.so": [[94, 124]], "TOOL: Mimikatz": [[170, 178]], "FILEPATH: C:\\ProgramData\\update.dll": [[230, 255]], "IP_ADDRESS: 10.126.203.146": [[301, 315]], "DOMAIN: gatewayproxy.net": [[320, 336]], "EMAIL: it@account-update.xyz": [[381, 402]], "FILEPATH: /dev/shm/helper.sh": [[409, 427]], "HASH: 1fcc6ed43c2a71725e33e122ad36cbc0106159aa": [[435, 475]], "URL: https://proxyupdate.online/secure/token": [[530, 569]], "IP_ADDRESS: 172.226.111.174": [[582, 597]], "HASH: 66eb685f5bb0ca01e7c0a78c71f5b609cc4a308f788c398925e88831cd679d88": [[632, 696]]}, "info": {"id": "synth_v2_01116", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Chisel artifacts at C:\\ProgramData\\csrss.exe. Memory dump analysis confirmed execution of Mythic. Registry modifications pointed to persistence via /tmp/update.dll. Network forensics identified connections to 10.3.67.199 and cloud-backup.top. Email headers traced the initial vector to support@account-update.xyz. File /usr/local/bin/backdoor.elf (MD5: 07c8a765c53befd52b71c101e95dd825) was identified as the initial dropper. A staging URL http://nodeportal.online/login resolved to 191.124.253.143. 
Secondary artifact hash: SHA256: 92ffe7d857c20a3b8186b23a4a4150d47507f3f97662e749f6867616648e836a.", "spans": {"TOOL: Chisel": [[72, 78]], "FILEPATH: C:\\ProgramData\\csrss.exe": [[92, 116]], "TOOL: Mythic": [[162, 168]], "FILEPATH: /tmp/update.dll": [[220, 235]], "IP_ADDRESS: 10.3.67.199": [[281, 292]], "DOMAIN: cloud-backup.top": [[297, 313]], "EMAIL: support@account-update.xyz": [[358, 384]], "FILEPATH: /usr/local/bin/backdoor.elf": [[391, 418]], "HASH: 07c8a765c53befd52b71c101e95dd825": [[425, 457]], "URL: http://nodeportal.online/login": [[512, 542]], "IP_ADDRESS: 191.124.253.143": [[555, 570]], "HASH: 92ffe7d857c20a3b8186b23a4a4150d47507f3f97662e749f6867616648e836a": [[605, 669]]}, "info": {"id": "synth_v2_01117", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed BloodHound artifacts at /var/tmp/update.dll. Memory dump analysis confirmed execution of Impacket. Registry modifications pointed to persistence via /usr/local/bin/svchost.exe. Network forensics identified connections to 174.178.152.161 and edgenode.net. Email headers traced the initial vector to helpdesk@urgent-notice.online. File /tmp/backdoor.elf (MD5: 79d7d3fb55602d8fa529e53928a26e6a) was identified as the initial dropper. A staging URL hxxps://relay-secure.net/secure/token resolved to 192.74.122.202. 
Secondary artifact hash: SHA1: afac24953001f6ffa8a2beff87f277daec95b7f0.", "spans": {"TOOL: BloodHound": [[72, 82]], "FILEPATH: /var/tmp/update.dll": [[96, 115]], "TOOL: Impacket": [[161, 169]], "FILEPATH: /usr/local/bin/svchost.exe": [[221, 247]], "IP_ADDRESS: 174.178.152.161": [[293, 308]], "DOMAIN: edgenode.net": [[313, 325]], "EMAIL: helpdesk@urgent-notice.online": [[370, 399]], "FILEPATH: /tmp/backdoor.elf": [[406, 423]], "HASH: 79d7d3fb55602d8fa529e53928a26e6a": [[430, 462]], "URL: hxxps://relay-secure.net/secure/token": [[517, 554]], "IP_ADDRESS: 192.74.122.202": [[567, 581]], "HASH: afac24953001f6ffa8a2beff87f277daec95b7f0": [[614, 654]]}, "info": {"id": "synth_v2_01118", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Certutil artifacts at C:\\Users\\Public\\Documents\\helper.sh. Memory dump analysis confirmed execution of LinPEAS. Registry modifications pointed to persistence via /var/tmp/backdoor.elf. Network forensics identified connections to 41.76.1.26 and secure-cdn.link. Email headers traced the initial vector to billing@secure-verify.net. File C:\\Users\\admin\\Desktop\\update.dll (SHA256: 43e8dcd50f74e891d97bb67aa31d7b105110fddf89e0a9e92f11ff80c9fd19b4) was identified as the initial dropper. A staging URL http://nodeauth.club/wp-content/uploads/doc.php resolved to 192.86.185.204. 
Secondary artifact hash: SHA1: ca9aea6ae641689061742546886bc006a93dc7a8.", "spans": {"TOOL: Certutil": [[72, 80]], "FILEPATH: C:\\Users\\Public\\Documents\\helper.sh": [[94, 129]], "TOOL: LinPEAS": [[175, 182]], "FILEPATH: /var/tmp/backdoor.elf": [[234, 255]], "IP_ADDRESS: 41.76.1.26": [[301, 311]], "DOMAIN: secure-cdn.link": [[316, 331]], "EMAIL: billing@secure-verify.net": [[376, 401]], "FILEPATH: C:\\Users\\admin\\Desktop\\update.dll": [[408, 441]], "HASH: 43e8dcd50f74e891d97bb67aa31d7b105110fddf89e0a9e92f11ff80c9fd19b4": [[451, 515]], "URL: http://nodeauth.club/wp-content/uploads/doc.php": [[570, 617]], "IP_ADDRESS: 192.86.185.204": [[630, 644]], "HASH: ca9aea6ae641689061742546886bc006a93dc7a8": [[677, 717]]}, "info": {"id": "synth_v2_01119", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Chisel artifacts at C:\\Program Files\\Common Files\\svchost.exe. Memory dump analysis confirmed execution of CrackMapExec. Registry modifications pointed to persistence via /var/tmp/dropper.ps1. Network forensics identified connections to 154.6.238.192 and cdn-cdn.com. Email headers traced the initial vector to info@mail-service.info. File C:\\ProgramData\\beacon.dll (SHA256: 78f1abc36baf1fcc18c60e40afbdc51df37d449b782dd2ac9e5ebfe0767497f2) was identified as the initial dropper. A staging URL hxxps://cdn-proxy.dev/gate.php resolved to 166.248.219.124. 
Secondary artifact hash: SHA1: 6a1333cc93bceea9367a959275a655f96ac9748c.", "spans": {"TOOL: Chisel": [[72, 78]], "FILEPATH: C:\\Program Files\\Common Files\\svchost.exe": [[92, 133]], "TOOL: CrackMapExec": [[179, 191]], "FILEPATH: /var/tmp/dropper.ps1": [[243, 263]], "IP_ADDRESS: 154.6.238.192": [[309, 322]], "DOMAIN: cdn-cdn.com": [[327, 338]], "EMAIL: info@mail-service.info": [[383, 405]], "FILEPATH: C:\\ProgramData\\beacon.dll": [[412, 437]], "HASH: 78f1abc36baf1fcc18c60e40afbdc51df37d449b782dd2ac9e5ebfe0767497f2": [[447, 511]], "URL: hxxps://cdn-proxy.dev/gate.php": [[566, 596]], "IP_ADDRESS: 166.248.219.124": [[609, 624]], "HASH: 6a1333cc93bceea9367a959275a655f96ac9748c": [[657, 697]]}, "info": {"id": "synth_v2_01120", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Nmap artifacts at C:\\Users\\Public\\Documents\\ntds.dit. Memory dump analysis confirmed execution of GhostPack. Registry modifications pointed to persistence via /var/tmp/backdoor.elf. Network forensics identified connections to 27.92.110.118 and cache-api.cc. Email headers traced the initial vector to finance@auth-check.org. File /etc/cron.d/svchost.exe (SHA1: 97b6f18343f6815ffcdcbffe6e6cc8b043fce58a) was identified as the initial dropper. A staging URL http://mailgateway.cc/download/update.exe resolved to 192.190.41.196. 
Secondary artifact hash: SHA1: f98eb835a4cfea8b144ac9ddd2a5e064384fcb4d.", "spans": {"TOOL: Nmap": [[72, 76]], "FILEPATH: C:\\Users\\Public\\Documents\\ntds.dit": [[90, 124]], "TOOL: GhostPack": [[170, 179]], "FILEPATH: /var/tmp/backdoor.elf": [[231, 252]], "IP_ADDRESS: 27.92.110.118": [[298, 311]], "DOMAIN: cache-api.cc": [[316, 328]], "EMAIL: finance@auth-check.org": [[373, 395]], "FILEPATH: /etc/cron.d/svchost.exe": [[402, 425]], "HASH: 97b6f18343f6815ffcdcbffe6e6cc8b043fce58a": [[433, 473]], "URL: http://mailgateway.cc/download/update.exe": [[528, 569]], "IP_ADDRESS: 192.190.41.196": [[582, 596]], "HASH: f98eb835a4cfea8b144ac9ddd2a5e064384fcb4d": [[629, 669]]}, "info": {"id": "synth_v2_01121", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Chisel artifacts at C:\\Users\\admin\\Desktop\\csrss.exe. Memory dump analysis confirmed execution of Ligolo. Registry modifications pointed to persistence via /opt/app/bin/lsass.dmp. Network forensics identified connections to 128.40.120.113 and gateway-data.cc. Email headers traced the initial vector to alert@account-update.xyz. File C:\\Users\\Public\\Documents\\implant.so (SHA256: 403bda1b5a63a0daa61c4dc0e67620662e09dd36ad7988bc99449fb97baf170d) was identified as the initial dropper. A staging URL hxxp://portalrelay.io/login resolved to 188.59.212.193. 
Secondary artifact hash: MD5: 63df7a51ded305d1a681b7aab547dfc5.", "spans": {"TOOL: Chisel": [[72, 78]], "FILEPATH: C:\\Users\\admin\\Desktop\\csrss.exe": [[92, 124]], "TOOL: Ligolo": [[170, 176]], "FILEPATH: /opt/app/bin/lsass.dmp": [[228, 250]], "IP_ADDRESS: 128.40.120.113": [[296, 310]], "DOMAIN: gateway-data.cc": [[315, 330]], "EMAIL: alert@account-update.xyz": [[375, 399]], "FILEPATH: C:\\Users\\Public\\Documents\\implant.so": [[406, 442]], "HASH: 403bda1b5a63a0daa61c4dc0e67620662e09dd36ad7988bc99449fb97baf170d": [[452, 516]], "URL: hxxp://portalrelay.io/login": [[571, 598]], "IP_ADDRESS: 188.59.212.193": [[611, 625]], "HASH: 63df7a51ded305d1a681b7aab547dfc5": [[657, 689]]}, "info": {"id": "synth_v2_01122", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Ligolo artifacts at /etc/cron.d/csrss.exe. Memory dump analysis confirmed execution of Mythic. Registry modifications pointed to persistence via /dev/shm/runtime.dll. Network forensics identified connections to 192.146.23.43 and backup-backup.link. Email headers traced the initial vector to service@account-update.xyz. File C:\\Windows\\Tasks\\taskhost.exe (SHA256: 1ff87a3242603df5ce3ddba89cc5f2f31079c78864870f82fc55c1c768413c65) was identified as the initial dropper. A staging URL hxxp://gatewaycloud.club/login resolved to 10.147.194.247. 
Secondary artifact hash: SHA1: 24190d58ef6ef86fbaa35fd3ea497f19b60589e8.", "spans": {"TOOL: Ligolo": [[72, 78]], "FILEPATH: /etc/cron.d/csrss.exe": [[92, 113]], "TOOL: Mythic": [[159, 165]], "FILEPATH: /dev/shm/runtime.dll": [[217, 237]], "IP_ADDRESS: 192.146.23.43": [[283, 296]], "DOMAIN: backup-backup.link": [[301, 319]], "EMAIL: service@account-update.xyz": [[364, 390]], "FILEPATH: C:\\Windows\\Tasks\\taskhost.exe": [[397, 426]], "HASH: 1ff87a3242603df5ce3ddba89cc5f2f31079c78864870f82fc55c1c768413c65": [[436, 500]], "URL: hxxp://gatewaycloud.club/login": [[555, 585]], "IP_ADDRESS: 10.147.194.247": [[598, 612]], "HASH: 24190d58ef6ef86fbaa35fd3ea497f19b60589e8": [[645, 685]]}, "info": {"id": "synth_v2_01123", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Mythic artifacts at /home/user/.config/taskhost.exe. Memory dump analysis confirmed execution of Merlin. Registry modifications pointed to persistence via C:\\ProgramData\\sam.hive. Network forensics identified connections to 192.52.191.48 and edgegateway.xyz. Email headers traced the initial vector to contact@mail-service.info. File C:\\Program Files\\Common Files\\taskhost.exe (SHA1: 9db30425e0da60608dbfb1058edc02feef683f4f) was identified as the initial dropper. A staging URL https://updatesync.site/callback resolved to 131.116.57.154. 
Secondary artifact hash: MD5: 76c58d3f7effd27ed16bca1f3ea2afa1.", "spans": {"TOOL: Mythic": [[72, 78]], "FILEPATH: /home/user/.config/taskhost.exe": [[92, 123]], "TOOL: Merlin": [[169, 175]], "FILEPATH: C:\\ProgramData\\sam.hive": [[227, 250]], "IP_ADDRESS: 192.52.191.48": [[296, 309]], "DOMAIN: edgegateway.xyz": [[314, 329]], "EMAIL: contact@mail-service.info": [[374, 399]], "FILEPATH: C:\\Program Files\\Common Files\\taskhost.exe": [[406, 448]], "HASH: 9db30425e0da60608dbfb1058edc02feef683f4f": [[456, 496]], "URL: https://updatesync.site/callback": [[551, 583]], "IP_ADDRESS: 131.116.57.154": [[596, 610]], "HASH: 76c58d3f7effd27ed16bca1f3ea2afa1": [[642, 674]]}, "info": {"id": "synth_v2_01124", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Rubeus artifacts at C:\\Users\\admin\\Desktop\\shell.php. Memory dump analysis confirmed execution of LinPEAS. Registry modifications pointed to persistence via /dev/shm/svchost.exe. Network forensics identified connections to 10.14.142.139 and api-mail.cc. Email headers traced the initial vector to noreply@document-share.link. File /tmp/lsass.dmp (SHA1: 63c17df861124a09243259db7690ccdefcd5e78b) was identified as the initial dropper. A staging URL hxxps://secure-proxy.dev/callback resolved to 172.116.205.187. 
Secondary artifact hash: SHA1: 3ecdd1811d7a860a0768ce80e12ee475ab7eb51b.", "spans": {"TOOL: Rubeus": [[72, 78]], "FILEPATH: C:\\Users\\admin\\Desktop\\shell.php": [[92, 124]], "TOOL: LinPEAS": [[170, 177]], "FILEPATH: /dev/shm/svchost.exe": [[229, 249]], "IP_ADDRESS: 10.14.142.139": [[295, 308]], "DOMAIN: api-mail.cc": [[313, 324]], "EMAIL: noreply@document-share.link": [[369, 396]], "FILEPATH: /tmp/lsass.dmp": [[403, 417]], "HASH: 63c17df861124a09243259db7690ccdefcd5e78b": [[425, 465]], "URL: hxxps://secure-proxy.dev/callback": [[520, 553]], "IP_ADDRESS: 172.116.205.187": [[566, 581]], "HASH: 3ecdd1811d7a860a0768ce80e12ee475ab7eb51b": [[614, 654]]}, "info": {"id": "synth_v2_01125", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Mimikatz artifacts at /opt/app/bin/implant.so. Memory dump analysis confirmed execution of Impacket. Registry modifications pointed to persistence via /var/tmp/backdoor.elf. Network forensics identified connections to 191.74.48.21 and authnode.xyz. Email headers traced the initial vector to confirm@secure-verify.net. File C:\\ProgramData\\update.dll (MD5: a51ce9d7bfc3d1a998e514ed328dea07) was identified as the initial dropper. A staging URL hxxps://cacheportal.top/gate.php resolved to 44.65.80.72. 
Secondary artifact hash: SHA256: 74255276c5eeb7477976357672b8b3c4ac77008e32f6d624d0521836445f1d2d.", "spans": {"TOOL: Mimikatz": [[72, 80]], "FILEPATH: /opt/app/bin/implant.so": [[94, 117]], "TOOL: Impacket": [[163, 171]], "FILEPATH: /var/tmp/backdoor.elf": [[223, 244]], "IP_ADDRESS: 191.74.48.21": [[290, 302]], "DOMAIN: authnode.xyz": [[307, 319]], "EMAIL: confirm@secure-verify.net": [[364, 389]], "FILEPATH: C:\\ProgramData\\update.dll": [[396, 421]], "HASH: a51ce9d7bfc3d1a998e514ed328dea07": [[428, 460]], "URL: hxxps://cacheportal.top/gate.php": [[515, 547]], "IP_ADDRESS: 44.65.80.72": [[560, 571]], "HASH: 74255276c5eeb7477976357672b8b3c4ac77008e32f6d624d0521836445f1d2d": [[606, 670]]}, "info": {"id": "synth_v2_01126", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Hashcat artifacts at /opt/app/bin/sam.hive. Memory dump analysis confirmed execution of Sliver. Registry modifications pointed to persistence via /usr/local/bin/shell.php. Network forensics identified connections to 160.29.161.42 and edgegateway.link. Email headers traced the initial vector to it@urgent-notice.online. File /dev/shm/agent.py (SHA1: e52e3e70f2b284a36b76249b59c647fad1fde353) was identified as the initial dropper. A staging URL hxxps://edge-static.io/login resolved to 10.251.63.29. 
Secondary artifact hash: SHA1: 6281e7febc12a977bc81e7f9a50c2c5d7d344868.", "spans": {"TOOL: Hashcat": [[72, 79]], "FILEPATH: /opt/app/bin/sam.hive": [[93, 114]], "TOOL: Sliver": [[160, 166]], "FILEPATH: /usr/local/bin/shell.php": [[218, 242]], "IP_ADDRESS: 160.29.161.42": [[288, 301]], "DOMAIN: edgegateway.link": [[306, 322]], "EMAIL: it@urgent-notice.online": [[367, 390]], "FILEPATH: /dev/shm/agent.py": [[397, 414]], "HASH: e52e3e70f2b284a36b76249b59c647fad1fde353": [[422, 462]], "URL: hxxps://edge-static.io/login": [[517, 545]], "IP_ADDRESS: 10.251.63.29": [[558, 570]], "HASH: 6281e7febc12a977bc81e7f9a50c2c5d7d344868": [[603, 643]]}, "info": {"id": "synth_v2_01127", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed ADFind artifacts at C:\\Program Files\\Common Files\\chrome_helper.exe. Memory dump analysis confirmed execution of Burp Suite. Registry modifications pointed to persistence via /dev/shm/runtime.dll. Network forensics identified connections to 52.48.86.153 and gateway-auth.site. Email headers traced the initial vector to report@identity-verify.cc. File /opt/app/bin/ntds.dit (SHA256: 88ca2dd3ec81c86f2114fbddcb8151db2453760a558b04144503a272ca2ca17b) was identified as the initial dropper. A staging URL hxxps://proxy-edge.io/api/v2/auth resolved to 94.180.229.210. 
Secondary artifact hash: SHA256: 8b78809a9833591a016a08cb09f918bb93d5f70fa81eaddd81e6d2cfe50f6fa9.", "spans": {"TOOL: ADFind": [[72, 78]], "FILEPATH: C:\\Program Files\\Common Files\\chrome_helper.exe": [[92, 139]], "TOOL: Burp Suite": [[185, 195]], "FILEPATH: /dev/shm/runtime.dll": [[247, 267]], "IP_ADDRESS: 52.48.86.153": [[313, 325]], "DOMAIN: gateway-auth.site": [[330, 347]], "EMAIL: report@identity-verify.cc": [[392, 417]], "FILEPATH: /opt/app/bin/ntds.dit": [[424, 445]], "HASH: 88ca2dd3ec81c86f2114fbddcb8151db2453760a558b04144503a272ca2ca17b": [[455, 519]], "URL: hxxps://proxy-edge.io/api/v2/auth": [[574, 607]], "IP_ADDRESS: 94.180.229.210": [[620, 634]], "HASH: 8b78809a9833591a016a08cb09f918bb93d5f70fa81eaddd81e6d2cfe50f6fa9": [[669, 733]]}, "info": {"id": "synth_v2_01128", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Merlin artifacts at /tmp/loader.exe. Memory dump analysis confirmed execution of Metasploit. Registry modifications pointed to persistence via C:\\Users\\admin\\AppData\\Local\\Temp\\lsass.dmp. Network forensics identified connections to 172.39.218.254 and datacloud.site. Email headers traced the initial vector to helpdesk@secure-verify.net. File C:\\Users\\admin\\Downloads\\update.dll (SHA256: ea5b38c145be6e88f5a14b1569e80f6a597f2f297279b70ab2f0b64eb6aa37c6) was identified as the initial dropper. A staging URL https://staticnode.tech/collect resolved to 90.96.87.30. 
Secondary artifact hash: SHA256: 1b813fe60298c2d99f225b8fbb2e8a5841b1376ee5daf888c0bb4384ab98a869.", "spans": {"TOOL: Merlin": [[72, 78]], "FILEPATH: /tmp/loader.exe": [[92, 107]], "TOOL: Metasploit": [[153, 163]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\lsass.dmp": [[215, 258]], "IP_ADDRESS: 172.39.218.254": [[304, 318]], "DOMAIN: datacloud.site": [[323, 337]], "EMAIL: helpdesk@secure-verify.net": [[382, 408]], "FILEPATH: C:\\Users\\admin\\Downloads\\update.dll": [[415, 450]], "HASH: ea5b38c145be6e88f5a14b1569e80f6a597f2f297279b70ab2f0b64eb6aa37c6": [[460, 524]], "URL: https://staticnode.tech/collect": [[579, 610]], "IP_ADDRESS: 90.96.87.30": [[623, 634]], "HASH: 1b813fe60298c2d99f225b8fbb2e8a5841b1376ee5daf888c0bb4384ab98a869": [[669, 733]]}, "info": {"id": "synth_v2_01129", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed BITSAdmin artifacts at C:\\Users\\admin\\AppData\\Local\\Temp\\update.dll. Memory dump analysis confirmed execution of Certutil. Registry modifications pointed to persistence via /home/user/.config/implant.so. Network forensics identified connections to 192.182.151.96 and datastatic.dev. Email headers traced the initial vector to alert@account-update.xyz. File C:\\Users\\admin\\AppData\\Local\\Temp\\helper.sh (MD5: 06a45626e64b339570ba3cbaf07f6117) was identified as the initial dropper. A staging URL hxxp://synccloud.cc/download/update.exe resolved to 129.115.174.178. 
Secondary artifact hash: SHA1: bccc0f8890a6fada5b18c2107652b296c2930580.", "spans": {"TOOL: BITSAdmin": [[72, 81]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\update.dll": [[95, 139]], "TOOL: Certutil": [[185, 193]], "FILEPATH: /home/user/.config/implant.so": [[245, 274]], "IP_ADDRESS: 192.182.151.96": [[320, 334]], "DOMAIN: datastatic.dev": [[339, 353]], "EMAIL: alert@account-update.xyz": [[398, 422]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\helper.sh": [[429, 472]], "HASH: 06a45626e64b339570ba3cbaf07f6117": [[479, 511]], "URL: hxxp://synccloud.cc/download/update.exe": [[566, 605]], "IP_ADDRESS: 129.115.174.178": [[618, 633]], "HASH: bccc0f8890a6fada5b18c2107652b296c2930580": [[666, 706]]}, "info": {"id": "synth_v2_01130", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed GhostPack artifacts at /opt/app/bin/winlogon.exe. Memory dump analysis confirmed execution of BloodHound. Registry modifications pointed to persistence via C:\\Users\\Public\\Documents\\sam.hive. Network forensics identified connections to 172.34.130.214 and secure-cloud.site. Email headers traced the initial vector to alert@urgent-notice.online. File /usr/local/bin/chrome_helper.exe (SHA1: f6dedeb7f359524b5d8994e5deefa01eddc45209) was identified as the initial dropper. A staging URL https://datacache.cc/secure/token resolved to 223.215.91.232. 
Secondary artifact hash: SHA1: b192a4d9866044906f1fefe6e38f6c2e6b4ebdae.", "spans": {"TOOL: GhostPack": [[72, 81]], "FILEPATH: /opt/app/bin/winlogon.exe": [[95, 120]], "TOOL: BloodHound": [[166, 176]], "FILEPATH: C:\\Users\\Public\\Documents\\sam.hive": [[228, 262]], "IP_ADDRESS: 172.34.130.214": [[308, 322]], "DOMAIN: secure-cloud.site": [[327, 344]], "EMAIL: alert@urgent-notice.online": [[389, 415]], "FILEPATH: /usr/local/bin/chrome_helper.exe": [[422, 454]], "HASH: f6dedeb7f359524b5d8994e5deefa01eddc45209": [[462, 502]], "URL: https://datacache.cc/secure/token": [[557, 590]], "IP_ADDRESS: 223.215.91.232": [[603, 617]], "HASH: b192a4d9866044906f1fefe6e38f6c2e6b4ebdae": [[650, 690]]}, "info": {"id": "synth_v2_01131", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed BITSAdmin artifacts at /usr/local/bin/taskhost.exe. Memory dump analysis confirmed execution of Sliver. Registry modifications pointed to persistence via /tmp/dropper.ps1. Network forensics identified connections to 100.111.26.155 and staticcdn.top. Email headers traced the initial vector to finance@auth-check.org. File /usr/local/bin/winlogon.exe (SHA256: a886cf170956e5477466b88f4790af46132b743ad51cd307c7df153b41f1a3b7) was identified as the initial dropper. A staging URL hxxps://loginsync.dev/panel/index.html resolved to 10.240.204.134. 
Secondary artifact hash: SHA256: 55d2006d8aa9d05fa04a34a23a3e1932b777ad71b5b611e1a3aa264182e84a44.", "spans": {"TOOL: BITSAdmin": [[72, 81]], "FILEPATH: /usr/local/bin/taskhost.exe": [[95, 122]], "TOOL: Sliver": [[168, 174]], "FILEPATH: /tmp/dropper.ps1": [[226, 242]], "IP_ADDRESS: 100.111.26.155": [[288, 302]], "DOMAIN: staticcdn.top": [[307, 320]], "EMAIL: finance@auth-check.org": [[365, 387]], "FILEPATH: /usr/local/bin/winlogon.exe": [[394, 421]], "HASH: a886cf170956e5477466b88f4790af46132b743ad51cd307c7df153b41f1a3b7": [[431, 495]], "URL: hxxps://loginsync.dev/panel/index.html": [[550, 588]], "IP_ADDRESS: 10.240.204.134": [[601, 615]], "HASH: 55d2006d8aa9d05fa04a34a23a3e1932b777ad71b5b611e1a3aa264182e84a44": [[650, 714]]}, "info": {"id": "synth_v2_01132", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed WinPEAS artifacts at C:\\Users\\admin\\Downloads\\taskhost.exe. Memory dump analysis confirmed execution of CrackMapExec. Registry modifications pointed to persistence via C:\\Windows\\Tasks\\beacon.dll. Network forensics identified connections to 103.32.34.225 and relayupdate.online. Email headers traced the initial vector to alert@credential-check.site. File /tmp/winlogon.exe (SHA1: 2d8b99173fb7fc510e6a59bed7d173f5ad56b055) was identified as the initial dropper. A staging URL hxxp://backup-update.club/portal/verify resolved to 10.240.98.240. 
Secondary artifact hash: SHA256: 0fa8196b824c8a921dac46b3b1ab4e49c48a0801543617a7154f8ffe2fb1b43e.", "spans": {"TOOL: WinPEAS": [[72, 79]], "FILEPATH: C:\\Users\\admin\\Downloads\\taskhost.exe": [[93, 130]], "TOOL: CrackMapExec": [[176, 188]], "FILEPATH: C:\\Windows\\Tasks\\beacon.dll": [[240, 267]], "IP_ADDRESS: 103.32.34.225": [[313, 326]], "DOMAIN: relayupdate.online": [[331, 349]], "EMAIL: alert@credential-check.site": [[394, 421]], "FILEPATH: /tmp/winlogon.exe": [[428, 445]], "HASH: 2d8b99173fb7fc510e6a59bed7d173f5ad56b055": [[453, 493]], "URL: hxxp://backup-update.club/portal/verify": [[548, 587]], "IP_ADDRESS: 10.240.98.240": [[600, 613]], "HASH: 0fa8196b824c8a921dac46b3b1ab4e49c48a0801543617a7154f8ffe2fb1b43e": [[648, 712]]}, "info": {"id": "synth_v2_01133", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Sharphound artifacts at C:\\Windows\\System32\\config.dat. Memory dump analysis confirmed execution of GhostPack. Registry modifications pointed to persistence via C:\\Users\\admin\\Downloads\\backdoor.elf. Network forensics identified connections to 10.210.125.48 and auth-edge.net. Email headers traced the initial vector to finance@mail-service.info. File C:\\Users\\Public\\Documents\\implant.so (SHA1: 212effc3dae43cd0de555adde2786da7c8973dfb) was identified as the initial dropper. A staging URL https://securebackup.link/download/update.exe resolved to 172.160.157.231. 
Secondary artifact hash: SHA1: 4eb75ba1d6dbed442affdb929b07e49d88a8f53f.", "spans": {"TOOL: Sharphound": [[72, 82]], "FILEPATH: C:\\Windows\\System32\\config.dat": [[96, 126]], "TOOL: GhostPack": [[172, 181]], "FILEPATH: C:\\Users\\admin\\Downloads\\backdoor.elf": [[233, 270]], "IP_ADDRESS: 10.210.125.48": [[316, 329]], "DOMAIN: auth-edge.net": [[334, 347]], "EMAIL: finance@mail-service.info": [[392, 417]], "FILEPATH: C:\\Users\\Public\\Documents\\implant.so": [[424, 460]], "HASH: 212effc3dae43cd0de555adde2786da7c8973dfb": [[468, 508]], "URL: https://securebackup.link/download/update.exe": [[563, 608]], "IP_ADDRESS: 172.160.157.231": [[621, 636]], "HASH: 4eb75ba1d6dbed442affdb929b07e49d88a8f53f": [[669, 709]]}, "info": {"id": "synth_v2_01134", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed ADFind artifacts at C:\\Windows\\Temp\\config.dat. Memory dump analysis confirmed execution of GhostPack. Registry modifications pointed to persistence via /usr/local/bin/helper.sh. Network forensics identified connections to 113.210.179.180 and gatewaysync.com. Email headers traced the initial vector to notification@mail-service.info. File /etc/cron.d/svchost.exe (SHA1: 9e579c46d2dc527dea22b28dfef6ddf2861ba642) was identified as the initial dropper. A staging URL hxxp://backup-proxy.tech/collect resolved to 10.218.33.251. 
Secondary artifact hash: SHA1: 9ce43eb034060ab02c12b27b05638d97e58e4b03.", "spans": {"TOOL: ADFind": [[72, 78]], "FILEPATH: C:\\Windows\\Temp\\config.dat": [[92, 118]], "TOOL: GhostPack": [[164, 173]], "FILEPATH: /usr/local/bin/helper.sh": [[225, 249]], "IP_ADDRESS: 113.210.179.180": [[295, 310]], "DOMAIN: gatewaysync.com": [[315, 330]], "EMAIL: notification@mail-service.info": [[375, 405]], "FILEPATH: /etc/cron.d/svchost.exe": [[412, 435]], "HASH: 9e579c46d2dc527dea22b28dfef6ddf2861ba642": [[443, 483]], "URL: hxxp://backup-proxy.tech/collect": [[538, 570]], "IP_ADDRESS: 10.218.33.251": [[583, 596]], "HASH: 9ce43eb034060ab02c12b27b05638d97e58e4b03": [[629, 669]]}, "info": {"id": "synth_v2_01135", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed SharpHound artifacts at C:\\ProgramData\\runtime.dll. Memory dump analysis confirmed execution of Hashcat. Registry modifications pointed to persistence via C:\\Windows\\Tasks\\update.dll. Network forensics identified connections to 215.166.47.176 and api-update.top. Email headers traced the initial vector to service@auth-check.org. File /opt/app/bin/agent.py (SHA1: 815f61a943bd531946f3403e0c4eaa58634f2711) was identified as the initial dropper. A staging URL hxxp://securecache.cc/login resolved to 192.91.197.221. 
Secondary artifact hash: SHA256: 8a4349c58fe98cc4b3df4ad2fa3a1aa9a548305046f6ada349cea3ccdc9812e6.", "spans": {"TOOL: SharpHound": [[72, 82]], "FILEPATH: C:\\ProgramData\\runtime.dll": [[96, 122]], "TOOL: Hashcat": [[168, 175]], "FILEPATH: C:\\Windows\\Tasks\\update.dll": [[227, 254]], "IP_ADDRESS: 215.166.47.176": [[300, 314]], "DOMAIN: api-update.top": [[319, 333]], "EMAIL: service@auth-check.org": [[378, 400]], "FILEPATH: /opt/app/bin/agent.py": [[407, 428]], "HASH: 815f61a943bd531946f3403e0c4eaa58634f2711": [[436, 476]], "URL: hxxp://securecache.cc/login": [[531, 558]], "IP_ADDRESS: 192.91.197.221": [[571, 585]], "HASH: 8a4349c58fe98cc4b3df4ad2fa3a1aa9a548305046f6ada349cea3ccdc9812e6": [[620, 684]]}, "info": {"id": "synth_v2_01136", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Covenant artifacts at C:\\Users\\admin\\Downloads\\helper.sh. Memory dump analysis confirmed execution of Certutil. Registry modifications pointed to persistence via /dev/shm/lsass.dmp. Network forensics identified connections to 154.88.85.146 and apiapi.top. Email headers traced the initial vector to billing@document-share.link. File C:\\Users\\admin\\Desktop\\ntds.dit (SHA1: 1b3e977428278619fd921184f9e7dad9050a84c8) was identified as the initial dropper. A staging URL https://static-data.link/download/update.exe resolved to 60.118.196.24. 
Secondary artifact hash: SHA1: 776d6f7e5834097c0f1ed789acb98af54965492f.", "spans": {"TOOL: Covenant": [[72, 80]], "FILEPATH: C:\\Users\\admin\\Downloads\\helper.sh": [[94, 128]], "TOOL: Certutil": [[174, 182]], "FILEPATH: /dev/shm/lsass.dmp": [[234, 252]], "IP_ADDRESS: 154.88.85.146": [[298, 311]], "DOMAIN: apiapi.top": [[316, 326]], "EMAIL: billing@document-share.link": [[371, 398]], "FILEPATH: C:\\Users\\admin\\Desktop\\ntds.dit": [[405, 436]], "HASH: 1b3e977428278619fd921184f9e7dad9050a84c8": [[444, 484]], "URL: https://static-data.link/download/update.exe": [[539, 583]], "IP_ADDRESS: 60.118.196.24": [[596, 609]], "HASH: 776d6f7e5834097c0f1ed789acb98af54965492f": [[642, 682]]}, "info": {"id": "synth_v2_01137", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed LinPEAS artifacts at /usr/local/bin/payload.bin. Memory dump analysis confirmed execution of LaZagne. Registry modifications pointed to persistence via /home/user/.config/svchost.exe. Network forensics identified connections to 172.209.97.52 and proxy-mail.net. Email headers traced the initial vector to service@identity-verify.cc. File C:\\Users\\admin\\Desktop\\ntds.dit (SHA1: 25c76c99d5fa1435e6460153d4758353829662bb) was identified as the initial dropper. A staging URL https://cdnnode.site/portal/verify resolved to 173.117.121.66. 
Secondary artifact hash: SHA256: a79611f355238376a6b7f9c5e45ebf63a7996ad376cf2c2e9691f37ffa501783.", "spans": {"TOOL: LinPEAS": [[72, 79]], "FILEPATH: /usr/local/bin/payload.bin": [[93, 119]], "TOOL: LaZagne": [[165, 172]], "FILEPATH: /home/user/.config/svchost.exe": [[224, 254]], "IP_ADDRESS: 172.209.97.52": [[300, 313]], "DOMAIN: proxy-mail.net": [[318, 332]], "EMAIL: service@identity-verify.cc": [[377, 403]], "FILEPATH: C:\\Users\\admin\\Desktop\\ntds.dit": [[410, 441]], "HASH: 25c76c99d5fa1435e6460153d4758353829662bb": [[449, 489]], "URL: https://cdnnode.site/portal/verify": [[544, 578]], "IP_ADDRESS: 173.117.121.66": [[591, 605]], "HASH: a79611f355238376a6b7f9c5e45ebf63a7996ad376cf2c2e9691f37ffa501783": [[640, 704]]}, "info": {"id": "synth_v2_01138", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Merlin artifacts at C:\\Users\\admin\\Downloads\\agent.py. Memory dump analysis confirmed execution of PowerShell Empire. Registry modifications pointed to persistence via /var/tmp/dropper.ps1. Network forensics identified connections to 88.10.230.69 and staticsync.dev. Email headers traced the initial vector to admin@login-portal.tech. File C:\\Users\\admin\\Downloads\\lsass.dmp (SHA1: ae3d16263e58bfa0a677b1ee6b210a0caf73630e) was identified as the initial dropper. A staging URL https://staticgateway.info/wp-content/uploads/doc.php resolved to 172.11.177.42. 
Secondary artifact hash: SHA256: 2a7cd051324007715a838d9875881e215d18022c00bd5dd9943c6c2ebe78ce01.", "spans": {"TOOL: Merlin": [[72, 78]], "FILEPATH: C:\\Users\\admin\\Downloads\\agent.py": [[92, 125]], "TOOL: PowerShell Empire": [[171, 188]], "FILEPATH: /var/tmp/dropper.ps1": [[240, 260]], "IP_ADDRESS: 88.10.230.69": [[306, 318]], "DOMAIN: staticsync.dev": [[323, 337]], "EMAIL: admin@login-portal.tech": [[382, 405]], "FILEPATH: C:\\Users\\admin\\Downloads\\lsass.dmp": [[412, 446]], "HASH: ae3d16263e58bfa0a677b1ee6b210a0caf73630e": [[454, 494]], "URL: https://staticgateway.info/wp-content/uploads/doc.php": [[549, 602]], "IP_ADDRESS: 172.11.177.42": [[615, 628]], "HASH: 2a7cd051324007715a838d9875881e215d18022c00bd5dd9943c6c2ebe78ce01": [[663, 727]]}, "info": {"id": "synth_v2_01139", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Ligolo artifacts at /opt/app/bin/implant.so. Memory dump analysis confirmed execution of PowerView. Registry modifications pointed to persistence via C:\\Users\\Public\\Documents\\beacon.dll. Network forensics identified connections to 32.103.2.10 and backupstatic.top. Email headers traced the initial vector to service@urgent-notice.online. File C:\\Users\\admin\\Desktop\\winlogon.exe (SHA256: c8d1cfcb22d50aa34fd40e7c62b855957fe926c728c17877116891b69b795192) was identified as the initial dropper. A staging URL https://gatewayrelay.cc/gate.php resolved to 71.69.233.55. 
Secondary artifact hash: MD5: 63d2cf9b70a62ca2470dfdea68f8dff7.", "spans": {"TOOL: Ligolo": [[72, 78]], "FILEPATH: /opt/app/bin/implant.so": [[92, 115]], "TOOL: PowerView": [[161, 170]], "FILEPATH: C:\\Users\\Public\\Documents\\beacon.dll": [[222, 258]], "IP_ADDRESS: 32.103.2.10": [[304, 315]], "DOMAIN: backupstatic.top": [[320, 336]], "EMAIL: service@urgent-notice.online": [[381, 409]], "FILEPATH: C:\\Users\\admin\\Desktop\\winlogon.exe": [[416, 451]], "HASH: c8d1cfcb22d50aa34fd40e7c62b855957fe926c728c17877116891b69b795192": [[461, 525]], "URL: https://gatewayrelay.cc/gate.php": [[580, 612]], "IP_ADDRESS: 71.69.233.55": [[625, 637]], "HASH: 63d2cf9b70a62ca2470dfdea68f8dff7": [[669, 701]]}, "info": {"id": "synth_v2_01140", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Chisel artifacts at C:\\Windows\\Temp\\ntds.dit. Memory dump analysis confirmed execution of Sliver. Registry modifications pointed to persistence via C:\\Users\\Public\\Documents\\sam.hive. Network forensics identified connections to 172.225.42.21 and portalproxy.live. Email headers traced the initial vector to contact@auth-check.org. File C:\\Windows\\Temp\\ntds.dit (SHA1: f23bbe759d71dc88bdcbcda2bd653942f81809f8) was identified as the initial dropper. A staging URL http://storage-api.io/login resolved to 10.133.229.27. 
Secondary artifact hash: SHA256: ceb9dfc1fec8c27a3674093fbabc208a418d82864bc02bbcfa3a732fbac9287c.", "spans": {"TOOL: Chisel": [[72, 78]], "FILEPATH: C:\\Windows\\Temp\\ntds.dit": [[92, 116], [92, 116]], "TOOL: Sliver": [[162, 168]], "FILEPATH: C:\\Users\\Public\\Documents\\sam.hive": [[220, 254]], "IP_ADDRESS: 172.225.42.21": [[300, 313]], "DOMAIN: portalproxy.live": [[318, 334]], "EMAIL: contact@auth-check.org": [[379, 401]], "HASH: f23bbe759d71dc88bdcbcda2bd653942f81809f8": [[440, 480]], "URL: http://storage-api.io/login": [[535, 562]], "IP_ADDRESS: 10.133.229.27": [[575, 588]], "HASH: ceb9dfc1fec8c27a3674093fbabc208a418d82864bc02bbcfa3a732fbac9287c": [[623, 687]]}, "info": {"id": "synth_v2_01141", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Hashcat artifacts at C:\\Users\\Public\\Documents\\lsass.dmp. Memory dump analysis confirmed execution of GhostPack. Registry modifications pointed to persistence via /dev/shm/agent.py. Network forensics identified connections to 10.145.106.249 and storageupdate.top. Email headers traced the initial vector to contact@identity-verify.cc. File /usr/local/bin/shell.php (SHA1: 47719100c560f07125ddf2ae8c8c6741ef46e1fa) was identified as the initial dropper. A staging URL hxxps://proxy-storage.info/download/update.exe resolved to 157.222.167.5. 
Secondary artifact hash: SHA1: cb282f70f0828903a18d0e12266d0a893356e919.", "spans": {"TOOL: Hashcat": [[72, 79]], "FILEPATH: C:\\Users\\Public\\Documents\\lsass.dmp": [[93, 128]], "TOOL: GhostPack": [[174, 183]], "FILEPATH: /dev/shm/agent.py": [[235, 252]], "IP_ADDRESS: 10.145.106.249": [[298, 312]], "DOMAIN: storageupdate.top": [[317, 334]], "EMAIL: contact@identity-verify.cc": [[379, 405]], "FILEPATH: /usr/local/bin/shell.php": [[412, 436]], "HASH: 47719100c560f07125ddf2ae8c8c6741ef46e1fa": [[444, 484]], "URL: hxxps://proxy-storage.info/download/update.exe": [[539, 585]], "IP_ADDRESS: 157.222.167.5": [[598, 611]], "HASH: cb282f70f0828903a18d0e12266d0a893356e919": [[644, 684]]}, "info": {"id": "synth_v2_01142", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed WinPEAS artifacts at /usr/local/bin/config.dat. Memory dump analysis confirmed execution of PowerShell Empire. Registry modifications pointed to persistence via C:\\Program Files\\Common Files\\chrome_helper.exe. Network forensics identified connections to 206.228.63.77 and edge-storage.live. Email headers traced the initial vector to contact@account-update.xyz. File /dev/shm/dropper.ps1 (SHA1: ad327435f85fd18f6aecdfaed620bfa1e7665fa3) was identified as the initial dropper. A staging URL hxxps://backupnode.link/admin/config resolved to 10.169.28.251. 
Secondary artifact hash: SHA256: 278f25d69df821172d5ea19e58af4fd260110ea4666375b621c25e1cf0ff06a0.", "spans": {"TOOL: WinPEAS": [[72, 79]], "FILEPATH: /usr/local/bin/config.dat": [[93, 118]], "TOOL: PowerShell Empire": [[164, 181]], "FILEPATH: C:\\Program Files\\Common Files\\chrome_helper.exe": [[233, 280]], "IP_ADDRESS: 206.228.63.77": [[326, 339]], "DOMAIN: edge-storage.live": [[344, 361]], "EMAIL: contact@account-update.xyz": [[406, 432]], "FILEPATH: /dev/shm/dropper.ps1": [[439, 459]], "HASH: ad327435f85fd18f6aecdfaed620bfa1e7665fa3": [[467, 507]], "URL: hxxps://backupnode.link/admin/config": [[562, 598]], "IP_ADDRESS: 10.169.28.251": [[611, 624]], "HASH: 278f25d69df821172d5ea19e58af4fd260110ea4666375b621c25e1cf0ff06a0": [[659, 723]]}, "info": {"id": "synth_v2_01143", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed BITSAdmin artifacts at C:\\Program Files\\Common Files\\helper.sh. Memory dump analysis confirmed execution of Ligolo. Registry modifications pointed to persistence via /home/user/.config/shell.php. Network forensics identified connections to 51.165.179.57 and login-relay.io. Email headers traced the initial vector to report@auth-check.org. File /var/tmp/ntds.dit (SHA1: 1d42e0e0a2aaa6b9237bef58d941df4453c24d30) was identified as the initial dropper. A staging URL https://static-cloud.com/admin/config resolved to 192.43.11.198. 
Secondary artifact hash: SHA256: b21dcb0444cccbb89d6e6e5f4f312f22a1bc0acaf3dcb47e73db93615d5e2a9c.", "spans": {"TOOL: BITSAdmin": [[72, 81]], "FILEPATH: C:\\Program Files\\Common Files\\helper.sh": [[95, 134]], "TOOL: Ligolo": [[180, 186]], "FILEPATH: /home/user/.config/shell.php": [[238, 266]], "IP_ADDRESS: 51.165.179.57": [[312, 325]], "DOMAIN: login-relay.io": [[330, 344]], "EMAIL: report@auth-check.org": [[389, 410]], "FILEPATH: /var/tmp/ntds.dit": [[417, 434]], "HASH: 1d42e0e0a2aaa6b9237bef58d941df4453c24d30": [[442, 482]], "URL: https://static-cloud.com/admin/config": [[537, 574]], "IP_ADDRESS: 192.43.11.198": [[587, 600]], "HASH: b21dcb0444cccbb89d6e6e5f4f312f22a1bc0acaf3dcb47e73db93615d5e2a9c": [[635, 699]]}, "info": {"id": "synth_v2_01144", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Sharphound artifacts at /etc/cron.d/payload.bin. Memory dump analysis confirmed execution of ADFind. Registry modifications pointed to persistence via /dev/shm/sam.hive. Network forensics identified connections to 10.198.167.107 and backupbackup.xyz. Email headers traced the initial vector to hr@identity-verify.cc. File /etc/cron.d/loader.exe (MD5: 51ec2620632bf78d6be51f39d6ca7c78) was identified as the initial dropper. A staging URL hxxps://datadata.net/admin/config resolved to 10.99.216.56. 
Secondary artifact hash: MD5: 45fd5a232c3be063d28dc12f3130db50.", "spans": {"TOOL: Sharphound": [[72, 82]], "FILEPATH: /etc/cron.d/payload.bin": [[96, 119]], "TOOL: ADFind": [[165, 171]], "FILEPATH: /dev/shm/sam.hive": [[223, 240]], "IP_ADDRESS: 10.198.167.107": [[286, 300]], "DOMAIN: backupbackup.xyz": [[305, 321]], "EMAIL: hr@identity-verify.cc": [[366, 387]], "FILEPATH: /etc/cron.d/loader.exe": [[394, 416]], "HASH: 51ec2620632bf78d6be51f39d6ca7c78": [[423, 455]], "URL: hxxps://datadata.net/admin/config": [[510, 543]], "IP_ADDRESS: 10.99.216.56": [[556, 568]], "HASH: 45fd5a232c3be063d28dc12f3130db50": [[600, 632]]}, "info": {"id": "synth_v2_01145", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Sliver artifacts at C:\\Windows\\System32\\runtime.dll. Memory dump analysis confirmed execution of Mythic. Registry modifications pointed to persistence via /var/tmp/csrss.exe. Network forensics identified connections to 172.112.63.227 and gatewaysecure.top. Email headers traced the initial vector to noreply@identity-verify.cc. File C:\\Windows\\Tasks\\ntds.dit (SHA256: 81d7a62ecd8b00de5030cd519e535c0b970e8677e830f3a1f1e75f3452f34979) was identified as the initial dropper. A staging URL https://portal-relay.io/assets/js/payload.js resolved to 78.143.182.119. 
Secondary artifact hash: MD5: 08ef0a531047b0968339a0d6058df5a5.", "spans": {"TOOL: Sliver": [[72, 78]], "FILEPATH: C:\\Windows\\System32\\runtime.dll": [[92, 123]], "TOOL: Mythic": [[169, 175]], "FILEPATH: /var/tmp/csrss.exe": [[227, 245]], "IP_ADDRESS: 172.112.63.227": [[291, 305]], "DOMAIN: gatewaysecure.top": [[310, 327]], "EMAIL: noreply@identity-verify.cc": [[372, 398]], "FILEPATH: C:\\Windows\\Tasks\\ntds.dit": [[405, 430]], "HASH: 81d7a62ecd8b00de5030cd519e535c0b970e8677e830f3a1f1e75f3452f34979": [[440, 504]], "URL: https://portal-relay.io/assets/js/payload.js": [[559, 603]], "IP_ADDRESS: 78.143.182.119": [[616, 630]], "HASH: 08ef0a531047b0968339a0d6058df5a5": [[662, 694]]}, "info": {"id": "synth_v2_01146", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Brute Ratel artifacts at C:\\Users\\admin\\AppData\\Local\\Temp\\loader.exe. Memory dump analysis confirmed execution of GhostPack. Registry modifications pointed to persistence via /dev/shm/beacon.dll. Network forensics identified connections to 176.146.122.241 and cloudrelay.club. Email headers traced the initial vector to hr@phishing-domain.com. File /usr/local/bin/beacon.dll (MD5: b653caa707f8cd58a24fab7fa59a0735) was identified as the initial dropper. A staging URL http://proxy-portal.online/panel/index.html resolved to 215.171.70.151. 
Secondary artifact hash: SHA1: b08a1ea2f3b2d40d6d2126041f168b7606ab3762.", "spans": {"TOOL: Brute Ratel": [[72, 83]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\loader.exe": [[97, 141]], "TOOL: GhostPack": [[187, 196]], "FILEPATH: /dev/shm/beacon.dll": [[248, 267]], "IP_ADDRESS: 176.146.122.241": [[313, 328]], "DOMAIN: cloudrelay.club": [[333, 348]], "EMAIL: hr@phishing-domain.com": [[393, 415]], "FILEPATH: /usr/local/bin/beacon.dll": [[422, 447]], "HASH: b653caa707f8cd58a24fab7fa59a0735": [[454, 486]], "URL: http://proxy-portal.online/panel/index.html": [[541, 584]], "IP_ADDRESS: 215.171.70.151": [[597, 611]], "HASH: b08a1ea2f3b2d40d6d2126041f168b7606ab3762": [[644, 684]]}, "info": {"id": "synth_v2_01147", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed SharpHound artifacts at /dev/shm/agent.py. Memory dump analysis confirmed execution of Sharphound. Registry modifications pointed to persistence via C:\\Windows\\Temp\\backdoor.elf. Network forensics identified connections to 91.41.157.153 and storage-proxy.link. Email headers traced the initial vector to billing@phishing-domain.com. File C:\\Windows\\System32\\svchost.exe (MD5: 12efbae8d15872eb97f37df951c8783b) was identified as the initial dropper. A staging URL https://cdn-cdn.cc/assets/js/payload.js resolved to 90.102.152.23. 
Secondary artifact hash: MD5: 2dc1e3e3aec00df390e446936d30cef3.", "spans": {"TOOL: SharpHound": [[72, 82]], "FILEPATH: /dev/shm/agent.py": [[96, 113]], "TOOL: Sharphound": [[159, 169]], "FILEPATH: C:\\Windows\\Temp\\backdoor.elf": [[221, 249]], "IP_ADDRESS: 91.41.157.153": [[295, 308]], "DOMAIN: storage-proxy.link": [[313, 331]], "EMAIL: billing@phishing-domain.com": [[376, 403]], "FILEPATH: C:\\Windows\\System32\\svchost.exe": [[410, 441]], "HASH: 12efbae8d15872eb97f37df951c8783b": [[448, 480]], "URL: https://cdn-cdn.cc/assets/js/payload.js": [[535, 574]], "IP_ADDRESS: 90.102.152.23": [[587, 600]], "HASH: 2dc1e3e3aec00df390e446936d30cef3": [[632, 664]]}, "info": {"id": "synth_v2_01148", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed PowerView artifacts at C:\\Users\\admin\\AppData\\Local\\Temp\\ntds.dit. Memory dump analysis confirmed execution of CrackMapExec. Registry modifications pointed to persistence via /etc/cron.d/lsass.dmp. Network forensics identified connections to 185.134.175.63 and securecloud.live. Email headers traced the initial vector to contact@identity-verify.cc. File /etc/cron.d/loader.exe (SHA256: ac2200ec9b2b50b90faac294bba278decb4f30d9e5a7ba3819fe92f661f29561) was identified as the initial dropper. A staging URL http://update-cdn.info/login resolved to 168.216.187.63. 
Secondary artifact hash: SHA256: 41ee6167e67a874e0caf23853e87c92cbf23e3a03d0f95caefe71aa021287f1b.", "spans": {"TOOL: PowerView": [[72, 81]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\ntds.dit": [[95, 137]], "TOOL: CrackMapExec": [[183, 195]], "FILEPATH: /etc/cron.d/lsass.dmp": [[247, 268]], "IP_ADDRESS: 185.134.175.63": [[314, 328]], "DOMAIN: securecloud.live": [[333, 349]], "EMAIL: contact@identity-verify.cc": [[394, 420]], "FILEPATH: /etc/cron.d/loader.exe": [[427, 449]], "HASH: ac2200ec9b2b50b90faac294bba278decb4f30d9e5a7ba3819fe92f661f29561": [[459, 523]], "URL: http://update-cdn.info/login": [[578, 606]], "IP_ADDRESS: 168.216.187.63": [[619, 633]], "HASH: 41ee6167e67a874e0caf23853e87c92cbf23e3a03d0f95caefe71aa021287f1b": [[668, 732]]}, "info": {"id": "synth_v2_01149", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Brute Ratel artifacts at C:\\ProgramData\\chrome_helper.exe. Memory dump analysis confirmed execution of GhostPack. Registry modifications pointed to persistence via C:\\Users\\admin\\AppData\\Local\\Temp\\helper.sh. Network forensics identified connections to 20.40.204.214 and nodecloud.club. Email headers traced the initial vector to hr@identity-verify.cc. File /home/user/.config/shell.php (SHA1: ef84894859cb8551aa54b2a42f139cddacda7a1d) was identified as the initial dropper. A staging URL https://apibackup.club/gate.php resolved to 21.44.52.175. 
Secondary artifact hash: MD5: 532a3d38927cc72c92dbb027d3cd594d.", "spans": {"TOOL: Brute Ratel": [[72, 83]], "FILEPATH: C:\\ProgramData\\chrome_helper.exe": [[97, 129]], "TOOL: GhostPack": [[175, 184]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\helper.sh": [[236, 279]], "IP_ADDRESS: 20.40.204.214": [[325, 338]], "DOMAIN: nodecloud.club": [[343, 357]], "EMAIL: hr@identity-verify.cc": [[402, 423]], "FILEPATH: /home/user/.config/shell.php": [[430, 458]], "HASH: ef84894859cb8551aa54b2a42f139cddacda7a1d": [[466, 506]], "URL: https://apibackup.club/gate.php": [[561, 592]], "IP_ADDRESS: 21.44.52.175": [[605, 617]], "HASH: 532a3d38927cc72c92dbb027d3cd594d": [[649, 681]]}, "info": {"id": "synth_v2_01150", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Hashcat artifacts at C:\\Windows\\Tasks\\ntds.dit. Memory dump analysis confirmed execution of ADFind. Registry modifications pointed to persistence via C:\\ProgramData\\loader.exe. Network forensics identified connections to 172.236.210.103 and loginmail.site. Email headers traced the initial vector to notification@auth-check.org. File C:\\Program Files\\Common Files\\loader.exe (MD5: 61736131561a1dcc216c90540374e895) was identified as the initial dropper. A staging URL https://node-static.net/assets/js/payload.js resolved to 141.75.8.190. 
Secondary artifact hash: SHA1: 2c1cb55403a1938b72030d825f03ac1a4801d318.", "spans": {"TOOL: Hashcat": [[72, 79]], "FILEPATH: C:\\Windows\\Tasks\\ntds.dit": [[93, 118]], "TOOL: ADFind": [[164, 170]], "FILEPATH: C:\\ProgramData\\loader.exe": [[222, 247]], "IP_ADDRESS: 172.236.210.103": [[293, 308]], "DOMAIN: loginmail.site": [[313, 327]], "EMAIL: notification@auth-check.org": [[372, 399]], "FILEPATH: C:\\Program Files\\Common Files\\loader.exe": [[406, 446]], "HASH: 61736131561a1dcc216c90540374e895": [[453, 485]], "URL: https://node-static.net/assets/js/payload.js": [[540, 584]], "IP_ADDRESS: 141.75.8.190": [[597, 609]], "HASH: 2c1cb55403a1938b72030d825f03ac1a4801d318": [[642, 682]]}, "info": {"id": "synth_v2_01151", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Nmap artifacts at C:\\Users\\admin\\Downloads\\helper.sh. Memory dump analysis confirmed execution of BloodHound. Registry modifications pointed to persistence via /var/tmp/svchost.exe. Network forensics identified connections to 109.146.8.81 and securelogin.net. Email headers traced the initial vector to it@secure-verify.net. File C:\\Users\\admin\\Downloads\\shell.php (SHA1: 780a2f6055fd5b3ada318fb8cee450d1d9f50478) was identified as the initial dropper. A staging URL http://api-edge.site/login resolved to 215.246.123.160. 
Secondary artifact hash: SHA256: df4e312cc92286b5477c912ee22ce7c27bf8a195ada2efe8af521773da1bc578.", "spans": {"TOOL: Nmap": [[72, 76]], "FILEPATH: C:\\Users\\admin\\Downloads\\helper.sh": [[90, 124]], "TOOL: BloodHound": [[170, 180]], "FILEPATH: /var/tmp/svchost.exe": [[232, 252]], "IP_ADDRESS: 109.146.8.81": [[298, 310]], "DOMAIN: securelogin.net": [[315, 330]], "EMAIL: it@secure-verify.net": [[375, 395]], "FILEPATH: C:\\Users\\admin\\Downloads\\shell.php": [[402, 436]], "HASH: 780a2f6055fd5b3ada318fb8cee450d1d9f50478": [[444, 484]], "URL: http://api-edge.site/login": [[539, 565]], "IP_ADDRESS: 215.246.123.160": [[578, 593]], "HASH: df4e312cc92286b5477c912ee22ce7c27bf8a195ada2efe8af521773da1bc578": [[628, 692]]}, "info": {"id": "synth_v2_01152", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed ADFind artifacts at /home/user/.config/beacon.dll. Memory dump analysis confirmed execution of Nmap. Registry modifications pointed to persistence via /home/user/.config/sam.hive. Network forensics identified connections to 172.232.173.43 and update-cloud.tech. Email headers traced the initial vector to finance@secure-verify.net. File /var/tmp/runtime.dll (SHA1: e178909baff16e1d2877b330a73732751d083344) was identified as the initial dropper. A staging URL http://secure-data.link/admin/config resolved to 117.153.154.212. 
Secondary artifact hash: SHA1: 4280be449dfade9c158f0eaed52b07fa10be3b2d.", "spans": {"TOOL: ADFind": [[72, 78]], "FILEPATH: /home/user/.config/beacon.dll": [[92, 121]], "TOOL: Nmap": [[167, 171]], "FILEPATH: /home/user/.config/sam.hive": [[223, 250]], "IP_ADDRESS: 172.232.173.43": [[296, 310]], "DOMAIN: update-cloud.tech": [[315, 332]], "EMAIL: finance@secure-verify.net": [[377, 402]], "FILEPATH: /var/tmp/runtime.dll": [[409, 429]], "HASH: e178909baff16e1d2877b330a73732751d083344": [[437, 477]], "URL: http://secure-data.link/admin/config": [[532, 568]], "IP_ADDRESS: 117.153.154.212": [[581, 596]], "HASH: 4280be449dfade9c158f0eaed52b07fa10be3b2d": [[629, 669]]}, "info": {"id": "synth_v2_01153", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed SharpHound artifacts at /var/tmp/csrss.exe. Memory dump analysis confirmed execution of Nmap. Registry modifications pointed to persistence via C:\\ProgramData\\dropper.ps1. Network forensics identified connections to 78.48.104.24 and mail-node.tech. Email headers traced the initial vector to contact@auth-check.org. File C:\\Program Files\\Common Files\\ntds.dit (MD5: d0ff17410737c72764ae666de5d21d03) was identified as the initial dropper. A staging URL https://mail-cloud.cc/admin/config resolved to 172.39.96.3. 
Secondary artifact hash: MD5: 51e75def40795f5ae388444a8a872b2a.", "spans": {"TOOL: SharpHound": [[72, 82]], "FILEPATH: /var/tmp/csrss.exe": [[96, 114]], "TOOL: Nmap": [[160, 164]], "FILEPATH: C:\\ProgramData\\dropper.ps1": [[216, 242]], "IP_ADDRESS: 78.48.104.24": [[288, 300]], "DOMAIN: mail-node.tech": [[305, 319]], "EMAIL: contact@auth-check.org": [[364, 386]], "FILEPATH: C:\\Program Files\\Common Files\\ntds.dit": [[393, 431]], "HASH: d0ff17410737c72764ae666de5d21d03": [[438, 470]], "URL: https://mail-cloud.cc/admin/config": [[525, 559]], "IP_ADDRESS: 172.39.96.3": [[572, 583]], "HASH: 51e75def40795f5ae388444a8a872b2a": [[615, 647]]}, "info": {"id": "synth_v2_01154", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Seatbelt artifacts at C:\\Users\\admin\\Downloads\\taskhost.exe. Memory dump analysis confirmed execution of ADFind. Registry modifications pointed to persistence via /dev/shm/dropper.ps1. Network forensics identified connections to 192.155.38.235 and portal-relay.tech. Email headers traced the initial vector to security@login-portal.tech. File /opt/app/bin/winlogon.exe (SHA1: fc037c369afb4c148277b21663ca6fa1a1d6779f) was identified as the initial dropper. A staging URL https://auth-cache.xyz/panel/index.html resolved to 192.192.169.93. 
Secondary artifact hash: SHA1: b747466656ec2f6d313573189c9678fcc2b0c175.", "spans": {"TOOL: Seatbelt": [[72, 80]], "FILEPATH: C:\\Users\\admin\\Downloads\\taskhost.exe": [[94, 131]], "TOOL: ADFind": [[177, 183]], "FILEPATH: /dev/shm/dropper.ps1": [[235, 255]], "IP_ADDRESS: 192.155.38.235": [[301, 315]], "DOMAIN: portal-relay.tech": [[320, 337]], "EMAIL: security@login-portal.tech": [[382, 408]], "FILEPATH: /opt/app/bin/winlogon.exe": [[415, 440]], "HASH: fc037c369afb4c148277b21663ca6fa1a1d6779f": [[448, 488]], "URL: https://auth-cache.xyz/panel/index.html": [[543, 582]], "IP_ADDRESS: 192.192.169.93": [[595, 609]], "HASH: b747466656ec2f6d313573189c9678fcc2b0c175": [[642, 682]]}, "info": {"id": "synth_v2_01155", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Covenant artifacts at C:\\ProgramData\\dropper.ps1. Memory dump analysis confirmed execution of PsExec. Registry modifications pointed to persistence via C:\\Users\\admin\\AppData\\Local\\Temp\\update.dll. Network forensics identified connections to 49.132.65.181 and cacherelay.club. Email headers traced the initial vector to support@document-share.link. File /tmp/dropper.ps1 (SHA256: efc579ca54aa436e24649bf9892e593a2928c4bb29d888f81827610ff935cfa1) was identified as the initial dropper. A staging URL https://secure-api.io/download/update.exe resolved to 172.80.52.177. 
Secondary artifact hash: MD5: 8dced8f9485739c43b692f78b7041a9f.", "spans": {"TOOL: Covenant": [[72, 80]], "FILEPATH: C:\\ProgramData\\dropper.ps1": [[94, 120]], "TOOL: PsExec": [[166, 172]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\update.dll": [[224, 268]], "IP_ADDRESS: 49.132.65.181": [[314, 327]], "DOMAIN: cacherelay.club": [[332, 347]], "EMAIL: support@document-share.link": [[392, 419]], "FILEPATH: /tmp/dropper.ps1": [[426, 442]], "HASH: efc579ca54aa436e24649bf9892e593a2928c4bb29d888f81827610ff935cfa1": [[452, 516]], "URL: https://secure-api.io/download/update.exe": [[571, 612]], "IP_ADDRESS: 172.80.52.177": [[625, 638]], "HASH: 8dced8f9485739c43b692f78b7041a9f": [[670, 702]]}, "info": {"id": "synth_v2_01156", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed SharpHound artifacts at /dev/shm/runtime.dll. Memory dump analysis confirmed execution of BloodHound. Registry modifications pointed to persistence via /home/user/.config/chrome_helper.exe. Network forensics identified connections to 10.127.42.86 and storage-data.com. Email headers traced the initial vector to finance@mail-service.info. File C:\\ProgramData\\agent.py (SHA1: 4681e5b856d59e5036457d2eb2031d8718051687) was identified as the initial dropper. A staging URL hxxps://relay-relay.io/admin/config resolved to 93.100.27.244. 
Secondary artifact hash: MD5: 3fc82c6c184cf65deace2dfa93bad4a1.", "spans": {"TOOL: SharpHound": [[72, 82]], "FILEPATH: /dev/shm/runtime.dll": [[96, 116]], "TOOL: BloodHound": [[162, 172]], "FILEPATH: /home/user/.config/chrome_helper.exe": [[224, 260]], "IP_ADDRESS: 10.127.42.86": [[306, 318]], "DOMAIN: storage-data.com": [[323, 339]], "EMAIL: finance@mail-service.info": [[384, 409]], "FILEPATH: C:\\ProgramData\\agent.py": [[416, 439]], "HASH: 4681e5b856d59e5036457d2eb2031d8718051687": [[447, 487]], "URL: hxxps://relay-relay.io/admin/config": [[542, 577]], "IP_ADDRESS: 93.100.27.244": [[590, 603]], "HASH: 3fc82c6c184cf65deace2dfa93bad4a1": [[635, 667]]}, "info": {"id": "synth_v2_01157", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed CrackMapExec artifacts at C:\\Users\\Public\\Documents\\update.dll. Memory dump analysis confirmed execution of Sliver. Registry modifications pointed to persistence via C:\\Program Files\\Common Files\\csrss.exe. Network forensics identified connections to 190.221.121.192 and static-cache.net. Email headers traced the initial vector to report@document-share.link. File /home/user/.config/winlogon.exe (MD5: 957c97c1ca25e1785d27696c248975cd) was identified as the initial dropper. A staging URL http://storagelogin.com/portal/verify resolved to 84.155.61.201. 
Secondary artifact hash: MD5: 741e805361b89941c2bf2026ec7852c2.", "spans": {"TOOL: CrackMapExec": [[72, 84]], "FILEPATH: C:\\Users\\Public\\Documents\\update.dll": [[98, 134]], "TOOL: Sliver": [[180, 186]], "FILEPATH: C:\\Program Files\\Common Files\\csrss.exe": [[238, 277]], "IP_ADDRESS: 190.221.121.192": [[323, 338]], "DOMAIN: static-cache.net": [[343, 359]], "EMAIL: report@document-share.link": [[404, 430]], "FILEPATH: /home/user/.config/winlogon.exe": [[437, 468]], "HASH: 957c97c1ca25e1785d27696c248975cd": [[475, 507]], "URL: http://storagelogin.com/portal/verify": [[562, 599]], "IP_ADDRESS: 84.155.61.201": [[612, 625]], "HASH: 741e805361b89941c2bf2026ec7852c2": [[657, 689]]}, "info": {"id": "synth_v2_01158", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Certutil artifacts at C:\\ProgramData\\implant.so. Memory dump analysis confirmed execution of CrackMapExec. Registry modifications pointed to persistence via C:\\Users\\Public\\Documents\\svchost.exe. Network forensics identified connections to 165.194.47.5 and loginauth.site. Email headers traced the initial vector to contact@urgent-notice.online. File C:\\Program Files\\Common Files\\taskhost.exe (SHA1: f2ced5a1df3a4e8769902d1282d536d987665292) was identified as the initial dropper. A staging URL http://login-api.top/secure/token resolved to 192.67.81.171. 
Secondary artifact hash: SHA1: c55a95118f286de674c162d21b02f3df66e83873.", "spans": {"TOOL: Certutil": [[72, 80]], "FILEPATH: C:\\ProgramData\\implant.so": [[94, 119]], "TOOL: CrackMapExec": [[165, 177]], "FILEPATH: C:\\Users\\Public\\Documents\\svchost.exe": [[229, 266]], "IP_ADDRESS: 165.194.47.5": [[312, 324]], "DOMAIN: loginauth.site": [[329, 343]], "EMAIL: contact@urgent-notice.online": [[388, 416]], "FILEPATH: C:\\Program Files\\Common Files\\taskhost.exe": [[423, 465]], "HASH: f2ced5a1df3a4e8769902d1282d536d987665292": [[473, 513]], "URL: http://login-api.top/secure/token": [[568, 601]], "IP_ADDRESS: 192.67.81.171": [[614, 627]], "HASH: c55a95118f286de674c162d21b02f3df66e83873": [[660, 700]]}, "info": {"id": "synth_v2_01159", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed CrackMapExec artifacts at C:\\Users\\admin\\Desktop\\config.dat. Memory dump analysis confirmed execution of Seatbelt. Registry modifications pointed to persistence via C:\\Users\\admin\\Desktop\\implant.so. Network forensics identified connections to 192.138.254.147 and login-mail.online. Email headers traced the initial vector to noreply@urgent-notice.online. File C:\\Users\\admin\\Desktop\\payload.bin (SHA256: 899ca48a05fca3d061f05b9991eabe487bce735b595c9f28c6c279ea1d0bc18b) was identified as the initial dropper. A staging URL hxxp://cdncloud.org/login resolved to 192.1.5.89. 
Secondary artifact hash: SHA1: 469f7ae1a07aae4c98da7005c2d88af5b83bf4d6.", "spans": {"TOOL: CrackMapExec": [[72, 84]], "FILEPATH: C:\\Users\\admin\\Desktop\\config.dat": [[98, 131]], "TOOL: Seatbelt": [[177, 185]], "FILEPATH: C:\\Users\\admin\\Desktop\\implant.so": [[237, 270]], "IP_ADDRESS: 192.138.254.147": [[316, 331]], "DOMAIN: login-mail.online": [[336, 353]], "EMAIL: noreply@urgent-notice.online": [[398, 426]], "FILEPATH: C:\\Users\\admin\\Desktop\\payload.bin": [[433, 467]], "HASH: 899ca48a05fca3d061f05b9991eabe487bce735b595c9f28c6c279ea1d0bc18b": [[477, 541]], "URL: hxxp://cdncloud.org/login": [[596, 621]], "IP_ADDRESS: 192.1.5.89": [[634, 644]], "HASH: 469f7ae1a07aae4c98da7005c2d88af5b83bf4d6": [[677, 717]]}, "info": {"id": "synth_v2_01160", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed PowerView artifacts at C:\\Users\\admin\\AppData\\Local\\Temp\\sam.hive. Memory dump analysis confirmed execution of LaZagne. Registry modifications pointed to persistence via /usr/local/bin/dropper.ps1. Network forensics identified connections to 172.97.237.241 and securecdn.tech. Email headers traced the initial vector to admin@account-update.xyz. File /opt/app/bin/implant.so (MD5: aec11a3effad6d34eedd1b1e561da08c) was identified as the initial dropper. A staging URL https://updateportal.com/panel/index.html resolved to 10.179.45.76. 
Secondary artifact hash: SHA1: fc7cd02ff5a28a7b4ea73852d08186782d761e59.", "spans": {"TOOL: PowerView": [[72, 81]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\sam.hive": [[95, 137]], "TOOL: LaZagne": [[183, 190]], "FILEPATH: /usr/local/bin/dropper.ps1": [[242, 268]], "IP_ADDRESS: 172.97.237.241": [[314, 328]], "DOMAIN: securecdn.tech": [[333, 347]], "EMAIL: admin@account-update.xyz": [[392, 416]], "FILEPATH: /opt/app/bin/implant.so": [[423, 446]], "HASH: aec11a3effad6d34eedd1b1e561da08c": [[453, 485]], "URL: https://updateportal.com/panel/index.html": [[540, 581]], "IP_ADDRESS: 10.179.45.76": [[594, 606]], "HASH: fc7cd02ff5a28a7b4ea73852d08186782d761e59": [[639, 679]]}, "info": {"id": "synth_v2_01161", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Hashcat artifacts at C:\\Windows\\Temp\\config.dat. Memory dump analysis confirmed execution of Sliver. Registry modifications pointed to persistence via C:\\Users\\admin\\Downloads\\backdoor.elf. Network forensics identified connections to 68.230.204.178 and node-cache.io. Email headers traced the initial vector to service@mail-service.info. File C:\\Windows\\Temp\\ntds.dit (MD5: 9b0ff016906de92cf1e84c1ce2e7f553) was identified as the initial dropper. A staging URL http://cdn-auth.dev/secure/token resolved to 11.11.131.223. 
Secondary artifact hash: MD5: b79dad70f528eba4fbbd43718108ce1e.", "spans": {"TOOL: Hashcat": [[72, 79]], "FILEPATH: C:\\Windows\\Temp\\config.dat": [[93, 119]], "TOOL: Sliver": [[165, 171]], "FILEPATH: C:\\Users\\admin\\Downloads\\backdoor.elf": [[223, 260]], "IP_ADDRESS: 68.230.204.178": [[306, 320]], "DOMAIN: node-cache.io": [[325, 338]], "EMAIL: service@mail-service.info": [[383, 408]], "FILEPATH: C:\\Windows\\Temp\\ntds.dit": [[415, 439]], "HASH: 9b0ff016906de92cf1e84c1ce2e7f553": [[446, 478]], "URL: http://cdn-auth.dev/secure/token": [[533, 565]], "IP_ADDRESS: 11.11.131.223": [[578, 591]], "HASH: b79dad70f528eba4fbbd43718108ce1e": [[623, 655]]}, "info": {"id": "synth_v2_01162", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Merlin artifacts at /etc/cron.d/ntds.dit. Memory dump analysis confirmed execution of CrackMapExec. Registry modifications pointed to persistence via C:\\Windows\\System32\\helper.sh. Network forensics identified connections to 187.195.177.109 and gateway-login.dev. Email headers traced the initial vector to notification@phishing-domain.com. File /dev/shm/loader.exe (SHA1: d2fddf9c9cf2aa7818fd8df6504ea8cd1cac3852) was identified as the initial dropper. A staging URL http://auth-cloud.io/login resolved to 10.105.199.169. 
Secondary artifact hash: SHA1: dcffcd59fb25a4b0348d3d02579024a948ac999a.", "spans": {"TOOL: Merlin": [[72, 78]], "FILEPATH: /etc/cron.d/ntds.dit": [[92, 112]], "TOOL: CrackMapExec": [[158, 170]], "FILEPATH: C:\\Windows\\System32\\helper.sh": [[222, 251]], "IP_ADDRESS: 187.195.177.109": [[297, 312]], "DOMAIN: gateway-login.dev": [[317, 334]], "EMAIL: notification@phishing-domain.com": [[379, 411]], "FILEPATH: /dev/shm/loader.exe": [[418, 437]], "HASH: d2fddf9c9cf2aa7818fd8df6504ea8cd1cac3852": [[445, 485]], "URL: http://auth-cloud.io/login": [[540, 566]], "IP_ADDRESS: 10.105.199.169": [[579, 593]], "HASH: dcffcd59fb25a4b0348d3d02579024a948ac999a": [[626, 666]]}, "info": {"id": "synth_v2_01163", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed BITSAdmin artifacts at /usr/local/bin/beacon.dll. Memory dump analysis confirmed execution of Burp Suite. Registry modifications pointed to persistence via /usr/local/bin/sam.hive. Network forensics identified connections to 192.8.106.85 and edge-secure.club. Email headers traced the initial vector to finance@secure-verify.net. File C:\\ProgramData\\shell.php (SHA1: ef97785c16b8e1aca953a72947b111b34d647e54) was identified as the initial dropper. A staging URL hxxps://sync-relay.link/secure/token resolved to 192.131.165.187. 
Secondary artifact hash: SHA256: e826f894a0feccd054b3c5b70617519e4d86c48beb534c33224d5d8290340212.", "spans": {"TOOL: BITSAdmin": [[72, 81]], "FILEPATH: /usr/local/bin/beacon.dll": [[95, 120]], "TOOL: Burp Suite": [[166, 176]], "FILEPATH: /usr/local/bin/sam.hive": [[228, 251]], "IP_ADDRESS: 192.8.106.85": [[297, 309]], "DOMAIN: edge-secure.club": [[314, 330]], "EMAIL: finance@secure-verify.net": [[375, 400]], "FILEPATH: C:\\ProgramData\\shell.php": [[407, 431]], "HASH: ef97785c16b8e1aca953a72947b111b34d647e54": [[439, 479]], "URL: hxxps://sync-relay.link/secure/token": [[534, 570]], "IP_ADDRESS: 192.131.165.187": [[583, 598]], "HASH: e826f894a0feccd054b3c5b70617519e4d86c48beb534c33224d5d8290340212": [[633, 697]]}, "info": {"id": "synth_v2_01164", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Certutil artifacts at /var/tmp/agent.py. Memory dump analysis confirmed execution of Nmap. Registry modifications pointed to persistence via C:\\Windows\\Tasks\\payload.bin. Network forensics identified connections to 122.110.28.210 and proxyupdate.link. Email headers traced the initial vector to account@urgent-notice.online. File /var/tmp/shell.php (MD5: f3cb935b98de5ab1f88cb0a8c29d34e0) was identified as the initial dropper. A staging URL https://nodegateway.live/callback resolved to 187.113.64.169. 
Secondary artifact hash: SHA256: 68902d29541a21b6d563f4cc80415f88d0111dc7a8c8cc98b6641ee403499e05.", "spans": {"TOOL: Certutil": [[72, 80]], "FILEPATH: /var/tmp/agent.py": [[94, 111]], "TOOL: Nmap": [[157, 161]], "FILEPATH: C:\\Windows\\Tasks\\payload.bin": [[213, 241]], "IP_ADDRESS: 122.110.28.210": [[287, 301]], "DOMAIN: proxyupdate.link": [[306, 322]], "EMAIL: account@urgent-notice.online": [[367, 395]], "FILEPATH: /var/tmp/shell.php": [[402, 420]], "HASH: f3cb935b98de5ab1f88cb0a8c29d34e0": [[427, 459]], "URL: https://nodegateway.live/callback": [[514, 547]], "IP_ADDRESS: 187.113.64.169": [[560, 574]], "HASH: 68902d29541a21b6d563f4cc80415f88d0111dc7a8c8cc98b6641ee403499e05": [[609, 673]]}, "info": {"id": "synth_v2_01165", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Burp Suite artifacts at C:\\Windows\\System32\\shell.php. Memory dump analysis confirmed execution of PowerView. Registry modifications pointed to persistence via C:\\Users\\admin\\Downloads\\csrss.exe. Network forensics identified connections to 10.111.78.63 and gatewayedge.club. Email headers traced the initial vector to contact@credential-check.site. File C:\\Users\\admin\\Downloads\\config.dat (SHA1: 72c2a3c0bd19e42888e49e68382dfd398e4af720) was identified as the initial dropper. A staging URL http://proxynode.com/portal/verify resolved to 54.21.223.230. 
Secondary artifact hash: SHA256: 2f77f71a2c08c6cbac30fdcbba509f7003be71405d0c22b90fdced9c203397cc.", "spans": {"TOOL: Burp Suite": [[72, 82]], "FILEPATH: C:\\Windows\\System32\\shell.php": [[96, 125]], "TOOL: PowerView": [[171, 180]], "FILEPATH: C:\\Users\\admin\\Downloads\\csrss.exe": [[232, 266]], "IP_ADDRESS: 10.111.78.63": [[312, 324]], "DOMAIN: gatewayedge.club": [[329, 345]], "EMAIL: contact@credential-check.site": [[390, 419]], "FILEPATH: C:\\Users\\admin\\Downloads\\config.dat": [[426, 461]], "HASH: 72c2a3c0bd19e42888e49e68382dfd398e4af720": [[469, 509]], "URL: http://proxynode.com/portal/verify": [[564, 598]], "IP_ADDRESS: 54.21.223.230": [[611, 624]], "HASH: 2f77f71a2c08c6cbac30fdcbba509f7003be71405d0c22b90fdced9c203397cc": [[659, 723]]}, "info": {"id": "synth_v2_01166", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed GhostPack artifacts at /opt/app/bin/dropper.ps1. Memory dump analysis confirmed execution of WinPEAS. Registry modifications pointed to persistence via /var/tmp/beacon.dll. Network forensics identified connections to 86.75.40.60 and storagemail.top. Email headers traced the initial vector to ceo@document-share.link. File /usr/local/bin/backdoor.elf (SHA1: beb9f396f5b89e44699ecf672d45f956d823c016) was identified as the initial dropper. A staging URL https://node-static.online/panel/index.html resolved to 163.102.41.241. 
Secondary artifact hash: MD5: 55fbf2d19b6e510f76f9c2b0f5efb81b.", "spans": {"TOOL: GhostPack": [[72, 81]], "FILEPATH: /opt/app/bin/dropper.ps1": [[95, 119]], "TOOL: WinPEAS": [[165, 172]], "FILEPATH: /var/tmp/beacon.dll": [[224, 243]], "IP_ADDRESS: 86.75.40.60": [[289, 300]], "DOMAIN: storagemail.top": [[305, 320]], "EMAIL: ceo@document-share.link": [[365, 388]], "FILEPATH: /usr/local/bin/backdoor.elf": [[395, 422]], "HASH: beb9f396f5b89e44699ecf672d45f956d823c016": [[430, 470]], "URL: https://node-static.online/panel/index.html": [[525, 568]], "IP_ADDRESS: 163.102.41.241": [[581, 595]], "HASH: 55fbf2d19b6e510f76f9c2b0f5efb81b": [[627, 659]]}, "info": {"id": "synth_v2_01167", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed ADFind artifacts at C:\\Windows\\Tasks\\backdoor.elf. Memory dump analysis confirmed execution of Sliver. Registry modifications pointed to persistence via C:\\ProgramData\\chrome_helper.exe. Network forensics identified connections to 172.227.165.195 and storagedata.info. Email headers traced the initial vector to it@auth-check.org. File /home/user/.config/loader.exe (MD5: 007d0c419075844a85c8ec9b07e2686b) was identified as the initial dropper. A staging URL hxxps://mail-gateway.info/collect resolved to 192.60.252.109. 
Secondary artifact hash: SHA1: 1d7428e9adc06b53f68dfe7b4989514ce56d6b88.", "spans": {"TOOL: ADFind": [[72, 78]], "FILEPATH: C:\\Windows\\Tasks\\backdoor.elf": [[92, 121]], "TOOL: Sliver": [[167, 173]], "FILEPATH: C:\\ProgramData\\chrome_helper.exe": [[225, 257]], "IP_ADDRESS: 172.227.165.195": [[303, 318]], "DOMAIN: storagedata.info": [[323, 339]], "EMAIL: it@auth-check.org": [[384, 401]], "FILEPATH: /home/user/.config/loader.exe": [[408, 437]], "HASH: 007d0c419075844a85c8ec9b07e2686b": [[444, 476]], "URL: hxxps://mail-gateway.info/collect": [[531, 564]], "IP_ADDRESS: 192.60.252.109": [[577, 591]], "HASH: 1d7428e9adc06b53f68dfe7b4989514ce56d6b88": [[624, 664]]}, "info": {"id": "synth_v2_01168", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Sharphound artifacts at C:\\Users\\admin\\Desktop\\sam.hive. Memory dump analysis confirmed execution of CrackMapExec. Registry modifications pointed to persistence via C:\\Program Files\\Common Files\\helper.sh. Network forensics identified connections to 189.94.31.214 and cacheproxy.top. Email headers traced the initial vector to security@mail-service.info. File C:\\Windows\\Temp\\update.dll (SHA1: e12466a2460396ee74915b8f9912bf832bf1e76f) was identified as the initial dropper. A staging URL hxxp://login-node.info/portal/verify resolved to 172.98.19.22. 
Secondary artifact hash: SHA256: 1077d226afc07516ccade0010d864d3aebb35ce45d5f123fae3d21af18b38c49.", "spans": {"TOOL: Sharphound": [[72, 82]], "FILEPATH: C:\\Users\\admin\\Desktop\\sam.hive": [[96, 127]], "TOOL: CrackMapExec": [[173, 185]], "FILEPATH: C:\\Program Files\\Common Files\\helper.sh": [[237, 276]], "IP_ADDRESS: 189.94.31.214": [[322, 335]], "DOMAIN: cacheproxy.top": [[340, 354]], "EMAIL: security@mail-service.info": [[399, 425]], "FILEPATH: C:\\Windows\\Temp\\update.dll": [[432, 458]], "HASH: e12466a2460396ee74915b8f9912bf832bf1e76f": [[466, 506]], "URL: hxxp://login-node.info/portal/verify": [[561, 597]], "IP_ADDRESS: 172.98.19.22": [[610, 622]], "HASH: 1077d226afc07516ccade0010d864d3aebb35ce45d5f123fae3d21af18b38c49": [[657, 721]]}, "info": {"id": "synth_v2_01169", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Covenant artifacts at C:\\Users\\admin\\Downloads\\beacon.dll. Memory dump analysis confirmed execution of Havoc. Registry modifications pointed to persistence via C:\\Users\\admin\\Desktop\\ntds.dit. Network forensics identified connections to 112.25.42.206 and edgeupdate.net. Email headers traced the initial vector to ceo@login-portal.tech. File C:\\Users\\admin\\AppData\\Local\\Temp\\shell.php (SHA1: 6fbd1ea03dc1749d4a6937358d6dc1c1ed977ced) was identified as the initial dropper. A staging URL http://datamail.link/callback resolved to 172.4.104.51. 
Secondary artifact hash: SHA1: 87c9429b8496df279c3e271773d463b3c877585f.", "spans": {"TOOL: Covenant": [[72, 80]], "FILEPATH: C:\\Users\\admin\\Downloads\\beacon.dll": [[94, 129]], "TOOL: Havoc": [[175, 180]], "FILEPATH: C:\\Users\\admin\\Desktop\\ntds.dit": [[232, 263]], "IP_ADDRESS: 112.25.42.206": [[309, 322]], "DOMAIN: edgeupdate.net": [[327, 341]], "EMAIL: ceo@login-portal.tech": [[386, 407]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\shell.php": [[414, 457]], "HASH: 6fbd1ea03dc1749d4a6937358d6dc1c1ed977ced": [[465, 505]], "URL: http://datamail.link/callback": [[560, 589]], "IP_ADDRESS: 172.4.104.51": [[602, 614]], "HASH: 87c9429b8496df279c3e271773d463b3c877585f": [[647, 687]]}, "info": {"id": "synth_v2_01170", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Sharphound artifacts at /dev/shm/taskhost.exe. Memory dump analysis confirmed execution of Hashcat. Registry modifications pointed to persistence via /etc/cron.d/winlogon.exe. Network forensics identified connections to 63.78.201.11 and proxy-login.com. Email headers traced the initial vector to billing@identity-verify.cc. File /usr/local/bin/backdoor.elf (MD5: 3b475ae00a89a394509026902caa7a3b) was identified as the initial dropper. A staging URL hxxps://staticcache.net/collect resolved to 125.136.206.163. 
Secondary artifact hash: SHA256: 654ff8b548489a71a8ffe81591016b04da3d219c5a9d5bfcd957c3e1bb87ed52.", "spans": {"TOOL: Sharphound": [[72, 82]], "FILEPATH: /dev/shm/taskhost.exe": [[96, 117]], "TOOL: Hashcat": [[163, 170]], "FILEPATH: /etc/cron.d/winlogon.exe": [[222, 246]], "IP_ADDRESS: 63.78.201.11": [[292, 304]], "DOMAIN: proxy-login.com": [[309, 324]], "EMAIL: billing@identity-verify.cc": [[369, 395]], "FILEPATH: /usr/local/bin/backdoor.elf": [[402, 429]], "HASH: 3b475ae00a89a394509026902caa7a3b": [[436, 468]], "URL: hxxps://staticcache.net/collect": [[523, 554]], "IP_ADDRESS: 125.136.206.163": [[567, 582]], "HASH: 654ff8b548489a71a8ffe81591016b04da3d219c5a9d5bfcd957c3e1bb87ed52": [[617, 681]]}, "info": {"id": "synth_v2_01171", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Havoc artifacts at C:\\Windows\\System32\\loader.exe. Memory dump analysis confirmed execution of Hashcat. Registry modifications pointed to persistence via /etc/cron.d/ntds.dit. Network forensics identified connections to 10.43.182.249 and proxy-relay.tech. Email headers traced the initial vector to confirm@account-update.xyz. File C:\\Windows\\Tasks\\payload.bin (SHA1: cfc8d12241a5d24a9b2c8808ba471120108cc75a) was identified as the initial dropper. A staging URL http://secure-portal.org/portal/verify resolved to 185.111.125.221. 
Secondary artifact hash: MD5: af0b6abbf3b0dc5964b3536a85a2bfe6.", "spans": {"TOOL: Havoc": [[72, 77]], "FILEPATH: C:\\Windows\\System32\\loader.exe": [[91, 121]], "TOOL: Hashcat": [[167, 174]], "FILEPATH: /etc/cron.d/ntds.dit": [[226, 246]], "IP_ADDRESS: 10.43.182.249": [[292, 305]], "DOMAIN: proxy-relay.tech": [[310, 326]], "EMAIL: confirm@account-update.xyz": [[371, 397]], "FILEPATH: C:\\Windows\\Tasks\\payload.bin": [[404, 432]], "HASH: cfc8d12241a5d24a9b2c8808ba471120108cc75a": [[440, 480]], "URL: http://secure-portal.org/portal/verify": [[535, 573]], "IP_ADDRESS: 185.111.125.221": [[586, 601]], "HASH: af0b6abbf3b0dc5964b3536a85a2bfe6": [[633, 665]]}, "info": {"id": "synth_v2_01172", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Brute Ratel artifacts at /tmp/implant.so. Memory dump analysis confirmed execution of PowerShell Empire. Registry modifications pointed to persistence via /etc/cron.d/lsass.dmp. Network forensics identified connections to 1.228.11.213 and static-node.net. Email headers traced the initial vector to it@auth-check.org. File /dev/shm/loader.exe (MD5: 8d852ddc394da2366c238ccf07d8f827) was identified as the initial dropper. A staging URL https://login-cache.top/portal/verify resolved to 213.175.42.171. 
Secondary artifact hash: MD5: 837d71a564d65ec8accc1907b704b50f.", "spans": {"TOOL: Brute Ratel": [[72, 83]], "FILEPATH: /tmp/implant.so": [[97, 112]], "TOOL: PowerShell Empire": [[158, 175]], "FILEPATH: /etc/cron.d/lsass.dmp": [[227, 248]], "IP_ADDRESS: 1.228.11.213": [[294, 306]], "DOMAIN: static-node.net": [[311, 326]], "EMAIL: it@auth-check.org": [[371, 388]], "FILEPATH: /dev/shm/loader.exe": [[395, 414]], "HASH: 8d852ddc394da2366c238ccf07d8f827": [[421, 453]], "URL: https://login-cache.top/portal/verify": [[508, 545]], "IP_ADDRESS: 213.175.42.171": [[558, 572]], "HASH: 837d71a564d65ec8accc1907b704b50f": [[604, 636]]}, "info": {"id": "synth_v2_01173", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Mythic artifacts at C:\\Users\\Public\\Documents\\agent.py. Memory dump analysis confirmed execution of BloodHound. Registry modifications pointed to persistence via C:\\Users\\admin\\Downloads\\winlogon.exe. Network forensics identified connections to 192.125.172.170 and portalstorage.cc. Email headers traced the initial vector to verify@phishing-domain.com. File /tmp/taskhost.exe (MD5: 8eac6863fcdc0bcba6dcf5c13df69cfe) was identified as the initial dropper. A staging URL https://storagebackup.club/admin/config resolved to 70.225.227.112. 
Secondary artifact hash: MD5: 426ed2e78ea72dbb8922cf31e9acd77f.", "spans": {"TOOL: Mythic": [[72, 78]], "FILEPATH: C:\\Users\\Public\\Documents\\agent.py": [[92, 126]], "TOOL: BloodHound": [[172, 182]], "FILEPATH: C:\\Users\\admin\\Downloads\\winlogon.exe": [[234, 271]], "IP_ADDRESS: 192.125.172.170": [[317, 332]], "DOMAIN: portalstorage.cc": [[337, 353]], "EMAIL: verify@phishing-domain.com": [[398, 424]], "FILEPATH: /tmp/taskhost.exe": [[431, 448]], "HASH: 8eac6863fcdc0bcba6dcf5c13df69cfe": [[455, 487]], "URL: https://storagebackup.club/admin/config": [[542, 581]], "IP_ADDRESS: 70.225.227.112": [[594, 608]], "HASH: 426ed2e78ea72dbb8922cf31e9acd77f": [[640, 672]]}, "info": {"id": "synth_v2_01174", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Metasploit artifacts at /tmp/agent.py. Memory dump analysis confirmed execution of Chisel. Registry modifications pointed to persistence via /var/tmp/ntds.dit. Network forensics identified connections to 205.89.72.186 and databackup.live. Email headers traced the initial vector to billing@auth-check.org. File /dev/shm/beacon.dll (SHA256: 59dbbb67daba322fb1ea439f819be2a6fa600b7fbd413315eb79b740525aab40) was identified as the initial dropper. A staging URL hxxps://relayauth.com/api/v2/auth resolved to 192.136.27.125. 
Secondary artifact hash: MD5: f435621b2eb843ae45737f81868806a1.", "spans": {"TOOL: Metasploit": [[72, 82]], "FILEPATH: /tmp/agent.py": [[96, 109]], "TOOL: Chisel": [[155, 161]], "FILEPATH: /var/tmp/ntds.dit": [[213, 230]], "IP_ADDRESS: 205.89.72.186": [[276, 289]], "DOMAIN: databackup.live": [[294, 309]], "EMAIL: billing@auth-check.org": [[354, 376]], "FILEPATH: /dev/shm/beacon.dll": [[383, 402]], "HASH: 59dbbb67daba322fb1ea439f819be2a6fa600b7fbd413315eb79b740525aab40": [[412, 476]], "URL: hxxps://relayauth.com/api/v2/auth": [[531, 564]], "IP_ADDRESS: 192.136.27.125": [[577, 591]], "HASH: f435621b2eb843ae45737f81868806a1": [[623, 655]]}, "info": {"id": "synth_v2_01175", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Ligolo artifacts at C:\\Users\\Public\\Documents\\winlogon.exe. Memory dump analysis confirmed execution of Nmap. Registry modifications pointed to persistence via /usr/local/bin/sam.hive. Network forensics identified connections to 62.36.134.178 and relaynode.tech. Email headers traced the initial vector to alert@login-portal.tech. File C:\\Windows\\Tasks\\helper.sh (MD5: 3907b7f91da58708dd0e6ee9fb4e7f51) was identified as the initial dropper. A staging URL hxxps://syncproxy.info/callback resolved to 35.88.180.242. 
Secondary artifact hash: SHA1: 0212854989ed01c67f6250e5485bb650fe56e008.", "spans": {"TOOL: Ligolo": [[72, 78]], "FILEPATH: C:\\Users\\Public\\Documents\\winlogon.exe": [[92, 130]], "TOOL: Nmap": [[176, 180]], "FILEPATH: /usr/local/bin/sam.hive": [[232, 255]], "IP_ADDRESS: 62.36.134.178": [[301, 314]], "DOMAIN: relaynode.tech": [[319, 333]], "EMAIL: alert@login-portal.tech": [[378, 401]], "FILEPATH: C:\\Windows\\Tasks\\helper.sh": [[408, 434]], "HASH: 3907b7f91da58708dd0e6ee9fb4e7f51": [[441, 473]], "URL: hxxps://syncproxy.info/callback": [[528, 559]], "IP_ADDRESS: 35.88.180.242": [[572, 585]], "HASH: 0212854989ed01c67f6250e5485bb650fe56e008": [[618, 658]]}, "info": {"id": "synth_v2_01176", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed CrackMapExec artifacts at /opt/app/bin/csrss.exe. Memory dump analysis confirmed execution of GhostPack. Registry modifications pointed to persistence via C:\\Windows\\Tasks\\runtime.dll. Network forensics identified connections to 96.178.9.214 and gateway-portal.com. Email headers traced the initial vector to account@mail-service.info. File /opt/app/bin/payload.bin (SHA256: fbd3d9c0cbae32967244f2ef27a3bf7b44515ad8726de5ddf9982c6e94123801) was identified as the initial dropper. A staging URL hxxp://cloud-gateway.org/wp-content/uploads/doc.php resolved to 125.154.249.93. 
Secondary artifact hash: SHA256: 3b9ead3b3e4438feea83ebb8260040819a2cb4f2e4a3bb9ca5a18ce5f51e8cae.", "spans": {"TOOL: CrackMapExec": [[72, 84]], "FILEPATH: /opt/app/bin/csrss.exe": [[98, 120]], "TOOL: GhostPack": [[166, 175]], "FILEPATH: C:\\Windows\\Tasks\\runtime.dll": [[227, 255]], "IP_ADDRESS: 96.178.9.214": [[301, 313]], "DOMAIN: gateway-portal.com": [[318, 336]], "EMAIL: account@mail-service.info": [[381, 406]], "FILEPATH: /opt/app/bin/payload.bin": [[413, 437]], "HASH: fbd3d9c0cbae32967244f2ef27a3bf7b44515ad8726de5ddf9982c6e94123801": [[447, 511]], "URL: hxxp://cloud-gateway.org/wp-content/uploads/doc.php": [[566, 617]], "IP_ADDRESS: 125.154.249.93": [[630, 644]], "HASH: 3b9ead3b3e4438feea83ebb8260040819a2cb4f2e4a3bb9ca5a18ce5f51e8cae": [[679, 743]]}, "info": {"id": "synth_v2_01177", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed WinPEAS artifacts at /home/user/.config/sam.hive. Memory dump analysis confirmed execution of Hashcat. Registry modifications pointed to persistence via C:\\Windows\\Temp\\agent.py. Network forensics identified connections to 207.227.49.66 and authedge.tech. Email headers traced the initial vector to notification@auth-check.org. File C:\\Windows\\Temp\\sam.hive (SHA256: d41372dd2da9739c0613aa1cf181a91a7628316c65cdd42744069c7203294f18) was identified as the initial dropper. A staging URL https://node-cloud.online/secure/token resolved to 172.250.125.250. 
Secondary artifact hash: MD5: 8ad07133d461910c2e99090c9c58ae27.", "spans": {"TOOL: WinPEAS": [[72, 79]], "FILEPATH: /home/user/.config/sam.hive": [[93, 120]], "TOOL: Hashcat": [[166, 173]], "FILEPATH: C:\\Windows\\Temp\\agent.py": [[225, 249]], "IP_ADDRESS: 207.227.49.66": [[295, 308]], "DOMAIN: authedge.tech": [[313, 326]], "EMAIL: notification@auth-check.org": [[371, 398]], "FILEPATH: C:\\Windows\\Temp\\sam.hive": [[405, 429]], "HASH: d41372dd2da9739c0613aa1cf181a91a7628316c65cdd42744069c7203294f18": [[439, 503]], "URL: https://node-cloud.online/secure/token": [[558, 596]], "IP_ADDRESS: 172.250.125.250": [[609, 624]], "HASH: 8ad07133d461910c2e99090c9c58ae27": [[656, 688]]}, "info": {"id": "synth_v2_01178", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed GhostPack artifacts at C:\\Users\\admin\\Desktop\\update.dll. Memory dump analysis confirmed execution of Sharphound. Registry modifications pointed to persistence via C:\\Users\\Public\\Documents\\sam.hive. Network forensics identified connections to 10.39.235.90 and portal-relay.cc. Email headers traced the initial vector to hr@document-share.link. File C:\\Windows\\Temp\\runtime.dll (SHA1: 00b472a7ef475a63668c17948525561e7c369d96) was identified as the initial dropper. A staging URL hxxp://proxy-edge.site/panel/index.html resolved to 192.20.53.113. 
Secondary artifact hash: MD5: c48b4cf283597b4f25d38ba6bf4eff08.", "spans": {"TOOL: GhostPack": [[72, 81]], "FILEPATH: C:\\Users\\admin\\Desktop\\update.dll": [[95, 128]], "TOOL: Sharphound": [[174, 184]], "FILEPATH: C:\\Users\\Public\\Documents\\sam.hive": [[236, 270]], "IP_ADDRESS: 10.39.235.90": [[316, 328]], "DOMAIN: portal-relay.cc": [[333, 348]], "EMAIL: hr@document-share.link": [[393, 415]], "FILEPATH: C:\\Windows\\Temp\\runtime.dll": [[422, 449]], "HASH: 00b472a7ef475a63668c17948525561e7c369d96": [[457, 497]], "URL: hxxp://proxy-edge.site/panel/index.html": [[552, 591]], "IP_ADDRESS: 192.20.53.113": [[604, 617]], "HASH: c48b4cf283597b4f25d38ba6bf4eff08": [[649, 681]]}, "info": {"id": "synth_v2_01179", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed LaZagne artifacts at /opt/app/bin/winlogon.exe. Memory dump analysis confirmed execution of ADFind. Registry modifications pointed to persistence via C:\\Users\\Public\\Documents\\lsass.dmp. Network forensics identified connections to 192.217.227.103 and mail-mail.club. Email headers traced the initial vector to contact@phishing-domain.com. File C:\\Windows\\System32\\taskhost.exe (SHA1: b925ef5a1bfe13ed90fb0d58cac8fb4840c97931) was identified as the initial dropper. A staging URL hxxp://cdnrelay.org/panel/index.html resolved to 172.101.219.125. 
Secondary artifact hash: MD5: c53468ce263953cd06f72b572bdaf3be.", "spans": {"TOOL: LaZagne": [[72, 79]], "FILEPATH: /opt/app/bin/winlogon.exe": [[93, 118]], "TOOL: ADFind": [[164, 170]], "FILEPATH: C:\\Users\\Public\\Documents\\lsass.dmp": [[222, 257]], "IP_ADDRESS: 192.217.227.103": [[303, 318]], "DOMAIN: mail-mail.club": [[323, 337]], "EMAIL: contact@phishing-domain.com": [[382, 409]], "FILEPATH: C:\\Windows\\System32\\taskhost.exe": [[416, 448]], "HASH: b925ef5a1bfe13ed90fb0d58cac8fb4840c97931": [[456, 496]], "URL: hxxp://cdnrelay.org/panel/index.html": [[551, 587]], "IP_ADDRESS: 172.101.219.125": [[600, 615]], "HASH: c53468ce263953cd06f72b572bdaf3be": [[647, 679]]}, "info": {"id": "synth_v2_01180", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Ligolo artifacts at /tmp/backdoor.elf. Memory dump analysis confirmed execution of Havoc. Registry modifications pointed to persistence via C:\\ProgramData\\runtime.dll. Network forensics identified connections to 10.139.97.13 and staticdata.site. Email headers traced the initial vector to helpdesk@auth-check.org. File /var/tmp/csrss.exe (SHA256: eca409dd8e0dd22accc1dc85728be4b9714d4b28f917ea74ace5daddcc7f5703) was identified as the initial dropper. A staging URL hxxps://cachegateway.online/assets/js/payload.js resolved to 220.158.84.127. 
Secondary artifact hash: SHA256: cd3ab10f7d3c6ad3da62e14db14ecd84a00109997635dfffd3f303c4ecaf44a9.", "spans": {"TOOL: Ligolo": [[72, 78]], "FILEPATH: /tmp/backdoor.elf": [[92, 109]], "TOOL: Havoc": [[155, 160]], "FILEPATH: C:\\ProgramData\\runtime.dll": [[212, 238]], "IP_ADDRESS: 10.139.97.13": [[284, 296]], "DOMAIN: staticdata.site": [[301, 316]], "EMAIL: helpdesk@auth-check.org": [[361, 384]], "FILEPATH: /var/tmp/csrss.exe": [[391, 409]], "HASH: eca409dd8e0dd22accc1dc85728be4b9714d4b28f917ea74ace5daddcc7f5703": [[419, 483]], "URL: hxxps://cachegateway.online/assets/js/payload.js": [[538, 586]], "IP_ADDRESS: 220.158.84.127": [[599, 613]], "HASH: cd3ab10f7d3c6ad3da62e14db14ecd84a00109997635dfffd3f303c4ecaf44a9": [[648, 712]]}, "info": {"id": "synth_v2_01181", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Mythic artifacts at /usr/local/bin/loader.exe. Memory dump analysis confirmed execution of LinPEAS. Registry modifications pointed to persistence via C:\\Windows\\Temp\\runtime.dll. Network forensics identified connections to 172.223.186.144 and securegateway.xyz. Email headers traced the initial vector to verify@document-share.link. File C:\\Windows\\Temp\\update.dll (MD5: 25dd4e3dbff622622ba62cdfb52da5e2) was identified as the initial dropper. A staging URL http://apilogin.dev/callback resolved to 172.12.89.250. 
Secondary artifact hash: SHA1: f55c73ad686980efb9fb329606b2ed241a5e0321.", "spans": {"TOOL: Mythic": [[72, 78]], "FILEPATH: /usr/local/bin/loader.exe": [[92, 117]], "TOOL: LinPEAS": [[163, 170]], "FILEPATH: C:\\Windows\\Temp\\runtime.dll": [[222, 249]], "IP_ADDRESS: 172.223.186.144": [[295, 310]], "DOMAIN: securegateway.xyz": [[315, 332]], "EMAIL: verify@document-share.link": [[377, 403]], "FILEPATH: C:\\Windows\\Temp\\update.dll": [[410, 436]], "HASH: 25dd4e3dbff622622ba62cdfb52da5e2": [[443, 475]], "URL: http://apilogin.dev/callback": [[530, 558]], "IP_ADDRESS: 172.12.89.250": [[571, 584]], "HASH: f55c73ad686980efb9fb329606b2ed241a5e0321": [[617, 657]]}, "info": {"id": "synth_v2_01182", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Seatbelt artifacts at C:\\Users\\Public\\Documents\\chrome_helper.exe. Memory dump analysis confirmed execution of Hashcat. Registry modifications pointed to persistence via C:\\Windows\\System32\\payload.bin. Network forensics identified connections to 172.81.193.22 and staticbackup.site. Email headers traced the initial vector to updates@mail-service.info. File /tmp/config.dat (SHA256: 6020ba3371a662a792583c8c57d6458b29b9d839deb02b6fad8f62cb29a40752) was identified as the initial dropper. A staging URL hxxp://portalmail.club/download/update.exe resolved to 192.250.75.216. 
Secondary artifact hash: MD5: c824da4473e88f4315149d186def9d40.", "spans": {"TOOL: Seatbelt": [[72, 80]], "FILEPATH: C:\\Users\\Public\\Documents\\chrome_helper.exe": [[94, 137]], "TOOL: Hashcat": [[183, 190]], "FILEPATH: C:\\Windows\\System32\\payload.bin": [[242, 273]], "IP_ADDRESS: 172.81.193.22": [[319, 332]], "DOMAIN: staticbackup.site": [[337, 354]], "EMAIL: updates@mail-service.info": [[399, 424]], "FILEPATH: /tmp/config.dat": [[431, 446]], "HASH: 6020ba3371a662a792583c8c57d6458b29b9d839deb02b6fad8f62cb29a40752": [[456, 520]], "URL: hxxp://portalmail.club/download/update.exe": [[575, 617]], "IP_ADDRESS: 192.250.75.216": [[630, 644]], "HASH: c824da4473e88f4315149d186def9d40": [[676, 708]]}, "info": {"id": "synth_v2_01183", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Sharphound artifacts at /etc/cron.d/winlogon.exe. Memory dump analysis confirmed execution of Certutil. Registry modifications pointed to persistence via /usr/local/bin/agent.py. Network forensics identified connections to 22.109.195.236 and cloud-edge.live. Email headers traced the initial vector to alert@document-share.link. File C:\\ProgramData\\taskhost.exe (SHA1: 213fe93b81928609f1b06209c4151478790cda64) was identified as the initial dropper. A staging URL https://relay-gateway.io/api/v2/auth resolved to 49.9.173.37. 
Secondary artifact hash: SHA256: 57d7e72f63a13cd53260efd61521680f35f37bc1ba68bdad5736b28ac80a4420.", "spans": {"TOOL: Sharphound": [[72, 82]], "FILEPATH: /etc/cron.d/winlogon.exe": [[96, 120]], "TOOL: Certutil": [[166, 174]], "FILEPATH: /usr/local/bin/agent.py": [[226, 249]], "IP_ADDRESS: 22.109.195.236": [[295, 309]], "DOMAIN: cloud-edge.live": [[314, 329]], "EMAIL: alert@document-share.link": [[374, 399]], "FILEPATH: C:\\ProgramData\\taskhost.exe": [[406, 433]], "HASH: 213fe93b81928609f1b06209c4151478790cda64": [[441, 481]], "URL: https://relay-gateway.io/api/v2/auth": [[536, 572]], "IP_ADDRESS: 49.9.173.37": [[585, 596]], "HASH: 57d7e72f63a13cd53260efd61521680f35f37bc1ba68bdad5736b28ac80a4420": [[631, 695]]}, "info": {"id": "synth_v2_01184", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed SharpHound artifacts at /usr/local/bin/beacon.dll. Memory dump analysis confirmed execution of Merlin. Registry modifications pointed to persistence via C:\\ProgramData\\backdoor.elf. Network forensics identified connections to 172.124.101.63 and relay-secure.io. Email headers traced the initial vector to service@phishing-domain.com. File C:\\Users\\admin\\Desktop\\payload.bin (SHA256: a0e0c676f1f7c2be4d95ca9263b202536e129cb78a4e3c8add640e0fe7f5b983) was identified as the initial dropper. A staging URL http://update-node.online/portal/verify resolved to 69.30.49.29. 
Secondary artifact hash: SHA256: b1f45be04ecddcb1d8f5aa7ebf865b7d6fc3a7f076680ed3d8b192c4bbdb99f0.", "spans": {"TOOL: SharpHound": [[72, 82]], "FILEPATH: /usr/local/bin/beacon.dll": [[96, 121]], "TOOL: Merlin": [[167, 173]], "FILEPATH: C:\\ProgramData\\backdoor.elf": [[225, 252]], "IP_ADDRESS: 172.124.101.63": [[298, 312]], "DOMAIN: relay-secure.io": [[317, 332]], "EMAIL: service@phishing-domain.com": [[377, 404]], "FILEPATH: C:\\Users\\admin\\Desktop\\payload.bin": [[411, 445]], "HASH: a0e0c676f1f7c2be4d95ca9263b202536e129cb78a4e3c8add640e0fe7f5b983": [[455, 519]], "URL: http://update-node.online/portal/verify": [[574, 613]], "IP_ADDRESS: 69.30.49.29": [[626, 637]], "HASH: b1f45be04ecddcb1d8f5aa7ebf865b7d6fc3a7f076680ed3d8b192c4bbdb99f0": [[672, 736]]}, "info": {"id": "synth_v2_01185", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Covenant artifacts at C:\\Windows\\Tasks\\beacon.dll. Memory dump analysis confirmed execution of Impacket. Registry modifications pointed to persistence via C:\\Users\\admin\\AppData\\Local\\Temp\\shell.php. Network forensics identified connections to 112.55.121.199 and gatewayproxy.club. Email headers traced the initial vector to contact@account-update.xyz. File C:\\Windows\\Temp\\ntds.dit (SHA1: ff1264517e7f9008f3d6ae77a4ab7ec4754ba7be) was identified as the initial dropper. A staging URL https://proxy-login.com/panel/index.html resolved to 97.73.191.1. 
Secondary artifact hash: SHA1: 0c962f371cf05264eebcf1faa399691b86541f7f.", "spans": {"TOOL: Covenant": [[72, 80]], "FILEPATH: C:\\Windows\\Tasks\\beacon.dll": [[94, 121]], "TOOL: Impacket": [[167, 175]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\shell.php": [[227, 270]], "IP_ADDRESS: 112.55.121.199": [[316, 330]], "DOMAIN: gatewayproxy.club": [[335, 352]], "EMAIL: contact@account-update.xyz": [[397, 423]], "FILEPATH: C:\\Windows\\Temp\\ntds.dit": [[430, 454]], "HASH: ff1264517e7f9008f3d6ae77a4ab7ec4754ba7be": [[462, 502]], "URL: https://proxy-login.com/panel/index.html": [[557, 597]], "IP_ADDRESS: 97.73.191.1": [[610, 621]], "HASH: 0c962f371cf05264eebcf1faa399691b86541f7f": [[654, 694]]}, "info": {"id": "synth_v2_01186", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed BITSAdmin artifacts at C:\\Users\\admin\\Desktop\\dropper.ps1. Memory dump analysis confirmed execution of ADFind. Registry modifications pointed to persistence via C:\\Users\\admin\\AppData\\Local\\Temp\\agent.py. Network forensics identified connections to 10.115.82.100 and relaybackup.net. Email headers traced the initial vector to info@identity-verify.cc. File C:\\Users\\Public\\Documents\\loader.exe (MD5: fb1997cdf75f005338ba055108262574) was identified as the initial dropper. A staging URL hxxps://storage-data.cc/callback resolved to 168.168.205.66. 
Secondary artifact hash: SHA1: 5688978ac750cc96f89feedf187a3f54534fda66.", "spans": {"TOOL: BITSAdmin": [[72, 81]], "FILEPATH: C:\\Users\\admin\\Desktop\\dropper.ps1": [[95, 129]], "TOOL: ADFind": [[175, 181]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\agent.py": [[233, 275]], "IP_ADDRESS: 10.115.82.100": [[321, 334]], "DOMAIN: relaybackup.net": [[339, 354]], "EMAIL: info@identity-verify.cc": [[399, 422]], "FILEPATH: C:\\Users\\Public\\Documents\\loader.exe": [[429, 465]], "HASH: fb1997cdf75f005338ba055108262574": [[472, 504]], "URL: hxxps://storage-data.cc/callback": [[559, 591]], "IP_ADDRESS: 168.168.205.66": [[604, 618]], "HASH: 5688978ac750cc96f89feedf187a3f54534fda66": [[651, 691]]}, "info": {"id": "synth_v2_01187", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed CrackMapExec artifacts at /usr/local/bin/shell.php. Memory dump analysis confirmed execution of BITSAdmin. Registry modifications pointed to persistence via C:\\Users\\admin\\AppData\\Local\\Temp\\shell.php. Network forensics identified connections to 172.58.230.175 and cloud-portal.io. Email headers traced the initial vector to service@credential-check.site. File /dev/shm/svchost.exe (SHA256: 936e4eaadb4717d1990c15dc24e401d2a9f0d47dbad03bc26b02e0e8ed4a24f4) was identified as the initial dropper. A staging URL hxxps://relay-sync.org/secure/token resolved to 10.35.191.144. 
Secondary artifact hash: MD5: 64c6c797c30f7e11cd114ee28a5751eb.", "spans": {"TOOL: CrackMapExec": [[72, 84]], "FILEPATH: /usr/local/bin/shell.php": [[98, 122]], "TOOL: BITSAdmin": [[168, 177]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\shell.php": [[229, 272]], "IP_ADDRESS: 172.58.230.175": [[318, 332]], "DOMAIN: cloud-portal.io": [[337, 352]], "EMAIL: service@credential-check.site": [[397, 426]], "FILEPATH: /dev/shm/svchost.exe": [[433, 453]], "HASH: 936e4eaadb4717d1990c15dc24e401d2a9f0d47dbad03bc26b02e0e8ed4a24f4": [[463, 527]], "URL: hxxps://relay-sync.org/secure/token": [[582, 617]], "IP_ADDRESS: 10.35.191.144": [[630, 643]], "HASH: 64c6c797c30f7e11cd114ee28a5751eb": [[675, 707]]}, "info": {"id": "synth_v2_01188", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Havoc artifacts at /var/tmp/chrome_helper.exe. Memory dump analysis confirmed execution of Covenant. Registry modifications pointed to persistence via /var/tmp/lsass.dmp. Network forensics identified connections to 10.89.57.109 and nodeupdate.org. Email headers traced the initial vector to report@login-portal.tech. File C:\\Windows\\System32\\winlogon.exe (SHA256: 1ad1da004cd3d5cfca8762f44ebbd556159d01d134a17386bda8e3b4e9d5fbc1) was identified as the initial dropper. A staging URL https://mail-edge.xyz/wp-content/uploads/doc.php resolved to 192.233.187.203. 
Secondary artifact hash: MD5: 45fccbaef432937befcd158a8399982b.", "spans": {"TOOL: Havoc": [[72, 77]], "FILEPATH: /var/tmp/chrome_helper.exe": [[91, 117]], "TOOL: Covenant": [[163, 171]], "FILEPATH: /var/tmp/lsass.dmp": [[223, 241]], "IP_ADDRESS: 10.89.57.109": [[287, 299]], "DOMAIN: nodeupdate.org": [[304, 318]], "EMAIL: report@login-portal.tech": [[363, 387]], "FILEPATH: C:\\Windows\\System32\\winlogon.exe": [[394, 426]], "HASH: 1ad1da004cd3d5cfca8762f44ebbd556159d01d134a17386bda8e3b4e9d5fbc1": [[436, 500]], "URL: https://mail-edge.xyz/wp-content/uploads/doc.php": [[555, 603]], "IP_ADDRESS: 192.233.187.203": [[616, 631]], "HASH: 45fccbaef432937befcd158a8399982b": [[663, 695]]}, "info": {"id": "synth_v2_01189", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Merlin artifacts at C:\\ProgramData\\svchost.exe. Memory dump analysis confirmed execution of GhostPack. Registry modifications pointed to persistence via C:\\Program Files\\Common Files\\csrss.exe. Network forensics identified connections to 80.173.129.97 and api-backup.com. Email headers traced the initial vector to info@account-update.xyz. File C:\\Windows\\Tasks\\helper.sh (MD5: c211ee1e68447fe7d7870f46fbdacbb7) was identified as the initial dropper. A staging URL https://cloud-api.cc/secure/token resolved to 192.176.62.7. 
Secondary artifact hash: SHA256: 8a5cc2effcc53140675759b5f3e5a15769f1b7faffbcd1d4121b3bfb95ac9363.", "spans": {"TOOL: Merlin": [[72, 78]], "FILEPATH: C:\\ProgramData\\svchost.exe": [[92, 118]], "TOOL: GhostPack": [[164, 173]], "FILEPATH: C:\\Program Files\\Common Files\\csrss.exe": [[225, 264]], "IP_ADDRESS: 80.173.129.97": [[310, 323]], "DOMAIN: api-backup.com": [[328, 342]], "EMAIL: info@account-update.xyz": [[387, 410]], "FILEPATH: C:\\Windows\\Tasks\\helper.sh": [[417, 443]], "HASH: c211ee1e68447fe7d7870f46fbdacbb7": [[450, 482]], "URL: https://cloud-api.cc/secure/token": [[537, 570]], "IP_ADDRESS: 192.176.62.7": [[583, 595]], "HASH: 8a5cc2effcc53140675759b5f3e5a15769f1b7faffbcd1d4121b3bfb95ac9363": [[630, 694]]}, "info": {"id": "synth_v2_01190", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Impacket artifacts at /dev/shm/shell.php. Memory dump analysis confirmed execution of CrackMapExec. Registry modifications pointed to persistence via C:\\Windows\\Temp\\helper.sh. Network forensics identified connections to 127.41.248.180 and cdncache.info. Email headers traced the initial vector to hr@identity-verify.cc. File /opt/app/bin/implant.so (MD5: 6a115677993d4691477f2fb952a642a0) was identified as the initial dropper. A staging URL https://storage-api.site/panel/index.html resolved to 10.16.176.106. 
Secondary artifact hash: SHA256: 139229bc5787d6b98ec393bab060212dce46cff080016305cf7df3e64c1838ae.", "spans": {"TOOL: Impacket": [[72, 80]], "FILEPATH: /dev/shm/shell.php": [[94, 112]], "TOOL: CrackMapExec": [[158, 170]], "FILEPATH: C:\\Windows\\Temp\\helper.sh": [[222, 247]], "IP_ADDRESS: 127.41.248.180": [[293, 307]], "DOMAIN: cdncache.info": [[312, 325]], "EMAIL: hr@identity-verify.cc": [[370, 391]], "FILEPATH: /opt/app/bin/implant.so": [[398, 421]], "HASH: 6a115677993d4691477f2fb952a642a0": [[428, 460]], "URL: https://storage-api.site/panel/index.html": [[515, 556]], "IP_ADDRESS: 10.16.176.106": [[569, 582]], "HASH: 139229bc5787d6b98ec393bab060212dce46cff080016305cf7df3e64c1838ae": [[617, 681]]}, "info": {"id": "synth_v2_01191", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Hashcat artifacts at /var/tmp/dropper.ps1. Memory dump analysis confirmed execution of Sharphound. Registry modifications pointed to persistence via /opt/app/bin/runtime.dll. Network forensics identified connections to 30.232.206.118 and syncdata.info. Email headers traced the initial vector to notification@credential-check.site. File /var/tmp/sam.hive (MD5: 6bbc016c66942019e0042e624f36cb26) was identified as the initial dropper. A staging URL hxxp://api-proxy.link/login resolved to 222.223.31.3. 
Secondary artifact hash: SHA1: de234f683902f93c597b9f70480c059ca7105608.", "spans": {"TOOL: Hashcat": [[72, 79]], "FILEPATH: /var/tmp/dropper.ps1": [[93, 113]], "TOOL: Sharphound": [[159, 169]], "FILEPATH: /opt/app/bin/runtime.dll": [[221, 245]], "IP_ADDRESS: 30.232.206.118": [[291, 305]], "DOMAIN: syncdata.info": [[310, 323]], "EMAIL: notification@credential-check.site": [[368, 402]], "FILEPATH: /var/tmp/sam.hive": [[409, 426]], "HASH: 6bbc016c66942019e0042e624f36cb26": [[433, 465]], "URL: hxxp://api-proxy.link/login": [[520, 547]], "IP_ADDRESS: 222.223.31.3": [[560, 572]], "HASH: de234f683902f93c597b9f70480c059ca7105608": [[605, 645]]}, "info": {"id": "synth_v2_01192", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Metasploit artifacts at /var/tmp/helper.sh. Memory dump analysis confirmed execution of Certutil. Registry modifications pointed to persistence via C:\\Users\\admin\\Downloads\\backdoor.elf. Network forensics identified connections to 223.174.59.200 and relaycloud.live. Email headers traced the initial vector to info@auth-check.org. File C:\\Program Files\\Common Files\\sam.hive (MD5: e90b5c6f63028736b96242d567db123a) was identified as the initial dropper. A staging URL https://updatestorage.live/download/update.exe resolved to 172.143.22.151. 
Secondary artifact hash: MD5: 3c55d5377d8b8b08f7b53a75325b22fa.", "spans": {"TOOL: Metasploit": [[72, 82]], "FILEPATH: /var/tmp/helper.sh": [[96, 114]], "TOOL: Certutil": [[160, 168]], "FILEPATH: C:\\Users\\admin\\Downloads\\backdoor.elf": [[220, 257]], "IP_ADDRESS: 223.174.59.200": [[303, 317]], "DOMAIN: relaycloud.live": [[322, 337]], "EMAIL: info@auth-check.org": [[382, 401]], "FILEPATH: C:\\Program Files\\Common Files\\sam.hive": [[408, 446]], "HASH: e90b5c6f63028736b96242d567db123a": [[453, 485]], "URL: https://updatestorage.live/download/update.exe": [[540, 586]], "IP_ADDRESS: 172.143.22.151": [[599, 613]], "HASH: 3c55d5377d8b8b08f7b53a75325b22fa": [[645, 677]]}, "info": {"id": "synth_v2_01193", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed LinPEAS artifacts at /dev/shm/update.dll. Memory dump analysis confirmed execution of Chisel. Registry modifications pointed to persistence via C:\\Windows\\Tasks\\implant.so. Network forensics identified connections to 106.60.53.28 and mailbackup.top. Email headers traced the initial vector to contact@auth-check.org. File /etc/cron.d/shell.php (SHA1: cf2190edd3bf57c794d13b2bf730275966045f7e) was identified as the initial dropper. A staging URL http://loginnode.cc/download/update.exe resolved to 172.242.200.79. 
Secondary artifact hash: MD5: d5650ee4cb905ef3351d05e23657789a.", "spans": {"TOOL: LinPEAS": [[72, 79]], "FILEPATH: /dev/shm/update.dll": [[93, 112]], "TOOL: Chisel": [[158, 164]], "FILEPATH: C:\\Windows\\Tasks\\implant.so": [[216, 243]], "IP_ADDRESS: 106.60.53.28": [[289, 301]], "DOMAIN: mailbackup.top": [[306, 320]], "EMAIL: contact@auth-check.org": [[365, 387]], "FILEPATH: /etc/cron.d/shell.php": [[394, 415]], "HASH: cf2190edd3bf57c794d13b2bf730275966045f7e": [[423, 463]], "URL: http://loginnode.cc/download/update.exe": [[518, 557]], "IP_ADDRESS: 172.242.200.79": [[570, 584]], "HASH: d5650ee4cb905ef3351d05e23657789a": [[616, 648]]}, "info": {"id": "synth_v2_01194", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed ADFind artifacts at C:\\Users\\admin\\Downloads\\lsass.dmp. Memory dump analysis confirmed execution of Rubeus. Registry modifications pointed to persistence via /tmp/agent.py. Network forensics identified connections to 192.5.132.245 and portalcache.club. Email headers traced the initial vector to contact@secure-verify.net. File /opt/app/bin/backdoor.elf (SHA1: 2f06e5e77c2316bcc698764210ecbb4911f3a7b8) was identified as the initial dropper. A staging URL http://node-login.dev/panel/index.html resolved to 136.178.213.3. 
Secondary artifact hash: SHA256: f16b28019a254c809fa3ef4c7f20e19cb8d5c03a8fcdeceedff3211119567cb6.", "spans": {"TOOL: ADFind": [[72, 78]], "FILEPATH: C:\\Users\\admin\\Downloads\\lsass.dmp": [[92, 126]], "TOOL: Rubeus": [[172, 178]], "FILEPATH: /tmp/agent.py": [[230, 243]], "IP_ADDRESS: 192.5.132.245": [[289, 302]], "DOMAIN: portalcache.club": [[307, 323]], "EMAIL: contact@secure-verify.net": [[368, 393]], "FILEPATH: /opt/app/bin/backdoor.elf": [[400, 425]], "HASH: 2f06e5e77c2316bcc698764210ecbb4911f3a7b8": [[433, 473]], "URL: http://node-login.dev/panel/index.html": [[528, 566]], "IP_ADDRESS: 136.178.213.3": [[579, 592]], "HASH: f16b28019a254c809fa3ef4c7f20e19cb8d5c03a8fcdeceedff3211119567cb6": [[627, 691]]}, "info": {"id": "synth_v2_01195", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed GhostPack artifacts at /dev/shm/update.dll. Memory dump analysis confirmed execution of Impacket. Registry modifications pointed to persistence via C:\\Windows\\Tasks\\sam.hive. Network forensics identified connections to 11.105.208.37 and relay-api.top. Email headers traced the initial vector to support@credential-check.site. File C:\\Windows\\Tasks\\sam.hive (SHA1: cbfcb01457735f027b930200bd4ace3fbde0d043) was identified as the initial dropper. A staging URL http://mail-auth.org/download/update.exe resolved to 58.254.239.151. 
Secondary artifact hash: MD5: d2101a073e6a732570fcab70298516a4.", "spans": {"TOOL: GhostPack": [[72, 81]], "FILEPATH: /dev/shm/update.dll": [[95, 114]], "TOOL: Impacket": [[160, 168]], "FILEPATH: C:\\Windows\\Tasks\\sam.hive": [[220, 245], [220, 245]], "IP_ADDRESS: 11.105.208.37": [[291, 304]], "DOMAIN: relay-api.top": [[309, 322]], "EMAIL: support@credential-check.site": [[367, 396]], "HASH: cbfcb01457735f027b930200bd4ace3fbde0d043": [[436, 476]], "URL: http://mail-auth.org/download/update.exe": [[531, 571]], "IP_ADDRESS: 58.254.239.151": [[584, 598]], "HASH: d2101a073e6a732570fcab70298516a4": [[630, 662]]}, "info": {"id": "synth_v2_01196", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed WinPEAS artifacts at C:\\Users\\admin\\Downloads\\update.dll. Memory dump analysis confirmed execution of Mythic. Registry modifications pointed to persistence via C:\\Program Files\\Common Files\\dropper.ps1. Network forensics identified connections to 10.123.26.202 and updateportal.live. Email headers traced the initial vector to admin@identity-verify.cc. File C:\\Users\\admin\\Downloads\\agent.py (SHA256: 62f57f3e7ff60d48cd8c4c7e1f95c4d48abb90fbc0728a7c0537b567adfa777b) was identified as the initial dropper. A staging URL https://dataupdate.site/admin/config resolved to 10.117.129.72. 
Secondary artifact hash: SHA256: 72bce74331d3aa18022936633fbece31d60da5356cd78419cd8d2f9aefd82f2a.", "spans": {"TOOL: WinPEAS": [[72, 79]], "FILEPATH: C:\\Users\\admin\\Downloads\\update.dll": [[93, 128]], "TOOL: Mythic": [[174, 180]], "FILEPATH: C:\\Program Files\\Common Files\\dropper.ps1": [[232, 273]], "IP_ADDRESS: 10.123.26.202": [[319, 332]], "DOMAIN: updateportal.live": [[337, 354]], "EMAIL: admin@identity-verify.cc": [[399, 423]], "FILEPATH: C:\\Users\\admin\\Downloads\\agent.py": [[430, 463]], "HASH: 62f57f3e7ff60d48cd8c4c7e1f95c4d48abb90fbc0728a7c0537b567adfa777b": [[473, 537]], "URL: https://dataupdate.site/admin/config": [[592, 628]], "IP_ADDRESS: 10.117.129.72": [[641, 654]], "HASH: 72bce74331d3aa18022936633fbece31d60da5356cd78419cd8d2f9aefd82f2a": [[689, 753]]}, "info": {"id": "synth_v2_01197", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Mythic artifacts at C:\\Windows\\System32\\runtime.dll. Memory dump analysis confirmed execution of Covenant. Registry modifications pointed to persistence via /opt/app/bin/sam.hive. Network forensics identified connections to 24.69.175.63 and syncsync.io. Email headers traced the initial vector to confirm@auth-check.org. File C:\\Users\\admin\\Desktop\\winlogon.exe (SHA256: b86e29372fdc04cd8ef14e6b2160d1838f222c2b1948bc4ce94095a243a58a6b) was identified as the initial dropper. A staging URL https://edgeproxy.link/wp-content/uploads/doc.php resolved to 184.24.16.202. 
Secondary artifact hash: SHA1: b05554c70364f2f60a798729b13872fe29f2ce54.", "spans": {"TOOL: Mythic": [[72, 78]], "FILEPATH: C:\\Windows\\System32\\runtime.dll": [[92, 123]], "TOOL: Covenant": [[169, 177]], "FILEPATH: /opt/app/bin/sam.hive": [[229, 250]], "IP_ADDRESS: 24.69.175.63": [[296, 308]], "DOMAIN: syncsync.io": [[313, 324]], "EMAIL: confirm@auth-check.org": [[369, 391]], "FILEPATH: C:\\Users\\admin\\Desktop\\winlogon.exe": [[398, 433]], "HASH: b86e29372fdc04cd8ef14e6b2160d1838f222c2b1948bc4ce94095a243a58a6b": [[443, 507]], "URL: https://edgeproxy.link/wp-content/uploads/doc.php": [[562, 611]], "IP_ADDRESS: 184.24.16.202": [[624, 637]], "HASH: b05554c70364f2f60a798729b13872fe29f2ce54": [[670, 710]]}, "info": {"id": "synth_v2_01198", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Havoc artifacts at C:\\Users\\Public\\Documents\\taskhost.exe. Memory dump analysis confirmed execution of Sliver. Registry modifications pointed to persistence via C:\\Windows\\Temp\\backdoor.elf. Network forensics identified connections to 192.3.165.64 and updateproxy.io. Email headers traced the initial vector to confirm@urgent-notice.online. File C:\\Users\\admin\\Downloads\\csrss.exe (MD5: ca2e43e0d51d5aa85fb9ed9fdf332d94) was identified as the initial dropper. A staging URL hxxp://edgeportal.com/login resolved to 106.154.67.94. 
Secondary artifact hash: MD5: d278f188220e7ccfa1ecb1e51fbc3a94.", "spans": {"TOOL: Havoc": [[72, 77]], "FILEPATH: C:\\Users\\Public\\Documents\\taskhost.exe": [[91, 129]], "TOOL: Sliver": [[175, 181]], "FILEPATH: C:\\Windows\\Temp\\backdoor.elf": [[233, 261]], "IP_ADDRESS: 192.3.165.64": [[307, 319]], "DOMAIN: updateproxy.io": [[324, 338]], "EMAIL: confirm@urgent-notice.online": [[383, 411]], "FILEPATH: C:\\Users\\admin\\Downloads\\csrss.exe": [[418, 452]], "HASH: ca2e43e0d51d5aa85fb9ed9fdf332d94": [[459, 491]], "URL: hxxp://edgeportal.com/login": [[546, 573]], "IP_ADDRESS: 106.154.67.94": [[586, 599]], "HASH: d278f188220e7ccfa1ecb1e51fbc3a94": [[631, 663]]}, "info": {"id": "synth_v2_01199", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed SharpHound artifacts at /var/tmp/shell.php. Memory dump analysis confirmed execution of Covenant. Registry modifications pointed to persistence via C:\\Windows\\System32\\config.dat. Network forensics identified connections to 10.166.205.247 and securenode.online. Email headers traced the initial vector to info@mail-service.info. File C:\\Users\\Public\\Documents\\helper.sh (SHA256: b7f0f4cf45fca295d1ade884e5f7db5157b3f2dd093337305f1a8340b7ab6f1f) was identified as the initial dropper. A staging URL http://backup-cache.tech/download/update.exe resolved to 54.67.241.145. 
Secondary artifact hash: MD5: 199d4e83864eb06462efbd89a5951e57.", "spans": {"TOOL: SharpHound": [[72, 82]], "FILEPATH: /var/tmp/shell.php": [[96, 114]], "TOOL: Covenant": [[160, 168]], "FILEPATH: C:\\Windows\\System32\\config.dat": [[220, 250]], "IP_ADDRESS: 10.166.205.247": [[296, 310]], "DOMAIN: securenode.online": [[315, 332]], "EMAIL: info@mail-service.info": [[377, 399]], "FILEPATH: C:\\Users\\Public\\Documents\\helper.sh": [[406, 441]], "HASH: b7f0f4cf45fca295d1ade884e5f7db5157b3f2dd093337305f1a8340b7ab6f1f": [[451, 515]], "URL: http://backup-cache.tech/download/update.exe": [[570, 614]], "IP_ADDRESS: 54.67.241.145": [[627, 640]], "HASH: 199d4e83864eb06462efbd89a5951e57": [[672, 704]]}, "info": {"id": "synth_v2_01200", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Burp Suite artifacts at C:\\Users\\Public\\Documents\\beacon.dll. Memory dump analysis confirmed execution of Hashcat. Registry modifications pointed to persistence via C:\\Users\\admin\\Desktop\\agent.py. Network forensics identified connections to 10.93.3.121 and secure-node.online. Email headers traced the initial vector to info@account-update.xyz. File /home/user/.config/taskhost.exe (MD5: a87444b41ea4b2d200b047d3f044e276) was identified as the initial dropper. A staging URL hxxps://login-secure.club/api/v2/auth resolved to 10.165.40.180. 
Secondary artifact hash: SHA256: ae619e98a6b28a5cd6cd2e4fc03c81572cecd892766e6c5e6bc0717cdf19be43.", "spans": {"TOOL: Burp Suite": [[72, 82]], "FILEPATH: C:\\Users\\Public\\Documents\\beacon.dll": [[96, 132]], "TOOL: Hashcat": [[178, 185]], "FILEPATH: C:\\Users\\admin\\Desktop\\agent.py": [[237, 268]], "IP_ADDRESS: 10.93.3.121": [[314, 325]], "DOMAIN: secure-node.online": [[330, 348]], "EMAIL: info@account-update.xyz": [[393, 416]], "FILEPATH: /home/user/.config/taskhost.exe": [[423, 454]], "HASH: a87444b41ea4b2d200b047d3f044e276": [[461, 493]], "URL: hxxps://login-secure.club/api/v2/auth": [[548, 585]], "IP_ADDRESS: 10.165.40.180": [[598, 611]], "HASH: ae619e98a6b28a5cd6cd2e4fc03c81572cecd892766e6c5e6bc0717cdf19be43": [[646, 710]]}, "info": {"id": "synth_v2_01201", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Metasploit artifacts at /dev/shm/csrss.exe. Memory dump analysis confirmed execution of Chisel. Registry modifications pointed to persistence via /home/user/.config/csrss.exe. Network forensics identified connections to 159.70.34.15 and storageupdate.link. Email headers traced the initial vector to security@identity-verify.cc. File /usr/local/bin/chrome_helper.exe (MD5: 846560ce3c1096a71b0c9faffc5c7d6e) was identified as the initial dropper. A staging URL hxxps://syncsync.org/wp-content/uploads/doc.php resolved to 104.212.67.224. 
Secondary artifact hash: MD5: 16bf9a924f6956a8830b5d638fae4124.", "spans": {"TOOL: Metasploit": [[72, 82]], "FILEPATH: /dev/shm/csrss.exe": [[96, 114]], "TOOL: Chisel": [[160, 166]], "FILEPATH: /home/user/.config/csrss.exe": [[218, 246]], "IP_ADDRESS: 159.70.34.15": [[292, 304]], "DOMAIN: storageupdate.link": [[309, 327]], "EMAIL: security@identity-verify.cc": [[372, 399]], "FILEPATH: /usr/local/bin/chrome_helper.exe": [[406, 438]], "HASH: 846560ce3c1096a71b0c9faffc5c7d6e": [[445, 477]], "URL: hxxps://syncsync.org/wp-content/uploads/doc.php": [[532, 579]], "IP_ADDRESS: 104.212.67.224": [[592, 606]], "HASH: 16bf9a924f6956a8830b5d638fae4124": [[638, 670]]}, "info": {"id": "synth_v2_01202", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Impacket artifacts at C:\\Users\\admin\\Desktop\\update.dll. Memory dump analysis confirmed execution of Havoc. Registry modifications pointed to persistence via /dev/shm/dropper.ps1. Network forensics identified connections to 10.6.190.130 and gateway-cdn.link. Email headers traced the initial vector to hr@auth-check.org. File /opt/app/bin/agent.py (SHA1: a55243413e5b2edd6ede7684f3d77d883454013d) was identified as the initial dropper. A staging URL hxxp://staticlogin.xyz/callback resolved to 37.121.110.102. 
Secondary artifact hash: SHA1: ce25ca7064f5d36994832f369f8a92fd6c128d47.", "spans": {"TOOL: Impacket": [[72, 80]], "FILEPATH: C:\\Users\\admin\\Desktop\\update.dll": [[94, 127]], "TOOL: Havoc": [[173, 178]], "FILEPATH: /dev/shm/dropper.ps1": [[230, 250]], "IP_ADDRESS: 10.6.190.130": [[296, 308]], "DOMAIN: gateway-cdn.link": [[313, 329]], "EMAIL: hr@auth-check.org": [[374, 391]], "FILEPATH: /opt/app/bin/agent.py": [[398, 419]], "HASH: a55243413e5b2edd6ede7684f3d77d883454013d": [[427, 467]], "URL: hxxp://staticlogin.xyz/callback": [[522, 553]], "IP_ADDRESS: 37.121.110.102": [[566, 580]], "HASH: ce25ca7064f5d36994832f369f8a92fd6c128d47": [[613, 653]]}, "info": {"id": "synth_v2_01203", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed CrackMapExec artifacts at /dev/shm/chrome_helper.exe. Memory dump analysis confirmed execution of Chisel. Registry modifications pointed to persistence via /usr/local/bin/dropper.ps1. Network forensics identified connections to 2.48.186.12 and loginupdate.cc. Email headers traced the initial vector to info@document-share.link. File /opt/app/bin/loader.exe (SHA1: c86f64bc9ee77d30f5bce6341c0a300c93b29e09) was identified as the initial dropper. A staging URL hxxp://cdn-auth.live/panel/index.html resolved to 192.221.254.156. 
Secondary artifact hash: SHA256: 570400991888f798b5a4b7714f01079e1f820f7701d5c5657dae4d6a5f228ceb.", "spans": {"TOOL: CrackMapExec": [[72, 84]], "FILEPATH: /dev/shm/chrome_helper.exe": [[98, 124]], "TOOL: Chisel": [[170, 176]], "FILEPATH: /usr/local/bin/dropper.ps1": [[228, 254]], "IP_ADDRESS: 2.48.186.12": [[300, 311]], "DOMAIN: loginupdate.cc": [[316, 330]], "EMAIL: info@document-share.link": [[375, 399]], "FILEPATH: /opt/app/bin/loader.exe": [[406, 429]], "HASH: c86f64bc9ee77d30f5bce6341c0a300c93b29e09": [[437, 477]], "URL: hxxp://cdn-auth.live/panel/index.html": [[532, 569]], "IP_ADDRESS: 192.221.254.156": [[582, 597]], "HASH: 570400991888f798b5a4b7714f01079e1f820f7701d5c5657dae4d6a5f228ceb": [[632, 696]]}, "info": {"id": "synth_v2_01204", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Sliver artifacts at /etc/cron.d/payload.bin. Memory dump analysis confirmed execution of Covenant. Registry modifications pointed to persistence via /var/tmp/helper.sh. Network forensics identified connections to 148.101.244.150 and storageauth.net. Email headers traced the initial vector to billing@document-share.link. File C:\\Windows\\System32\\shell.php (MD5: f6995f79dd9359bc2da92c020bd6cef0) was identified as the initial dropper. A staging URL hxxp://apibackup.cc/login resolved to 130.82.52.88. 
Secondary artifact hash: SHA256: c686c256e6fc5fc08c95e325977f2395ab9085b935411ef0680a1b42dcb2f79e.", "spans": {"TOOL: Sliver": [[72, 78]], "FILEPATH: /etc/cron.d/payload.bin": [[92, 115]], "TOOL: Covenant": [[161, 169]], "FILEPATH: /var/tmp/helper.sh": [[221, 239]], "IP_ADDRESS: 148.101.244.150": [[285, 300]], "DOMAIN: storageauth.net": [[305, 320]], "EMAIL: billing@document-share.link": [[365, 392]], "FILEPATH: C:\\Windows\\System32\\shell.php": [[399, 428]], "HASH: f6995f79dd9359bc2da92c020bd6cef0": [[435, 467]], "URL: hxxp://apibackup.cc/login": [[522, 547]], "IP_ADDRESS: 130.82.52.88": [[560, 572]], "HASH: c686c256e6fc5fc08c95e325977f2395ab9085b935411ef0680a1b42dcb2f79e": [[607, 671]]}, "info": {"id": "synth_v2_01205", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Sharphound artifacts at C:\\Windows\\Tasks\\winlogon.exe. Memory dump analysis confirmed execution of BITSAdmin. Registry modifications pointed to persistence via C:\\Windows\\Tasks\\agent.py. Network forensics identified connections to 212.121.210.41 and api-secure.info. Email headers traced the initial vector to verify@credential-check.site. File C:\\Users\\Public\\Documents\\agent.py (SHA256: 19f5795942180767228cc378c475432066be5c42b780ea35c3feb5c2d544edd0) was identified as the initial dropper. A staging URL hxxp://gateway-relay.online/portal/verify resolved to 34.177.40.133. 
Secondary artifact hash: MD5: c34efaeb1e5351816675f6a16daa8496.", "spans": {"TOOL: Sharphound": [[72, 82]], "FILEPATH: C:\\Windows\\Tasks\\winlogon.exe": [[96, 125]], "TOOL: BITSAdmin": [[171, 180]], "FILEPATH: C:\\Windows\\Tasks\\agent.py": [[232, 257]], "IP_ADDRESS: 212.121.210.41": [[303, 317]], "DOMAIN: api-secure.info": [[322, 337]], "EMAIL: verify@credential-check.site": [[382, 410]], "FILEPATH: C:\\Users\\Public\\Documents\\agent.py": [[417, 451]], "HASH: 19f5795942180767228cc378c475432066be5c42b780ea35c3feb5c2d544edd0": [[461, 525]], "URL: hxxp://gateway-relay.online/portal/verify": [[580, 621]], "IP_ADDRESS: 34.177.40.133": [[634, 647]], "HASH: c34efaeb1e5351816675f6a16daa8496": [[679, 711]]}, "info": {"id": "synth_v2_01206", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed BITSAdmin artifacts at /home/user/.config/runtime.dll. Memory dump analysis confirmed execution of BloodHound. Registry modifications pointed to persistence via /home/user/.config/runtime.dll. Network forensics identified connections to 43.192.185.122 and secure-static.dev. Email headers traced the initial vector to helpdesk@mail-service.info. File /opt/app/bin/agent.py (SHA1: 2dc4c23329049eea88ca496befb5dc81b1b86492) was identified as the initial dropper. A staging URL http://backup-login.info/collect resolved to 172.207.157.58. 
Secondary artifact hash: MD5: 08e56a543e26d209532bc4115f1fdd78.", "spans": {"TOOL: BITSAdmin": [[72, 81]], "FILEPATH: /home/user/.config/runtime.dll": [[95, 125], [95, 125]], "TOOL: BloodHound": [[171, 181]], "IP_ADDRESS: 43.192.185.122": [[309, 323]], "DOMAIN: secure-static.dev": [[328, 345]], "EMAIL: helpdesk@mail-service.info": [[390, 416]], "FILEPATH: /opt/app/bin/agent.py": [[423, 444]], "HASH: 2dc4c23329049eea88ca496befb5dc81b1b86492": [[452, 492]], "URL: http://backup-login.info/collect": [[547, 579]], "IP_ADDRESS: 172.207.157.58": [[592, 606]], "HASH: 08e56a543e26d209532bc4115f1fdd78": [[638, 670]]}, "info": {"id": "synth_v2_01207", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Seatbelt artifacts at C:\\Program Files\\Common Files\\update.dll. Memory dump analysis confirmed execution of WinPEAS. Registry modifications pointed to persistence via C:\\Windows\\Temp\\update.dll. Network forensics identified connections to 179.181.247.59 and portal-portal.club. Email headers traced the initial vector to noreply@account-update.xyz. File /home/user/.config/svchost.exe (SHA1: ea1770a8c791419e9d4ba854f93baa64f7efa0a5) was identified as the initial dropper. A staging URL hxxps://syncstatic.org/wp-content/uploads/doc.php resolved to 107.65.147.226. 
Secondary artifact hash: SHA256: 2ce7e92bf743efdf5b75af69d3c02dc00c72d155ca0e3776240d734335db3389.", "spans": {"TOOL: Seatbelt": [[72, 80]], "FILEPATH: C:\\Program Files\\Common Files\\update.dll": [[94, 134]], "TOOL: WinPEAS": [[180, 187]], "FILEPATH: C:\\Windows\\Temp\\update.dll": [[239, 265]], "IP_ADDRESS: 179.181.247.59": [[311, 325]], "DOMAIN: portal-portal.club": [[330, 348]], "EMAIL: noreply@account-update.xyz": [[393, 419]], "FILEPATH: /home/user/.config/svchost.exe": [[426, 456]], "HASH: ea1770a8c791419e9d4ba854f93baa64f7efa0a5": [[464, 504]], "URL: hxxps://syncstatic.org/wp-content/uploads/doc.php": [[559, 608]], "IP_ADDRESS: 107.65.147.226": [[621, 635]], "HASH: 2ce7e92bf743efdf5b75af69d3c02dc00c72d155ca0e3776240d734335db3389": [[670, 734]]}, "info": {"id": "synth_v2_01208", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Impacket artifacts at C:\\Program Files\\Common Files\\implant.so. Memory dump analysis confirmed execution of Nmap. Registry modifications pointed to persistence via /var/tmp/update.dll. Network forensics identified connections to 192.170.75.120 and portal-backup.dev. Email headers traced the initial vector to verify@auth-check.org. File C:\\ProgramData\\backdoor.elf (SHA1: b6d4c26a4710006384e7129246055564e4d307a0) was identified as the initial dropper. A staging URL hxxps://cacheupdate.dev/admin/config resolved to 10.58.235.48. 
Secondary artifact hash: SHA256: 7f91f92264bf002ada975440a1b29821f26576d3643ee602cec90b935705f49a.", "spans": {"TOOL: Impacket": [[72, 80]], "FILEPATH: C:\\Program Files\\Common Files\\implant.so": [[94, 134]], "TOOL: Nmap": [[180, 184]], "FILEPATH: /var/tmp/update.dll": [[236, 255]], "IP_ADDRESS: 192.170.75.120": [[301, 315]], "DOMAIN: portal-backup.dev": [[320, 337]], "EMAIL: verify@auth-check.org": [[382, 403]], "FILEPATH: C:\\ProgramData\\backdoor.elf": [[410, 437]], "HASH: b6d4c26a4710006384e7129246055564e4d307a0": [[445, 485]], "URL: hxxps://cacheupdate.dev/admin/config": [[540, 576]], "IP_ADDRESS: 10.58.235.48": [[589, 601]], "HASH: 7f91f92264bf002ada975440a1b29821f26576d3643ee602cec90b935705f49a": [[636, 700]]}, "info": {"id": "synth_v2_01209", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Merlin artifacts at C:\\ProgramData\\loader.exe. Memory dump analysis confirmed execution of Impacket. Registry modifications pointed to persistence via /usr/local/bin/payload.bin. Network forensics identified connections to 115.156.83.41 and proxyproxy.link. Email headers traced the initial vector to it@login-portal.tech. File /var/tmp/runtime.dll (MD5: 85a1466e4e86f82b6d0fe8baa0dc4781) was identified as the initial dropper. A staging URL hxxp://secure-secure.site/assets/js/payload.js resolved to 192.165.213.176. 
Secondary artifact hash: SHA1: 9fbafb71b8fccb96f76d8d18debe2e07d6de6604.", "spans": {"TOOL: Merlin": [[72, 78]], "FILEPATH: C:\\ProgramData\\loader.exe": [[92, 117]], "TOOL: Impacket": [[163, 171]], "FILEPATH: /usr/local/bin/payload.bin": [[223, 249]], "IP_ADDRESS: 115.156.83.41": [[295, 308]], "DOMAIN: proxyproxy.link": [[313, 328]], "EMAIL: it@login-portal.tech": [[373, 393]], "FILEPATH: /var/tmp/runtime.dll": [[400, 420]], "HASH: 85a1466e4e86f82b6d0fe8baa0dc4781": [[427, 459]], "URL: hxxp://secure-secure.site/assets/js/payload.js": [[514, 560]], "IP_ADDRESS: 192.165.213.176": [[573, 588]], "HASH: 9fbafb71b8fccb96f76d8d18debe2e07d6de6604": [[621, 661]]}, "info": {"id": "synth_v2_01210", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Brute Ratel artifacts at /home/user/.config/sam.hive. Memory dump analysis confirmed execution of LaZagne. Registry modifications pointed to persistence via /var/tmp/lsass.dmp. Network forensics identified connections to 10.8.19.181 and backup-backup.org. Email headers traced the initial vector to verify@login-portal.tech. File /opt/app/bin/svchost.exe (SHA256: 7c1b2e633c278cd2f296d5f2fe45d21b7aac649b3590be6feec766fa17b09a69) was identified as the initial dropper. A staging URL hxxps://storagesync.top/assets/js/payload.js resolved to 172.153.232.105. 
Secondary artifact hash: SHA1: 93c752654a64a34d8b30263ca579e573f38a5506.", "spans": {"TOOL: Brute Ratel": [[72, 83]], "FILEPATH: /home/user/.config/sam.hive": [[97, 124]], "TOOL: LaZagne": [[170, 177]], "FILEPATH: /var/tmp/lsass.dmp": [[229, 247]], "IP_ADDRESS: 10.8.19.181": [[293, 304]], "DOMAIN: backup-backup.org": [[309, 326]], "EMAIL: verify@login-portal.tech": [[371, 395]], "FILEPATH: /opt/app/bin/svchost.exe": [[402, 426]], "HASH: 7c1b2e633c278cd2f296d5f2fe45d21b7aac649b3590be6feec766fa17b09a69": [[436, 500]], "URL: hxxps://storagesync.top/assets/js/payload.js": [[555, 599]], "IP_ADDRESS: 172.153.232.105": [[612, 627]], "HASH: 93c752654a64a34d8b30263ca579e573f38a5506": [[660, 700]]}, "info": {"id": "synth_v2_01211", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed BITSAdmin artifacts at /home/user/.config/config.dat. Memory dump analysis confirmed execution of Ligolo. Registry modifications pointed to persistence via /var/tmp/taskhost.exe. Network forensics identified connections to 192.31.221.114 and backup-data.top. Email headers traced the initial vector to notification@phishing-domain.com. File C:\\Users\\admin\\Desktop\\implant.so (MD5: 60b5c8b909899da177be196e1f249415) was identified as the initial dropper. A staging URL hxxp://storagecloud.club/assets/js/payload.js resolved to 208.137.115.160. 
Secondary artifact hash: SHA1: 7a2588961d8ba92da62dad5672993037a3d4d3e1.", "spans": {"TOOL: BITSAdmin": [[72, 81]], "FILEPATH: /home/user/.config/config.dat": [[95, 124]], "TOOL: Ligolo": [[170, 176]], "FILEPATH: /var/tmp/taskhost.exe": [[228, 249]], "IP_ADDRESS: 192.31.221.114": [[295, 309]], "DOMAIN: backup-data.top": [[314, 329]], "EMAIL: notification@phishing-domain.com": [[374, 406]], "FILEPATH: C:\\Users\\admin\\Desktop\\implant.so": [[413, 446]], "HASH: 60b5c8b909899da177be196e1f249415": [[453, 485]], "URL: hxxp://storagecloud.club/assets/js/payload.js": [[540, 585]], "IP_ADDRESS: 208.137.115.160": [[598, 613]], "HASH: 7a2588961d8ba92da62dad5672993037a3d4d3e1": [[646, 686]]}, "info": {"id": "synth_v2_01212", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed PsExec artifacts at /etc/cron.d/config.dat. Memory dump analysis confirmed execution of Sliver. Registry modifications pointed to persistence via /dev/shm/dropper.ps1. Network forensics identified connections to 192.50.113.64 and cloud-cdn.org. Email headers traced the initial vector to finance@secure-verify.net. File /var/tmp/winlogon.exe (MD5: e44101d9609bf1d52e4d28e3dba5f6ee) was identified as the initial dropper. A staging URL http://login-backup.link/portal/verify resolved to 172.119.141.88. 
Secondary artifact hash: SHA256: ff6321b03e02967fb6c494bd6f72fc244a9dca9755e4f23fbe1acabfcddd2775.", "spans": {"TOOL: PsExec": [[72, 78]], "FILEPATH: /etc/cron.d/config.dat": [[92, 114]], "TOOL: Sliver": [[160, 166]], "FILEPATH: /dev/shm/dropper.ps1": [[218, 238]], "IP_ADDRESS: 192.50.113.64": [[284, 297]], "DOMAIN: cloud-cdn.org": [[302, 315]], "EMAIL: finance@secure-verify.net": [[360, 385]], "FILEPATH: /var/tmp/winlogon.exe": [[392, 413]], "HASH: e44101d9609bf1d52e4d28e3dba5f6ee": [[420, 452]], "URL: http://login-backup.link/portal/verify": [[507, 545]], "IP_ADDRESS: 172.119.141.88": [[558, 572]], "HASH: ff6321b03e02967fb6c494bd6f72fc244a9dca9755e4f23fbe1acabfcddd2775": [[607, 671]]}, "info": {"id": "synth_v2_01213", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Mimikatz artifacts at C:\\Windows\\Temp\\shell.php. Memory dump analysis confirmed execution of PowerShell Empire. Registry modifications pointed to persistence via /etc/cron.d/runtime.dll. Network forensics identified connections to 172.22.165.235 and storage-auth.live. Email headers traced the initial vector to info@auth-check.org. File C:\\Windows\\Tasks\\config.dat (SHA256: 4bf4c62d0406287a63ebac6599b1e026d392671bb6d6f0e7c30b367bdbb0621c) was identified as the initial dropper. A staging URL http://storageedge.live/login resolved to 172.24.64.64. 
Secondary artifact hash: SHA256: 0275a4e5f4a35de4bfbf652741de4a489c4e4b4e5bc0a34ef4e09fa66cf4995b.", "spans": {"TOOL: Mimikatz": [[72, 80]], "FILEPATH: C:\\Windows\\Temp\\shell.php": [[94, 119]], "TOOL: PowerShell Empire": [[165, 182]], "FILEPATH: /etc/cron.d/runtime.dll": [[234, 257]], "IP_ADDRESS: 172.22.165.235": [[303, 317]], "DOMAIN: storage-auth.live": [[322, 339]], "EMAIL: info@auth-check.org": [[384, 403]], "FILEPATH: C:\\Windows\\Tasks\\config.dat": [[410, 437]], "HASH: 4bf4c62d0406287a63ebac6599b1e026d392671bb6d6f0e7c30b367bdbb0621c": [[447, 511]], "URL: http://storageedge.live/login": [[566, 595]], "IP_ADDRESS: 172.24.64.64": [[608, 620]], "HASH: 0275a4e5f4a35de4bfbf652741de4a489c4e4b4e5bc0a34ef4e09fa66cf4995b": [[655, 719]]}, "info": {"id": "synth_v2_01214", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Seatbelt artifacts at /usr/local/bin/update.dll. Memory dump analysis confirmed execution of LaZagne. Registry modifications pointed to persistence via /usr/local/bin/payload.bin. Network forensics identified connections to 19.40.80.96 and node-cdn.online. Email headers traced the initial vector to info@document-share.link. File C:\\Windows\\System32\\agent.py (MD5: 2fc8739d4c5ab2b5afcec4540af3074f) was identified as the initial dropper. A staging URL hxxps://data-mail.dev/secure/token resolved to 220.44.67.83. 
Secondary artifact hash: MD5: cfb71a80eb61496f0b8dcb2e661fabd9.", "spans": {"TOOL: Seatbelt": [[72, 80]], "FILEPATH: /usr/local/bin/update.dll": [[94, 119]], "TOOL: LaZagne": [[165, 172]], "FILEPATH: /usr/local/bin/payload.bin": [[224, 250]], "IP_ADDRESS: 19.40.80.96": [[296, 307]], "DOMAIN: node-cdn.online": [[312, 327]], "EMAIL: info@document-share.link": [[372, 396]], "FILEPATH: C:\\Windows\\System32\\agent.py": [[403, 431]], "HASH: 2fc8739d4c5ab2b5afcec4540af3074f": [[438, 470]], "URL: hxxps://data-mail.dev/secure/token": [[525, 559]], "IP_ADDRESS: 220.44.67.83": [[572, 584]], "HASH: cfb71a80eb61496f0b8dcb2e661fabd9": [[616, 648]]}, "info": {"id": "synth_v2_01215", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Mimikatz artifacts at /var/tmp/agent.py. Memory dump analysis confirmed execution of Covenant. Registry modifications pointed to persistence via /usr/local/bin/chrome_helper.exe. Network forensics identified connections to 220.160.183.128 and sync-gateway.xyz. Email headers traced the initial vector to contact@secure-verify.net. File /dev/shm/taskhost.exe (MD5: 0be6383fdc3e9ae48b1d8a47606bc5a6) was identified as the initial dropper. A staging URL https://loginapi.top/assets/js/payload.js resolved to 172.221.118.45. 
Secondary artifact hash: SHA1: d37d89f867324261d0e44634f39529788fd32387.", "spans": {"TOOL: Mimikatz": [[72, 80]], "FILEPATH: /var/tmp/agent.py": [[94, 111]], "TOOL: Covenant": [[157, 165]], "FILEPATH: /usr/local/bin/chrome_helper.exe": [[217, 249]], "IP_ADDRESS: 220.160.183.128": [[295, 310]], "DOMAIN: sync-gateway.xyz": [[315, 331]], "EMAIL: contact@secure-verify.net": [[376, 401]], "FILEPATH: /dev/shm/taskhost.exe": [[408, 429]], "HASH: 0be6383fdc3e9ae48b1d8a47606bc5a6": [[436, 468]], "URL: https://loginapi.top/assets/js/payload.js": [[523, 564]], "IP_ADDRESS: 172.221.118.45": [[577, 591]], "HASH: d37d89f867324261d0e44634f39529788fd32387": [[624, 664]]}, "info": {"id": "synth_v2_01216", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Mythic artifacts at C:\\Program Files\\Common Files\\helper.sh. Memory dump analysis confirmed execution of Impacket. Registry modifications pointed to persistence via /opt/app/bin/payload.bin. Network forensics identified connections to 172.21.148.40 and staticrelay.online. Email headers traced the initial vector to finance@login-portal.tech. File C:\\Windows\\Temp\\svchost.exe (MD5: 72c453e7ea2832a4f35a1a8fd52aa284) was identified as the initial dropper. A staging URL hxxps://gateway-update.dev/assets/js/payload.js resolved to 172.197.183.171. 
Secondary artifact hash: MD5: 3a9b6f376de5578d52a52fdf62dfea31.", "spans": {"TOOL: Mythic": [[72, 78]], "FILEPATH: C:\\Program Files\\Common Files\\helper.sh": [[92, 131]], "TOOL: Impacket": [[177, 185]], "FILEPATH: /opt/app/bin/payload.bin": [[237, 261]], "IP_ADDRESS: 172.21.148.40": [[307, 320]], "DOMAIN: staticrelay.online": [[325, 343]], "EMAIL: finance@login-portal.tech": [[388, 413]], "FILEPATH: C:\\Windows\\Temp\\svchost.exe": [[420, 447]], "HASH: 72c453e7ea2832a4f35a1a8fd52aa284": [[454, 486]], "URL: hxxps://gateway-update.dev/assets/js/payload.js": [[541, 588]], "IP_ADDRESS: 172.197.183.171": [[601, 616]], "HASH: 3a9b6f376de5578d52a52fdf62dfea31": [[648, 680]]}, "info": {"id": "synth_v2_01217", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Certutil artifacts at C:\\Users\\admin\\AppData\\Local\\Temp\\taskhost.exe. Memory dump analysis confirmed execution of LaZagne. Registry modifications pointed to persistence via C:\\Users\\admin\\AppData\\Local\\Temp\\chrome_helper.exe. Network forensics identified connections to 192.110.76.125 and authportal.xyz. Email headers traced the initial vector to alert@identity-verify.cc. File /home/user/.config/ntds.dit (SHA1: 3a510bdafffd53483c1879790fc47d8af0f85326) was identified as the initial dropper. A staging URL https://edgemail.net/callback resolved to 192.106.19.72. 
Secondary artifact hash: SHA256: 1db99cd164f01b294d64e353545117da0745184ae951bac91bc622f0a506099e.", "spans": {"TOOL: Certutil": [[72, 80]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\taskhost.exe": [[94, 140]], "TOOL: LaZagne": [[186, 193]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\chrome_helper.exe": [[245, 296]], "IP_ADDRESS: 192.110.76.125": [[342, 356]], "DOMAIN: authportal.xyz": [[361, 375]], "EMAIL: alert@identity-verify.cc": [[420, 444]], "FILEPATH: /home/user/.config/ntds.dit": [[451, 478]], "HASH: 3a510bdafffd53483c1879790fc47d8af0f85326": [[486, 526]], "URL: https://edgemail.net/callback": [[581, 610]], "IP_ADDRESS: 192.106.19.72": [[623, 636]], "HASH: 1db99cd164f01b294d64e353545117da0745184ae951bac91bc622f0a506099e": [[671, 735]]}, "info": {"id": "synth_v2_01218", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Sharphound artifacts at C:\\Users\\admin\\AppData\\Local\\Temp\\csrss.exe. Memory dump analysis confirmed execution of Certutil. Registry modifications pointed to persistence via C:\\Users\\admin\\AppData\\Local\\Temp\\shell.php. Network forensics identified connections to 172.245.90.135 and secureupdate.club. Email headers traced the initial vector to alert@mail-service.info. File C:\\Users\\admin\\Desktop\\winlogon.exe (MD5: 7935e8f78b9fe82de865144598c9fb3d) was identified as the initial dropper. A staging URL hxxp://logincloud.online/secure/token resolved to 10.245.79.183. 
Secondary artifact hash: SHA1: 65c0e21901b008953fb35877e60af0683ca3f095.", "spans": {"TOOL: Sharphound": [[72, 82]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\csrss.exe": [[96, 139]], "TOOL: Certutil": [[185, 193]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\shell.php": [[245, 288]], "IP_ADDRESS: 172.245.90.135": [[334, 348]], "DOMAIN: secureupdate.club": [[353, 370]], "EMAIL: alert@mail-service.info": [[415, 438]], "FILEPATH: C:\\Users\\admin\\Desktop\\winlogon.exe": [[445, 480]], "HASH: 7935e8f78b9fe82de865144598c9fb3d": [[487, 519]], "URL: hxxp://logincloud.online/secure/token": [[574, 611]], "IP_ADDRESS: 10.245.79.183": [[624, 637]], "HASH: 65c0e21901b008953fb35877e60af0683ca3f095": [[670, 710]]}, "info": {"id": "synth_v2_01219", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed PowerShell Empire artifacts at C:\\Program Files\\Common Files\\agent.py. Memory dump analysis confirmed execution of Nmap. Registry modifications pointed to persistence via C:\\Windows\\Temp\\sam.hive. Network forensics identified connections to 172.227.190.27 and apisync.site. Email headers traced the initial vector to notification@phishing-domain.com. File /var/tmp/svchost.exe (SHA1: ff462eed44b9277c2ca2b6c4c8e69543e0effc1e) was identified as the initial dropper. A staging URL http://portalnode.io/gate.php resolved to 89.145.104.106. 
Secondary artifact hash: SHA256: aef3f88227dddbced576df997ff1bbb8b94ae99dd2395ffe214b673a8b66010e.", "spans": {"TOOL: PowerShell Empire": [[72, 89]], "FILEPATH: C:\\Program Files\\Common Files\\agent.py": [[103, 141]], "TOOL: Nmap": [[187, 191]], "FILEPATH: C:\\Windows\\Temp\\sam.hive": [[243, 267]], "IP_ADDRESS: 172.227.190.27": [[313, 327]], "DOMAIN: apisync.site": [[332, 344]], "EMAIL: notification@phishing-domain.com": [[389, 421]], "FILEPATH: /var/tmp/svchost.exe": [[428, 448]], "HASH: ff462eed44b9277c2ca2b6c4c8e69543e0effc1e": [[456, 496]], "URL: http://portalnode.io/gate.php": [[551, 580]], "IP_ADDRESS: 89.145.104.106": [[593, 607]], "HASH: aef3f88227dddbced576df997ff1bbb8b94ae99dd2395ffe214b673a8b66010e": [[642, 706]]}, "info": {"id": "synth_v2_01220", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Merlin artifacts at /etc/cron.d/chrome_helper.exe. Memory dump analysis confirmed execution of Sharphound. Registry modifications pointed to persistence via /opt/app/bin/beacon.dll. Network forensics identified connections to 111.23.179.172 and api-node.com. Email headers traced the initial vector to updates@login-portal.tech. File C:\\Users\\Public\\Documents\\chrome_helper.exe (MD5: 927e5db7b8dbca2aa2aed483ecd9b826) was identified as the initial dropper. A staging URL https://update-cdn.org/panel/index.html resolved to 211.205.106.78. 
Secondary artifact hash: MD5: eb5038d2b8f98e63290ebecfaadeb234.", "spans": {"TOOL: Merlin": [[72, 78]], "FILEPATH: /etc/cron.d/chrome_helper.exe": [[92, 121]], "TOOL: Sharphound": [[167, 177]], "FILEPATH: /opt/app/bin/beacon.dll": [[229, 252]], "IP_ADDRESS: 111.23.179.172": [[298, 312]], "DOMAIN: api-node.com": [[317, 329]], "EMAIL: updates@login-portal.tech": [[374, 399]], "FILEPATH: C:\\Users\\Public\\Documents\\chrome_helper.exe": [[406, 449]], "HASH: 927e5db7b8dbca2aa2aed483ecd9b826": [[456, 488]], "URL: https://update-cdn.org/panel/index.html": [[543, 582]], "IP_ADDRESS: 211.205.106.78": [[595, 609]], "HASH: eb5038d2b8f98e63290ebecfaadeb234": [[641, 673]]}, "info": {"id": "synth_v2_01221", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Rubeus artifacts at /etc/cron.d/ntds.dit. Memory dump analysis confirmed execution of Covenant. Registry modifications pointed to persistence via /opt/app/bin/runtime.dll. Network forensics identified connections to 204.123.9.174 and authcache.link. Email headers traced the initial vector to contact@secure-verify.net. File /var/tmp/beacon.dll (SHA1: aefb874c29b87f07d2167dbf1af18fb511dc92cb) was identified as the initial dropper. A staging URL hxxp://backupedge.online/login resolved to 10.193.253.177. 
Secondary artifact hash: MD5: 3420a0c88c210223520d8798a1c2b975.", "spans": {"TOOL: Rubeus": [[72, 78]], "FILEPATH: /etc/cron.d/ntds.dit": [[92, 112]], "TOOL: Covenant": [[158, 166]], "FILEPATH: /opt/app/bin/runtime.dll": [[218, 242]], "IP_ADDRESS: 204.123.9.174": [[288, 301]], "DOMAIN: authcache.link": [[306, 320]], "EMAIL: contact@secure-verify.net": [[365, 390]], "FILEPATH: /var/tmp/beacon.dll": [[397, 416]], "HASH: aefb874c29b87f07d2167dbf1af18fb511dc92cb": [[424, 464]], "URL: hxxp://backupedge.online/login": [[519, 549]], "IP_ADDRESS: 10.193.253.177": [[562, 576]], "HASH: 3420a0c88c210223520d8798a1c2b975": [[608, 640]]}, "info": {"id": "synth_v2_01222", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed LaZagne artifacts at C:\\Users\\Public\\Documents\\payload.bin. Memory dump analysis confirmed execution of PowerShell Empire. Registry modifications pointed to persistence via /usr/local/bin/update.dll. Network forensics identified connections to 7.29.175.76 and portalrelay.xyz. Email headers traced the initial vector to noreply@mail-service.info. File C:\\Windows\\System32\\csrss.exe (MD5: 54d50a5e98dd6f90eb7680909e49a431) was identified as the initial dropper. A staging URL hxxps://authportal.xyz/wp-content/uploads/doc.php resolved to 192.18.106.146. 
Secondary artifact hash: MD5: 682db8603d8178596213a53b5e8fcaaf.", "spans": {"TOOL: LaZagne": [[72, 79]], "FILEPATH: C:\\Users\\Public\\Documents\\payload.bin": [[93, 130]], "TOOL: PowerShell Empire": [[176, 193]], "FILEPATH: /usr/local/bin/update.dll": [[245, 270]], "IP_ADDRESS: 7.29.175.76": [[316, 327]], "DOMAIN: portalrelay.xyz": [[332, 347]], "EMAIL: noreply@mail-service.info": [[392, 417]], "FILEPATH: C:\\Windows\\System32\\csrss.exe": [[424, 453]], "HASH: 54d50a5e98dd6f90eb7680909e49a431": [[460, 492]], "URL: hxxps://authportal.xyz/wp-content/uploads/doc.php": [[547, 596]], "IP_ADDRESS: 192.18.106.146": [[609, 623]], "HASH: 682db8603d8178596213a53b5e8fcaaf": [[655, 687]]}, "info": {"id": "synth_v2_01223", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed BITSAdmin artifacts at /home/user/.config/helper.sh. Memory dump analysis confirmed execution of Sharphound. Registry modifications pointed to persistence via /var/tmp/update.dll. Network forensics identified connections to 58.160.80.158 and authrelay.cc. Email headers traced the initial vector to contact@auth-check.org. File C:\\Windows\\Temp\\svchost.exe (SHA1: 191f002c6f4a341f6a04b46da27d2a19acc21ddb) was identified as the initial dropper. A staging URL http://gatewayportal.org/assets/js/payload.js resolved to 159.115.9.126. 
Secondary artifact hash: SHA256: e1b1ab6378c4a9ca5edb2d656ed21f3c764b5ba759ecfe14e9ca7086171234c3.", "spans": {"TOOL: BITSAdmin": [[72, 81]], "FILEPATH: /home/user/.config/helper.sh": [[95, 123]], "TOOL: Sharphound": [[169, 179]], "FILEPATH: /var/tmp/update.dll": [[231, 250]], "IP_ADDRESS: 58.160.80.158": [[296, 309]], "DOMAIN: authrelay.cc": [[314, 326]], "EMAIL: contact@auth-check.org": [[371, 393]], "FILEPATH: C:\\Windows\\Temp\\svchost.exe": [[400, 427]], "HASH: 191f002c6f4a341f6a04b46da27d2a19acc21ddb": [[435, 475]], "URL: http://gatewayportal.org/assets/js/payload.js": [[530, 575]], "IP_ADDRESS: 159.115.9.126": [[588, 601]], "HASH: e1b1ab6378c4a9ca5edb2d656ed21f3c764b5ba759ecfe14e9ca7086171234c3": [[636, 700]]}, "info": {"id": "synth_v2_01224", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Chisel artifacts at /tmp/csrss.exe. Memory dump analysis confirmed execution of Ligolo. Registry modifications pointed to persistence via C:\\Users\\Public\\Documents\\loader.exe. Network forensics identified connections to 172.167.206.15 and data-backup.com. Email headers traced the initial vector to updates@credential-check.site. File C:\\Users\\admin\\Desktop\\config.dat (SHA256: a7014c28e3407ce844ca9946b11a6dbf129786eb05dfa018ff0f17f127193460) was identified as the initial dropper. A staging URL https://secure-mail.net/panel/index.html resolved to 10.65.127.10. 
Secondary artifact hash: MD5: 273682b11d313cc43020580110056737.", "spans": {"TOOL: Chisel": [[72, 78]], "FILEPATH: /tmp/csrss.exe": [[92, 106]], "TOOL: Ligolo": [[152, 158]], "FILEPATH: C:\\Users\\Public\\Documents\\loader.exe": [[210, 246]], "IP_ADDRESS: 172.167.206.15": [[292, 306]], "DOMAIN: data-backup.com": [[311, 326]], "EMAIL: updates@credential-check.site": [[371, 400]], "FILEPATH: C:\\Users\\admin\\Desktop\\config.dat": [[407, 440]], "HASH: a7014c28e3407ce844ca9946b11a6dbf129786eb05dfa018ff0f17f127193460": [[450, 514]], "URL: https://secure-mail.net/panel/index.html": [[569, 609]], "IP_ADDRESS: 10.65.127.10": [[622, 634]], "HASH: 273682b11d313cc43020580110056737": [[666, 698]]}, "info": {"id": "synth_v2_01225", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed ADFind artifacts at C:\\Users\\admin\\AppData\\Local\\Temp\\backdoor.elf. Memory dump analysis confirmed execution of BloodHound. Registry modifications pointed to persistence via C:\\Users\\Public\\Documents\\loader.exe. Network forensics identified connections to 172.206.220.12 and syncproxy.top. Email headers traced the initial vector to notification@urgent-notice.online. File C:\\Users\\admin\\Downloads\\loader.exe (SHA256: dae10011278a06fc0e3897ac50c55860172949d68e2af67971935ffe4afee9d9) was identified as the initial dropper. A staging URL https://cloudgateway.net/download/update.exe resolved to 10.111.65.125. 
Secondary artifact hash: MD5: 011ebe322979a2b61ca679514edfe3d6.", "spans": {"TOOL: ADFind": [[72, 78]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\backdoor.elf": [[92, 138]], "TOOL: BloodHound": [[184, 194]], "FILEPATH: C:\\Users\\Public\\Documents\\loader.exe": [[246, 282]], "IP_ADDRESS: 172.206.220.12": [[328, 342]], "DOMAIN: syncproxy.top": [[347, 360]], "EMAIL: notification@urgent-notice.online": [[405, 438]], "FILEPATH: C:\\Users\\admin\\Downloads\\loader.exe": [[445, 480]], "HASH: dae10011278a06fc0e3897ac50c55860172949d68e2af67971935ffe4afee9d9": [[490, 554]], "URL: https://cloudgateway.net/download/update.exe": [[609, 653]], "IP_ADDRESS: 10.111.65.125": [[666, 679]], "HASH: 011ebe322979a2b61ca679514edfe3d6": [[711, 743]]}, "info": {"id": "synth_v2_01226", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Brute Ratel artifacts at /dev/shm/lsass.dmp. Memory dump analysis confirmed execution of Impacket. Registry modifications pointed to persistence via /opt/app/bin/dropper.ps1. Network forensics identified connections to 10.81.132.178 and data-relay.xyz. Email headers traced the initial vector to finance@auth-check.org. File /home/user/.config/agent.py (MD5: fdc7e61a8a7f2450b81e0806b6823ec6) was identified as the initial dropper. A staging URL hxxps://data-api.live/panel/index.html resolved to 172.201.97.186. 
Secondary artifact hash: SHA256: 1b5bc5901a6c11a892975e4e1e8c329abb196b9506532825abb6d6d4c6624ce2.", "spans": {"TOOL: Brute Ratel": [[72, 83]], "FILEPATH: /dev/shm/lsass.dmp": [[97, 115]], "TOOL: Impacket": [[161, 169]], "FILEPATH: /opt/app/bin/dropper.ps1": [[221, 245]], "IP_ADDRESS: 10.81.132.178": [[291, 304]], "DOMAIN: data-relay.xyz": [[309, 323]], "EMAIL: finance@auth-check.org": [[368, 390]], "FILEPATH: /home/user/.config/agent.py": [[397, 424]], "HASH: fdc7e61a8a7f2450b81e0806b6823ec6": [[431, 463]], "URL: hxxps://data-api.live/panel/index.html": [[518, 556]], "IP_ADDRESS: 172.201.97.186": [[569, 583]], "HASH: 1b5bc5901a6c11a892975e4e1e8c329abb196b9506532825abb6d6d4c6624ce2": [[618, 682]]}, "info": {"id": "synth_v2_01227", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed LinPEAS artifacts at C:\\Users\\admin\\AppData\\Local\\Temp\\payload.bin. Memory dump analysis confirmed execution of Metasploit. Registry modifications pointed to persistence via C:\\Users\\admin\\Desktop\\lsass.dmp. Network forensics identified connections to 192.209.3.99 and node-cache.live. Email headers traced the initial vector to alert@document-share.link. File C:\\Users\\Public\\Documents\\backdoor.elf (SHA256: 2d8d7761553f026654d921c8caf1bbccac88a6f9bf5b757045441a7607fcf377) was identified as the initial dropper. A staging URL hxxp://storage-portal.top/portal/verify resolved to 10.135.232.239. 
Secondary artifact hash: SHA1: ef81507f1031d04d8cd39f95f9b30b07b59a16cd.", "spans": {"TOOL: LinPEAS": [[72, 79]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\payload.bin": [[93, 138]], "TOOL: Metasploit": [[184, 194]], "FILEPATH: C:\\Users\\admin\\Desktop\\lsass.dmp": [[246, 278]], "IP_ADDRESS: 192.209.3.99": [[324, 336]], "DOMAIN: node-cache.live": [[341, 356]], "EMAIL: alert@document-share.link": [[401, 426]], "FILEPATH: C:\\Users\\Public\\Documents\\backdoor.elf": [[433, 471]], "HASH: 2d8d7761553f026654d921c8caf1bbccac88a6f9bf5b757045441a7607fcf377": [[481, 545]], "URL: hxxp://storage-portal.top/portal/verify": [[600, 639]], "IP_ADDRESS: 10.135.232.239": [[652, 666]], "HASH: ef81507f1031d04d8cd39f95f9b30b07b59a16cd": [[699, 739]]}, "info": {"id": "synth_v2_01228", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Merlin artifacts at /dev/shm/ntds.dit. Memory dump analysis confirmed execution of Impacket. Registry modifications pointed to persistence via /tmp/agent.py. Network forensics identified connections to 172.47.101.194 and backup-update.tech. Email headers traced the initial vector to helpdesk@account-update.xyz. File C:\\ProgramData\\update.dll (SHA256: 6bf125aa6367aafaf4717c64ccf8d15e02656e3e63b6d6ed59582bedecc69935) was identified as the initial dropper. A staging URL hxxps://authrelay.live/portal/verify resolved to 192.53.56.242. 
Secondary artifact hash: MD5: 9f081681c17f2fbcaa0d8052505e9179.", "spans": {"TOOL: Merlin": [[72, 78]], "FILEPATH: /dev/shm/ntds.dit": [[92, 109]], "TOOL: Impacket": [[155, 163]], "FILEPATH: /tmp/agent.py": [[215, 228]], "IP_ADDRESS: 172.47.101.194": [[274, 288]], "DOMAIN: backup-update.tech": [[293, 311]], "EMAIL: helpdesk@account-update.xyz": [[356, 383]], "FILEPATH: C:\\ProgramData\\update.dll": [[390, 415]], "HASH: 6bf125aa6367aafaf4717c64ccf8d15e02656e3e63b6d6ed59582bedecc69935": [[425, 489]], "URL: hxxps://authrelay.live/portal/verify": [[544, 580]], "IP_ADDRESS: 192.53.56.242": [[593, 606]], "HASH: 9f081681c17f2fbcaa0d8052505e9179": [[638, 670]]}, "info": {"id": "synth_v2_01229", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed GhostPack artifacts at /home/user/.config/sam.hive. Memory dump analysis confirmed execution of Chisel. Registry modifications pointed to persistence via C:\\Users\\admin\\AppData\\Local\\Temp\\loader.exe. Network forensics identified connections to 203.24.197.117 and cloud-auth.info. Email headers traced the initial vector to service@mail-service.info. File /etc/cron.d/ntds.dit (SHA256: ef76741aa4beea4ec9d32c7ddeecd56c638ed5fd2708442328cef4de39e6ba67) was identified as the initial dropper. A staging URL hxxp://proxylogin.link/gate.php resolved to 172.234.108.18. 
Secondary artifact hash: SHA1: 6124b066ecbc1a51d0f7d8cb064d4196f0b7b015.", "spans": {"TOOL: GhostPack": [[72, 81]], "FILEPATH: /home/user/.config/sam.hive": [[95, 122]], "TOOL: Chisel": [[168, 174]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\loader.exe": [[226, 270]], "IP_ADDRESS: 203.24.197.117": [[316, 330]], "DOMAIN: cloud-auth.info": [[335, 350]], "EMAIL: service@mail-service.info": [[395, 420]], "FILEPATH: /etc/cron.d/ntds.dit": [[427, 447]], "HASH: ef76741aa4beea4ec9d32c7ddeecd56c638ed5fd2708442328cef4de39e6ba67": [[457, 521]], "URL: hxxp://proxylogin.link/gate.php": [[576, 607]], "IP_ADDRESS: 172.234.108.18": [[620, 634]], "HASH: 6124b066ecbc1a51d0f7d8cb064d4196f0b7b015": [[667, 707]]}, "info": {"id": "synth_v2_01230", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed ADFind artifacts at /opt/app/bin/beacon.dll. Memory dump analysis confirmed execution of Burp Suite. Registry modifications pointed to persistence via /usr/local/bin/update.dll. Network forensics identified connections to 172.135.132.159 and data-portal.club. Email headers traced the initial vector to info@account-update.xyz. File C:\\Windows\\Tasks\\backdoor.elf (SHA256: 4e283a44e8dfd0fd92ee54eabaac3e6eba7e186e054617d2662b1379314d5bbf) was identified as the initial dropper. A staging URL http://backupapi.com/login resolved to 1.117.126.156. 
Secondary artifact hash: SHA256: c2a9622fe351cfa7bbb2464c8d70c160aef2eca3638abebebb5a09ddad4678ce.", "spans": {"TOOL: ADFind": [[72, 78]], "FILEPATH: /opt/app/bin/beacon.dll": [[92, 115]], "TOOL: Burp Suite": [[161, 171]], "FILEPATH: /usr/local/bin/update.dll": [[223, 248]], "IP_ADDRESS: 172.135.132.159": [[294, 309]], "DOMAIN: data-portal.club": [[314, 330]], "EMAIL: info@account-update.xyz": [[375, 398]], "FILEPATH: C:\\Windows\\Tasks\\backdoor.elf": [[405, 434]], "HASH: 4e283a44e8dfd0fd92ee54eabaac3e6eba7e186e054617d2662b1379314d5bbf": [[444, 508]], "URL: http://backupapi.com/login": [[563, 589]], "IP_ADDRESS: 1.117.126.156": [[602, 615]], "HASH: c2a9622fe351cfa7bbb2464c8d70c160aef2eca3638abebebb5a09ddad4678ce": [[650, 714]]}, "info": {"id": "synth_v2_01231", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed GhostPack artifacts at /var/tmp/config.dat. Memory dump analysis confirmed execution of Metasploit. Registry modifications pointed to persistence via C:\\Program Files\\Common Files\\sam.hive. Network forensics identified connections to 172.250.203.62 and storagebackup.site. Email headers traced the initial vector to security@auth-check.org. File /etc/cron.d/helper.sh (SHA256: dd505695fa7f4e99641212b9972547afab943c4a7fbab018d88e82954acfa8b9) was identified as the initial dropper. A staging URL https://portal-cdn.site/login resolved to 192.18.41.7. 
Secondary artifact hash: SHA1: 0d42c75081ef62141355253253159559da2aa96f.", "spans": {"TOOL: GhostPack": [[72, 81]], "FILEPATH: /var/tmp/config.dat": [[95, 114]], "TOOL: Metasploit": [[160, 170]], "FILEPATH: C:\\Program Files\\Common Files\\sam.hive": [[222, 260]], "IP_ADDRESS: 172.250.203.62": [[306, 320]], "DOMAIN: storagebackup.site": [[325, 343]], "EMAIL: security@auth-check.org": [[388, 411]], "FILEPATH: /etc/cron.d/helper.sh": [[418, 439]], "HASH: dd505695fa7f4e99641212b9972547afab943c4a7fbab018d88e82954acfa8b9": [[449, 513]], "URL: https://portal-cdn.site/login": [[568, 597]], "IP_ADDRESS: 192.18.41.7": [[610, 621]], "HASH: 0d42c75081ef62141355253253159559da2aa96f": [[654, 694]]}, "info": {"id": "synth_v2_01232", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Mythic artifacts at C:\\Users\\admin\\AppData\\Local\\Temp\\backdoor.elf. Memory dump analysis confirmed execution of Brute Ratel. Registry modifications pointed to persistence via C:\\Windows\\Tasks\\agent.py. Network forensics identified connections to 199.139.129.133 and update-cdn.dev. Email headers traced the initial vector to updates@phishing-domain.com. File C:\\Users\\admin\\Desktop\\sam.hive (SHA1: a2057b5b7495095dec5f47d4a7e086ac6ce11c35) was identified as the initial dropper. A staging URL hxxp://relay-proxy.link/admin/config resolved to 172.6.126.104. 
Secondary artifact hash: MD5: 6d2fb6b799c14869160d59f5fba5bdab.", "spans": {"TOOL: Mythic": [[72, 78]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\backdoor.elf": [[92, 138]], "TOOL: Brute Ratel": [[184, 195]], "FILEPATH: C:\\Windows\\Tasks\\agent.py": [[247, 272]], "IP_ADDRESS: 199.139.129.133": [[318, 333]], "DOMAIN: update-cdn.dev": [[338, 352]], "EMAIL: updates@phishing-domain.com": [[397, 424]], "FILEPATH: C:\\Users\\admin\\Desktop\\sam.hive": [[431, 462]], "HASH: a2057b5b7495095dec5f47d4a7e086ac6ce11c35": [[470, 510]], "URL: hxxp://relay-proxy.link/admin/config": [[565, 601]], "IP_ADDRESS: 172.6.126.104": [[614, 627]], "HASH: 6d2fb6b799c14869160d59f5fba5bdab": [[659, 691]]}, "info": {"id": "synth_v2_01233", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Burp Suite artifacts at /dev/shm/winlogon.exe. Memory dump analysis confirmed execution of Impacket. Registry modifications pointed to persistence via /home/user/.config/implant.so. Network forensics identified connections to 10.37.226.28 and secure-api.info. Email headers traced the initial vector to it@auth-check.org. File /tmp/runtime.dll (SHA256: 1c83abb833a14fd32fc6b74d71f539304467548ba8f98edd431e852c009a44f8) was identified as the initial dropper. A staging URL hxxp://relaysync.xyz/wp-content/uploads/doc.php resolved to 214.26.18.72. 
Secondary artifact hash: MD5: 9fdc464bd8979fe0dcf0e032b677256e.", "spans": {"TOOL: Burp Suite": [[72, 82]], "FILEPATH: /dev/shm/winlogon.exe": [[96, 117]], "TOOL: Impacket": [[163, 171]], "FILEPATH: /home/user/.config/implant.so": [[223, 252]], "IP_ADDRESS: 10.37.226.28": [[298, 310]], "DOMAIN: secure-api.info": [[315, 330]], "EMAIL: it@auth-check.org": [[375, 392]], "FILEPATH: /tmp/runtime.dll": [[399, 415]], "HASH: 1c83abb833a14fd32fc6b74d71f539304467548ba8f98edd431e852c009a44f8": [[425, 489]], "URL: hxxp://relaysync.xyz/wp-content/uploads/doc.php": [[544, 591]], "IP_ADDRESS: 214.26.18.72": [[604, 616]], "HASH: 9fdc464bd8979fe0dcf0e032b677256e": [[648, 680]]}, "info": {"id": "synth_v2_01234", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed GhostPack artifacts at /home/user/.config/shell.php. Memory dump analysis confirmed execution of BITSAdmin. Registry modifications pointed to persistence via C:\\Program Files\\Common Files\\winlogon.exe. Network forensics identified connections to 172.13.108.187 and backup-static.club. Email headers traced the initial vector to notification@account-update.xyz. File /etc/cron.d/config.dat (SHA256: 5c1c3348575deb6dd697c07a44a8225b7bd5bfe3baa461ddf0b193e7c7832b54) was identified as the initial dropper. A staging URL http://portalmail.xyz/assets/js/payload.js resolved to 172.124.0.225. 
Secondary artifact hash: SHA1: 2e51ee56525d79e1fa6563fd975cae5e7b46110d.", "spans": {"TOOL: GhostPack": [[72, 81]], "FILEPATH: /home/user/.config/shell.php": [[95, 123]], "TOOL: BITSAdmin": [[169, 178]], "FILEPATH: C:\\Program Files\\Common Files\\winlogon.exe": [[230, 272]], "IP_ADDRESS: 172.13.108.187": [[318, 332]], "DOMAIN: backup-static.club": [[337, 355]], "EMAIL: notification@account-update.xyz": [[400, 431]], "FILEPATH: /etc/cron.d/config.dat": [[438, 460]], "HASH: 5c1c3348575deb6dd697c07a44a8225b7bd5bfe3baa461ddf0b193e7c7832b54": [[470, 534]], "URL: http://portalmail.xyz/assets/js/payload.js": [[589, 631]], "IP_ADDRESS: 172.124.0.225": [[644, 657]], "HASH: 2e51ee56525d79e1fa6563fd975cae5e7b46110d": [[690, 730]]}, "info": {"id": "synth_v2_01235", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Hashcat artifacts at C:\\Users\\Public\\Documents\\implant.so. Memory dump analysis confirmed execution of PowerView. Registry modifications pointed to persistence via /dev/shm/sam.hive. Network forensics identified connections to 196.218.79.70 and nodeportal.live. Email headers traced the initial vector to helpdesk@document-share.link. File /var/tmp/taskhost.exe (MD5: c6515cb220045fcce617de02f8fe2101) was identified as the initial dropper. A staging URL http://proxy-portal.io/admin/config resolved to 184.77.100.203. 
Secondary artifact hash: SHA256: d39e3adb7100acd0703fe52a6097a1c21474858b1506a591f9aca812610b6e2d.", "spans": {"TOOL: Hashcat": [[72, 79]], "FILEPATH: C:\\Users\\Public\\Documents\\implant.so": [[93, 129]], "TOOL: PowerView": [[175, 184]], "FILEPATH: /dev/shm/sam.hive": [[236, 253]], "IP_ADDRESS: 196.218.79.70": [[299, 312]], "DOMAIN: nodeportal.live": [[317, 332]], "EMAIL: helpdesk@document-share.link": [[377, 405]], "FILEPATH: /var/tmp/taskhost.exe": [[412, 433]], "HASH: c6515cb220045fcce617de02f8fe2101": [[440, 472]], "URL: http://proxy-portal.io/admin/config": [[527, 562]], "IP_ADDRESS: 184.77.100.203": [[575, 589]], "HASH: d39e3adb7100acd0703fe52a6097a1c21474858b1506a591f9aca812610b6e2d": [[624, 688]]}, "info": {"id": "synth_v2_01236", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Hashcat artifacts at C:\\ProgramData\\backdoor.elf. Memory dump analysis confirmed execution of Brute Ratel. Registry modifications pointed to persistence via C:\\ProgramData\\helper.sh. Network forensics identified connections to 156.199.225.240 and proxy-data.live. Email headers traced the initial vector to report@account-update.xyz. File /usr/local/bin/shell.php (SHA256: ec26ceba3abee3469b38a8b0a71df845ec07e78f0f8c6021bef5a80bd495c676) was identified as the initial dropper. A staging URL https://auth-portal.org/login resolved to 172.3.187.94. 
Secondary artifact hash: SHA256: 882b90bbef9386158031451a11e1a24f1c8647c08bc3089d6173ca7fbdf2a99a.", "spans": {"TOOL: Hashcat": [[72, 79]], "FILEPATH: C:\\ProgramData\\backdoor.elf": [[93, 120]], "TOOL: Brute Ratel": [[166, 177]], "FILEPATH: C:\\ProgramData\\helper.sh": [[229, 253]], "IP_ADDRESS: 156.199.225.240": [[299, 314]], "DOMAIN: proxy-data.live": [[319, 334]], "EMAIL: report@account-update.xyz": [[379, 404]], "FILEPATH: /usr/local/bin/shell.php": [[411, 435]], "HASH: ec26ceba3abee3469b38a8b0a71df845ec07e78f0f8c6021bef5a80bd495c676": [[445, 509]], "URL: https://auth-portal.org/login": [[564, 593]], "IP_ADDRESS: 172.3.187.94": [[606, 618]], "HASH: 882b90bbef9386158031451a11e1a24f1c8647c08bc3089d6173ca7fbdf2a99a": [[653, 717]]}, "info": {"id": "synth_v2_01237", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed PsExec artifacts at C:\\Users\\admin\\Desktop\\shell.php. Memory dump analysis confirmed execution of Nmap. Registry modifications pointed to persistence via /tmp/csrss.exe. Network forensics identified connections to 192.229.7.27 and data-static.club. Email headers traced the initial vector to noreply@credential-check.site. File /usr/local/bin/lsass.dmp (MD5: b88251e006c6349b74bfefd9bdeadd52) was identified as the initial dropper. A staging URL hxxp://edge-portal.site/secure/token resolved to 170.167.184.125. 
Secondary artifact hash: MD5: d59477304a0aa779f692d49cb1c1a8f1.", "spans": {"TOOL: PsExec": [[72, 78]], "FILEPATH: C:\\Users\\admin\\Desktop\\shell.php": [[92, 124]], "TOOL: Nmap": [[170, 174]], "FILEPATH: /tmp/csrss.exe": [[226, 240]], "IP_ADDRESS: 192.229.7.27": [[286, 298]], "DOMAIN: data-static.club": [[303, 319]], "EMAIL: noreply@credential-check.site": [[364, 393]], "FILEPATH: /usr/local/bin/lsass.dmp": [[400, 424]], "HASH: b88251e006c6349b74bfefd9bdeadd52": [[431, 463]], "URL: hxxp://edge-portal.site/secure/token": [[518, 554]], "IP_ADDRESS: 170.167.184.125": [[567, 582]], "HASH: d59477304a0aa779f692d49cb1c1a8f1": [[614, 646]]}, "info": {"id": "synth_v2_01238", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Impacket artifacts at /opt/app/bin/payload.bin. Memory dump analysis confirmed execution of Havoc. Registry modifications pointed to persistence via C:\\Users\\admin\\AppData\\Local\\Temp\\winlogon.exe. Network forensics identified connections to 10.24.41.201 and gatewayapi.site. Email headers traced the initial vector to notification@credential-check.site. File C:\\Windows\\Temp\\implant.so (SHA256: cedbac21ccc21b0e37fed177a5db1b4f31da4fe08de9c4dc2015491822f56c27) was identified as the initial dropper. A staging URL https://edge-sync.link/assets/js/payload.js resolved to 192.28.42.210. 
Secondary artifact hash: MD5: 942c30b21fdfc3b6ceeee69ffcd36dff.", "spans": {"TOOL: Impacket": [[72, 80]], "FILEPATH: /opt/app/bin/payload.bin": [[94, 118]], "TOOL: Havoc": [[164, 169]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\winlogon.exe": [[221, 267]], "IP_ADDRESS: 10.24.41.201": [[313, 325]], "DOMAIN: gatewayapi.site": [[330, 345]], "EMAIL: notification@credential-check.site": [[390, 424]], "FILEPATH: C:\\Windows\\Temp\\implant.so": [[431, 457]], "HASH: cedbac21ccc21b0e37fed177a5db1b4f31da4fe08de9c4dc2015491822f56c27": [[467, 531]], "URL: https://edge-sync.link/assets/js/payload.js": [[586, 629]], "IP_ADDRESS: 192.28.42.210": [[642, 655]], "HASH: 942c30b21fdfc3b6ceeee69ffcd36dff": [[687, 719]]}, "info": {"id": "synth_v2_01239", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed BloodHound artifacts at C:\\ProgramData\\payload.bin. Memory dump analysis confirmed execution of Nmap. Registry modifications pointed to persistence via C:\\ProgramData\\helper.sh. Network forensics identified connections to 192.98.155.171 and cloud-cloud.net. Email headers traced the initial vector to hr@urgent-notice.online. File C:\\Windows\\Temp\\update.dll (SHA1: 5168782bbb16b009c3fd7854b20f68751df9aebd) was identified as the initial dropper. A staging URL hxxp://proxy-relay.top/admin/config resolved to 214.26.207.123. 
Secondary artifact hash: SHA1: 5d06dee3ceeeafa8eca8a2d668865476b821ca17.", "spans": {"TOOL: BloodHound": [[72, 82]], "FILEPATH: C:\\ProgramData\\payload.bin": [[96, 122]], "TOOL: Nmap": [[168, 172]], "FILEPATH: C:\\ProgramData\\helper.sh": [[224, 248]], "IP_ADDRESS: 192.98.155.171": [[294, 308]], "DOMAIN: cloud-cloud.net": [[313, 328]], "EMAIL: hr@urgent-notice.online": [[373, 396]], "FILEPATH: C:\\Windows\\Temp\\update.dll": [[403, 429]], "HASH: 5168782bbb16b009c3fd7854b20f68751df9aebd": [[437, 477]], "URL: hxxp://proxy-relay.top/admin/config": [[532, 567]], "IP_ADDRESS: 214.26.207.123": [[580, 594]], "HASH: 5d06dee3ceeeafa8eca8a2d668865476b821ca17": [[627, 667]]}, "info": {"id": "synth_v2_01240", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Impacket artifacts at C:\\Program Files\\Common Files\\csrss.exe. Memory dump analysis confirmed execution of Sharphound. Registry modifications pointed to persistence via /opt/app/bin/ntds.dit. Network forensics identified connections to 192.69.71.6 and authproxy.site. Email headers traced the initial vector to helpdesk@phishing-domain.com. File C:\\ProgramData\\implant.so (SHA256: f67cbb1e615ab57a3f0f4eafc53951d1c09bf9e7ea3b874d81ad54750e86918c) was identified as the initial dropper. A staging URL hxxps://cloud-gateway.info/assets/js/payload.js resolved to 55.41.203.211. 
Secondary artifact hash: SHA256: a2e780266501a625cf76aaddda467bcccf5b2ab2896703914727170fef0b6967.", "spans": {"TOOL: Impacket": [[72, 80]], "FILEPATH: C:\\Program Files\\Common Files\\csrss.exe": [[94, 133]], "TOOL: Sharphound": [[179, 189]], "FILEPATH: /opt/app/bin/ntds.dit": [[241, 262]], "IP_ADDRESS: 192.69.71.6": [[308, 319]], "DOMAIN: authproxy.site": [[324, 338]], "EMAIL: helpdesk@phishing-domain.com": [[383, 411]], "FILEPATH: C:\\ProgramData\\implant.so": [[418, 443]], "HASH: f67cbb1e615ab57a3f0f4eafc53951d1c09bf9e7ea3b874d81ad54750e86918c": [[453, 517]], "URL: hxxps://cloud-gateway.info/assets/js/payload.js": [[572, 619]], "IP_ADDRESS: 55.41.203.211": [[632, 645]], "HASH: a2e780266501a625cf76aaddda467bcccf5b2ab2896703914727170fef0b6967": [[680, 744]]}, "info": {"id": "synth_v2_01241", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Rubeus artifacts at C:\\Program Files\\Common Files\\implant.so. Memory dump analysis confirmed execution of Hashcat. Registry modifications pointed to persistence via /var/tmp/ntds.dit. Network forensics identified connections to 172.236.222.71 and cache-data.top. Email headers traced the initial vector to noreply@urgent-notice.online. File /tmp/winlogon.exe (SHA1: a388f8001e9270bba0a6af817d760b8f0a615896) was identified as the initial dropper. A staging URL hxxps://portal-relay.dev/download/update.exe resolved to 10.75.115.201. 
Secondary artifact hash: SHA1: e84df837b7e0cb9aecfb187f90d1625e142ba1ee.", "spans": {"TOOL: Rubeus": [[72, 78]], "FILEPATH: C:\\Program Files\\Common Files\\implant.so": [[92, 132]], "TOOL: Hashcat": [[178, 185]], "FILEPATH: /var/tmp/ntds.dit": [[237, 254]], "IP_ADDRESS: 172.236.222.71": [[300, 314]], "DOMAIN: cache-data.top": [[319, 333]], "EMAIL: noreply@urgent-notice.online": [[378, 406]], "FILEPATH: /tmp/winlogon.exe": [[413, 430]], "HASH: a388f8001e9270bba0a6af817d760b8f0a615896": [[438, 478]], "URL: hxxps://portal-relay.dev/download/update.exe": [[533, 577]], "IP_ADDRESS: 10.75.115.201": [[590, 603]], "HASH: e84df837b7e0cb9aecfb187f90d1625e142ba1ee": [[636, 676]]}, "info": {"id": "synth_v2_01242", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed PsExec artifacts at C:\\Users\\admin\\Desktop\\implant.so. Memory dump analysis confirmed execution of GhostPack. Registry modifications pointed to persistence via /var/tmp/sam.hive. Network forensics identified connections to 217.84.95.81 and nodesync.link. Email headers traced the initial vector to contact@urgent-notice.online. File /usr/local/bin/implant.so (SHA1: 974b30fcb9e91a8bee97e1ff1313a9986ab1cbae) was identified as the initial dropper. A staging URL hxxps://nodeauth.live/api/v2/auth resolved to 192.212.131.67. 
Secondary artifact hash: SHA1: b03e81b7ca2e4f24b8273e1f0b0b7573175e788f.", "spans": {"TOOL: PsExec": [[72, 78]], "FILEPATH: C:\\Users\\admin\\Desktop\\implant.so": [[92, 125]], "TOOL: GhostPack": [[171, 180]], "FILEPATH: /var/tmp/sam.hive": [[232, 249]], "IP_ADDRESS: 217.84.95.81": [[295, 307]], "DOMAIN: nodesync.link": [[312, 325]], "EMAIL: contact@urgent-notice.online": [[370, 398]], "FILEPATH: /usr/local/bin/implant.so": [[405, 430]], "HASH: 974b30fcb9e91a8bee97e1ff1313a9986ab1cbae": [[438, 478]], "URL: hxxps://nodeauth.live/api/v2/auth": [[533, 566]], "IP_ADDRESS: 192.212.131.67": [[579, 593]], "HASH: b03e81b7ca2e4f24b8273e1f0b0b7573175e788f": [[626, 666]]}, "info": {"id": "synth_v2_01243", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed PowerShell Empire artifacts at /home/user/.config/helper.sh. Memory dump analysis confirmed execution of Merlin. Registry modifications pointed to persistence via /var/tmp/update.dll. Network forensics identified connections to 172.255.245.22 and secureproxy.io. Email headers traced the initial vector to report@phishing-domain.com. File C:\\Program Files\\Common Files\\backdoor.elf (SHA256: 5d606006e5846768b5ba739fcd1515c4525a033380d65006abac790c5179d1da) was identified as the initial dropper. A staging URL hxxp://mail-cache.net/login resolved to 82.178.28.198. 
Secondary artifact hash: SHA1: 4db3461e28013177d28b2aea5be20a2eda416168.", "spans": {"TOOL: PowerShell Empire": [[72, 89]], "FILEPATH: /home/user/.config/helper.sh": [[103, 131]], "TOOL: Merlin": [[177, 183]], "FILEPATH: /var/tmp/update.dll": [[235, 254]], "IP_ADDRESS: 172.255.245.22": [[300, 314]], "DOMAIN: secureproxy.io": [[319, 333]], "EMAIL: report@phishing-domain.com": [[378, 404]], "FILEPATH: C:\\Program Files\\Common Files\\backdoor.elf": [[411, 453]], "HASH: 5d606006e5846768b5ba739fcd1515c4525a033380d65006abac790c5179d1da": [[463, 527]], "URL: hxxp://mail-cache.net/login": [[582, 609]], "IP_ADDRESS: 82.178.28.198": [[622, 635]], "HASH: 4db3461e28013177d28b2aea5be20a2eda416168": [[668, 708]]}, "info": {"id": "synth_v2_01244", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Chisel artifacts at /usr/local/bin/lsass.dmp. Memory dump analysis confirmed execution of PowerView. Registry modifications pointed to persistence via /var/tmp/sam.hive. Network forensics identified connections to 102.11.110.38 and secure-static.tech. Email headers traced the initial vector to report@document-share.link. File C:\\Users\\admin\\Downloads\\taskhost.exe (MD5: 79453a7147bc47adcc84203273bc0114) was identified as the initial dropper. A staging URL http://relaydata.club/collect resolved to 172.152.37.138. 
Secondary artifact hash: SHA256: 2eda58c885ea72f87853e0cb2aa8ae1923988cffd920d231b38b08e3432fcba6.", "spans": {"TOOL: Chisel": [[72, 78]], "FILEPATH: /usr/local/bin/lsass.dmp": [[92, 116]], "TOOL: PowerView": [[162, 171]], "FILEPATH: /var/tmp/sam.hive": [[223, 240]], "IP_ADDRESS: 102.11.110.38": [[286, 299]], "DOMAIN: secure-static.tech": [[304, 322]], "EMAIL: report@document-share.link": [[367, 393]], "FILEPATH: C:\\Users\\admin\\Downloads\\taskhost.exe": [[400, 437]], "HASH: 79453a7147bc47adcc84203273bc0114": [[444, 476]], "URL: http://relaydata.club/collect": [[531, 560]], "IP_ADDRESS: 172.152.37.138": [[573, 587]], "HASH: 2eda58c885ea72f87853e0cb2aa8ae1923988cffd920d231b38b08e3432fcba6": [[622, 686]]}, "info": {"id": "synth_v2_01245", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed SharpHound artifacts at /tmp/implant.so. Memory dump analysis confirmed execution of WinPEAS. Registry modifications pointed to persistence via /etc/cron.d/beacon.dll. Network forensics identified connections to 172.231.137.175 and portal-relay.com. Email headers traced the initial vector to account@identity-verify.cc. File /opt/app/bin/csrss.exe (SHA256: 67617ee243a2415b145297c0393788569234334f1b9eb5e5c1fc1405f07612f4) was identified as the initial dropper. A staging URL http://mail-portal.top/callback resolved to 10.32.245.173. 
Secondary artifact hash: SHA1: 52864be824859bb93458376532dab6b294738981.", "spans": {"TOOL: SharpHound": [[72, 82]], "FILEPATH: /tmp/implant.so": [[96, 111]], "TOOL: WinPEAS": [[157, 164]], "FILEPATH: /etc/cron.d/beacon.dll": [[216, 238]], "IP_ADDRESS: 172.231.137.175": [[284, 299]], "DOMAIN: portal-relay.com": [[304, 320]], "EMAIL: account@identity-verify.cc": [[365, 391]], "FILEPATH: /opt/app/bin/csrss.exe": [[398, 420]], "HASH: 67617ee243a2415b145297c0393788569234334f1b9eb5e5c1fc1405f07612f4": [[430, 494]], "URL: http://mail-portal.top/callback": [[549, 580]], "IP_ADDRESS: 10.32.245.173": [[593, 606]], "HASH: 52864be824859bb93458376532dab6b294738981": [[639, 679]]}, "info": {"id": "synth_v2_01246", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Brute Ratel artifacts at C:\\Users\\Public\\Documents\\taskhost.exe. Memory dump analysis confirmed execution of PsExec. Registry modifications pointed to persistence via C:\\Users\\admin\\Downloads\\csrss.exe. Network forensics identified connections to 10.21.185.102 and edgelogin.io. Email headers traced the initial vector to security@secure-verify.net. File /home/user/.config/config.dat (SHA256: dafb592edcc9f033605628a0a7b1ef6b7c3bde2c1bce56df265119636b4db146) was identified as the initial dropper. A staging URL hxxp://proxy-node.io/api/v2/auth resolved to 10.74.85.161. 
Secondary artifact hash: SHA256: 2b3ebc495dc4d598d2e2625943c95fd5e80323c74d571659bd3c96f3661ce733.", "spans": {"TOOL: Brute Ratel": [[72, 83]], "FILEPATH: C:\\Users\\Public\\Documents\\taskhost.exe": [[97, 135]], "TOOL: PsExec": [[181, 187]], "FILEPATH: C:\\Users\\admin\\Downloads\\csrss.exe": [[239, 273]], "IP_ADDRESS: 10.21.185.102": [[319, 332]], "DOMAIN: edgelogin.io": [[337, 349]], "EMAIL: security@secure-verify.net": [[394, 420]], "FILEPATH: /home/user/.config/config.dat": [[427, 456]], "HASH: dafb592edcc9f033605628a0a7b1ef6b7c3bde2c1bce56df265119636b4db146": [[466, 530]], "URL: hxxp://proxy-node.io/api/v2/auth": [[585, 617]], "IP_ADDRESS: 10.74.85.161": [[630, 642]], "HASH: 2b3ebc495dc4d598d2e2625943c95fd5e80323c74d571659bd3c96f3661ce733": [[677, 741]]}, "info": {"id": "synth_v2_01247", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Nmap artifacts at C:\\Users\\admin\\Downloads\\sam.hive. Memory dump analysis confirmed execution of Covenant. Registry modifications pointed to persistence via /var/tmp/ntds.dit. Network forensics identified connections to 10.1.241.35 and loginedge.online. Email headers traced the initial vector to info@identity-verify.cc. File /etc/cron.d/agent.py (SHA1: a40c5251aa10ad9ded3ef1d34f7dcd407e3b9a1c) was identified as the initial dropper. A staging URL http://proxy-static.club/wp-content/uploads/doc.php resolved to 10.229.11.141. 
Secondary artifact hash: MD5: 5c60b38fb7565a418b37e38904108e4a.", "spans": {"TOOL: Nmap": [[72, 76]], "FILEPATH: C:\\Users\\admin\\Downloads\\sam.hive": [[90, 123]], "TOOL: Covenant": [[169, 177]], "FILEPATH: /var/tmp/ntds.dit": [[229, 246]], "IP_ADDRESS: 10.1.241.35": [[292, 303]], "DOMAIN: loginedge.online": [[308, 324]], "EMAIL: info@identity-verify.cc": [[369, 392]], "FILEPATH: /etc/cron.d/agent.py": [[399, 419]], "HASH: a40c5251aa10ad9ded3ef1d34f7dcd407e3b9a1c": [[427, 467]], "URL: http://proxy-static.club/wp-content/uploads/doc.php": [[522, 573]], "IP_ADDRESS: 10.229.11.141": [[586, 599]], "HASH: 5c60b38fb7565a418b37e38904108e4a": [[631, 663]]}, "info": {"id": "synth_v2_01248", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Rubeus artifacts at C:\\Users\\admin\\Desktop\\winlogon.exe. Memory dump analysis confirmed execution of SharpHound. Registry modifications pointed to persistence via C:\\ProgramData\\config.dat. Network forensics identified connections to 10.186.41.9 and login-gateway.dev. Email headers traced the initial vector to support@phishing-domain.com. File /opt/app/bin/csrss.exe (MD5: 3db205e2f4e6ec748589acc0a2742610) was identified as the initial dropper. A staging URL hxxp://gateway-update.online/download/update.exe resolved to 192.155.131.182. 
Secondary artifact hash: SHA256: 3ee0b2533436b8fd3abf39cc3847cc9eec0b98ef09df46d8fb6236f0885fe66e.", "spans": {"TOOL: Rubeus": [[72, 78]], "FILEPATH: C:\\Users\\admin\\Desktop\\winlogon.exe": [[92, 127]], "TOOL: SharpHound": [[173, 183]], "FILEPATH: C:\\ProgramData\\config.dat": [[235, 260]], "IP_ADDRESS: 10.186.41.9": [[306, 317]], "DOMAIN: login-gateway.dev": [[322, 339]], "EMAIL: support@phishing-domain.com": [[384, 411]], "FILEPATH: /opt/app/bin/csrss.exe": [[418, 440]], "HASH: 3db205e2f4e6ec748589acc0a2742610": [[447, 479]], "URL: hxxp://gateway-update.online/download/update.exe": [[534, 582]], "IP_ADDRESS: 192.155.131.182": [[595, 610]], "HASH: 3ee0b2533436b8fd3abf39cc3847cc9eec0b98ef09df46d8fb6236f0885fe66e": [[645, 709]]}, "info": {"id": "synth_v2_01249", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Certutil artifacts at /var/tmp/winlogon.exe. Memory dump analysis confirmed execution of Mimikatz. Registry modifications pointed to persistence via C:\\Users\\admin\\AppData\\Local\\Temp\\payload.bin. Network forensics identified connections to 175.72.140.51 and cachelogin.live. Email headers traced the initial vector to report@secure-verify.net. File /var/tmp/svchost.exe (SHA1: 3dd2eb650f715139bbd6cd7c317028e7b2d2a5d3) was identified as the initial dropper. A staging URL http://portaldata.net/callback resolved to 85.104.58.252. 
Secondary artifact hash: SHA256: d74934538bb0704219358e06ef5e713fd969b78ec5c4281f41f894352eb9faab.", "spans": {"TOOL: Certutil": [[72, 80]], "FILEPATH: /var/tmp/winlogon.exe": [[94, 115]], "TOOL: Mimikatz": [[161, 169]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\payload.bin": [[221, 266]], "IP_ADDRESS: 175.72.140.51": [[312, 325]], "DOMAIN: cachelogin.live": [[330, 345]], "EMAIL: report@secure-verify.net": [[390, 414]], "FILEPATH: /var/tmp/svchost.exe": [[421, 441]], "HASH: 3dd2eb650f715139bbd6cd7c317028e7b2d2a5d3": [[449, 489]], "URL: http://portaldata.net/callback": [[544, 574]], "IP_ADDRESS: 85.104.58.252": [[587, 600]], "HASH: d74934538bb0704219358e06ef5e713fd969b78ec5c4281f41f894352eb9faab": [[635, 699]]}, "info": {"id": "synth_v2_01250", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Mimikatz artifacts at C:\\Users\\admin\\Desktop\\dropper.ps1. Memory dump analysis confirmed execution of PowerView. Registry modifications pointed to persistence via /dev/shm/agent.py. Network forensics identified connections to 96.142.129.17 and cacherelay.com. Email headers traced the initial vector to confirm@mail-service.info. File C:\\Windows\\Temp\\helper.sh (SHA256: 13d365c4532896bac68852e075aa8b99d0165a1279454dbc8816723515da3a5f) was identified as the initial dropper. A staging URL hxxps://storageedge.com/secure/token resolved to 172.50.223.101. 
Secondary artifact hash: SHA256: dc8217c1ff77fad2583557d1499f6c685fb4ad6976693d5a287b83c41cb8a7f4.", "spans": {"TOOL: Mimikatz": [[72, 80]], "FILEPATH: C:\\Users\\admin\\Desktop\\dropper.ps1": [[94, 128]], "TOOL: PowerView": [[174, 183]], "FILEPATH: /dev/shm/agent.py": [[235, 252]], "IP_ADDRESS: 96.142.129.17": [[298, 311]], "DOMAIN: cacherelay.com": [[316, 330]], "EMAIL: confirm@mail-service.info": [[375, 400]], "FILEPATH: C:\\Windows\\Temp\\helper.sh": [[407, 432]], "HASH: 13d365c4532896bac68852e075aa8b99d0165a1279454dbc8816723515da3a5f": [[442, 506]], "URL: hxxps://storageedge.com/secure/token": [[561, 597]], "IP_ADDRESS: 172.50.223.101": [[610, 624]], "HASH: dc8217c1ff77fad2583557d1499f6c685fb4ad6976693d5a287b83c41cb8a7f4": [[659, 723]]}, "info": {"id": "synth_v2_01251", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed BITSAdmin artifacts at C:\\Users\\Public\\Documents\\beacon.dll. Memory dump analysis confirmed execution of WinPEAS. Registry modifications pointed to persistence via C:\\Program Files\\Common Files\\agent.py. Network forensics identified connections to 192.1.66.76 and static-gateway.cc. Email headers traced the initial vector to contact@secure-verify.net. File C:\\Windows\\System32\\shell.php (MD5: 3397dc598d5123caccdf69b34c1fbc4b) was identified as the initial dropper. A staging URL hxxp://auth-storage.live/assets/js/payload.js resolved to 10.183.3.82. 
Secondary artifact hash: SHA1: 6b04002aa3bbc0e67d7243e7eb33e41da0f7125b.", "spans": {"TOOL: BITSAdmin": [[72, 81]], "FILEPATH: C:\\Users\\Public\\Documents\\beacon.dll": [[95, 131]], "TOOL: WinPEAS": [[177, 184]], "FILEPATH: C:\\Program Files\\Common Files\\agent.py": [[236, 274]], "IP_ADDRESS: 192.1.66.76": [[320, 331]], "DOMAIN: static-gateway.cc": [[336, 353]], "EMAIL: contact@secure-verify.net": [[398, 423]], "FILEPATH: C:\\Windows\\System32\\shell.php": [[430, 459]], "HASH: 3397dc598d5123caccdf69b34c1fbc4b": [[466, 498]], "URL: hxxp://auth-storage.live/assets/js/payload.js": [[553, 598]], "IP_ADDRESS: 10.183.3.82": [[611, 622]], "HASH: 6b04002aa3bbc0e67d7243e7eb33e41da0f7125b": [[655, 695]]}, "info": {"id": "synth_v2_01252", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Ligolo artifacts at /opt/app/bin/csrss.exe. Memory dump analysis confirmed execution of Rubeus. Registry modifications pointed to persistence via C:\\Users\\admin\\Downloads\\helper.sh. Network forensics identified connections to 172.98.233.166 and cdnbackup.online. Email headers traced the initial vector to ceo@login-portal.tech. File C:\\Users\\admin\\Downloads\\payload.bin (SHA1: 21bb4dcaf516182cad3981db9bb87cb1f7f5e166) was identified as the initial dropper. A staging URL hxxps://cdnauth.net/secure/token resolved to 163.155.120.90. 
Secondary artifact hash: SHA1: 13618451d5c53e92871c56707c861acb5e3a91dd.", "spans": {"TOOL: Ligolo": [[72, 78]], "FILEPATH: /opt/app/bin/csrss.exe": [[92, 114]], "TOOL: Rubeus": [[160, 166]], "FILEPATH: C:\\Users\\admin\\Downloads\\helper.sh": [[218, 252]], "IP_ADDRESS: 172.98.233.166": [[298, 312]], "DOMAIN: cdnbackup.online": [[317, 333]], "EMAIL: ceo@login-portal.tech": [[378, 399]], "FILEPATH: C:\\Users\\admin\\Downloads\\payload.bin": [[406, 442]], "HASH: 21bb4dcaf516182cad3981db9bb87cb1f7f5e166": [[450, 490]], "URL: hxxps://cdnauth.net/secure/token": [[545, 577]], "IP_ADDRESS: 163.155.120.90": [[590, 604]], "HASH: 13618451d5c53e92871c56707c861acb5e3a91dd": [[637, 677]]}, "info": {"id": "synth_v2_01253", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed GhostPack artifacts at C:\\Users\\admin\\Downloads\\winlogon.exe. Memory dump analysis confirmed execution of LaZagne. Registry modifications pointed to persistence via /opt/app/bin/loader.exe. Network forensics identified connections to 172.20.113.22 and mailedge.dev. Email headers traced the initial vector to admin@document-share.link. File C:\\Program Files\\Common Files\\config.dat (MD5: d734ff0838a33dd15ae2c8d5c6089b62) was identified as the initial dropper. A staging URL hxxps://authedge.site/portal/verify resolved to 71.9.121.6. 
Secondary artifact hash: MD5: 6478fccc188d34653833b2b2791778f1.", "spans": {"TOOL: GhostPack": [[72, 81]], "FILEPATH: C:\\Users\\admin\\Downloads\\winlogon.exe": [[95, 132]], "TOOL: LaZagne": [[178, 185]], "FILEPATH: /opt/app/bin/loader.exe": [[237, 260]], "IP_ADDRESS: 172.20.113.22": [[306, 319]], "DOMAIN: mailedge.dev": [[324, 336]], "EMAIL: admin@document-share.link": [[381, 406]], "FILEPATH: C:\\Program Files\\Common Files\\config.dat": [[413, 453]], "HASH: d734ff0838a33dd15ae2c8d5c6089b62": [[460, 492]], "URL: hxxps://authedge.site/portal/verify": [[547, 582]], "IP_ADDRESS: 71.9.121.6": [[595, 605]], "HASH: 6478fccc188d34653833b2b2791778f1": [[637, 669]]}, "info": {"id": "synth_v2_01254", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Havoc artifacts at C:\\Windows\\System32\\config.dat. Memory dump analysis confirmed execution of Impacket. Registry modifications pointed to persistence via /var/tmp/csrss.exe. Network forensics identified connections to 153.92.23.84 and proxystatic.cc. Email headers traced the initial vector to alert@login-portal.tech. File /opt/app/bin/agent.py (SHA1: f983743a4a9ea71efa490b7b5326ec6d25ba1b02) was identified as the initial dropper. A staging URL hxxps://cacheedge.xyz/assets/js/payload.js resolved to 145.208.226.83. 
Secondary artifact hash: SHA1: 2277308359c4fa577b3154bed57a5cc42abacf9f.", "spans": {"TOOL: Havoc": [[72, 77]], "FILEPATH: C:\\Windows\\System32\\config.dat": [[91, 121]], "TOOL: Impacket": [[167, 175]], "FILEPATH: /var/tmp/csrss.exe": [[227, 245]], "IP_ADDRESS: 153.92.23.84": [[291, 303]], "DOMAIN: proxystatic.cc": [[308, 322]], "EMAIL: alert@login-portal.tech": [[367, 390]], "FILEPATH: /opt/app/bin/agent.py": [[397, 418]], "HASH: f983743a4a9ea71efa490b7b5326ec6d25ba1b02": [[426, 466]], "URL: hxxps://cacheedge.xyz/assets/js/payload.js": [[521, 563]], "IP_ADDRESS: 145.208.226.83": [[576, 590]], "HASH: 2277308359c4fa577b3154bed57a5cc42abacf9f": [[623, 663]]}, "info": {"id": "synth_v2_01255", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Metasploit artifacts at /home/user/.config/winlogon.exe. Memory dump analysis confirmed execution of Seatbelt. Registry modifications pointed to persistence via C:\\Windows\\Tasks\\ntds.dit. Network forensics identified connections to 10.199.0.141 and mail-secure.org. Email headers traced the initial vector to billing@login-portal.tech. File C:\\Windows\\System32\\sam.hive (MD5: 4da8a950755f390be0291f15d4f0fc53) was identified as the initial dropper. A staging URL http://nodestatic.link/login resolved to 136.237.19.205. 
Secondary artifact hash: MD5: cf1ff038a57843dc01450d2eb47eb3bc.", "spans": {"TOOL: Metasploit": [[72, 82]], "FILEPATH: /home/user/.config/winlogon.exe": [[96, 127]], "TOOL: Seatbelt": [[173, 181]], "FILEPATH: C:\\Windows\\Tasks\\ntds.dit": [[233, 258]], "IP_ADDRESS: 10.199.0.141": [[304, 316]], "DOMAIN: mail-secure.org": [[321, 336]], "EMAIL: billing@login-portal.tech": [[381, 406]], "FILEPATH: C:\\Windows\\System32\\sam.hive": [[413, 441]], "HASH: 4da8a950755f390be0291f15d4f0fc53": [[448, 480]], "URL: http://nodestatic.link/login": [[535, 563]], "IP_ADDRESS: 136.237.19.205": [[576, 590]], "HASH: cf1ff038a57843dc01450d2eb47eb3bc": [[622, 654]]}, "info": {"id": "synth_v2_01256", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Seatbelt artifacts at C:\\Windows\\Temp\\loader.exe. Memory dump analysis confirmed execution of Sharphound. Registry modifications pointed to persistence via /tmp/backdoor.elf. Network forensics identified connections to 10.116.3.176 and data-cache.cc. Email headers traced the initial vector to verify@document-share.link. File C:\\Windows\\Tasks\\ntds.dit (SHA1: 0f7495554694f9b0007dedc62a68f9f4fd3a8a83) was identified as the initial dropper. A staging URL https://relay-auth.top/assets/js/payload.js resolved to 72.199.54.190. 
Secondary artifact hash: SHA1: d732bd33f9e38df6e353cd5be703754a45572be8.", "spans": {"TOOL: Seatbelt": [[72, 80]], "FILEPATH: C:\\Windows\\Temp\\loader.exe": [[94, 120]], "TOOL: Sharphound": [[166, 176]], "FILEPATH: /tmp/backdoor.elf": [[228, 245]], "IP_ADDRESS: 10.116.3.176": [[291, 303]], "DOMAIN: data-cache.cc": [[308, 321]], "EMAIL: verify@document-share.link": [[366, 392]], "FILEPATH: C:\\Windows\\Tasks\\ntds.dit": [[399, 424]], "HASH: 0f7495554694f9b0007dedc62a68f9f4fd3a8a83": [[432, 472]], "URL: https://relay-auth.top/assets/js/payload.js": [[527, 570]], "IP_ADDRESS: 72.199.54.190": [[583, 596]], "HASH: d732bd33f9e38df6e353cd5be703754a45572be8": [[629, 669]]}, "info": {"id": "synth_v2_01257", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed WinPEAS artifacts at C:\\Users\\admin\\Desktop\\update.dll. Memory dump analysis confirmed execution of PsExec. Registry modifications pointed to persistence via /var/tmp/runtime.dll. Network forensics identified connections to 213.74.187.188 and cache-relay.site. Email headers traced the initial vector to support@document-share.link. File /dev/shm/dropper.ps1 (SHA1: 26fd0e0fb2a1c0ef03328d88a5a76bba190b6ff3) was identified as the initial dropper. A staging URL http://update-proxy.xyz/collect resolved to 132.53.132.199. 
Secondary artifact hash: SHA1: 981e98302fefc773bdf76bd00793ece57e8251c5.", "spans": {"TOOL: WinPEAS": [[72, 79]], "FILEPATH: C:\\Users\\admin\\Desktop\\update.dll": [[93, 126]], "TOOL: PsExec": [[172, 178]], "FILEPATH: /var/tmp/runtime.dll": [[230, 250]], "IP_ADDRESS: 213.74.187.188": [[296, 310]], "DOMAIN: cache-relay.site": [[315, 331]], "EMAIL: support@document-share.link": [[376, 403]], "FILEPATH: /dev/shm/dropper.ps1": [[410, 430]], "HASH: 26fd0e0fb2a1c0ef03328d88a5a76bba190b6ff3": [[438, 478]], "URL: http://update-proxy.xyz/collect": [[533, 564]], "IP_ADDRESS: 132.53.132.199": [[577, 591]], "HASH: 981e98302fefc773bdf76bd00793ece57e8251c5": [[624, 664]]}, "info": {"id": "synth_v2_01258", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Seatbelt artifacts at /home/user/.config/implant.so. Memory dump analysis confirmed execution of Merlin. Registry modifications pointed to persistence via /home/user/.config/backdoor.elf. Network forensics identified connections to 223.158.141.29 and loginportal.top. Email headers traced the initial vector to ceo@mail-service.info. File /opt/app/bin/sam.hive (SHA1: 0789f4c167013f7b2b02cd9e8dda707f2d2efb5c) was identified as the initial dropper. A staging URL https://backup-relay.live/collect resolved to 172.206.87.191. 
Secondary artifact hash: SHA1: 28409093cba43a118374f634550713b013644794.", "spans": {"TOOL: Seatbelt": [[72, 80]], "FILEPATH: /home/user/.config/implant.so": [[94, 123]], "TOOL: Merlin": [[169, 175]], "FILEPATH: /home/user/.config/backdoor.elf": [[227, 258]], "IP_ADDRESS: 223.158.141.29": [[304, 318]], "DOMAIN: loginportal.top": [[323, 338]], "EMAIL: ceo@mail-service.info": [[383, 404]], "FILEPATH: /opt/app/bin/sam.hive": [[411, 432]], "HASH: 0789f4c167013f7b2b02cd9e8dda707f2d2efb5c": [[440, 480]], "URL: https://backup-relay.live/collect": [[535, 568]], "IP_ADDRESS: 172.206.87.191": [[581, 595]], "HASH: 28409093cba43a118374f634550713b013644794": [[628, 668]]}, "info": {"id": "synth_v2_01259", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed PowerView artifacts at C:\\Users\\Public\\Documents\\lsass.dmp. Memory dump analysis confirmed execution of GhostPack. Registry modifications pointed to persistence via C:\\Windows\\Temp\\backdoor.elf. Network forensics identified connections to 192.168.27.119 and proxy-storage.site. Email headers traced the initial vector to confirm@secure-verify.net. File /var/tmp/winlogon.exe (SHA1: 408b815d248d95f797ca33e4cff1da8ecaeffa12) was identified as the initial dropper. A staging URL hxxp://proxynode.info/portal/verify resolved to 94.160.230.130. 
Secondary artifact hash: SHA1: b040cfc785c1bda8a0b31dce697178bad813c260.", "spans": {"TOOL: PowerView": [[72, 81]], "FILEPATH: C:\\Users\\Public\\Documents\\lsass.dmp": [[95, 130]], "TOOL: GhostPack": [[176, 185]], "FILEPATH: C:\\Windows\\Temp\\backdoor.elf": [[237, 265]], "IP_ADDRESS: 192.168.27.119": [[311, 325]], "DOMAIN: proxy-storage.site": [[330, 348]], "EMAIL: confirm@secure-verify.net": [[393, 418]], "FILEPATH: /var/tmp/winlogon.exe": [[425, 446]], "HASH: 408b815d248d95f797ca33e4cff1da8ecaeffa12": [[454, 494]], "URL: hxxp://proxynode.info/portal/verify": [[549, 584]], "IP_ADDRESS: 94.160.230.130": [[597, 611]], "HASH: b040cfc785c1bda8a0b31dce697178bad813c260": [[644, 684]]}, "info": {"id": "synth_v2_01260", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed CrackMapExec artifacts at C:\\Users\\admin\\AppData\\Local\\Temp\\beacon.dll. Memory dump analysis confirmed execution of SharpHound. Registry modifications pointed to persistence via /tmp/update.dll. Network forensics identified connections to 100.48.98.81 and portal-cache.org. Email headers traced the initial vector to billing@urgent-notice.online. File C:\\Windows\\Tasks\\taskhost.exe (SHA1: 6e82a1d8fac3a2ea0858ba706ec315f3437e5c9b) was identified as the initial dropper. A staging URL hxxp://backupupdate.xyz/callback resolved to 192.1.251.131. 
Secondary artifact hash: MD5: d8740c0b1698820674d7c0b76bb97f77.", "spans": {"TOOL: CrackMapExec": [[72, 84]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\beacon.dll": [[98, 142]], "TOOL: SharpHound": [[188, 198]], "FILEPATH: /tmp/update.dll": [[250, 265]], "IP_ADDRESS: 100.48.98.81": [[311, 323]], "DOMAIN: portal-cache.org": [[328, 344]], "EMAIL: billing@urgent-notice.online": [[389, 417]], "FILEPATH: C:\\Windows\\Tasks\\taskhost.exe": [[424, 453]], "HASH: 6e82a1d8fac3a2ea0858ba706ec315f3437e5c9b": [[461, 501]], "URL: hxxp://backupupdate.xyz/callback": [[556, 588]], "IP_ADDRESS: 192.1.251.131": [[601, 614]], "HASH: d8740c0b1698820674d7c0b76bb97f77": [[646, 678]]}, "info": {"id": "synth_v2_01261", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed WinPEAS artifacts at /opt/app/bin/payload.bin. Memory dump analysis confirmed execution of BloodHound. Registry modifications pointed to persistence via /opt/app/bin/update.dll. Network forensics identified connections to 81.100.81.118 and loginsync.cc. Email headers traced the initial vector to billing@account-update.xyz. File C:\\Users\\admin\\Downloads\\helper.sh (SHA256: b9129fd69d142aa211d46f0c62109f5aed20b61a69583e2f8f50d0b907afba26) was identified as the initial dropper. A staging URL http://data-sync.online/api/v2/auth resolved to 172.169.60.73. 
Secondary artifact hash: SHA256: 0ebf46845afb8ecdb0a78d131de17dadb11f2665ecac94cb4443d790afa1ff51.", "spans": {"TOOL: WinPEAS": [[72, 79]], "FILEPATH: /opt/app/bin/payload.bin": [[93, 117]], "TOOL: BloodHound": [[163, 173]], "FILEPATH: /opt/app/bin/update.dll": [[225, 248]], "IP_ADDRESS: 81.100.81.118": [[294, 307]], "DOMAIN: loginsync.cc": [[312, 324]], "EMAIL: billing@account-update.xyz": [[369, 395]], "FILEPATH: C:\\Users\\admin\\Downloads\\helper.sh": [[402, 436]], "HASH: b9129fd69d142aa211d46f0c62109f5aed20b61a69583e2f8f50d0b907afba26": [[446, 510]], "URL: http://data-sync.online/api/v2/auth": [[565, 600]], "IP_ADDRESS: 172.169.60.73": [[613, 626]], "HASH: 0ebf46845afb8ecdb0a78d131de17dadb11f2665ecac94cb4443d790afa1ff51": [[661, 725]]}, "info": {"id": "synth_v2_01262", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Sliver artifacts at /home/user/.config/ntds.dit. Memory dump analysis confirmed execution of Burp Suite. Registry modifications pointed to persistence via /opt/app/bin/update.dll. Network forensics identified connections to 178.231.21.234 and syncapi.xyz. Email headers traced the initial vector to hr@auth-check.org. File /var/tmp/csrss.exe (MD5: 3ab6762e89c051bd7e4a2e00ba8e5d24) was identified as the initial dropper. A staging URL hxxp://proxyportal.net/api/v2/auth resolved to 10.20.210.30. 
Secondary artifact hash: MD5: 4d23d94b55d5bfe53e572301d3045ff0.", "spans": {"TOOL: Sliver": [[72, 78]], "FILEPATH: /home/user/.config/ntds.dit": [[92, 119]], "TOOL: Burp Suite": [[165, 175]], "FILEPATH: /opt/app/bin/update.dll": [[227, 250]], "IP_ADDRESS: 178.231.21.234": [[296, 310]], "DOMAIN: syncapi.xyz": [[315, 326]], "EMAIL: hr@auth-check.org": [[371, 388]], "FILEPATH: /var/tmp/csrss.exe": [[395, 413]], "HASH: 3ab6762e89c051bd7e4a2e00ba8e5d24": [[420, 452]], "URL: hxxp://proxyportal.net/api/v2/auth": [[507, 541]], "IP_ADDRESS: 10.20.210.30": [[554, 566]], "HASH: 4d23d94b55d5bfe53e572301d3045ff0": [[598, 630]]}, "info": {"id": "synth_v2_01263", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Burp Suite artifacts at /var/tmp/implant.so. Memory dump analysis confirmed execution of Sliver. Registry modifications pointed to persistence via C:\\ProgramData\\payload.bin. Network forensics identified connections to 172.207.52.232 and mail-portal.info. Email headers traced the initial vector to confirm@auth-check.org. File /dev/shm/svchost.exe (MD5: ca015b60a8c303da0cbaffd30435febf) was identified as the initial dropper. A staging URL https://update-sync.tech/secure/token resolved to 10.76.121.168. 
Secondary artifact hash: MD5: 12027871cced67ce2649d1131311a3a3.", "spans": {"TOOL: Burp Suite": [[72, 82]], "FILEPATH: /var/tmp/implant.so": [[96, 115]], "TOOL: Sliver": [[161, 167]], "FILEPATH: C:\\ProgramData\\payload.bin": [[219, 245]], "IP_ADDRESS: 172.207.52.232": [[291, 305]], "DOMAIN: mail-portal.info": [[310, 326]], "EMAIL: confirm@auth-check.org": [[371, 393]], "FILEPATH: /dev/shm/svchost.exe": [[400, 420]], "HASH: ca015b60a8c303da0cbaffd30435febf": [[427, 459]], "URL: https://update-sync.tech/secure/token": [[514, 551]], "IP_ADDRESS: 10.76.121.168": [[564, 577]], "HASH: 12027871cced67ce2649d1131311a3a3": [[609, 641]]}, "info": {"id": "synth_v2_01264", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed SharpHound artifacts at /opt/app/bin/shell.php. Memory dump analysis confirmed execution of BITSAdmin. Registry modifications pointed to persistence via /opt/app/bin/update.dll. Network forensics identified connections to 110.3.255.128 and proxy-gateway.live. Email headers traced the initial vector to report@phishing-domain.com. File C:\\Windows\\System32\\ntds.dit (SHA256: f64f2099b56c91015dba7f653670eafc60fa694a52c3d480bb0226e7c21914eb) was identified as the initial dropper. A staging URL hxxp://gatewaycdn.com/assets/js/payload.js resolved to 197.159.110.60. 
Secondary artifact hash: SHA1: 03d67898780c130d85ae4278e18dd2037c2525e2.", "spans": {"TOOL: SharpHound": [[72, 82]], "FILEPATH: /opt/app/bin/shell.php": [[96, 118]], "TOOL: BITSAdmin": [[164, 173]], "FILEPATH: /opt/app/bin/update.dll": [[225, 248]], "IP_ADDRESS: 110.3.255.128": [[294, 307]], "DOMAIN: proxy-gateway.live": [[312, 330]], "EMAIL: report@phishing-domain.com": [[375, 401]], "FILEPATH: C:\\Windows\\System32\\ntds.dit": [[408, 436]], "HASH: f64f2099b56c91015dba7f653670eafc60fa694a52c3d480bb0226e7c21914eb": [[446, 510]], "URL: hxxp://gatewaycdn.com/assets/js/payload.js": [[565, 607]], "IP_ADDRESS: 197.159.110.60": [[620, 634]], "HASH: 03d67898780c130d85ae4278e18dd2037c2525e2": [[667, 707]]}, "info": {"id": "synth_v2_01265", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Sharphound artifacts at /var/tmp/lsass.dmp. Memory dump analysis confirmed execution of Merlin. Registry modifications pointed to persistence via C:\\Users\\admin\\Desktop\\payload.bin. Network forensics identified connections to 10.31.227.96 and staticcdn.site. Email headers traced the initial vector to updates@phishing-domain.com. File C:\\Program Files\\Common Files\\shell.php (SHA256: b7f96c25122d971a30a6da7d828ac0491c59cec9826a9f2f8092c08610872b0a) was identified as the initial dropper. A staging URL hxxps://storage-auth.org/login resolved to 174.11.205.27. 
Secondary artifact hash: SHA256: c66646656e6293aceb4c06e63a13d5ed9ea0d2962b25fd3fd8025a12f242ac3b.", "spans": {"TOOL: Sharphound": [[72, 82]], "FILEPATH: /var/tmp/lsass.dmp": [[96, 114]], "TOOL: Merlin": [[160, 166]], "FILEPATH: C:\\Users\\admin\\Desktop\\payload.bin": [[218, 252]], "IP_ADDRESS: 10.31.227.96": [[298, 310]], "DOMAIN: staticcdn.site": [[315, 329]], "EMAIL: updates@phishing-domain.com": [[374, 401]], "FILEPATH: C:\\Program Files\\Common Files\\shell.php": [[408, 447]], "HASH: b7f96c25122d971a30a6da7d828ac0491c59cec9826a9f2f8092c08610872b0a": [[457, 521]], "URL: hxxps://storage-auth.org/login": [[576, 606]], "IP_ADDRESS: 174.11.205.27": [[619, 632]], "HASH: c66646656e6293aceb4c06e63a13d5ed9ea0d2962b25fd3fd8025a12f242ac3b": [[667, 731]]}, "info": {"id": "synth_v2_01266", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed LinPEAS artifacts at /tmp/shell.php. Memory dump analysis confirmed execution of Sharphound. Registry modifications pointed to persistence via /tmp/backdoor.elf. Network forensics identified connections to 154.243.83.234 and data-data.cc. Email headers traced the initial vector to info@document-share.link. File /home/user/.config/implant.so (SHA256: beb0961fbbf08f707a8ec792fe0084b8c9e00dc41183220cdc08fa250511fe08) was identified as the initial dropper. A staging URL hxxp://cache-portal.link/api/v2/auth resolved to 172.93.37.142. 
Secondary artifact hash: MD5: 66a94f3c5243ba48e5e43000adc450ae.", "spans": {"TOOL: LinPEAS": [[72, 79]], "FILEPATH: /tmp/shell.php": [[93, 107]], "TOOL: Sharphound": [[153, 163]], "FILEPATH: /tmp/backdoor.elf": [[215, 232]], "IP_ADDRESS: 154.243.83.234": [[278, 292]], "DOMAIN: data-data.cc": [[297, 309]], "EMAIL: info@document-share.link": [[354, 378]], "FILEPATH: /home/user/.config/implant.so": [[385, 414]], "HASH: beb0961fbbf08f707a8ec792fe0084b8c9e00dc41183220cdc08fa250511fe08": [[424, 488]], "URL: hxxp://cache-portal.link/api/v2/auth": [[543, 579]], "IP_ADDRESS: 172.93.37.142": [[592, 605]], "HASH: 66a94f3c5243ba48e5e43000adc450ae": [[637, 669]]}, "info": {"id": "synth_v2_01267", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed BloodHound artifacts at C:\\Windows\\Temp\\winlogon.exe. Memory dump analysis confirmed execution of Hashcat. Registry modifications pointed to persistence via /var/tmp/svchost.exe. Network forensics identified connections to 11.28.64.227 and securerelay.link. Email headers traced the initial vector to finance@document-share.link. File /dev/shm/chrome_helper.exe (SHA256: b08e79c1a358c8d48d4ce919498771c26eef32b4fc85975eb9f56827f8f5722a) was identified as the initial dropper. A staging URL http://proxyedge.io/download/update.exe resolved to 192.119.237.114. 
Secondary artifact hash: SHA256: af6f774ac4a31b2683fcbbe530a60bf0c03bccbb9783d82c392e6150fa5be283.", "spans": {"TOOL: BloodHound": [[72, 82]], "FILEPATH: C:\\Windows\\Temp\\winlogon.exe": [[96, 124]], "TOOL: Hashcat": [[170, 177]], "FILEPATH: /var/tmp/svchost.exe": [[229, 249]], "IP_ADDRESS: 11.28.64.227": [[295, 307]], "DOMAIN: securerelay.link": [[312, 328]], "EMAIL: finance@document-share.link": [[373, 400]], "FILEPATH: /dev/shm/chrome_helper.exe": [[407, 433]], "HASH: b08e79c1a358c8d48d4ce919498771c26eef32b4fc85975eb9f56827f8f5722a": [[443, 507]], "URL: http://proxyedge.io/download/update.exe": [[562, 601]], "IP_ADDRESS: 192.119.237.114": [[614, 629]], "HASH: af6f774ac4a31b2683fcbbe530a60bf0c03bccbb9783d82c392e6150fa5be283": [[664, 728]]}, "info": {"id": "synth_v2_01268", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Hashcat artifacts at C:\\Windows\\System32\\update.dll. Memory dump analysis confirmed execution of CrackMapExec. Registry modifications pointed to persistence via C:\\Users\\admin\\Desktop\\runtime.dll. Network forensics identified connections to 10.85.215.250 and mailnode.cc. Email headers traced the initial vector to hr@credential-check.site. File C:\\Windows\\System32\\config.dat (SHA1: 299f3b3c423337422cb8b93f9f54990a7d3f0748) was identified as the initial dropper. A staging URL hxxps://updatecache.site/admin/config resolved to 172.132.212.181. 
Secondary artifact hash: SHA1: a92eda0da6735c3c93191bda0a9e475009f7802f.", "spans": {"TOOL: Hashcat": [[72, 79]], "FILEPATH: C:\\Windows\\System32\\update.dll": [[93, 123]], "TOOL: CrackMapExec": [[169, 181]], "FILEPATH: C:\\Users\\admin\\Desktop\\runtime.dll": [[233, 267]], "IP_ADDRESS: 10.85.215.250": [[313, 326]], "DOMAIN: mailnode.cc": [[331, 342]], "EMAIL: hr@credential-check.site": [[387, 411]], "FILEPATH: C:\\Windows\\System32\\config.dat": [[418, 448]], "HASH: 299f3b3c423337422cb8b93f9f54990a7d3f0748": [[456, 496]], "URL: hxxps://updatecache.site/admin/config": [[551, 588]], "IP_ADDRESS: 172.132.212.181": [[601, 616]], "HASH: a92eda0da6735c3c93191bda0a9e475009f7802f": [[649, 689]]}, "info": {"id": "synth_v2_01269", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Sliver artifacts at C:\\Program Files\\Common Files\\backdoor.elf. Memory dump analysis confirmed execution of Hashcat. Registry modifications pointed to persistence via C:\\Windows\\Tasks\\payload.bin. Network forensics identified connections to 56.231.238.178 and updatestatic.info. Email headers traced the initial vector to verify@credential-check.site. File /usr/local/bin/winlogon.exe (SHA256: 7cd47eaa2464dfa44c5efbb5f343e041a835d7296f56de34f1197967352a0ccb) was identified as the initial dropper. A staging URL hxxp://cdngateway.net/collect resolved to 121.253.133.4. 
Secondary artifact hash: MD5: a54bbeaee0ab5065f49d1cae8e67e658.", "spans": {"TOOL: Sliver": [[72, 78]], "FILEPATH: C:\\Program Files\\Common Files\\backdoor.elf": [[92, 134]], "TOOL: Hashcat": [[180, 187]], "FILEPATH: C:\\Windows\\Tasks\\payload.bin": [[239, 267]], "IP_ADDRESS: 56.231.238.178": [[313, 327]], "DOMAIN: updatestatic.info": [[332, 349]], "EMAIL: verify@credential-check.site": [[394, 422]], "FILEPATH: /usr/local/bin/winlogon.exe": [[429, 456]], "HASH: 7cd47eaa2464dfa44c5efbb5f343e041a835d7296f56de34f1197967352a0ccb": [[466, 530]], "URL: hxxp://cdngateway.net/collect": [[585, 614]], "IP_ADDRESS: 121.253.133.4": [[627, 640]], "HASH: a54bbeaee0ab5065f49d1cae8e67e658": [[672, 704]]}, "info": {"id": "synth_v2_01270", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed SharpHound artifacts at C:\\Windows\\Tasks\\payload.bin. Memory dump analysis confirmed execution of Havoc. Registry modifications pointed to persistence via /home/user/.config/payload.bin. Network forensics identified connections to 192.75.205.176 and updateupdate.tech. Email headers traced the initial vector to verify@secure-verify.net. File C:\\Users\\admin\\Desktop\\loader.exe (SHA256: 66d43902925cef3c05693039a5d30dc53b251d892c9d4e55354ecb0665178cee) was identified as the initial dropper. A staging URL http://cdnstorage.site/panel/index.html resolved to 192.193.131.31. 
Secondary artifact hash: SHA1: 56c6896bfd571d719003472670aeffaba90a7b18.", "spans": {"TOOL: SharpHound": [[72, 82]], "FILEPATH: C:\\Windows\\Tasks\\payload.bin": [[96, 124]], "TOOL: Havoc": [[170, 175]], "FILEPATH: /home/user/.config/payload.bin": [[227, 257]], "IP_ADDRESS: 192.75.205.176": [[303, 317]], "DOMAIN: updateupdate.tech": [[322, 339]], "EMAIL: verify@secure-verify.net": [[384, 408]], "FILEPATH: C:\\Users\\admin\\Desktop\\loader.exe": [[415, 448]], "HASH: 66d43902925cef3c05693039a5d30dc53b251d892c9d4e55354ecb0665178cee": [[458, 522]], "URL: http://cdnstorage.site/panel/index.html": [[577, 616]], "IP_ADDRESS: 192.193.131.31": [[629, 643]], "HASH: 56c6896bfd571d719003472670aeffaba90a7b18": [[676, 716]]}, "info": {"id": "synth_v2_01271", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed PowerView artifacts at C:\\Windows\\Temp\\runtime.dll. Memory dump analysis confirmed execution of Nmap. Registry modifications pointed to persistence via C:\\ProgramData\\lsass.dmp. Network forensics identified connections to 163.32.73.120 and datamail.top. Email headers traced the initial vector to info@identity-verify.cc. File C:\\Users\\admin\\Desktop\\agent.py (MD5: 27530415a91fef25ca115872d73b182a) was identified as the initial dropper. A staging URL hxxps://api-cache.cc/collect resolved to 10.89.134.35. 
Secondary artifact hash: SHA1: f4f16c10535c0619990979d9b5e7c29410a44d3f.", "spans": {"TOOL: PowerView": [[72, 81]], "FILEPATH: C:\\Windows\\Temp\\runtime.dll": [[95, 122]], "TOOL: Nmap": [[168, 172]], "FILEPATH: C:\\ProgramData\\lsass.dmp": [[224, 248]], "IP_ADDRESS: 163.32.73.120": [[294, 307]], "DOMAIN: datamail.top": [[312, 324]], "EMAIL: info@identity-verify.cc": [[369, 392]], "FILEPATH: C:\\Users\\admin\\Desktop\\agent.py": [[399, 430]], "HASH: 27530415a91fef25ca115872d73b182a": [[437, 469]], "URL: hxxps://api-cache.cc/collect": [[524, 552]], "IP_ADDRESS: 10.89.134.35": [[565, 577]], "HASH: f4f16c10535c0619990979d9b5e7c29410a44d3f": [[610, 650]]}, "info": {"id": "synth_v2_01272", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Covenant artifacts at /usr/local/bin/dropper.ps1. Memory dump analysis confirmed execution of Burp Suite. Registry modifications pointed to persistence via C:\\Windows\\Temp\\loader.exe. Network forensics identified connections to 1.204.248.224 and authcdn.online. Email headers traced the initial vector to support@mail-service.info. File C:\\Windows\\Tasks\\svchost.exe (SHA1: 77090bb3d031e9f40770744b5e8eda511c1b5c20) was identified as the initial dropper. A staging URL https://data-gateway.io/assets/js/payload.js resolved to 172.87.20.123. 
Secondary artifact hash: SHA256: 6f6351e8ddfb837f42e631bcdacc5011966738f1123b534effd234139f3f8cb1.", "spans": {"TOOL: Covenant": [[72, 80]], "FILEPATH: /usr/local/bin/dropper.ps1": [[94, 120]], "TOOL: Burp Suite": [[166, 176]], "FILEPATH: C:\\Windows\\Temp\\loader.exe": [[228, 254]], "IP_ADDRESS: 1.204.248.224": [[300, 313]], "DOMAIN: authcdn.online": [[318, 332]], "EMAIL: support@mail-service.info": [[377, 402]], "FILEPATH: C:\\Windows\\Tasks\\svchost.exe": [[409, 437]], "HASH: 77090bb3d031e9f40770744b5e8eda511c1b5c20": [[445, 485]], "URL: https://data-gateway.io/assets/js/payload.js": [[540, 584]], "IP_ADDRESS: 172.87.20.123": [[597, 610]], "HASH: 6f6351e8ddfb837f42e631bcdacc5011966738f1123b534effd234139f3f8cb1": [[645, 709]]}, "info": {"id": "synth_v2_01273", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Chisel artifacts at C:\\Windows\\Tasks\\implant.so. Memory dump analysis confirmed execution of Mimikatz. Registry modifications pointed to persistence via C:\\Users\\admin\\Desktop\\sam.hive. Network forensics identified connections to 172.34.46.9 and proxy-edge.club. Email headers traced the initial vector to security@phishing-domain.com. File C:\\Windows\\System32\\agent.py (MD5: ac7b76f2de888e32908d9d2b681495a4) was identified as the initial dropper. A staging URL https://cdnlogin.tech/collect resolved to 10.240.26.209. 
Secondary artifact hash: SHA256: d18deb2b2b15e02e3f4c086199d7cea5874d41993209fcf71d543c9968ed0a6f.", "spans": {"TOOL: Chisel": [[72, 78]], "FILEPATH: C:\\Windows\\Tasks\\implant.so": [[92, 119]], "TOOL: Mimikatz": [[165, 173]], "FILEPATH: C:\\Users\\admin\\Desktop\\sam.hive": [[225, 256]], "IP_ADDRESS: 172.34.46.9": [[302, 313]], "DOMAIN: proxy-edge.club": [[318, 333]], "EMAIL: security@phishing-domain.com": [[378, 406]], "FILEPATH: C:\\Windows\\System32\\agent.py": [[413, 441]], "HASH: ac7b76f2de888e32908d9d2b681495a4": [[448, 480]], "URL: https://cdnlogin.tech/collect": [[535, 564]], "IP_ADDRESS: 10.240.26.209": [[577, 590]], "HASH: d18deb2b2b15e02e3f4c086199d7cea5874d41993209fcf71d543c9968ed0a6f": [[625, 689]]}, "info": {"id": "synth_v2_01274", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed ADFind artifacts at /dev/shm/config.dat. Memory dump analysis confirmed execution of Havoc. Registry modifications pointed to persistence via /var/tmp/implant.so. Network forensics identified connections to 192.240.186.232 and static-gateway.tech. Email headers traced the initial vector to updates@mail-service.info. File C:\\Users\\admin\\Downloads\\update.dll (SHA256: 8ec0f50de8338e23f1588118dfb0ac15320906f33c05fba1d2ec1c0436503220) was identified as the initial dropper. A staging URL http://securemail.org/admin/config resolved to 69.235.170.164. 
Secondary artifact hash: SHA256: c0ae70d62e54be47d125637c4244d155358bd8044cb9bea5b82fb48535a61b44.", "spans": {"TOOL: ADFind": [[72, 78]], "FILEPATH: /dev/shm/config.dat": [[92, 111]], "TOOL: Havoc": [[157, 162]], "FILEPATH: /var/tmp/implant.so": [[214, 233]], "IP_ADDRESS: 192.240.186.232": [[279, 294]], "DOMAIN: static-gateway.tech": [[299, 318]], "EMAIL: updates@mail-service.info": [[363, 388]], "FILEPATH: C:\\Users\\admin\\Downloads\\update.dll": [[395, 430]], "HASH: 8ec0f50de8338e23f1588118dfb0ac15320906f33c05fba1d2ec1c0436503220": [[440, 504]], "URL: http://securemail.org/admin/config": [[559, 593]], "IP_ADDRESS: 69.235.170.164": [[606, 620]], "HASH: c0ae70d62e54be47d125637c4244d155358bd8044cb9bea5b82fb48535a61b44": [[655, 719]]}, "info": {"id": "synth_v2_01275", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Seatbelt artifacts at /usr/local/bin/config.dat. Memory dump analysis confirmed execution of ADFind. Registry modifications pointed to persistence via C:\\Users\\admin\\AppData\\Local\\Temp\\agent.py. Network forensics identified connections to 200.108.225.75 and data-relay.dev. Email headers traced the initial vector to helpdesk@credential-check.site. File C:\\ProgramData\\lsass.dmp (MD5: 9595b07e1d9522843c026714fa478b93) was identified as the initial dropper. A staging URL http://portalcache.link/callback resolved to 192.187.47.231. 
Secondary artifact hash: SHA256: 699cdf257904e6fbae6ac3b6e19d536617e1fa1b16f60dd7c93b148ed5198aa3.", "spans": {"TOOL: Seatbelt": [[72, 80]], "FILEPATH: /usr/local/bin/config.dat": [[94, 119]], "TOOL: ADFind": [[165, 171]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\agent.py": [[223, 265]], "IP_ADDRESS: 200.108.225.75": [[311, 325]], "DOMAIN: data-relay.dev": [[330, 344]], "EMAIL: helpdesk@credential-check.site": [[389, 419]], "FILEPATH: C:\\ProgramData\\lsass.dmp": [[426, 450]], "HASH: 9595b07e1d9522843c026714fa478b93": [[457, 489]], "URL: http://portalcache.link/callback": [[544, 576]], "IP_ADDRESS: 192.187.47.231": [[589, 603]], "HASH: 699cdf257904e6fbae6ac3b6e19d536617e1fa1b16f60dd7c93b148ed5198aa3": [[638, 702]]}, "info": {"id": "synth_v2_01276", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed LaZagne artifacts at C:\\Users\\Public\\Documents\\lsass.dmp. Memory dump analysis confirmed execution of BloodHound. Registry modifications pointed to persistence via C:\\Windows\\Temp\\loader.exe. Network forensics identified connections to 78.23.185.134 and cachestatic.com. Email headers traced the initial vector to billing@auth-check.org. File /opt/app/bin/winlogon.exe (MD5: f362d54dd841312a2b29d73bbdb747f0) was identified as the initial dropper. A staging URL hxxps://securebackup.club/admin/config resolved to 158.200.40.71. 
Secondary artifact hash: SHA256: 388cdfe4dcd9a0d84c5a1a00300834105bf4aaa6505f1ecd68d075389848ff64.", "spans": {"TOOL: LaZagne": [[72, 79]], "FILEPATH: C:\\Users\\Public\\Documents\\lsass.dmp": [[93, 128]], "TOOL: BloodHound": [[174, 184]], "FILEPATH: C:\\Windows\\Temp\\loader.exe": [[236, 262]], "IP_ADDRESS: 78.23.185.134": [[308, 321]], "DOMAIN: cachestatic.com": [[326, 341]], "EMAIL: billing@auth-check.org": [[386, 408]], "FILEPATH: /opt/app/bin/winlogon.exe": [[415, 440]], "HASH: f362d54dd841312a2b29d73bbdb747f0": [[447, 479]], "URL: hxxps://securebackup.club/admin/config": [[534, 572]], "IP_ADDRESS: 158.200.40.71": [[585, 598]], "HASH: 388cdfe4dcd9a0d84c5a1a00300834105bf4aaa6505f1ecd68d075389848ff64": [[633, 697]]}, "info": {"id": "synth_v2_01277", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed WinPEAS artifacts at /etc/cron.d/sam.hive. Memory dump analysis confirmed execution of BloodHound. Registry modifications pointed to persistence via /usr/local/bin/backdoor.elf. Network forensics identified connections to 54.93.132.96 and auth-auth.net. Email headers traced the initial vector to account@auth-check.org. File /opt/app/bin/svchost.exe (SHA1: 679a6c910ba7933155ca273dccaa53a30fc66430) was identified as the initial dropper. A staging URL http://edge-sync.site/panel/index.html resolved to 172.74.225.189. 
Secondary artifact hash: SHA1: 0e8e4dcd64b1df215b5c3afe8829e1237d6cda63.", "spans": {"TOOL: WinPEAS": [[72, 79]], "FILEPATH: /etc/cron.d/sam.hive": [[93, 113]], "TOOL: BloodHound": [[159, 169]], "FILEPATH: /usr/local/bin/backdoor.elf": [[221, 248]], "IP_ADDRESS: 54.93.132.96": [[294, 306]], "DOMAIN: auth-auth.net": [[311, 324]], "EMAIL: account@auth-check.org": [[369, 391]], "FILEPATH: /opt/app/bin/svchost.exe": [[398, 422]], "HASH: 679a6c910ba7933155ca273dccaa53a30fc66430": [[430, 470]], "URL: http://edge-sync.site/panel/index.html": [[525, 563]], "IP_ADDRESS: 172.74.225.189": [[576, 590]], "HASH: 0e8e4dcd64b1df215b5c3afe8829e1237d6cda63": [[623, 663]]}, "info": {"id": "synth_v2_01278", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed PowerView artifacts at /opt/app/bin/implant.so. Memory dump analysis confirmed execution of Havoc. Registry modifications pointed to persistence via /var/tmp/config.dat. Network forensics identified connections to 31.107.26.210 and cdn-login.org. Email headers traced the initial vector to contact@mail-service.info. File C:\\ProgramData\\helper.sh (MD5: 29bf7c2cc699db507cc1328e51191d88) was identified as the initial dropper. A staging URL hxxp://mail-static.online/login resolved to 186.101.140.178. 
Secondary artifact hash: SHA1: 0422fe108e7f404a84f408a4dd90614cb92295e3.", "spans": {"TOOL: PowerView": [[72, 81]], "FILEPATH: /opt/app/bin/implant.so": [[95, 118]], "TOOL: Havoc": [[164, 169]], "FILEPATH: /var/tmp/config.dat": [[221, 240]], "IP_ADDRESS: 31.107.26.210": [[286, 299]], "DOMAIN: cdn-login.org": [[304, 317]], "EMAIL: contact@mail-service.info": [[362, 387]], "FILEPATH: C:\\ProgramData\\helper.sh": [[394, 418]], "HASH: 29bf7c2cc699db507cc1328e51191d88": [[425, 457]], "URL: hxxp://mail-static.online/login": [[512, 543]], "IP_ADDRESS: 186.101.140.178": [[556, 571]], "HASH: 0422fe108e7f404a84f408a4dd90614cb92295e3": [[604, 644]]}, "info": {"id": "synth_v2_01279", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Rubeus artifacts at /opt/app/bin/winlogon.exe. Memory dump analysis confirmed execution of BITSAdmin. Registry modifications pointed to persistence via /home/user/.config/dropper.ps1. Network forensics identified connections to 192.72.32.219 and portalupdate.info. Email headers traced the initial vector to helpdesk@credential-check.site. File C:\\Users\\admin\\Downloads\\shell.php (SHA1: 5e2b78f682cab0d52d50c7e8c8fdbe2177990631) was identified as the initial dropper. A staging URL https://proxy-edge.dev/admin/config resolved to 121.130.143.115. 
Secondary artifact hash: MD5: 248b6f59e35839343c2a2dd073fe69ee.", "spans": {"TOOL: Rubeus": [[72, 78]], "FILEPATH: /opt/app/bin/winlogon.exe": [[92, 117]], "TOOL: BITSAdmin": [[163, 172]], "FILEPATH: /home/user/.config/dropper.ps1": [[224, 254]], "IP_ADDRESS: 192.72.32.219": [[300, 313]], "DOMAIN: portalupdate.info": [[318, 335]], "EMAIL: helpdesk@credential-check.site": [[380, 410]], "FILEPATH: C:\\Users\\admin\\Downloads\\shell.php": [[417, 451]], "HASH: 5e2b78f682cab0d52d50c7e8c8fdbe2177990631": [[459, 499]], "URL: https://proxy-edge.dev/admin/config": [[554, 589]], "IP_ADDRESS: 121.130.143.115": [[602, 617]], "HASH: 248b6f59e35839343c2a2dd073fe69ee": [[649, 681]]}, "info": {"id": "synth_v2_01280", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Sharphound artifacts at /dev/shm/config.dat. Memory dump analysis confirmed execution of ADFind. Registry modifications pointed to persistence via C:\\ProgramData\\backdoor.elf. Network forensics identified connections to 87.24.138.89 and staticnode.io. Email headers traced the initial vector to updates@document-share.link. File C:\\Program Files\\Common Files\\chrome_helper.exe (MD5: ab1b1b64272fc4560cde7c7512e2c0ad) was identified as the initial dropper. A staging URL https://proxystorage.info/secure/token resolved to 192.92.216.115. 
Secondary artifact hash: SHA256: 3a5de3698032c715d5f1566beba62ed450050c60ceda324f5348e617930269fa.", "spans": {"TOOL: Sharphound": [[72, 82]], "FILEPATH: /dev/shm/config.dat": [[96, 115]], "TOOL: ADFind": [[161, 167]], "FILEPATH: C:\\ProgramData\\backdoor.elf": [[219, 246]], "IP_ADDRESS: 87.24.138.89": [[292, 304]], "DOMAIN: staticnode.io": [[309, 322]], "EMAIL: updates@document-share.link": [[367, 394]], "FILEPATH: C:\\Program Files\\Common Files\\chrome_helper.exe": [[401, 448]], "HASH: ab1b1b64272fc4560cde7c7512e2c0ad": [[455, 487]], "URL: https://proxystorage.info/secure/token": [[542, 580]], "IP_ADDRESS: 192.92.216.115": [[593, 607]], "HASH: 3a5de3698032c715d5f1566beba62ed450050c60ceda324f5348e617930269fa": [[642, 706]]}, "info": {"id": "synth_v2_01281", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed BITSAdmin artifacts at /usr/local/bin/sam.hive. Memory dump analysis confirmed execution of SharpHound. Registry modifications pointed to persistence via /home/user/.config/chrome_helper.exe. Network forensics identified connections to 192.109.212.228 and storageapi.club. Email headers traced the initial vector to hr@identity-verify.cc. File /var/tmp/backdoor.elf (SHA256: dca9efba1c0479f7560007ef5a46b360bd28e4560a1f0b9e0d3941a673a47fe4) was identified as the initial dropper. A staging URL hxxps://node-static.com/download/update.exe resolved to 192.168.222.47. 
Secondary artifact hash: SHA256: 7e8e1c188bbfb6bbd4d8c384a1695422fb50c9c3d2915a799b4ca1c35b620dc6.", "spans": {"TOOL: BITSAdmin": [[72, 81]], "FILEPATH: /usr/local/bin/sam.hive": [[95, 118]], "TOOL: SharpHound": [[164, 174]], "FILEPATH: /home/user/.config/chrome_helper.exe": [[226, 262]], "IP_ADDRESS: 192.109.212.228": [[308, 323]], "DOMAIN: storageapi.club": [[328, 343]], "EMAIL: hr@identity-verify.cc": [[388, 409]], "FILEPATH: /var/tmp/backdoor.elf": [[416, 437]], "HASH: dca9efba1c0479f7560007ef5a46b360bd28e4560a1f0b9e0d3941a673a47fe4": [[447, 511]], "URL: hxxps://node-static.com/download/update.exe": [[566, 609]], "IP_ADDRESS: 192.168.222.47": [[622, 636]], "HASH: 7e8e1c188bbfb6bbd4d8c384a1695422fb50c9c3d2915a799b4ca1c35b620dc6": [[671, 735]]}, "info": {"id": "synth_v2_01282", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Brute Ratel artifacts at /usr/local/bin/loader.exe. Memory dump analysis confirmed execution of Mimikatz. Registry modifications pointed to persistence via /home/user/.config/agent.py. Network forensics identified connections to 105.60.35.252 and data-cdn.link. Email headers traced the initial vector to contact@auth-check.org. File /dev/shm/implant.so (SHA256: 0e5e9d9bcd63d9d4d87a3ae4af3f60e27728aae3c479f49f9234779f6a93fad9) was identified as the initial dropper. A staging URL https://nodeupdate.live/wp-content/uploads/doc.php resolved to 105.205.69.181. 
Secondary artifact hash: MD5: c31d5928c73089c7bb35e241f3d7afe1.", "spans": {"TOOL: Brute Ratel": [[72, 83]], "FILEPATH: /usr/local/bin/loader.exe": [[97, 122]], "TOOL: Mimikatz": [[168, 176]], "FILEPATH: /home/user/.config/agent.py": [[228, 255]], "IP_ADDRESS: 105.60.35.252": [[301, 314]], "DOMAIN: data-cdn.link": [[319, 332]], "EMAIL: contact@auth-check.org": [[377, 399]], "FILEPATH: /dev/shm/implant.so": [[406, 425]], "HASH: 0e5e9d9bcd63d9d4d87a3ae4af3f60e27728aae3c479f49f9234779f6a93fad9": [[435, 499]], "URL: https://nodeupdate.live/wp-content/uploads/doc.php": [[554, 604]], "IP_ADDRESS: 105.205.69.181": [[617, 631]], "HASH: c31d5928c73089c7bb35e241f3d7afe1": [[663, 695]]}, "info": {"id": "synth_v2_01283", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Brute Ratel artifacts at C:\\Users\\Public\\Documents\\lsass.dmp. Memory dump analysis confirmed execution of Havoc. Registry modifications pointed to persistence via C:\\Users\\admin\\AppData\\Local\\Temp\\payload.bin. Network forensics identified connections to 10.27.109.215 and securebackup.info. Email headers traced the initial vector to it@identity-verify.cc. File C:\\Windows\\System32\\sam.hive (SHA1: f847f0475fed82c2a5d009f8a085124923436d4e) was identified as the initial dropper. A staging URL hxxps://api-auth.org/wp-content/uploads/doc.php resolved to 173.90.251.18. 
Secondary artifact hash: MD5: e07534afaa11fd0762aa8a8602f99fc2.", "spans": {"TOOL: Brute Ratel": [[72, 83]], "FILEPATH: C:\\Users\\Public\\Documents\\lsass.dmp": [[97, 132]], "TOOL: Havoc": [[178, 183]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\payload.bin": [[235, 280]], "IP_ADDRESS: 10.27.109.215": [[326, 339]], "DOMAIN: securebackup.info": [[344, 361]], "EMAIL: it@identity-verify.cc": [[406, 427]], "FILEPATH: C:\\Windows\\System32\\sam.hive": [[434, 462]], "HASH: f847f0475fed82c2a5d009f8a085124923436d4e": [[470, 510]], "URL: hxxps://api-auth.org/wp-content/uploads/doc.php": [[565, 612]], "IP_ADDRESS: 173.90.251.18": [[625, 638]], "HASH: e07534afaa11fd0762aa8a8602f99fc2": [[670, 702]]}, "info": {"id": "synth_v2_01284", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Covenant artifacts at C:\\Windows\\Temp\\beacon.dll. Memory dump analysis confirmed execution of Burp Suite. Registry modifications pointed to persistence via C:\\Users\\admin\\Downloads\\dropper.ps1. Network forensics identified connections to 20.163.152.89 and gatewaystorage.club. Email headers traced the initial vector to info@urgent-notice.online. File /dev/shm/dropper.ps1 (SHA256: 3e70333bda4ed225d3436e058178d17891dd3f2d3767da94da0ae29057afa9f4) was identified as the initial dropper. A staging URL hxxp://secure-edge.top/secure/token resolved to 132.205.192.60. 
Secondary artifact hash: MD5: 1cd7ea7cef512aa885225ce713cb8e36.", "spans": {"TOOL: Covenant": [[72, 80]], "FILEPATH: C:\\Windows\\Temp\\beacon.dll": [[94, 120]], "TOOL: Burp Suite": [[166, 176]], "FILEPATH: C:\\Users\\admin\\Downloads\\dropper.ps1": [[228, 264]], "IP_ADDRESS: 20.163.152.89": [[310, 323]], "DOMAIN: gatewaystorage.club": [[328, 347]], "EMAIL: info@urgent-notice.online": [[392, 417]], "FILEPATH: /dev/shm/dropper.ps1": [[424, 444]], "HASH: 3e70333bda4ed225d3436e058178d17891dd3f2d3767da94da0ae29057afa9f4": [[454, 518]], "URL: hxxp://secure-edge.top/secure/token": [[573, 608]], "IP_ADDRESS: 132.205.192.60": [[621, 635]], "HASH: 1cd7ea7cef512aa885225ce713cb8e36": [[667, 699]]}, "info": {"id": "synth_v2_01285", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed PsExec artifacts at C:\\Windows\\System32\\chrome_helper.exe. Memory dump analysis confirmed execution of Impacket. Registry modifications pointed to persistence via C:\\Users\\admin\\Downloads\\loader.exe. Network forensics identified connections to 214.139.199.151 and storage-login.com. Email headers traced the initial vector to helpdesk@account-update.xyz. File C:\\Users\\admin\\Desktop\\ntds.dit (SHA1: c49a06a2a408fbcd7708dff2a55eb4ed1d8fc24e) was identified as the initial dropper. A staging URL hxxp://apisecure.xyz/login resolved to 45.80.146.115. 
Secondary artifact hash: SHA256: e525bc87aa6336b01306ebdfba007402ecf548e3712fc6ada975dd02ecfa1af7.", "spans": {"TOOL: PsExec": [[72, 78]], "FILEPATH: C:\\Windows\\System32\\chrome_helper.exe": [[92, 129]], "TOOL: Impacket": [[175, 183]], "FILEPATH: C:\\Users\\admin\\Downloads\\loader.exe": [[235, 270]], "IP_ADDRESS: 214.139.199.151": [[316, 331]], "DOMAIN: storage-login.com": [[336, 353]], "EMAIL: helpdesk@account-update.xyz": [[398, 425]], "FILEPATH: C:\\Users\\admin\\Desktop\\ntds.dit": [[432, 463]], "HASH: c49a06a2a408fbcd7708dff2a55eb4ed1d8fc24e": [[471, 511]], "URL: hxxp://apisecure.xyz/login": [[566, 592]], "IP_ADDRESS: 45.80.146.115": [[605, 618]], "HASH: e525bc87aa6336b01306ebdfba007402ecf548e3712fc6ada975dd02ecfa1af7": [[653, 717]]}, "info": {"id": "synth_v2_01286", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed PsExec artifacts at /tmp/ntds.dit. Memory dump analysis confirmed execution of CrackMapExec. Registry modifications pointed to persistence via C:\\Users\\admin\\Desktop\\loader.exe. Network forensics identified connections to 140.199.69.110 and portalupdate.club. Email headers traced the initial vector to admin@urgent-notice.online. File C:\\Program Files\\Common Files\\agent.py (SHA256: 8d3c7506c0e222933be9175fc3ee0360a5b0adc6db9041d7ff78930b754f44d5) was identified as the initial dropper. A staging URL https://relayedge.xyz/gate.php resolved to 48.241.73.136. 
Secondary artifact hash: MD5: 726f8eccc060b7b557a8c4b4d96c5430.", "spans": {"TOOL: PsExec": [[72, 78]], "FILEPATH: /tmp/ntds.dit": [[92, 105]], "TOOL: CrackMapExec": [[151, 163]], "FILEPATH: C:\\Users\\admin\\Desktop\\loader.exe": [[215, 248]], "IP_ADDRESS: 140.199.69.110": [[294, 308]], "DOMAIN: portalupdate.club": [[313, 330]], "EMAIL: admin@urgent-notice.online": [[375, 401]], "FILEPATH: C:\\Program Files\\Common Files\\agent.py": [[408, 446]], "HASH: 8d3c7506c0e222933be9175fc3ee0360a5b0adc6db9041d7ff78930b754f44d5": [[456, 520]], "URL: https://relayedge.xyz/gate.php": [[575, 605]], "IP_ADDRESS: 48.241.73.136": [[618, 631]], "HASH: 726f8eccc060b7b557a8c4b4d96c5430": [[663, 695]]}, "info": {"id": "synth_v2_01287", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed WinPEAS artifacts at C:\\ProgramData\\svchost.exe. Memory dump analysis confirmed execution of Seatbelt. Registry modifications pointed to persistence via C:\\Program Files\\Common Files\\config.dat. Network forensics identified connections to 209.188.245.63 and relay-proxy.top. Email headers traced the initial vector to support@phishing-domain.com. File /var/tmp/helper.sh (MD5: 3ab618f17dfcd34f26277e24018c077f) was identified as the initial dropper. A staging URL https://storagecloud.tech/assets/js/payload.js resolved to 109.88.98.245. 
Secondary artifact hash: SHA1: fe99fd200cbf0f6e30b74776adaa6a06666115c7.", "spans": {"TOOL: WinPEAS": [[72, 79]], "FILEPATH: C:\\ProgramData\\svchost.exe": [[93, 119]], "TOOL: Seatbelt": [[165, 173]], "FILEPATH: C:\\Program Files\\Common Files\\config.dat": [[225, 265]], "IP_ADDRESS: 209.188.245.63": [[311, 325]], "DOMAIN: relay-proxy.top": [[330, 345]], "EMAIL: support@phishing-domain.com": [[390, 417]], "FILEPATH: /var/tmp/helper.sh": [[424, 442]], "HASH: 3ab618f17dfcd34f26277e24018c077f": [[449, 481]], "URL: https://storagecloud.tech/assets/js/payload.js": [[536, 582]], "IP_ADDRESS: 109.88.98.245": [[595, 608]], "HASH: fe99fd200cbf0f6e30b74776adaa6a06666115c7": [[641, 681]]}, "info": {"id": "synth_v2_01288", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Burp Suite artifacts at /dev/shm/runtime.dll. Memory dump analysis confirmed execution of Merlin. Registry modifications pointed to persistence via C:\\Users\\admin\\AppData\\Local\\Temp\\payload.bin. Network forensics identified connections to 10.176.229.237 and storage-storage.tech. Email headers traced the initial vector to contact@urgent-notice.online. File C:\\Windows\\Tasks\\helper.sh (SHA1: e680d2f92a72754dbbb2b8e70acb37a6051e8673) was identified as the initial dropper. A staging URL http://cache-relay.dev/admin/config resolved to 172.83.130.11. 
Secondary artifact hash: SHA1: 1be6db5741d6346e3f959fc3267e9cc1d2425728.", "spans": {"TOOL: Burp Suite": [[72, 82]], "FILEPATH: /dev/shm/runtime.dll": [[96, 116]], "TOOL: Merlin": [[162, 168]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\payload.bin": [[220, 265]], "IP_ADDRESS: 10.176.229.237": [[311, 325]], "DOMAIN: storage-storage.tech": [[330, 350]], "EMAIL: contact@urgent-notice.online": [[395, 423]], "FILEPATH: C:\\Windows\\Tasks\\helper.sh": [[430, 456]], "HASH: e680d2f92a72754dbbb2b8e70acb37a6051e8673": [[464, 504]], "URL: http://cache-relay.dev/admin/config": [[559, 594]], "IP_ADDRESS: 172.83.130.11": [[607, 620]], "HASH: 1be6db5741d6346e3f959fc3267e9cc1d2425728": [[653, 693]]}, "info": {"id": "synth_v2_01289", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed PowerView artifacts at C:\\Users\\admin\\AppData\\Local\\Temp\\agent.py. Memory dump analysis confirmed execution of Merlin. Registry modifications pointed to persistence via C:\\Users\\Public\\Documents\\taskhost.exe. Network forensics identified connections to 172.215.146.103 and backup-sync.io. Email headers traced the initial vector to hr@identity-verify.cc. File C:\\Program Files\\Common Files\\beacon.dll (SHA1: d4cfddc3707f93cd9943b40bef9a7904d87bdd54) was identified as the initial dropper. A staging URL hxxp://datacloud.org/collect resolved to 60.200.175.98. 
Secondary artifact hash: SHA1: 2e074bd8e65aa52f3c7e4590c7e0c7eb865cab7b.", "spans": {"TOOL: PowerView": [[72, 81]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\agent.py": [[95, 137]], "TOOL: Merlin": [[183, 189]], "FILEPATH: C:\\Users\\Public\\Documents\\taskhost.exe": [[241, 279]], "IP_ADDRESS: 172.215.146.103": [[325, 340]], "DOMAIN: backup-sync.io": [[345, 359]], "EMAIL: hr@identity-verify.cc": [[404, 425]], "FILEPATH: C:\\Program Files\\Common Files\\beacon.dll": [[432, 472]], "HASH: d4cfddc3707f93cd9943b40bef9a7904d87bdd54": [[480, 520]], "URL: hxxp://datacloud.org/collect": [[575, 603]], "IP_ADDRESS: 60.200.175.98": [[616, 629]], "HASH: 2e074bd8e65aa52f3c7e4590c7e0c7eb865cab7b": [[662, 702]]}, "info": {"id": "synth_v2_01290", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed BloodHound artifacts at C:\\ProgramData\\config.dat. Memory dump analysis confirmed execution of PowerShell Empire. Registry modifications pointed to persistence via /home/user/.config/dropper.ps1. Network forensics identified connections to 8.5.216.229 and securegateway.info. Email headers traced the initial vector to contact@phishing-domain.com. File /opt/app/bin/csrss.exe (SHA1: eff91261888b8d95c221e66dec42357649bd2caa) was identified as the initial dropper. A staging URL hxxp://cloudcdn.net/assets/js/payload.js resolved to 10.134.160.150. 
Secondary artifact hash: MD5: d12989d79c4e76695aad34fdc95e12a9.", "spans": {"TOOL: BloodHound": [[72, 82]], "FILEPATH: C:\\ProgramData\\config.dat": [[96, 121]], "TOOL: PowerShell Empire": [[167, 184]], "FILEPATH: /home/user/.config/dropper.ps1": [[236, 266]], "IP_ADDRESS: 8.5.216.229": [[312, 323]], "DOMAIN: securegateway.info": [[328, 346]], "EMAIL: contact@phishing-domain.com": [[391, 418]], "FILEPATH: /opt/app/bin/csrss.exe": [[425, 447]], "HASH: eff91261888b8d95c221e66dec42357649bd2caa": [[455, 495]], "URL: hxxp://cloudcdn.net/assets/js/payload.js": [[550, 590]], "IP_ADDRESS: 10.134.160.150": [[603, 617]], "HASH: d12989d79c4e76695aad34fdc95e12a9": [[649, 681]]}, "info": {"id": "synth_v2_01291", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Impacket artifacts at C:\\Users\\admin\\AppData\\Local\\Temp\\helper.sh. Memory dump analysis confirmed execution of BloodHound. Registry modifications pointed to persistence via /var/tmp/shell.php. Network forensics identified connections to 24.192.73.140 and storage-edge.link. Email headers traced the initial vector to confirm@phishing-domain.com. File C:\\Windows\\Temp\\taskhost.exe (SHA256: ea8593fa9318412fbb64aadce0ea3fc40ffb7c8452bd3f171658c5baa1fad900) was identified as the initial dropper. A staging URL http://mail-cloud.xyz/portal/verify resolved to 10.182.217.141. 
Secondary artifact hash: SHA1: e09a6757b02c1755a6dd614ce32e0e90a2792b36.", "spans": {"TOOL: Impacket": [[72, 80]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\helper.sh": [[94, 137]], "TOOL: BloodHound": [[183, 193]], "FILEPATH: /var/tmp/shell.php": [[245, 263]], "IP_ADDRESS: 24.192.73.140": [[309, 322]], "DOMAIN: storage-edge.link": [[327, 344]], "EMAIL: confirm@phishing-domain.com": [[389, 416]], "FILEPATH: C:\\Windows\\Temp\\taskhost.exe": [[423, 451]], "HASH: ea8593fa9318412fbb64aadce0ea3fc40ffb7c8452bd3f171658c5baa1fad900": [[461, 525]], "URL: http://mail-cloud.xyz/portal/verify": [[580, 615]], "IP_ADDRESS: 10.182.217.141": [[628, 642]], "HASH: e09a6757b02c1755a6dd614ce32e0e90a2792b36": [[675, 715]]}, "info": {"id": "synth_v2_01292", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Mythic artifacts at /tmp/winlogon.exe. Memory dump analysis confirmed execution of Burp Suite. Registry modifications pointed to persistence via C:\\Users\\admin\\Desktop\\sam.hive. Network forensics identified connections to 126.84.235.19 and relaycache.top. Email headers traced the initial vector to it@credential-check.site. File C:\\Windows\\Temp\\payload.bin (SHA1: 43fe5c7239850639a757575c290607e6b7714d37) was identified as the initial dropper. A staging URL https://cachestorage.cc/secure/token resolved to 98.187.220.169. 
Secondary artifact hash: SHA1: e29d84fa9e17b74a88566cf370a5da6bd206d8ef.", "spans": {"TOOL: Mythic": [[72, 78]], "FILEPATH: /tmp/winlogon.exe": [[92, 109]], "TOOL: Burp Suite": [[155, 165]], "FILEPATH: C:\\Users\\admin\\Desktop\\sam.hive": [[217, 248]], "IP_ADDRESS: 126.84.235.19": [[294, 307]], "DOMAIN: relaycache.top": [[312, 326]], "EMAIL: it@credential-check.site": [[371, 395]], "FILEPATH: C:\\Windows\\Temp\\payload.bin": [[402, 429]], "HASH: 43fe5c7239850639a757575c290607e6b7714d37": [[437, 477]], "URL: https://cachestorage.cc/secure/token": [[532, 568]], "IP_ADDRESS: 98.187.220.169": [[581, 595]], "HASH: e29d84fa9e17b74a88566cf370a5da6bd206d8ef": [[628, 668]]}, "info": {"id": "synth_v2_01293", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed WinPEAS artifacts at C:\\Windows\\Temp\\winlogon.exe. Memory dump analysis confirmed execution of Hashcat. Registry modifications pointed to persistence via /opt/app/bin/helper.sh. Network forensics identified connections to 172.58.153.132 and static-mail.org. Email headers traced the initial vector to noreply@auth-check.org. File C:\\Users\\admin\\Desktop\\payload.bin (SHA1: 89a5f605ce14cc94a306b53aa9c27bdbb6182b18) was identified as the initial dropper. A staging URL hxxp://cdn-relay.dev/api/v2/auth resolved to 215.146.38.144. 
Secondary artifact hash: SHA1: f4e54ac1e3ddcf763946d08d1c33bb5ebde8a911.", "spans": {"TOOL: WinPEAS": [[72, 79]], "FILEPATH: C:\\Windows\\Temp\\winlogon.exe": [[93, 121]], "TOOL: Hashcat": [[167, 174]], "FILEPATH: /opt/app/bin/helper.sh": [[226, 248]], "IP_ADDRESS: 172.58.153.132": [[294, 308]], "DOMAIN: static-mail.org": [[313, 328]], "EMAIL: noreply@auth-check.org": [[373, 395]], "FILEPATH: C:\\Users\\admin\\Desktop\\payload.bin": [[402, 436]], "HASH: 89a5f605ce14cc94a306b53aa9c27bdbb6182b18": [[444, 484]], "URL: hxxp://cdn-relay.dev/api/v2/auth": [[539, 571]], "IP_ADDRESS: 215.146.38.144": [[584, 598]], "HASH: f4e54ac1e3ddcf763946d08d1c33bb5ebde8a911": [[631, 671]]}, "info": {"id": "synth_v2_01294", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed SharpHound artifacts at C:\\Users\\admin\\Desktop\\winlogon.exe. Memory dump analysis confirmed execution of Mimikatz. Registry modifications pointed to persistence via C:\\Users\\Public\\Documents\\chrome_helper.exe. Network forensics identified connections to 76.151.163.39 and staticsync.online. Email headers traced the initial vector to account@urgent-notice.online. File C:\\Users\\admin\\Downloads\\chrome_helper.exe (MD5: 8c5fcb3c3b98536cdca8afe5b2fbc8d9) was identified as the initial dropper. A staging URL https://backup-cdn.xyz/admin/config resolved to 10.20.69.122. 
Secondary artifact hash: MD5: 2164b84440fd0744e7f008da17a4dbd4.", "spans": {"TOOL: SharpHound": [[72, 82]], "FILEPATH: C:\\Users\\admin\\Desktop\\winlogon.exe": [[96, 131]], "TOOL: Mimikatz": [[177, 185]], "FILEPATH: C:\\Users\\Public\\Documents\\chrome_helper.exe": [[237, 280]], "IP_ADDRESS: 76.151.163.39": [[326, 339]], "DOMAIN: staticsync.online": [[344, 361]], "EMAIL: account@urgent-notice.online": [[406, 434]], "FILEPATH: C:\\Users\\admin\\Downloads\\chrome_helper.exe": [[441, 483]], "HASH: 8c5fcb3c3b98536cdca8afe5b2fbc8d9": [[490, 522]], "URL: https://backup-cdn.xyz/admin/config": [[577, 612]], "IP_ADDRESS: 10.20.69.122": [[625, 637]], "HASH: 2164b84440fd0744e7f008da17a4dbd4": [[669, 701]]}, "info": {"id": "synth_v2_01295", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed BloodHound artifacts at /var/tmp/config.dat. Memory dump analysis confirmed execution of Chisel. Registry modifications pointed to persistence via C:\\ProgramData\\config.dat. Network forensics identified connections to 192.102.223.60 and api-edge.dev. Email headers traced the initial vector to security@auth-check.org. File /home/user/.config/agent.py (SHA256: 0db4e25ab6261020a90b47f8866da6e56b157a6c42a5d30f250229de2874a693) was identified as the initial dropper. A staging URL hxxps://cachestorage.cc/assets/js/payload.js resolved to 165.11.128.24. 
Secondary artifact hash: SHA1: 9b44b0196a748264807df2046678bf9b3a23f7df.", "spans": {"TOOL: BloodHound": [[72, 82]], "FILEPATH: /var/tmp/config.dat": [[96, 115]], "TOOL: Chisel": [[161, 167]], "FILEPATH: C:\\ProgramData\\config.dat": [[219, 244]], "IP_ADDRESS: 192.102.223.60": [[290, 304]], "DOMAIN: api-edge.dev": [[309, 321]], "EMAIL: security@auth-check.org": [[366, 389]], "FILEPATH: /home/user/.config/agent.py": [[396, 423]], "HASH: 0db4e25ab6261020a90b47f8866da6e56b157a6c42a5d30f250229de2874a693": [[433, 497]], "URL: hxxps://cachestorage.cc/assets/js/payload.js": [[552, 596]], "IP_ADDRESS: 165.11.128.24": [[609, 622]], "HASH: 9b44b0196a748264807df2046678bf9b3a23f7df": [[655, 695]]}, "info": {"id": "synth_v2_01296", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed LaZagne artifacts at C:\\Windows\\Temp\\agent.py. Memory dump analysis confirmed execution of WinPEAS. Registry modifications pointed to persistence via /dev/shm/implant.so. Network forensics identified connections to 10.166.154.105 and datasync.link. Email headers traced the initial vector to it@credential-check.site. File /usr/local/bin/chrome_helper.exe (SHA256: c2c067d6895af976c874f6bcfeec36f64594da1087d97a0ddd518c5e307ed1f0) was identified as the initial dropper. A staging URL http://cloud-cloud.cc/assets/js/payload.js resolved to 10.44.58.53. 
Secondary artifact hash: SHA1: 8ac7d9c5159cace54807c30a15eee75fa53d1864.", "spans": {"TOOL: LaZagne": [[72, 79]], "FILEPATH: C:\\Windows\\Temp\\agent.py": [[93, 117]], "TOOL: WinPEAS": [[163, 170]], "FILEPATH: /dev/shm/implant.so": [[222, 241]], "IP_ADDRESS: 10.166.154.105": [[287, 301]], "DOMAIN: datasync.link": [[306, 319]], "EMAIL: it@credential-check.site": [[364, 388]], "FILEPATH: /usr/local/bin/chrome_helper.exe": [[395, 427]], "HASH: c2c067d6895af976c874f6bcfeec36f64594da1087d97a0ddd518c5e307ed1f0": [[437, 501]], "URL: http://cloud-cloud.cc/assets/js/payload.js": [[556, 598]], "IP_ADDRESS: 10.44.58.53": [[611, 622]], "HASH: 8ac7d9c5159cace54807c30a15eee75fa53d1864": [[655, 695]]}, "info": {"id": "synth_v2_01297", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed PsExec artifacts at C:\\Users\\admin\\Downloads\\sam.hive. Memory dump analysis confirmed execution of BloodHound. Registry modifications pointed to persistence via C:\\Program Files\\Common Files\\dropper.ps1. Network forensics identified connections to 172.65.59.197 and cloud-node.net. Email headers traced the initial vector to info@mail-service.info. File C:\\Program Files\\Common Files\\chrome_helper.exe (SHA256: d44f9d5e62420726b53c9144a1cebb77a19f2e9e5cf1db3b89ad7c1a0c63a93a) was identified as the initial dropper. A staging URL hxxps://edgecdn.org/panel/index.html resolved to 10.13.84.159. 
Secondary artifact hash: MD5: 8b17c7815903259fcb02cf973f4bec8b.", "spans": {"TOOL: PsExec": [[72, 78]], "FILEPATH: C:\\Users\\admin\\Downloads\\sam.hive": [[92, 125]], "TOOL: BloodHound": [[171, 181]], "FILEPATH: C:\\Program Files\\Common Files\\dropper.ps1": [[233, 274]], "IP_ADDRESS: 172.65.59.197": [[320, 333]], "DOMAIN: cloud-node.net": [[338, 352]], "EMAIL: info@mail-service.info": [[397, 419]], "FILEPATH: C:\\Program Files\\Common Files\\chrome_helper.exe": [[426, 473]], "HASH: d44f9d5e62420726b53c9144a1cebb77a19f2e9e5cf1db3b89ad7c1a0c63a93a": [[483, 547]], "URL: hxxps://edgecdn.org/panel/index.html": [[602, 638]], "IP_ADDRESS: 10.13.84.159": [[651, 663]], "HASH: 8b17c7815903259fcb02cf973f4bec8b": [[695, 727]]}, "info": {"id": "synth_v2_01298", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Brute Ratel artifacts at C:\\ProgramData\\shell.php. Memory dump analysis confirmed execution of CrackMapExec. Registry modifications pointed to persistence via C:\\Users\\admin\\Desktop\\ntds.dit. Network forensics identified connections to 192.55.18.132 and edgecloud.net. Email headers traced the initial vector to helpdesk@identity-verify.cc. File /home/user/.config/csrss.exe (SHA256: 70a8aad9cc92ba43f1e2cedf481e13b2cfbd0c36ff993f276a2f458f7b023f3f) was identified as the initial dropper. A staging URL hxxps://proxycdn.info/gate.php resolved to 10.111.98.83. 
Secondary artifact hash: SHA256: 834ad02b3fcfeb4097f1129b9d8ccdd7bf1e7a830691222acc61096110cd55e9.", "spans": {"TOOL: Brute Ratel": [[72, 83]], "FILEPATH: C:\\ProgramData\\shell.php": [[97, 121]], "TOOL: CrackMapExec": [[167, 179]], "FILEPATH: C:\\Users\\admin\\Desktop\\ntds.dit": [[231, 262]], "IP_ADDRESS: 192.55.18.132": [[308, 321]], "DOMAIN: edgecloud.net": [[326, 339]], "EMAIL: helpdesk@identity-verify.cc": [[384, 411]], "FILEPATH: /home/user/.config/csrss.exe": [[418, 446]], "HASH: 70a8aad9cc92ba43f1e2cedf481e13b2cfbd0c36ff993f276a2f458f7b023f3f": [[456, 520]], "URL: hxxps://proxycdn.info/gate.php": [[575, 605]], "IP_ADDRESS: 10.111.98.83": [[618, 630]], "HASH: 834ad02b3fcfeb4097f1129b9d8ccdd7bf1e7a830691222acc61096110cd55e9": [[665, 729]]}, "info": {"id": "synth_v2_01299", "source": "synthetic_v2"}} +{"text": "Forensic Investigation Notes: Analysis of the compromised host revealed GhostPack artifacts at C:\\ProgramData\\svchost.exe. Memory dump analysis confirmed execution of Nmap. Registry modifications pointed to persistence via /tmp/dropper.ps1. Network forensics identified connections to 75.18.164.209 and update-data.info. Email headers traced the initial vector to notification@auth-check.org. File C:\\ProgramData\\implant.so (SHA256: 82057bc5a401bbae2a439d012ae3f0a03e9d57de965776cb4562038d54a6f0d5) was identified as the initial dropper. A staging URL https://updateproxy.net/panel/index.html resolved to 10.122.105.201. 
Secondary artifact hash: SHA1: 0dc5bbfa61527600858d4593732027980e8eb9ea.", "spans": {"TOOL: GhostPack": [[72, 81]], "FILEPATH: C:\\ProgramData\\svchost.exe": [[95, 121]], "TOOL: Nmap": [[167, 171]], "FILEPATH: /tmp/dropper.ps1": [[223, 239]], "IP_ADDRESS: 75.18.164.209": [[285, 298]], "DOMAIN: update-data.info": [[303, 319]], "EMAIL: notification@auth-check.org": [[364, 391]], "FILEPATH: C:\\ProgramData\\implant.so": [[398, 423]], "HASH: 82057bc5a401bbae2a439d012ae3f0a03e9d57de965776cb4562038d54a6f0d5": [[433, 497]], "URL: https://updateproxy.net/panel/index.html": [[552, 592]], "IP_ADDRESS: 10.122.105.201": [[605, 619]], "HASH: 0dc5bbfa61527600858d4593732027980e8eb9ea": [[652, 692]]}, "info": {"id": "synth_v2_01300", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Amadey Campaign:\nNetwork Indicators:\n- 89.29.253.117\n- 193.78.183.182\n- 39.115.38.212\n- cloudauth.site\n- cloud-proxy.top\nURLs:\n- http://api-cdn.tech/login\n- hxxp://cache-static.site/login\nEmail Senders:\n- contact@identity-verify.cc\n- updates@phishing-domain.com\nFile Indicators:\n- SHA1: dd699d3c01bf1e467f4357d1ea15192a8a7c8417\n- SHA1: 8456e526dd911a33c387b1e2f38013816c1a76f0\n- Drop path: C:\\Windows\\Temp\\csrss.exe", "spans": {"MALWARE: Amadey": [[15, 21]], "IP_ADDRESS: 89.29.253.117": [[54, 67]], "IP_ADDRESS: 193.78.183.182": [[70, 84]], "IP_ADDRESS: 39.115.38.212": [[87, 100]], "DOMAIN: cloudauth.site": [[103, 117]], "DOMAIN: cloud-proxy.top": [[120, 135]], "URL: http://api-cdn.tech/login": [[144, 169]], "URL: hxxp://cache-static.site/login": [[172, 202]], "EMAIL: contact@identity-verify.cc": [[220, 246]], "EMAIL: updates@phishing-domain.com": [[249, 276]], "HASH: dd699d3c01bf1e467f4357d1ea15192a8a7c8417": [[302, 342]], "HASH: 8456e526dd911a33c387b1e2f38013816c1a76f0": [[351, 391]], "FILEPATH: C:\\Windows\\Temp\\csrss.exe": [[405, 430]]}, "info": {"id": "synth_v2_01301", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - StealC Campaign:\nNetwork Indicators:\n- 104.203.203.176\n- 
192.70.126.56\n- 16.14.252.28\n- nodeupdate.link\n- cache-proxy.live\nURLs:\n- hxxp://edge-gateway.xyz/download/update.exe\n- hxxps://backup-cloud.live/callback\nEmail Senders:\n- ceo@urgent-notice.online\n- verify@mail-service.info\nFile Indicators:\n- SHA256: 584b4ae96367c9585e21a9e26d9ee98956160b913cfd5d17ef58e9badb71a095\n- MD5: 27279a1fc740ed107ae63fa0321982c7\n- Drop path: /home/user/.config/dropper.ps1", "spans": {"MALWARE: StealC": [[15, 21]], "IP_ADDRESS: 104.203.203.176": [[54, 69]], "IP_ADDRESS: 192.70.126.56": [[72, 85]], "IP_ADDRESS: 16.14.252.28": [[88, 100]], "DOMAIN: nodeupdate.link": [[103, 118]], "DOMAIN: cache-proxy.live": [[121, 137]], "URL: hxxp://edge-gateway.xyz/download/update.exe": [[146, 189]], "URL: hxxps://backup-cloud.live/callback": [[192, 226]], "EMAIL: ceo@urgent-notice.online": [[244, 268]], "EMAIL: verify@mail-service.info": [[271, 295]], "HASH: 584b4ae96367c9585e21a9e26d9ee98956160b913cfd5d17ef58e9badb71a095": [[323, 387]], "HASH: 27279a1fc740ed107ae63fa0321982c7": [[395, 427]], "FILEPATH: /home/user/.config/dropper.ps1": [[441, 471]]}, "info": {"id": "synth_v2_01302", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - PikaBot Campaign:\nNetwork Indicators:\n- 192.87.124.120\n- 154.2.252.48\n- 192.166.72.176\n- edgestorage.club\n- mailstorage.live\nURLs:\n- hxxps://cache-gateway.link/wp-content/uploads/doc.php\n- hxxp://nodesecure.link/callback\nEmail Senders:\n- verify@urgent-notice.online\n- confirm@login-portal.tech\nFile Indicators:\n- SHA256: 04c3b4a672ee8bcc2d96ccc520c4547b1f1aa8afc8ecd8cbb4cba94173557eb0\n- SHA256: 42c45825d21712960b61902d4959ae1ba1df16921db01eb617996c9ce1048657\n- Drop path: /dev/shm/runtime.dll", "spans": {"MALWARE: PikaBot": [[15, 22]], "IP_ADDRESS: 192.87.124.120": [[55, 69]], "IP_ADDRESS: 154.2.252.48": [[72, 84]], "IP_ADDRESS: 192.166.72.176": [[87, 101]], "DOMAIN: edgestorage.club": [[104, 120]], "DOMAIN: mailstorage.live": [[123, 139]], "URL: hxxps://cache-gateway.link/wp-content/uploads/doc.php": 
[[148, 201]], "URL: hxxp://nodesecure.link/callback": [[204, 235]], "EMAIL: verify@urgent-notice.online": [[253, 280]], "EMAIL: confirm@login-portal.tech": [[283, 308]], "HASH: 04c3b4a672ee8bcc2d96ccc520c4547b1f1aa8afc8ecd8cbb4cba94173557eb0": [[336, 400]], "HASH: 42c45825d21712960b61902d4959ae1ba1df16921db01eb617996c9ce1048657": [[411, 475]], "FILEPATH: /dev/shm/runtime.dll": [[489, 509]]}, "info": {"id": "synth_v2_01303", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Vidar Campaign:\nNetwork Indicators:\n- 10.123.8.9\n- 178.120.210.66\n- 94.159.211.108\n- nodegateway.club\n- syncauth.site\nURLs:\n- hxxp://login-cdn.site/api/v2/auth\n- hxxp://storagemail.dev/collect\nEmail Senders:\n- updates@credential-check.site\n- service@phishing-domain.com\nFile Indicators:\n- SHA256: 132f594c182fe498251350d47734e7f1536b04a8ebd65a3eccfd1e33c663a444\n- MD5: fb9271d0cd918c48bc3991e0cb15e508\n- Drop path: C:\\Users\\Public\\Documents\\backdoor.elf", "spans": {"MALWARE: Vidar": [[15, 20]], "IP_ADDRESS: 10.123.8.9": [[53, 63]], "IP_ADDRESS: 178.120.210.66": [[66, 80]], "IP_ADDRESS: 94.159.211.108": [[83, 97]], "DOMAIN: nodegateway.club": [[100, 116]], "DOMAIN: syncauth.site": [[119, 132]], "URL: hxxp://login-cdn.site/api/v2/auth": [[141, 174]], "URL: hxxp://storagemail.dev/collect": [[177, 207]], "EMAIL: updates@credential-check.site": [[225, 254]], "EMAIL: service@phishing-domain.com": [[257, 284]], "HASH: 132f594c182fe498251350d47734e7f1536b04a8ebd65a3eccfd1e33c663a444": [[312, 376]], "HASH: fb9271d0cd918c48bc3991e0cb15e508": [[384, 416]], "FILEPATH: C:\\Users\\Public\\Documents\\backdoor.elf": [[430, 468]]}, "info": {"id": "synth_v2_01304", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - AgentTesla Campaign:\nNetwork Indicators:\n- 2.52.56.192\n- 65.40.189.113\n- 192.57.159.183\n- portal-api.net\n- edgeportal.net\nURLs:\n- http://updatecloud.dev/api/v2/auth\n- http://node-static.org/assets/js/payload.js\nEmail Senders:\n- admin@auth-check.org\n- 
ceo@auth-check.org\nFile Indicators:\n- SHA256: 090234806c2088615d508f24d58f19bf5d71ed0875c3c0ec1048b483dfd290e7\n- MD5: bf2748f94544ff55934713b9b2859834\n- Drop path: /usr/local/bin/lsass.dmp", "spans": {"MALWARE: AgentTesla": [[15, 25]], "IP_ADDRESS: 2.52.56.192": [[58, 69]], "IP_ADDRESS: 65.40.189.113": [[72, 85]], "IP_ADDRESS: 192.57.159.183": [[88, 102]], "DOMAIN: portal-api.net": [[105, 119]], "DOMAIN: edgeportal.net": [[122, 136]], "URL: http://updatecloud.dev/api/v2/auth": [[145, 179]], "URL: http://node-static.org/assets/js/payload.js": [[182, 225]], "EMAIL: admin@auth-check.org": [[243, 263]], "EMAIL: ceo@auth-check.org": [[266, 284]], "HASH: 090234806c2088615d508f24d58f19bf5d71ed0875c3c0ec1048b483dfd290e7": [[312, 376]], "HASH: bf2748f94544ff55934713b9b2859834": [[384, 416]], "FILEPATH: /usr/local/bin/lsass.dmp": [[430, 454]]}, "info": {"id": "synth_v2_01305", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - AgentTesla Campaign:\nNetwork Indicators:\n- 45.203.126.98\n- 218.118.255.116\n- 172.13.101.75\n- storagesync.tech\n- gatewaygateway.com\nURLs:\n- http://api-api.cc/admin/config\n- hxxp://login-proxy.link/wp-content/uploads/doc.php\nEmail Senders:\n- account@identity-verify.cc\n- notification@credential-check.site\nFile Indicators:\n- SHA256: 61e1ff2aeb28548fde8a079bc97f5483dd9243103ca7addb478bdf795801c94e\n- SHA256: 6b95cf9e398686c1bca42fd67e6e77fb07e704bb1d0947f54381bc5b1db628d4\n- Drop path: /usr/local/bin/payload.bin", "spans": {"MALWARE: AgentTesla": [[15, 25]], "IP_ADDRESS: 45.203.126.98": [[58, 71]], "IP_ADDRESS: 218.118.255.116": [[74, 89]], "IP_ADDRESS: 172.13.101.75": [[92, 105]], "DOMAIN: storagesync.tech": [[108, 124]], "DOMAIN: gatewaygateway.com": [[127, 145]], "URL: http://api-api.cc/admin/config": [[154, 184]], "URL: hxxp://login-proxy.link/wp-content/uploads/doc.php": [[187, 237]], "EMAIL: account@identity-verify.cc": [[255, 281]], "EMAIL: notification@credential-check.site": [[284, 318]], "HASH: 
61e1ff2aeb28548fde8a079bc97f5483dd9243103ca7addb478bdf795801c94e": [[346, 410]], "HASH: 6b95cf9e398686c1bca42fd67e6e77fb07e704bb1d0947f54381bc5b1db628d4": [[421, 485]], "FILEPATH: /usr/local/bin/payload.bin": [[499, 525]]}, "info": {"id": "synth_v2_01306", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Ryuk Campaign:\nNetwork Indicators:\n- 191.106.199.205\n- 192.188.28.242\n- 215.230.10.251\n- sync-update.link\n- gateway-mail.com\nURLs:\n- https://cloud-gateway.link/login\n- https://sync-node.top/panel/index.html\nEmail Senders:\n- hr@login-portal.tech\n- verify@credential-check.site\nFile Indicators:\n- SHA1: 7c52d67ef2ca07007c338c6f3aafce68ce0ae408\n- SHA256: 9273964c65942820d85b60fd1b2353018e0528faf9eb4a9e5a517799cc9939c4\n- Drop path: C:\\Users\\admin\\AppData\\Local\\Temp\\svchost.exe", "spans": {"MALWARE: Ryuk": [[15, 19]], "IP_ADDRESS: 191.106.199.205": [[52, 67]], "IP_ADDRESS: 192.188.28.242": [[70, 84]], "IP_ADDRESS: 215.230.10.251": [[87, 101]], "DOMAIN: sync-update.link": [[104, 120]], "DOMAIN: gateway-mail.com": [[123, 139]], "URL: https://cloud-gateway.link/login": [[148, 180]], "URL: https://sync-node.top/panel/index.html": [[183, 221]], "EMAIL: hr@login-portal.tech": [[239, 259]], "EMAIL: verify@credential-check.site": [[262, 290]], "HASH: 7c52d67ef2ca07007c338c6f3aafce68ce0ae408": [[316, 356]], "HASH: 9273964c65942820d85b60fd1b2353018e0528faf9eb4a9e5a517799cc9939c4": [[367, 431]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\svchost.exe": [[445, 490]]}, "info": {"id": "synth_v2_01307", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - FormBook Campaign:\nNetwork Indicators:\n- 172.169.171.225\n- 172.92.181.66\n- 157.198.219.148\n- backuplogin.live\n- proxy-mail.live\nURLs:\n- hxxps://storagesecure.io/login\n- http://gateway-api.top/wp-content/uploads/doc.php\nEmail Senders:\n- hr@mail-service.info\n- updates@document-share.link\nFile Indicators:\n- MD5: 050514a94200ee510d0c1043e79afc56\n- SHA256: 
a24cfda30a2856a6d96393cc729a64bd20494a606e8c63d6f7328abb36a0c7c3\n- Drop path: /home/user/.config/winlogon.exe", "spans": {"MALWARE: FormBook": [[15, 23]], "IP_ADDRESS: 172.169.171.225": [[56, 71]], "IP_ADDRESS: 172.92.181.66": [[74, 87]], "IP_ADDRESS: 157.198.219.148": [[90, 105]], "DOMAIN: backuplogin.live": [[108, 124]], "DOMAIN: proxy-mail.live": [[127, 142]], "URL: hxxps://storagesecure.io/login": [[151, 181]], "URL: http://gateway-api.top/wp-content/uploads/doc.php": [[184, 233]], "EMAIL: hr@mail-service.info": [[251, 271]], "EMAIL: updates@document-share.link": [[274, 301]], "HASH: 050514a94200ee510d0c1043e79afc56": [[326, 358]], "HASH: a24cfda30a2856a6d96393cc729a64bd20494a606e8c63d6f7328abb36a0c7c3": [[369, 433]], "FILEPATH: /home/user/.config/winlogon.exe": [[447, 478]]}, "info": {"id": "synth_v2_01308", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Lumma Stealer Campaign:\nNetwork Indicators:\n- 10.160.60.209\n- 183.108.116.211\n- 172.142.249.184\n- cdn-cdn.net\n- updaterelay.io\nURLs:\n- hxxps://storagerelay.site/assets/js/payload.js\n- https://cdn-sync.live/panel/index.html\nEmail Senders:\n- finance@secure-verify.net\n- finance@account-update.xyz\nFile Indicators:\n- SHA256: 82772762bf4362dbf2888bc02012b312e8b866c9bb9f1e3654d27bb46a461b9b\n- SHA256: dfca7200b5a630870282e9c68cf37f5b3111aed25b313255008ca7c68262cb62\n- Drop path: /var/tmp/winlogon.exe", "spans": {"MALWARE: Lumma Stealer": [[15, 28]], "IP_ADDRESS: 10.160.60.209": [[61, 74]], "IP_ADDRESS: 183.108.116.211": [[77, 92]], "IP_ADDRESS: 172.142.249.184": [[95, 110]], "DOMAIN: cdn-cdn.net": [[113, 124]], "DOMAIN: updaterelay.io": [[127, 141]], "URL: hxxps://storagerelay.site/assets/js/payload.js": [[150, 196]], "URL: https://cdn-sync.live/panel/index.html": [[199, 237]], "EMAIL: finance@secure-verify.net": [[255, 280]], "EMAIL: finance@account-update.xyz": [[283, 309]], "HASH: 82772762bf4362dbf2888bc02012b312e8b866c9bb9f1e3654d27bb46a461b9b": [[337, 401]], "HASH: 
dfca7200b5a630870282e9c68cf37f5b3111aed25b313255008ca7c68262cb62": [[412, 476]], "FILEPATH: /var/tmp/winlogon.exe": [[490, 511]]}, "info": {"id": "synth_v2_01309", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - AgentTesla Campaign:\nNetwork Indicators:\n- 192.103.109.124\n- 192.241.183.221\n- 169.251.63.169\n- cdn-login.site\n- portalsync.top\nURLs:\n- hxxp://authapi.tech/assets/js/payload.js\n- https://node-relay.com/api/v2/auth\nEmail Senders:\n- admin@credential-check.site\n- notification@secure-verify.net\nFile Indicators:\n- MD5: eefc702db8e948bce4d4e3014752f0d3\n- SHA1: 3fb7e472b58fe46ee3ed0a995261d00d65e7628a\n- Drop path: C:\\Users\\Public\\Documents\\ntds.dit", "spans": {"MALWARE: AgentTesla": [[15, 25]], "IP_ADDRESS: 192.103.109.124": [[58, 73]], "IP_ADDRESS: 192.241.183.221": [[76, 91]], "IP_ADDRESS: 169.251.63.169": [[94, 108]], "DOMAIN: cdn-login.site": [[111, 125]], "DOMAIN: portalsync.top": [[128, 142]], "URL: hxxp://authapi.tech/assets/js/payload.js": [[151, 191]], "URL: https://node-relay.com/api/v2/auth": [[194, 228]], "EMAIL: admin@credential-check.site": [[246, 273]], "EMAIL: notification@secure-verify.net": [[276, 306]], "HASH: eefc702db8e948bce4d4e3014752f0d3": [[331, 363]], "HASH: 3fb7e472b58fe46ee3ed0a995261d00d65e7628a": [[372, 412]], "FILEPATH: C:\\Users\\Public\\Documents\\ntds.dit": [[426, 460]]}, "info": {"id": "synth_v2_01310", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Conti Campaign:\nNetwork Indicators:\n- 172.205.131.66\n- 183.41.52.150\n- 10.234.185.205\n- securebackup.live\n- cloudnode.dev\nURLs:\n- http://securedata.online/portal/verify\n- http://relayupdate.com/panel/index.html\nEmail Senders:\n- confirm@secure-verify.net\n- noreply@auth-check.org\nFile Indicators:\n- SHA1: 078a05703f2f58f55f71a8bd7575d365514ce847\n- SHA1: 5464237536190a75354608cd92f87cc1a82ae2dc\n- Drop path: /var/tmp/config.dat", "spans": {"MALWARE: Conti": [[15, 20]], "IP_ADDRESS: 172.205.131.66": [[53, 67]], "IP_ADDRESS: 183.41.52.150": 
[[70, 83]], "IP_ADDRESS: 10.234.185.205": [[86, 100]], "DOMAIN: securebackup.live": [[103, 120]], "DOMAIN: cloudnode.dev": [[123, 136]], "URL: http://securedata.online/portal/verify": [[145, 183]], "URL: http://relayupdate.com/panel/index.html": [[186, 225]], "EMAIL: confirm@secure-verify.net": [[243, 268]], "EMAIL: noreply@auth-check.org": [[271, 293]], "HASH: 078a05703f2f58f55f71a8bd7575d365514ce847": [[319, 359]], "HASH: 5464237536190a75354608cd92f87cc1a82ae2dc": [[368, 408]], "FILEPATH: /var/tmp/config.dat": [[422, 441]]}, "info": {"id": "synth_v2_01311", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - NjRAT Campaign:\nNetwork Indicators:\n- 10.44.15.141\n- 10.207.247.147\n- 192.209.207.106\n- login-edge.site\n- cloudedge.xyz\nURLs:\n- https://relayapi.site/callback\n- hxxps://auth-update.live/wp-content/uploads/doc.php\nEmail Senders:\n- verify@phishing-domain.com\n- notification@phishing-domain.com\nFile Indicators:\n- SHA1: ac0ceec111f1f91dddd16c1400630dd2c5df291c\n- SHA1: 0637afd329e0590d739d162b9de909793ab5b62d\n- Drop path: C:\\Windows\\Tasks\\update.dll", "spans": {"MALWARE: NjRAT": [[15, 20]], "IP_ADDRESS: 10.44.15.141": [[53, 65]], "IP_ADDRESS: 10.207.247.147": [[68, 82]], "IP_ADDRESS: 192.209.207.106": [[85, 100]], "DOMAIN: login-edge.site": [[103, 118]], "DOMAIN: cloudedge.xyz": [[121, 134]], "URL: https://relayapi.site/callback": [[143, 173]], "URL: hxxps://auth-update.live/wp-content/uploads/doc.php": [[176, 227]], "EMAIL: verify@phishing-domain.com": [[245, 271]], "EMAIL: notification@phishing-domain.com": [[274, 306]], "HASH: ac0ceec111f1f91dddd16c1400630dd2c5df291c": [[332, 372]], "HASH: 0637afd329e0590d739d162b9de909793ab5b62d": [[381, 421]], "FILEPATH: C:\\Windows\\Tasks\\update.dll": [[435, 462]]}, "info": {"id": "synth_v2_01312", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - BumbleBee Campaign:\nNetwork Indicators:\n- 134.31.213.236\n- 193.115.84.10\n- 205.17.120.70\n- staticlogin.top\n- proxybackup.io\nURLs:\n- 
hxxps://static-gateway.tech/gate.php\n- https://syncstorage.site/gate.php\nEmail Senders:\n- noreply@identity-verify.cc\n- verify@identity-verify.cc\nFile Indicators:\n- MD5: 1a1db639d51c427e1dc15eb89b906986\n- MD5: cd1708d3cabeb215aac702f6e4054b8e\n- Drop path: /etc/cron.d/backdoor.elf", "spans": {"MALWARE: BumbleBee": [[15, 24]], "IP_ADDRESS: 134.31.213.236": [[57, 71]], "IP_ADDRESS: 193.115.84.10": [[74, 87]], "IP_ADDRESS: 205.17.120.70": [[90, 103]], "DOMAIN: staticlogin.top": [[106, 121]], "DOMAIN: proxybackup.io": [[124, 138]], "URL: hxxps://static-gateway.tech/gate.php": [[147, 183]], "URL: https://syncstorage.site/gate.php": [[186, 219]], "EMAIL: noreply@identity-verify.cc": [[237, 263]], "EMAIL: verify@identity-verify.cc": [[266, 291]], "HASH: 1a1db639d51c427e1dc15eb89b906986": [[316, 348]], "HASH: cd1708d3cabeb215aac702f6e4054b8e": [[356, 388]], "FILEPATH: /etc/cron.d/backdoor.elf": [[402, 426]]}, "info": {"id": "synth_v2_01313", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Dridex Campaign:\nNetwork Indicators:\n- 192.52.228.151\n- 128.244.179.1\n- 10.157.170.196\n- login-cdn.org\n- secureportal.cc\nURLs:\n- https://login-portal.top/secure/token\n- hxxp://mail-relay.xyz/login\nEmail Senders:\n- report@phishing-domain.com\n- updates@mail-service.info\nFile Indicators:\n- SHA256: 292fcaf1a11abdc90430629e03a7fd64f0616b9981ee416f53f7e74725db5424\n- SHA256: 645c1b9c7d6964ce89b3536d0be0124095f8a47a7dfafb3c15d3ef11cec9afce\n- Drop path: C:\\Users\\admin\\AppData\\Local\\Temp\\lsass.dmp", "spans": {"MALWARE: Dridex": [[15, 21]], "IP_ADDRESS: 192.52.228.151": [[54, 68]], "IP_ADDRESS: 128.244.179.1": [[71, 84]], "IP_ADDRESS: 10.157.170.196": [[87, 101]], "DOMAIN: login-cdn.org": [[104, 117]], "DOMAIN: secureportal.cc": [[120, 135]], "URL: https://login-portal.top/secure/token": [[144, 181]], "URL: hxxp://mail-relay.xyz/login": [[184, 211]], "EMAIL: report@phishing-domain.com": [[229, 255]], "EMAIL: updates@mail-service.info": [[258, 283]], "HASH: 
292fcaf1a11abdc90430629e03a7fd64f0616b9981ee416f53f7e74725db5424": [[311, 375]], "HASH: 645c1b9c7d6964ce89b3536d0be0124095f8a47a7dfafb3c15d3ef11cec9afce": [[386, 450]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\lsass.dmp": [[464, 507]]}, "info": {"id": "synth_v2_01314", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Play Campaign:\nNetwork Indicators:\n- 23.221.175.38\n- 172.238.204.191\n- 95.62.64.88\n- proxy-cache.cc\n- cdn-mail.live\nURLs:\n- hxxp://staticcloud.xyz/gate.php\n- hxxp://datacloud.info/download/update.exe\nEmail Senders:\n- confirm@auth-check.org\n- service@account-update.xyz\nFile Indicators:\n- SHA256: 9ffdb41e404dfba9e90de799d5489cb0d5df5be35761f4b881ba7f5502283ac5\n- MD5: d9a1c0a8ea86fb3e0cc9a2f622a958fe\n- Drop path: /var/tmp/sam.hive", "spans": {"MALWARE: Play": [[15, 19]], "IP_ADDRESS: 23.221.175.38": [[52, 65]], "IP_ADDRESS: 172.238.204.191": [[68, 83]], "IP_ADDRESS: 95.62.64.88": [[86, 97]], "DOMAIN: proxy-cache.cc": [[100, 114]], "DOMAIN: cdn-mail.live": [[117, 130]], "URL: hxxp://staticcloud.xyz/gate.php": [[139, 170]], "URL: hxxp://datacloud.info/download/update.exe": [[173, 214]], "EMAIL: confirm@auth-check.org": [[232, 254]], "EMAIL: service@account-update.xyz": [[257, 283]], "HASH: 9ffdb41e404dfba9e90de799d5489cb0d5df5be35761f4b881ba7f5502283ac5": [[311, 375]], "HASH: d9a1c0a8ea86fb3e0cc9a2f622a958fe": [[383, 415]], "FILEPATH: /var/tmp/sam.hive": [[429, 446]]}, "info": {"id": "synth_v2_01315", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - BlackCat Campaign:\nNetwork Indicators:\n- 172.90.95.87\n- 10.18.119.208\n- 192.241.27.2\n- logincloud.info\n- cloud-relay.com\nURLs:\n- hxxps://data-cloud.top/admin/config\n- http://edge-sync.tech/admin/config\nEmail Senders:\n- info@account-update.xyz\n- it@credential-check.site\nFile Indicators:\n- MD5: 63728b6a41839a50d8456f7323158ef6\n- SHA256: f7012cdfc50e141d1e84183b4bb4cc582363745a62e1d3d5e533fa55c3abc5b2\n- Drop path: C:\\Windows\\Temp\\backdoor.elf", "spans": 
{"MALWARE: BlackCat": [[15, 23]], "IP_ADDRESS: 172.90.95.87": [[56, 68]], "IP_ADDRESS: 10.18.119.208": [[71, 84]], "IP_ADDRESS: 192.241.27.2": [[87, 99]], "DOMAIN: logincloud.info": [[102, 117]], "DOMAIN: cloud-relay.com": [[120, 135]], "URL: hxxps://data-cloud.top/admin/config": [[144, 179]], "URL: http://edge-sync.tech/admin/config": [[182, 216]], "EMAIL: info@account-update.xyz": [[234, 257]], "EMAIL: it@credential-check.site": [[260, 284]], "HASH: 63728b6a41839a50d8456f7323158ef6": [[309, 341]], "HASH: f7012cdfc50e141d1e84183b4bb4cc582363745a62e1d3d5e533fa55c3abc5b2": [[352, 416]], "FILEPATH: C:\\Windows\\Temp\\backdoor.elf": [[430, 458]]}, "info": {"id": "synth_v2_01316", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - ShadowPad Campaign:\nNetwork Indicators:\n- 172.51.190.193\n- 172.215.197.139\n- 192.197.151.95\n- backupbackup.club\n- auth-mail.online\nURLs:\n- hxxp://relay-static.top/callback\n- hxxp://updatestorage.xyz/admin/config\nEmail Senders:\n- updates@login-portal.tech\n- report@identity-verify.cc\nFile Indicators:\n- SHA1: 506ff57f73df7550d2beecae16c47d596c9d3841\n- SHA1: 3ff0d885e72fa1319ac4c2e88259755216b19f56\n- Drop path: /etc/cron.d/implant.so", "spans": {"MALWARE: ShadowPad": [[15, 24]], "IP_ADDRESS: 172.51.190.193": [[57, 71]], "IP_ADDRESS: 172.215.197.139": [[74, 89]], "IP_ADDRESS: 192.197.151.95": [[92, 106]], "DOMAIN: backupbackup.club": [[109, 126]], "DOMAIN: auth-mail.online": [[129, 145]], "URL: hxxp://relay-static.top/callback": [[154, 186]], "URL: hxxp://updatestorage.xyz/admin/config": [[189, 226]], "EMAIL: updates@login-portal.tech": [[244, 269]], "EMAIL: report@identity-verify.cc": [[272, 297]], "HASH: 506ff57f73df7550d2beecae16c47d596c9d3841": [[323, 363]], "HASH: 3ff0d885e72fa1319ac4c2e88259755216b19f56": [[372, 412]], "FILEPATH: /etc/cron.d/implant.so": [[426, 448]]}, "info": {"id": "synth_v2_01317", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Royal Campaign:\nNetwork Indicators:\n- 186.67.109.163\n- 
10.233.239.234\n- 192.108.41.178\n- updatedata.org\n- static-node.tech\nURLs:\n- hxxps://mailmail.link/admin/config\n- http://login-storage.com/callback\nEmail Senders:\n- contact@urgent-notice.online\n- service@phishing-domain.com\nFile Indicators:\n- SHA1: ab493ec8bdbe8bef1fedd8710562fbcca3edb003\n- SHA1: d19074c7a6fca1e8ec76514e502438aa2a2cedb3\n- Drop path: C:\\Users\\admin\\Desktop\\sam.hive", "spans": {"MALWARE: Royal": [[15, 20]], "IP_ADDRESS: 186.67.109.163": [[53, 67]], "IP_ADDRESS: 10.233.239.234": [[70, 84]], "IP_ADDRESS: 192.108.41.178": [[87, 101]], "DOMAIN: updatedata.org": [[104, 118]], "DOMAIN: static-node.tech": [[121, 137]], "URL: hxxps://mailmail.link/admin/config": [[146, 180]], "URL: http://login-storage.com/callback": [[183, 216]], "EMAIL: contact@urgent-notice.online": [[234, 262]], "EMAIL: service@phishing-domain.com": [[265, 292]], "HASH: ab493ec8bdbe8bef1fedd8710562fbcca3edb003": [[318, 358]], "HASH: d19074c7a6fca1e8ec76514e502438aa2a2cedb3": [[367, 407]], "FILEPATH: C:\\Users\\admin\\Desktop\\sam.hive": [[421, 452]]}, "info": {"id": "synth_v2_01318", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Play Campaign:\nNetwork Indicators:\n- 127.213.241.24\n- 213.219.126.37\n- 186.45.0.60\n- securebackup.org\n- portalsecure.org\nURLs:\n- http://cacheportal.xyz/portal/verify\n- https://cache-gateway.xyz/collect\nEmail Senders:\n- ceo@document-share.link\n- finance@phishing-domain.com\nFile Indicators:\n- SHA256: 5b6bcfb201a5ea8dd2d4efd891748da2a3d7e577878dfe061638b0e6ea7d69d9\n- MD5: 2724e3292b419b807d1c70df0d51438e\n- Drop path: /tmp/dropper.ps1", "spans": {"MALWARE: Play": [[15, 19]], "IP_ADDRESS: 127.213.241.24": [[52, 66]], "IP_ADDRESS: 213.219.126.37": [[69, 83]], "IP_ADDRESS: 186.45.0.60": [[86, 97]], "DOMAIN: securebackup.org": [[100, 116]], "DOMAIN: portalsecure.org": [[119, 135]], "URL: http://cacheportal.xyz/portal/verify": [[144, 180]], "URL: https://cache-gateway.xyz/collect": [[183, 216]], "EMAIL: ceo@document-share.link": 
[[234, 257]], "EMAIL: finance@phishing-domain.com": [[260, 287]], "HASH: 5b6bcfb201a5ea8dd2d4efd891748da2a3d7e577878dfe061638b0e6ea7d69d9": [[315, 379]], "HASH: 2724e3292b419b807d1c70df0d51438e": [[387, 419]], "FILEPATH: /tmp/dropper.ps1": [[433, 449]]}, "info": {"id": "synth_v2_01319", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - DanaBot Campaign:\nNetwork Indicators:\n- 83.146.212.93\n- 200.188.101.20\n- 15.251.111.9\n- login-api.com\n- relay-cloud.site\nURLs:\n- http://secure-mail.club/admin/config\n- hxxp://cloudsecure.org/portal/verify\nEmail Senders:\n- account@credential-check.site\n- hr@document-share.link\nFile Indicators:\n- SHA1: da6bcf1d58327f2231fa80d67c628c1fe181ca4a\n- MD5: af1ec83fcaf9ebdd2d6c7b32090f7439\n- Drop path: /tmp/implant.so", "spans": {"MALWARE: DanaBot": [[15, 22]], "IP_ADDRESS: 83.146.212.93": [[55, 68]], "IP_ADDRESS: 200.188.101.20": [[71, 85]], "IP_ADDRESS: 15.251.111.9": [[88, 100]], "DOMAIN: login-api.com": [[103, 116]], "DOMAIN: relay-cloud.site": [[119, 135]], "URL: http://secure-mail.club/admin/config": [[144, 180]], "URL: hxxp://cloudsecure.org/portal/verify": [[183, 219]], "EMAIL: account@credential-check.site": [[237, 266]], "EMAIL: hr@document-share.link": [[269, 291]], "HASH: da6bcf1d58327f2231fa80d67c628c1fe181ca4a": [[317, 357]], "HASH: af1ec83fcaf9ebdd2d6c7b32090f7439": [[365, 397]], "FILEPATH: /tmp/implant.so": [[411, 426]]}, "info": {"id": "synth_v2_01320", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - IcedID Campaign:\nNetwork Indicators:\n- 171.200.2.205\n- 192.63.17.155\n- 172.220.202.185\n- relay-cloud.live\n- gateway-backup.info\nURLs:\n- https://proxy-node.tech/admin/config\n- hxxps://apiproxy.site/collect\nEmail Senders:\n- admin@document-share.link\n- billing@credential-check.site\nFile Indicators:\n- MD5: 14a8f88822db5d5a76aea22b348de98b\n- SHA1: 833e20df8f2607d755594e8b96f90eb5d32564fc\n- Drop path: C:\\Users\\Public\\Documents\\ntds.dit", "spans": {"MALWARE: IcedID": [[15, 21]], "IP_ADDRESS: 
171.200.2.205": [[54, 67]], "IP_ADDRESS: 192.63.17.155": [[70, 83]], "IP_ADDRESS: 172.220.202.185": [[86, 101]], "DOMAIN: relay-cloud.live": [[104, 120]], "DOMAIN: gateway-backup.info": [[123, 142]], "URL: https://proxy-node.tech/admin/config": [[151, 187]], "URL: hxxps://apiproxy.site/collect": [[190, 219]], "EMAIL: admin@document-share.link": [[237, 262]], "EMAIL: billing@credential-check.site": [[265, 294]], "HASH: 14a8f88822db5d5a76aea22b348de98b": [[319, 351]], "HASH: 833e20df8f2607d755594e8b96f90eb5d32564fc": [[360, 400]], "FILEPATH: C:\\Users\\Public\\Documents\\ntds.dit": [[414, 448]]}, "info": {"id": "synth_v2_01321", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Gootloader Campaign:\nNetwork Indicators:\n- 164.55.7.74\n- 193.251.126.184\n- 108.222.153.66\n- clouddata.io\n- edgecdn.club\nURLs:\n- https://node-cache.com/callback\n- hxxp://mailapi.io/gate.php\nEmail Senders:\n- confirm@mail-service.info\n- updates@credential-check.site\nFile Indicators:\n- SHA1: 72096980728e719a33d326425eb34856c89226c0\n- MD5: dcb49797c751598ca0edbdaccb3279cd\n- Drop path: C:\\ProgramData\\shell.php", "spans": {"MALWARE: Gootloader": [[15, 25]], "IP_ADDRESS: 164.55.7.74": [[58, 69]], "IP_ADDRESS: 193.251.126.184": [[72, 87]], "IP_ADDRESS: 108.222.153.66": [[90, 104]], "DOMAIN: clouddata.io": [[107, 119]], "DOMAIN: edgecdn.club": [[122, 134]], "URL: https://node-cache.com/callback": [[143, 174]], "URL: hxxp://mailapi.io/gate.php": [[177, 203]], "EMAIL: confirm@mail-service.info": [[221, 246]], "EMAIL: updates@credential-check.site": [[249, 278]], "HASH: 72096980728e719a33d326425eb34856c89226c0": [[304, 344]], "HASH: dcb49797c751598ca0edbdaccb3279cd": [[352, 384]], "FILEPATH: C:\\ProgramData\\shell.php": [[398, 422]]}, "info": {"id": "synth_v2_01322", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - PikaBot Campaign:\nNetwork Indicators:\n- 172.140.125.209\n- 91.22.206.131\n- 159.109.20.102\n- storage-cdn.org\n- cdn-node.live\nURLs:\n- 
hxxp://syncportal.link/portal/verify\n- https://backup-data.tech/panel/index.html\nEmail Senders:\n- service@document-share.link\n- ceo@account-update.xyz\nFile Indicators:\n- SHA1: a91a2f21a8af3f1c6e1f6eec23222de18c7c6052\n- SHA1: 67a53f441f03d4ad2754b1eb7ab3406b760997bc\n- Drop path: C:\\Users\\Public\\Documents\\config.dat", "spans": {"MALWARE: PikaBot": [[15, 22]], "IP_ADDRESS: 172.140.125.209": [[55, 70]], "IP_ADDRESS: 91.22.206.131": [[73, 86]], "IP_ADDRESS: 159.109.20.102": [[89, 103]], "DOMAIN: storage-cdn.org": [[106, 121]], "DOMAIN: cdn-node.live": [[124, 137]], "URL: hxxp://syncportal.link/portal/verify": [[146, 182]], "URL: https://backup-data.tech/panel/index.html": [[185, 226]], "EMAIL: service@document-share.link": [[244, 271]], "EMAIL: ceo@account-update.xyz": [[274, 296]], "HASH: a91a2f21a8af3f1c6e1f6eec23222de18c7c6052": [[322, 362]], "HASH: 67a53f441f03d4ad2754b1eb7ab3406b760997bc": [[371, 411]], "FILEPATH: C:\\Users\\Public\\Documents\\config.dat": [[425, 461]]}, "info": {"id": "synth_v2_01323", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Ryuk Campaign:\nNetwork Indicators:\n- 100.16.120.130\n- 17.2.23.54\n- 223.158.214.160\n- portalgateway.com\n- cachecdn.xyz\nURLs:\n- http://relaysync.online/assets/js/payload.js\n- hxxp://api-gateway.net/download/update.exe\nEmail Senders:\n- alert@auth-check.org\n- support@login-portal.tech\nFile Indicators:\n- MD5: c4ed2471ed8f889af206c7bf9920dfc5\n- MD5: b771c79d473f9a8c5066ecdc69463651\n- Drop path: C:\\Users\\admin\\Desktop\\winlogon.exe", "spans": {"MALWARE: Ryuk": [[15, 19]], "IP_ADDRESS: 100.16.120.130": [[52, 66]], "IP_ADDRESS: 17.2.23.54": [[69, 79]], "IP_ADDRESS: 223.158.214.160": [[82, 97]], "DOMAIN: portalgateway.com": [[100, 117]], "DOMAIN: cachecdn.xyz": [[120, 132]], "URL: http://relaysync.online/assets/js/payload.js": [[141, 185]], "URL: hxxp://api-gateway.net/download/update.exe": [[188, 230]], "EMAIL: alert@auth-check.org": [[248, 268]], "EMAIL: support@login-portal.tech": [[271, 
296]], "HASH: c4ed2471ed8f889af206c7bf9920dfc5": [[321, 353]], "HASH: b771c79d473f9a8c5066ecdc69463651": [[361, 393]], "FILEPATH: C:\\Users\\admin\\Desktop\\winlogon.exe": [[407, 442]]}, "info": {"id": "synth_v2_01324", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - AgentTesla Campaign:\nNetwork Indicators:\n- 182.35.22.11\n- 32.160.113.56\n- 172.67.212.183\n- updateauth.live\n- node-storage.tech\nURLs:\n- http://secure-cache.tech/wp-content/uploads/doc.php\n- hxxp://auth-update.net/portal/verify\nEmail Senders:\n- it@credential-check.site\n- alert@urgent-notice.online\nFile Indicators:\n- SHA1: 015f127e5f4f641dd23bd6ff1ba16fc5179fd2ed\n- SHA256: 1bd8543611670106984a7c957cc77ad9b63ff343436491e5c16070fffd160d8b\n- Drop path: C:\\ProgramData\\csrss.exe", "spans": {"MALWARE: AgentTesla": [[15, 25]], "IP_ADDRESS: 182.35.22.11": [[58, 70]], "IP_ADDRESS: 32.160.113.56": [[73, 86]], "IP_ADDRESS: 172.67.212.183": [[89, 103]], "DOMAIN: updateauth.live": [[106, 121]], "DOMAIN: node-storage.tech": [[124, 141]], "URL: http://secure-cache.tech/wp-content/uploads/doc.php": [[150, 201]], "URL: hxxp://auth-update.net/portal/verify": [[204, 240]], "EMAIL: it@credential-check.site": [[258, 282]], "EMAIL: alert@urgent-notice.online": [[285, 311]], "HASH: 015f127e5f4f641dd23bd6ff1ba16fc5179fd2ed": [[337, 377]], "HASH: 1bd8543611670106984a7c957cc77ad9b63ff343436491e5c16070fffd160d8b": [[388, 452]], "FILEPATH: C:\\ProgramData\\csrss.exe": [[466, 490]]}, "info": {"id": "synth_v2_01325", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Latrodectus Campaign:\nNetwork Indicators:\n- 172.46.151.156\n- 10.205.191.10\n- 87.61.48.172\n- cache-gateway.io\n- apinode.site\nURLs:\n- hxxps://proxy-update.io/admin/config\n- hxxp://staticlogin.cc/assets/js/payload.js\nEmail Senders:\n- security@urgent-notice.online\n- it@phishing-domain.com\nFile Indicators:\n- SHA1: c049348df93216a45bffc40c7c8b55d51c15b207\n- MD5: 60d400dbc624adcd3ae0ee4eec3ac819\n- Drop path: /dev/shm/taskhost.exe", 
"spans": {"MALWARE: Latrodectus": [[15, 26]], "IP_ADDRESS: 172.46.151.156": [[59, 73]], "IP_ADDRESS: 10.205.191.10": [[76, 89]], "IP_ADDRESS: 87.61.48.172": [[92, 104]], "DOMAIN: cache-gateway.io": [[107, 123]], "DOMAIN: apinode.site": [[126, 138]], "URL: hxxps://proxy-update.io/admin/config": [[147, 183]], "URL: hxxp://staticlogin.cc/assets/js/payload.js": [[186, 228]], "EMAIL: security@urgent-notice.online": [[246, 275]], "EMAIL: it@phishing-domain.com": [[278, 300]], "HASH: c049348df93216a45bffc40c7c8b55d51c15b207": [[326, 366]], "HASH: 60d400dbc624adcd3ae0ee4eec3ac819": [[374, 406]], "FILEPATH: /dev/shm/taskhost.exe": [[420, 441]]}, "info": {"id": "synth_v2_01326", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - StealC Campaign:\nNetwork Indicators:\n- 22.78.112.54\n- 10.99.143.148\n- 42.69.21.145\n- cdncdn.live\n- proxy-api.dev\nURLs:\n- http://nodeedge.tech/download/update.exe\n- http://syncedge.com/callback\nEmail Senders:\n- alert@secure-verify.net\n- security@identity-verify.cc\nFile Indicators:\n- MD5: c2f2fec10d8f82684ff80963f660fb5a\n- MD5: d35cfbcc07920dd7badcbd84e640d348\n- Drop path: C:\\Windows\\System32\\update.dll", "spans": {"MALWARE: StealC": [[15, 21]], "IP_ADDRESS: 22.78.112.54": [[54, 66]], "IP_ADDRESS: 10.99.143.148": [[69, 82]], "IP_ADDRESS: 42.69.21.145": [[85, 97]], "DOMAIN: cdncdn.live": [[100, 111]], "DOMAIN: proxy-api.dev": [[114, 127]], "URL: http://nodeedge.tech/download/update.exe": [[136, 176]], "URL: http://syncedge.com/callback": [[179, 207]], "EMAIL: alert@secure-verify.net": [[225, 248]], "EMAIL: security@identity-verify.cc": [[251, 278]], "HASH: c2f2fec10d8f82684ff80963f660fb5a": [[303, 335]], "HASH: d35cfbcc07920dd7badcbd84e640d348": [[343, 375]], "FILEPATH: C:\\Windows\\System32\\update.dll": [[389, 419]]}, "info": {"id": "synth_v2_01327", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Play Campaign:\nNetwork Indicators:\n- 172.189.37.110\n- 126.47.86.29\n- 192.220.24.213\n- edge-api.dev\n- 
login-data.live\nURLs:\n- https://cloud-cdn.org/secure/token\n- http://cachelogin.com/download/update.exe\nEmail Senders:\n- helpdesk@secure-verify.net\n- finance@auth-check.org\nFile Indicators:\n- SHA1: 58b25e5ee5b28145180a15449580a8bc454ce187\n- SHA1: 69d7c215099b56d8069ae1ed37fbcc426660d03b\n- Drop path: C:\\Program Files\\Common Files\\dropper.ps1", "spans": {"MALWARE: Play": [[15, 19]], "IP_ADDRESS: 172.189.37.110": [[52, 66]], "IP_ADDRESS: 126.47.86.29": [[69, 81]], "IP_ADDRESS: 192.220.24.213": [[84, 98]], "DOMAIN: edge-api.dev": [[101, 113]], "DOMAIN: login-data.live": [[116, 131]], "URL: https://cloud-cdn.org/secure/token": [[140, 174]], "URL: http://cachelogin.com/download/update.exe": [[177, 218]], "EMAIL: helpdesk@secure-verify.net": [[236, 262]], "EMAIL: finance@auth-check.org": [[265, 287]], "HASH: 58b25e5ee5b28145180a15449580a8bc454ce187": [[313, 353]], "HASH: 69d7c215099b56d8069ae1ed37fbcc426660d03b": [[362, 402]], "FILEPATH: C:\\Program Files\\Common Files\\dropper.ps1": [[416, 457]]}, "info": {"id": "synth_v2_01328", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - BatLoader Campaign:\nNetwork Indicators:\n- 10.198.55.147\n- 221.24.147.92\n- 172.83.45.17\n- cdn-cloud.link\n- updatenode.net\nURLs:\n- https://edge-update.info/assets/js/payload.js\n- hxxps://cdnedge.club/assets/js/payload.js\nEmail Senders:\n- report@credential-check.site\n- alert@mail-service.info\nFile Indicators:\n- MD5: ffe3d82091c8864c4dab82aba1866efd\n- MD5: 8e7bdfeea6cf9339a26edfe854771a08\n- Drop path: C:\\Users\\admin\\AppData\\Local\\Temp\\dropper.ps1", "spans": {"MALWARE: BatLoader": [[15, 24]], "IP_ADDRESS: 10.198.55.147": [[57, 70]], "IP_ADDRESS: 221.24.147.92": [[73, 86]], "IP_ADDRESS: 172.83.45.17": [[89, 101]], "DOMAIN: cdn-cloud.link": [[104, 118]], "DOMAIN: updatenode.net": [[121, 135]], "URL: https://edge-update.info/assets/js/payload.js": [[144, 189]], "URL: hxxps://cdnedge.club/assets/js/payload.js": [[192, 233]], "EMAIL: report@credential-check.site": 
[[251, 279]], "EMAIL: alert@mail-service.info": [[282, 305]], "HASH: ffe3d82091c8864c4dab82aba1866efd": [[330, 362]], "HASH: 8e7bdfeea6cf9339a26edfe854771a08": [[370, 402]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\dropper.ps1": [[416, 461]]}, "info": {"id": "synth_v2_01329", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - BumbleBee Campaign:\nNetwork Indicators:\n- 109.166.134.72\n- 8.206.5.152\n- 213.17.211.212\n- relay-sync.tech\n- gatewaystatic.io\nURLs:\n- https://cachecdn.online/download/update.exe\n- hxxps://apibackup.org/portal/verify\nEmail Senders:\n- report@auth-check.org\n- updates@credential-check.site\nFile Indicators:\n- SHA256: 493872deaa714d9dfc558185f69a8ffe029214c74b50f92a1685f5a27b5e6c47\n- SHA1: c688d0025837fa5518cc56b91c1933630dc9715d\n- Drop path: C:\\Program Files\\Common Files\\config.dat", "spans": {"MALWARE: BumbleBee": [[15, 24]], "IP_ADDRESS: 109.166.134.72": [[57, 71]], "IP_ADDRESS: 8.206.5.152": [[74, 85]], "IP_ADDRESS: 213.17.211.212": [[88, 102]], "DOMAIN: relay-sync.tech": [[105, 120]], "DOMAIN: gatewaystatic.io": [[123, 139]], "URL: https://cachecdn.online/download/update.exe": [[148, 191]], "URL: hxxps://apibackup.org/portal/verify": [[194, 229]], "EMAIL: report@auth-check.org": [[247, 268]], "EMAIL: updates@credential-check.site": [[271, 300]], "HASH: 493872deaa714d9dfc558185f69a8ffe029214c74b50f92a1685f5a27b5e6c47": [[328, 392]], "HASH: c688d0025837fa5518cc56b91c1933630dc9715d": [[401, 441]], "FILEPATH: C:\\Program Files\\Common Files\\config.dat": [[455, 495]]}, "info": {"id": "synth_v2_01330", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - RemcosRAT Campaign:\nNetwork Indicators:\n- 192.147.232.104\n- 155.43.176.50\n- 10.200.146.127\n- node-portal.net\n- backupportal.dev\nURLs:\n- http://login-portal.org/callback\n- hxxp://auth-portal.site/assets/js/payload.js\nEmail Senders:\n- confirm@identity-verify.cc\n- contact@phishing-domain.com\nFile Indicators:\n- SHA1: b6f1a61d1bad0b3bdd53c053a219e215141cf0e5\n- 
MD5: 9357ee9a87f0b3a5a52747827d193486\n- Drop path: /tmp/agent.py", "spans": {"MALWARE: RemcosRAT": [[15, 24]], "IP_ADDRESS: 192.147.232.104": [[57, 72]], "IP_ADDRESS: 155.43.176.50": [[75, 88]], "IP_ADDRESS: 10.200.146.127": [[91, 105]], "DOMAIN: node-portal.net": [[108, 123]], "DOMAIN: backupportal.dev": [[126, 142]], "URL: http://login-portal.org/callback": [[151, 183]], "URL: hxxp://auth-portal.site/assets/js/payload.js": [[186, 230]], "EMAIL: confirm@identity-verify.cc": [[248, 274]], "EMAIL: contact@phishing-domain.com": [[277, 304]], "HASH: b6f1a61d1bad0b3bdd53c053a219e215141cf0e5": [[330, 370]], "HASH: 9357ee9a87f0b3a5a52747827d193486": [[378, 410]], "FILEPATH: /tmp/agent.py": [[424, 437]]}, "info": {"id": "synth_v2_01331", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - StealC Campaign:\nNetwork Indicators:\n- 172.204.211.124\n- 10.202.189.97\n- 172.251.151.12\n- api-mail.live\n- logincloud.net\nURLs:\n- hxxp://loginsync.org/secure/token\n- hxxps://storage-portal.live/login\nEmail Senders:\n- account@auth-check.org\n- account@document-share.link\nFile Indicators:\n- SHA1: 29c080e6e2c2798392641c6437e701b8a21c8181\n- SHA256: 3abd5cd585d4c2d4a5bbfa4f2b49e18c0ac3304a5b5a2739a9a84badf402b9e4\n- Drop path: /home/user/.config/implant.so", "spans": {"MALWARE: StealC": [[15, 21]], "IP_ADDRESS: 172.204.211.124": [[54, 69]], "IP_ADDRESS: 10.202.189.97": [[72, 85]], "IP_ADDRESS: 172.251.151.12": [[88, 102]], "DOMAIN: api-mail.live": [[105, 118]], "DOMAIN: logincloud.net": [[121, 135]], "URL: hxxp://loginsync.org/secure/token": [[144, 177]], "URL: hxxps://storage-portal.live/login": [[180, 213]], "EMAIL: account@auth-check.org": [[231, 253]], "EMAIL: account@document-share.link": [[256, 283]], "HASH: 29c080e6e2c2798392641c6437e701b8a21c8181": [[309, 349]], "HASH: 3abd5cd585d4c2d4a5bbfa4f2b49e18c0ac3304a5b5a2739a9a84badf402b9e4": [[360, 424]], "FILEPATH: /home/user/.config/implant.so": [[438, 467]]}, "info": {"id": "synth_v2_01332", "source": "synthetic_v2"}} 
+{"text": "IOC Bulletin - Raccoon Stealer Campaign:\nNetwork Indicators:\n- 172.92.55.93\n- 172.76.4.161\n- 188.116.169.51\n- cloud-auth.io\n- mailgateway.com\nURLs:\n- hxxp://backup-login.xyz/download/update.exe\n- hxxp://update-static.net/collect\nEmail Senders:\n- hr@mail-service.info\n- helpdesk@secure-verify.net\nFile Indicators:\n- MD5: 2f365784ec6f5d320082a74761791338\n- SHA1: 22174846629abdf897517a3bebef2e6fde2ad568\n- Drop path: /usr/local/bin/chrome_helper.exe", "spans": {"MALWARE: Raccoon Stealer": [[15, 30]], "IP_ADDRESS: 172.92.55.93": [[63, 75]], "IP_ADDRESS: 172.76.4.161": [[78, 90]], "IP_ADDRESS: 188.116.169.51": [[93, 107]], "DOMAIN: cloud-auth.io": [[110, 123]], "DOMAIN: mailgateway.com": [[126, 141]], "URL: hxxp://backup-login.xyz/download/update.exe": [[150, 193]], "URL: hxxp://update-static.net/collect": [[196, 228]], "EMAIL: hr@mail-service.info": [[246, 266]], "EMAIL: helpdesk@secure-verify.net": [[269, 295]], "HASH: 2f365784ec6f5d320082a74761791338": [[320, 352]], "HASH: 22174846629abdf897517a3bebef2e6fde2ad568": [[361, 401]], "FILEPATH: /usr/local/bin/chrome_helper.exe": [[415, 447]]}, "info": {"id": "synth_v2_01333", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - SystemBC Campaign:\nNetwork Indicators:\n- 192.248.113.68\n- 192.238.246.152\n- 192.155.23.194\n- auth-auth.site\n- data-api.xyz\nURLs:\n- hxxps://node-auth.top/login\n- http://loginbackup.org/secure/token\nEmail Senders:\n- updates@urgent-notice.online\n- report@identity-verify.cc\nFile Indicators:\n- MD5: b63ed2c1001be9af8a2740982568fd53\n- SHA1: 87f2280f48fc745c3441dc7d28cd80e559053291\n- Drop path: /tmp/winlogon.exe", "spans": {"MALWARE: SystemBC": [[15, 23]], "IP_ADDRESS: 192.248.113.68": [[56, 70]], "IP_ADDRESS: 192.238.246.152": [[73, 88]], "IP_ADDRESS: 192.155.23.194": [[91, 105]], "DOMAIN: auth-auth.site": [[108, 122]], "DOMAIN: data-api.xyz": [[125, 137]], "URL: hxxps://node-auth.top/login": [[146, 173]], "URL: http://loginbackup.org/secure/token": [[176, 211]], 
"EMAIL: updates@urgent-notice.online": [[229, 257]], "EMAIL: report@identity-verify.cc": [[260, 285]], "HASH: b63ed2c1001be9af8a2740982568fd53": [[310, 342]], "HASH: 87f2280f48fc745c3441dc7d28cd80e559053291": [[351, 391]], "FILEPATH: /tmp/winlogon.exe": [[405, 422]]}, "info": {"id": "synth_v2_01334", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - RedLine Stealer Campaign:\nNetwork Indicators:\n- 116.144.177.222\n- 172.109.153.129\n- 10.252.76.81\n- backupsecure.org\n- cloudstorage.net\nURLs:\n- hxxps://edge-update.tech/wp-content/uploads/doc.php\n- hxxp://storagemail.xyz/panel/index.html\nEmail Senders:\n- verify@account-update.xyz\n- admin@mail-service.info\nFile Indicators:\n- SHA256: 29bec2fad252ee8adb42da88f1696fef519e4a94d5f996f09ffbbff0eb0586dd\n- MD5: 13e5661eb6c32a4b8092fe447a422f9d\n- Drop path: C:\\Windows\\Tasks\\lsass.dmp", "spans": {"MALWARE: RedLine Stealer": [[15, 30]], "IP_ADDRESS: 116.144.177.222": [[63, 78]], "IP_ADDRESS: 172.109.153.129": [[81, 96]], "IP_ADDRESS: 10.252.76.81": [[99, 111]], "DOMAIN: backupsecure.org": [[114, 130]], "DOMAIN: cloudstorage.net": [[133, 149]], "URL: hxxps://edge-update.tech/wp-content/uploads/doc.php": [[158, 209]], "URL: hxxp://storagemail.xyz/panel/index.html": [[212, 251]], "EMAIL: verify@account-update.xyz": [[269, 294]], "EMAIL: admin@mail-service.info": [[297, 320]], "HASH: 29bec2fad252ee8adb42da88f1696fef519e4a94d5f996f09ffbbff0eb0586dd": [[348, 412]], "HASH: 13e5661eb6c32a4b8092fe447a422f9d": [[420, 452]], "FILEPATH: C:\\Windows\\Tasks\\lsass.dmp": [[466, 492]]}, "info": {"id": "synth_v2_01335", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Amadey Campaign:\nNetwork Indicators:\n- 98.193.22.137\n- 192.253.153.83\n- 21.66.28.161\n- storagecloud.net\n- portal-edge.tech\nURLs:\n- hxxp://mail-login.site/api/v2/auth\n- hxxps://proxy-backup.club/portal/verify\nEmail Senders:\n- hr@login-portal.tech\n- admin@secure-verify.net\nFile Indicators:\n- SHA1: ffadb0941d0211f24c2f95355f6c8505de41b013\n- SHA256: 
34490179d51a327e29c03215d34a70eb36b82667aaf0adc05d2d25ebb808e411\n- Drop path: C:\\Windows\\Temp\\lsass.dmp", "spans": {"MALWARE: Amadey": [[15, 21]], "IP_ADDRESS: 98.193.22.137": [[54, 67]], "IP_ADDRESS: 192.253.153.83": [[70, 84]], "IP_ADDRESS: 21.66.28.161": [[87, 99]], "DOMAIN: storagecloud.net": [[102, 118]], "DOMAIN: portal-edge.tech": [[121, 137]], "URL: hxxp://mail-login.site/api/v2/auth": [[146, 180]], "URL: hxxps://proxy-backup.club/portal/verify": [[183, 222]], "EMAIL: hr@login-portal.tech": [[240, 260]], "EMAIL: admin@secure-verify.net": [[263, 286]], "HASH: ffadb0941d0211f24c2f95355f6c8505de41b013": [[312, 352]], "HASH: 34490179d51a327e29c03215d34a70eb36b82667aaf0adc05d2d25ebb808e411": [[363, 427]], "FILEPATH: C:\\Windows\\Temp\\lsass.dmp": [[441, 466]]}, "info": {"id": "synth_v2_01336", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Dridex Campaign:\nNetwork Indicators:\n- 74.182.72.152\n- 79.180.236.80\n- 53.109.35.153\n- authauth.top\n- datadata.live\nURLs:\n- http://securestatic.site/login\n- hxxp://update-cdn.club/admin/config\nEmail Senders:\n- finance@login-portal.tech\n- finance@mail-service.info\nFile Indicators:\n- SHA256: 085dadd662b2f8760e0932d7603454ba76f42575405585325038801141c4e708\n- MD5: 73472187b07ff9f4e69561e0b907e3e0\n- Drop path: /dev/shm/csrss.exe", "spans": {"MALWARE: Dridex": [[15, 21]], "IP_ADDRESS: 74.182.72.152": [[54, 67]], "IP_ADDRESS: 79.180.236.80": [[70, 83]], "IP_ADDRESS: 53.109.35.153": [[86, 99]], "DOMAIN: authauth.top": [[102, 114]], "DOMAIN: datadata.live": [[117, 130]], "URL: http://securestatic.site/login": [[139, 169]], "URL: hxxp://update-cdn.club/admin/config": [[172, 207]], "EMAIL: finance@login-portal.tech": [[225, 250]], "EMAIL: finance@mail-service.info": [[253, 278]], "HASH: 085dadd662b2f8760e0932d7603454ba76f42575405585325038801141c4e708": [[306, 370]], "HASH: 73472187b07ff9f4e69561e0b907e3e0": [[378, 410]], "FILEPATH: /dev/shm/csrss.exe": [[424, 442]]}, "info": {"id": "synth_v2_01337", "source": 
"synthetic_v2"}} +{"text": "IOC Bulletin - WarmCookie Campaign:\nNetwork Indicators:\n- 209.211.35.188\n- 172.206.27.243\n- 10.187.78.128\n- cloudrelay.site\n- node-login.online\nURLs:\n- hxxp://cloud-cloud.net/download/update.exe\n- https://data-static.tech/panel/index.html\nEmail Senders:\n- support@credential-check.site\n- admin@mail-service.info\nFile Indicators:\n- MD5: bc0a36e2db133d9ff7ff24bf661253e7\n- SHA1: cd1e551591042e263da38c668ecc2f5233a6f874\n- Drop path: C:\\Windows\\Tasks\\runtime.dll", "spans": {"MALWARE: WarmCookie": [[15, 25]], "IP_ADDRESS: 209.211.35.188": [[58, 72]], "IP_ADDRESS: 172.206.27.243": [[75, 89]], "IP_ADDRESS: 10.187.78.128": [[92, 105]], "DOMAIN: cloudrelay.site": [[108, 123]], "DOMAIN: node-login.online": [[126, 143]], "URL: hxxp://cloud-cloud.net/download/update.exe": [[152, 194]], "URL: https://data-static.tech/panel/index.html": [[197, 238]], "EMAIL: support@credential-check.site": [[256, 285]], "EMAIL: admin@mail-service.info": [[288, 311]], "HASH: bc0a36e2db133d9ff7ff24bf661253e7": [[336, 368]], "HASH: cd1e551591042e263da38c668ecc2f5233a6f874": [[377, 417]], "FILEPATH: C:\\Windows\\Tasks\\runtime.dll": [[431, 459]]}, "info": {"id": "synth_v2_01338", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Conti Campaign:\nNetwork Indicators:\n- 188.111.202.143\n- 80.235.241.186\n- 66.3.235.5\n- portal-portal.site\n- portalupdate.com\nURLs:\n- hxxp://loginsecure.live/api/v2/auth\n- hxxp://edge-login.net/panel/index.html\nEmail Senders:\n- contact@urgent-notice.online\n- security@credential-check.site\nFile Indicators:\n- SHA1: b88242febbe53aa57d3f9f9d17861df140d2faa4\n- MD5: 8f183ce4a25ccbad40407b1daba049a2\n- Drop path: /usr/local/bin/sam.hive", "spans": {"MALWARE: Conti": [[15, 20]], "IP_ADDRESS: 188.111.202.143": [[53, 68]], "IP_ADDRESS: 80.235.241.186": [[71, 85]], "IP_ADDRESS: 66.3.235.5": [[88, 98]], "DOMAIN: portal-portal.site": [[101, 119]], "DOMAIN: portalupdate.com": [[122, 138]], "URL: 
hxxp://loginsecure.live/api/v2/auth": [[147, 182]], "URL: hxxp://edge-login.net/panel/index.html": [[185, 223]], "EMAIL: contact@urgent-notice.online": [[241, 269]], "EMAIL: security@credential-check.site": [[272, 302]], "HASH: b88242febbe53aa57d3f9f9d17861df140d2faa4": [[328, 368]], "HASH: 8f183ce4a25ccbad40407b1daba049a2": [[376, 408]], "FILEPATH: /usr/local/bin/sam.hive": [[422, 445]]}, "info": {"id": "synth_v2_01339", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - BlackCat Campaign:\nNetwork Indicators:\n- 67.110.105.51\n- 172.184.220.146\n- 192.18.205.103\n- cdnsync.io\n- dataauth.org\nURLs:\n- https://cloudstorage.io/collect\n- https://auth-node.top/callback\nEmail Senders:\n- it@secure-verify.net\n- noreply@mail-service.info\nFile Indicators:\n- SHA256: 59e17639660c398276ebd6ee77804edf590f8a660040f317e59c60c3fbcf11ef\n- MD5: fff831dae3141dbd277bb4025a12a6e8\n- Drop path: C:\\Users\\admin\\Downloads\\taskhost.exe", "spans": {"MALWARE: BlackCat": [[15, 23]], "IP_ADDRESS: 67.110.105.51": [[56, 69]], "IP_ADDRESS: 172.184.220.146": [[72, 87]], "IP_ADDRESS: 192.18.205.103": [[90, 104]], "DOMAIN: cdnsync.io": [[107, 117]], "DOMAIN: dataauth.org": [[120, 132]], "URL: https://cloudstorage.io/collect": [[141, 172]], "URL: https://auth-node.top/callback": [[175, 205]], "EMAIL: it@secure-verify.net": [[223, 243]], "EMAIL: noreply@mail-service.info": [[246, 271]], "HASH: 59e17639660c398276ebd6ee77804edf590f8a660040f317e59c60c3fbcf11ef": [[299, 363]], "HASH: fff831dae3141dbd277bb4025a12a6e8": [[371, 403]], "FILEPATH: C:\\Users\\admin\\Downloads\\taskhost.exe": [[417, 454]]}, "info": {"id": "synth_v2_01340", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - TrickBot Campaign:\nNetwork Indicators:\n- 192.120.239.143\n- 172.9.157.144\n- 172.129.48.22\n- storagecache.tech\n- edgemail.cc\nURLs:\n- hxxp://static-data.online/api/v2/auth\n- http://gateway-cloud.dev/secure/token\nEmail Senders:\n- notification@credential-check.site\n- security@credential-check.site\nFile 
Indicators:\n- MD5: 47592911dc23d416384f0faee3f75c38\n- SHA256: fe3acbb4de4452553b29d041509b453814a483ee50ebf37e8b0b9f5475a9d188\n- Drop path: C:\\Users\\admin\\Desktop\\sam.hive", "spans": {"MALWARE: TrickBot": [[15, 23]], "IP_ADDRESS: 192.120.239.143": [[56, 71]], "IP_ADDRESS: 172.9.157.144": [[74, 87]], "IP_ADDRESS: 172.129.48.22": [[90, 103]], "DOMAIN: storagecache.tech": [[106, 123]], "DOMAIN: edgemail.cc": [[126, 137]], "URL: hxxp://static-data.online/api/v2/auth": [[146, 183]], "URL: http://gateway-cloud.dev/secure/token": [[186, 223]], "EMAIL: notification@credential-check.site": [[241, 275]], "EMAIL: security@credential-check.site": [[278, 308]], "HASH: 47592911dc23d416384f0faee3f75c38": [[333, 365]], "HASH: fe3acbb4de4452553b29d041509b453814a483ee50ebf37e8b0b9f5475a9d188": [[376, 440]], "FILEPATH: C:\\Users\\admin\\Desktop\\sam.hive": [[454, 485]]}, "info": {"id": "synth_v2_01341", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - XLoader Campaign:\nNetwork Indicators:\n- 122.249.187.146\n- 172.217.36.54\n- 23.248.131.153\n- cache-mail.xyz\n- edge-edge.link\nURLs:\n- hxxp://proxylogin.xyz/collect\n- https://proxy-portal.net/login\nEmail Senders:\n- support@secure-verify.net\n- info@secure-verify.net\nFile Indicators:\n- MD5: 80681d9ef0f016311bb9c7d7ca8ef498\n- SHA256: 1093a12c2354bae762b94a3ffdafbc42dff2daa7af6fc346bff3bd08b48e6512\n- Drop path: /var/tmp/implant.so", "spans": {"MALWARE: XLoader": [[15, 22]], "IP_ADDRESS: 122.249.187.146": [[55, 70]], "IP_ADDRESS: 172.217.36.54": [[73, 86]], "IP_ADDRESS: 23.248.131.153": [[89, 103]], "DOMAIN: cache-mail.xyz": [[106, 120]], "DOMAIN: edge-edge.link": [[123, 137]], "URL: hxxp://proxylogin.xyz/collect": [[146, 175]], "URL: https://proxy-portal.net/login": [[178, 208]], "EMAIL: support@secure-verify.net": [[226, 251]], "EMAIL: info@secure-verify.net": [[254, 276]], "HASH: 80681d9ef0f016311bb9c7d7ca8ef498": [[301, 333]], "HASH: 1093a12c2354bae762b94a3ffdafbc42dff2daa7af6fc346bff3bd08b48e6512": [[344, 408]], 
"FILEPATH: /var/tmp/implant.so": [[422, 441]]}, "info": {"id": "synth_v2_01342", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Ryuk Campaign:\nNetwork Indicators:\n- 79.0.157.73\n- 192.101.211.249\n- 128.80.38.67\n- api-update.live\n- authportal.link\nURLs:\n- hxxps://backup-static.cc/secure/token\n- hxxps://datanode.top/callback\nEmail Senders:\n- updates@document-share.link\n- notification@identity-verify.cc\nFile Indicators:\n- MD5: 2dcab6a156bdc53f8a7c70981c17c164\n- MD5: c2717fdfad1798af562565d29d51f1e4\n- Drop path: C:\\Windows\\Tasks\\helper.sh", "spans": {"MALWARE: Ryuk": [[15, 19]], "IP_ADDRESS: 79.0.157.73": [[52, 63]], "IP_ADDRESS: 192.101.211.249": [[66, 81]], "IP_ADDRESS: 128.80.38.67": [[84, 96]], "DOMAIN: api-update.live": [[99, 114]], "DOMAIN: authportal.link": [[117, 132]], "URL: hxxps://backup-static.cc/secure/token": [[141, 178]], "URL: hxxps://datanode.top/callback": [[181, 210]], "EMAIL: updates@document-share.link": [[228, 255]], "EMAIL: notification@identity-verify.cc": [[258, 289]], "HASH: 2dcab6a156bdc53f8a7c70981c17c164": [[314, 346]], "HASH: c2717fdfad1798af562565d29d51f1e4": [[354, 386]], "FILEPATH: C:\\Windows\\Tasks\\helper.sh": [[400, 426]]}, "info": {"id": "synth_v2_01343", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Raccoon Stealer Campaign:\nNetwork Indicators:\n- 47.18.201.31\n- 10.99.234.47\n- 79.114.88.15\n- nodeportal.cc\n- securesync.dev\nURLs:\n- http://authmail.tech/collect\n- hxxps://secure-proxy.online/api/v2/auth\nEmail Senders:\n- alert@auth-check.org\n- finance@document-share.link\nFile Indicators:\n- MD5: 1c2787bcd06726f8c84efd405053b2cd\n- SHA1: 546b8a39a58d63ba9c07d935a334bfdffca390df\n- Drop path: C:\\Users\\Public\\Documents\\sam.hive", "spans": {"MALWARE: Raccoon Stealer": [[15, 30]], "IP_ADDRESS: 47.18.201.31": [[63, 75]], "IP_ADDRESS: 10.99.234.47": [[78, 90]], "IP_ADDRESS: 79.114.88.15": [[93, 105]], "DOMAIN: nodeportal.cc": [[108, 121]], "DOMAIN: securesync.dev": [[124, 138]], "URL: 
http://authmail.tech/collect": [[147, 175]], "URL: hxxps://secure-proxy.online/api/v2/auth": [[178, 217]], "EMAIL: alert@auth-check.org": [[235, 255]], "EMAIL: finance@document-share.link": [[258, 285]], "HASH: 1c2787bcd06726f8c84efd405053b2cd": [[310, 342]], "HASH: 546b8a39a58d63ba9c07d935a334bfdffca390df": [[351, 391]], "FILEPATH: C:\\Users\\Public\\Documents\\sam.hive": [[405, 439]]}, "info": {"id": "synth_v2_01344", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Qbot Campaign:\nNetwork Indicators:\n- 192.93.211.2\n- 131.174.208.131\n- 194.32.17.238\n- staticproxy.xyz\n- nodeportal.online\nURLs:\n- https://cloud-gateway.info/gate.php\n- hxxp://secure-portal.xyz/gate.php\nEmail Senders:\n- service@credential-check.site\n- contact@auth-check.org\nFile Indicators:\n- SHA1: 6af97bd5bd69ac3b6e762751ee1614a25874c0e3\n- MD5: 5dd1826e1f625be055df39dabdf52aee\n- Drop path: C:\\Users\\admin\\Desktop\\backdoor.elf", "spans": {"MALWARE: Qbot": [[15, 19]], "IP_ADDRESS: 192.93.211.2": [[52, 64]], "IP_ADDRESS: 131.174.208.131": [[67, 82]], "IP_ADDRESS: 194.32.17.238": [[85, 98]], "DOMAIN: staticproxy.xyz": [[101, 116]], "DOMAIN: nodeportal.online": [[119, 136]], "URL: https://cloud-gateway.info/gate.php": [[145, 180]], "URL: hxxp://secure-portal.xyz/gate.php": [[183, 216]], "EMAIL: service@credential-check.site": [[234, 263]], "EMAIL: contact@auth-check.org": [[266, 288]], "HASH: 6af97bd5bd69ac3b6e762751ee1614a25874c0e3": [[314, 354]], "HASH: 5dd1826e1f625be055df39dabdf52aee": [[362, 394]], "FILEPATH: C:\\Users\\admin\\Desktop\\backdoor.elf": [[408, 443]]}, "info": {"id": "synth_v2_01345", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - NjRAT Campaign:\nNetwork Indicators:\n- 168.198.197.159\n- 210.135.226.191\n- 172.181.122.71\n- syncstorage.top\n- login-sync.com\nURLs:\n- hxxps://proxysecure.cc/panel/index.html\n- https://nodestatic.site/wp-content/uploads/doc.php\nEmail Senders:\n- report@mail-service.info\n- ceo@phishing-domain.com\nFile Indicators:\n- MD5: 
0ebd7020e3a6195d650ab82a25eff750\n- SHA256: d63a9845502610f57557667604ca1985e4b6d7625fab6b216ac0a7c51b2db00c\n- Drop path: /var/tmp/sam.hive", "spans": {"MALWARE: NjRAT": [[15, 20]], "IP_ADDRESS: 168.198.197.159": [[53, 68]], "IP_ADDRESS: 210.135.226.191": [[71, 86]], "IP_ADDRESS: 172.181.122.71": [[89, 103]], "DOMAIN: syncstorage.top": [[106, 121]], "DOMAIN: login-sync.com": [[124, 138]], "URL: hxxps://proxysecure.cc/panel/index.html": [[147, 186]], "URL: https://nodestatic.site/wp-content/uploads/doc.php": [[189, 239]], "EMAIL: report@mail-service.info": [[257, 281]], "EMAIL: ceo@phishing-domain.com": [[284, 307]], "HASH: 0ebd7020e3a6195d650ab82a25eff750": [[332, 364]], "HASH: d63a9845502610f57557667604ca1985e4b6d7625fab6b216ac0a7c51b2db00c": [[375, 439]], "FILEPATH: /var/tmp/sam.hive": [[453, 470]]}, "info": {"id": "synth_v2_01346", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - AgentTesla Campaign:\nNetwork Indicators:\n- 142.16.246.135\n- 172.117.110.51\n- 104.96.95.185\n- data-gateway.cc\n- backupnode.com\nURLs:\n- hxxp://proxy-data.online/login\n- http://apimail.com/wp-content/uploads/doc.php\nEmail Senders:\n- security@mail-service.info\n- admin@auth-check.org\nFile Indicators:\n- SHA1: 150da725e4b372a7c2e568e91ed4abcb8b1c750d\n- MD5: 4660a5a4a779b6ee7e76fd35019d6309\n- Drop path: C:\\Users\\Public\\Documents\\update.dll", "spans": {"MALWARE: AgentTesla": [[15, 25]], "IP_ADDRESS: 142.16.246.135": [[58, 72]], "IP_ADDRESS: 172.117.110.51": [[75, 89]], "IP_ADDRESS: 104.96.95.185": [[92, 105]], "DOMAIN: data-gateway.cc": [[108, 123]], "DOMAIN: backupnode.com": [[126, 140]], "URL: hxxp://proxy-data.online/login": [[149, 179]], "URL: http://apimail.com/wp-content/uploads/doc.php": [[182, 227]], "EMAIL: security@mail-service.info": [[245, 271]], "EMAIL: admin@auth-check.org": [[274, 294]], "HASH: 150da725e4b372a7c2e568e91ed4abcb8b1c750d": [[320, 360]], "HASH: 4660a5a4a779b6ee7e76fd35019d6309": [[368, 400]], "FILEPATH: 
C:\\Users\\Public\\Documents\\update.dll": [[414, 450]]}, "info": {"id": "synth_v2_01347", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - LockBit Campaign:\nNetwork Indicators:\n- 93.117.231.162\n- 53.103.149.237\n- 120.143.218.69\n- gatewaycdn.xyz\n- login-proxy.xyz\nURLs:\n- hxxp://syncauth.tech/login\n- hxxps://apicdn.dev/login\nEmail Senders:\n- security@credential-check.site\n- contact@phishing-domain.com\nFile Indicators:\n- SHA1: 7993218c4a5b649ec929e23876e824739b74a967\n- SHA1: 87856958bb9e7609ae34961071c4d0f5e4627c05\n- Drop path: /dev/shm/dropper.ps1", "spans": {"MALWARE: LockBit": [[15, 22]], "IP_ADDRESS: 93.117.231.162": [[55, 69]], "IP_ADDRESS: 53.103.149.237": [[72, 86]], "IP_ADDRESS: 120.143.218.69": [[89, 103]], "DOMAIN: gatewaycdn.xyz": [[106, 120]], "DOMAIN: login-proxy.xyz": [[123, 138]], "URL: hxxp://syncauth.tech/login": [[147, 173]], "URL: hxxps://apicdn.dev/login": [[176, 200]], "EMAIL: security@credential-check.site": [[218, 248]], "EMAIL: contact@phishing-domain.com": [[251, 278]], "HASH: 7993218c4a5b649ec929e23876e824739b74a967": [[304, 344]], "HASH: 87856958bb9e7609ae34961071c4d0f5e4627c05": [[353, 393]], "FILEPATH: /dev/shm/dropper.ps1": [[407, 427]]}, "info": {"id": "synth_v2_01348", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Conti Campaign:\nNetwork Indicators:\n- 30.200.153.251\n- 152.236.243.145\n- 52.100.120.221\n- gateway-api.info\n- cloudstorage.online\nURLs:\n- hxxp://proxynode.cc/secure/token\n- hxxps://mail-secure.site/download/update.exe\nEmail Senders:\n- updates@phishing-domain.com\n- service@urgent-notice.online\nFile Indicators:\n- SHA1: 9db55880aa016840458f668b5dcb1498115c62a5\n- MD5: 670f6ce6c6954c12a5c86dab633c4f65\n- Drop path: /dev/shm/winlogon.exe", "spans": {"MALWARE: Conti": [[15, 20]], "IP_ADDRESS: 30.200.153.251": [[53, 67]], "IP_ADDRESS: 152.236.243.145": [[70, 85]], "IP_ADDRESS: 52.100.120.221": [[88, 102]], "DOMAIN: gateway-api.info": [[105, 121]], "DOMAIN: cloudstorage.online": [[124, 143]], 
"URL: hxxp://proxynode.cc/secure/token": [[152, 184]], "URL: hxxps://mail-secure.site/download/update.exe": [[187, 231]], "EMAIL: updates@phishing-domain.com": [[249, 276]], "EMAIL: service@urgent-notice.online": [[279, 307]], "HASH: 9db55880aa016840458f668b5dcb1498115c62a5": [[333, 373]], "HASH: 670f6ce6c6954c12a5c86dab633c4f65": [[381, 413]], "FILEPATH: /dev/shm/winlogon.exe": [[427, 448]]}, "info": {"id": "synth_v2_01349", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - XLoader Campaign:\nNetwork Indicators:\n- 16.246.43.163\n- 10.93.122.227\n- 25.111.56.33\n- proxy-relay.info\n- staticcache.io\nURLs:\n- http://cloud-data.online/panel/index.html\n- hxxps://updatestorage.dev/gate.php\nEmail Senders:\n- notification@secure-verify.net\n- support@identity-verify.cc\nFile Indicators:\n- MD5: 551a9ceb44c2a1c984ecca7c5bc6fc28\n- SHA1: b702e4af56af109e2797b7d1a03a3a775bc4e5cb\n- Drop path: /etc/cron.d/taskhost.exe", "spans": {"MALWARE: XLoader": [[15, 22]], "IP_ADDRESS: 16.246.43.163": [[55, 68]], "IP_ADDRESS: 10.93.122.227": [[71, 84]], "IP_ADDRESS: 25.111.56.33": [[87, 99]], "DOMAIN: proxy-relay.info": [[102, 118]], "DOMAIN: staticcache.io": [[121, 135]], "URL: http://cloud-data.online/panel/index.html": [[144, 185]], "URL: hxxps://updatestorage.dev/gate.php": [[188, 222]], "EMAIL: notification@secure-verify.net": [[240, 270]], "EMAIL: support@identity-verify.cc": [[273, 299]], "HASH: 551a9ceb44c2a1c984ecca7c5bc6fc28": [[324, 356]], "HASH: b702e4af56af109e2797b7d1a03a3a775bc4e5cb": [[365, 405]], "FILEPATH: /etc/cron.d/taskhost.exe": [[419, 443]]}, "info": {"id": "synth_v2_01350", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - TrickBot Campaign:\nNetwork Indicators:\n- 69.20.253.10\n- 136.104.154.113\n- 132.100.5.59\n- nodemail.online\n- gateway-storage.top\nURLs:\n- hxxp://backup-sync.cc/gate.php\n- hxxps://node-cdn.cc/wp-content/uploads/doc.php\nEmail Senders:\n- alert@credential-check.site\n- confirm@urgent-notice.online\nFile Indicators:\n- MD5: 
7acf962add48b6963a05c270c99c0e89\n- SHA1: c8298e91e3b748b68edaffd6722a627bd7a41460\n- Drop path: /var/tmp/lsass.dmp", "spans": {"MALWARE: TrickBot": [[15, 23]], "IP_ADDRESS: 69.20.253.10": [[56, 68]], "IP_ADDRESS: 136.104.154.113": [[71, 86]], "IP_ADDRESS: 132.100.5.59": [[89, 101]], "DOMAIN: nodemail.online": [[104, 119]], "DOMAIN: gateway-storage.top": [[122, 141]], "URL: hxxp://backup-sync.cc/gate.php": [[150, 180]], "URL: hxxps://node-cdn.cc/wp-content/uploads/doc.php": [[183, 229]], "EMAIL: alert@credential-check.site": [[247, 274]], "EMAIL: confirm@urgent-notice.online": [[277, 305]], "HASH: 7acf962add48b6963a05c270c99c0e89": [[330, 362]], "HASH: c8298e91e3b748b68edaffd6722a627bd7a41460": [[371, 411]], "FILEPATH: /var/tmp/lsass.dmp": [[425, 443]]}, "info": {"id": "synth_v2_01351", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - SmokeLoader Campaign:\nNetwork Indicators:\n- 192.42.219.127\n- 192.136.133.69\n- 192.161.110.7\n- secure-cdn.online\n- gatewayupdate.live\nURLs:\n- hxxps://gateway-static.cc/api/v2/auth\n- hxxps://securecloud.live/download/update.exe\nEmail Senders:\n- report@document-share.link\n- report@identity-verify.cc\nFile Indicators:\n- SHA1: 740a3f12f091c77f4e641c405a55b087e0ccffc6\n- MD5: 181b790f57196eebf47471ddb550957d\n- Drop path: C:\\Users\\admin\\Desktop\\runtime.dll", "spans": {"MALWARE: SmokeLoader": [[15, 26]], "IP_ADDRESS: 192.42.219.127": [[59, 73]], "IP_ADDRESS: 192.136.133.69": [[76, 90]], "IP_ADDRESS: 192.161.110.7": [[93, 106]], "DOMAIN: secure-cdn.online": [[109, 126]], "DOMAIN: gatewayupdate.live": [[129, 147]], "URL: hxxps://gateway-static.cc/api/v2/auth": [[156, 193]], "URL: hxxps://securecloud.live/download/update.exe": [[196, 240]], "EMAIL: report@document-share.link": [[258, 284]], "EMAIL: report@identity-verify.cc": [[287, 312]], "HASH: 740a3f12f091c77f4e641c405a55b087e0ccffc6": [[338, 378]], "HASH: 181b790f57196eebf47471ddb550957d": [[386, 418]], "FILEPATH: C:\\Users\\admin\\Desktop\\runtime.dll": [[432, 466]]}, 
"info": {"id": "synth_v2_01352", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Play Campaign:\nNetwork Indicators:\n- 192.84.125.92\n- 91.135.1.251\n- 10.225.60.206\n- synccdn.link\n- relay-cloud.dev\nURLs:\n- hxxp://login-static.tech/api/v2/auth\n- hxxp://updateupdate.info/wp-content/uploads/doc.php\nEmail Senders:\n- info@urgent-notice.online\n- noreply@phishing-domain.com\nFile Indicators:\n- SHA256: c456870798580685444a5b5a5147f1807e83b9cf459f517d394e0876c6af6cc9\n- SHA256: 3721dc73ad2e32f6b13ade08e5f7544f875ecffaefbed1731dfdbfd49bcee89c\n- Drop path: C:\\Users\\admin\\Desktop\\loader.exe", "spans": {"MALWARE: Play": [[15, 19]], "IP_ADDRESS: 192.84.125.92": [[52, 65]], "IP_ADDRESS: 91.135.1.251": [[68, 80]], "IP_ADDRESS: 10.225.60.206": [[83, 96]], "DOMAIN: synccdn.link": [[99, 111]], "DOMAIN: relay-cloud.dev": [[114, 129]], "URL: hxxp://login-static.tech/api/v2/auth": [[138, 174]], "URL: hxxp://updateupdate.info/wp-content/uploads/doc.php": [[177, 228]], "EMAIL: info@urgent-notice.online": [[246, 271]], "EMAIL: noreply@phishing-domain.com": [[274, 301]], "HASH: c456870798580685444a5b5a5147f1807e83b9cf459f517d394e0876c6af6cc9": [[329, 393]], "HASH: 3721dc73ad2e32f6b13ade08e5f7544f875ecffaefbed1731dfdbfd49bcee89c": [[404, 468]], "FILEPATH: C:\\Users\\admin\\Desktop\\loader.exe": [[482, 515]]}, "info": {"id": "synth_v2_01353", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - BlackCat Campaign:\nNetwork Indicators:\n- 172.63.16.146\n- 10.177.152.136\n- 182.229.111.235\n- relayproxy.cc\n- cloudcache.link\nURLs:\n- https://sync-storage.top/wp-content/uploads/doc.php\n- hxxp://mail-api.io/gate.php\nEmail Senders:\n- noreply@login-portal.tech\n- account@account-update.xyz\nFile Indicators:\n- SHA1: b565ee4b18d6ae432adbc4a3beb7a995a14568b6\n- SHA1: 70bedfaf1bba22f050f537e73ef6af12c4410ee3\n- Drop path: C:\\Program Files\\Common Files\\backdoor.elf", "spans": {"MALWARE: BlackCat": [[15, 23]], "IP_ADDRESS: 172.63.16.146": [[56, 69]], "IP_ADDRESS: 
10.177.152.136": [[72, 86]], "IP_ADDRESS: 182.229.111.235": [[89, 104]], "DOMAIN: relayproxy.cc": [[107, 120]], "DOMAIN: cloudcache.link": [[123, 138]], "URL: https://sync-storage.top/wp-content/uploads/doc.php": [[147, 198]], "URL: hxxp://mail-api.io/gate.php": [[201, 228]], "EMAIL: noreply@login-portal.tech": [[246, 271]], "EMAIL: account@account-update.xyz": [[274, 300]], "HASH: b565ee4b18d6ae432adbc4a3beb7a995a14568b6": [[326, 366]], "HASH: 70bedfaf1bba22f050f537e73ef6af12c4410ee3": [[375, 415]], "FILEPATH: C:\\Program Files\\Common Files\\backdoor.elf": [[429, 471]]}, "info": {"id": "synth_v2_01354", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - BlackCat Campaign:\nNetwork Indicators:\n- 223.50.175.48\n- 94.239.214.199\n- 172.173.21.63\n- node-auth.cc\n- staticstorage.live\nURLs:\n- https://portalauth.top/login\n- hxxps://nodeedge.info/assets/js/payload.js\nEmail Senders:\n- ceo@phishing-domain.com\n- account@document-share.link\nFile Indicators:\n- MD5: 258fab9e2529229c6de3dfaef1e88dde\n- MD5: d59cb1311361570914bb7413bffa607c\n- Drop path: C:\\Windows\\System32\\backdoor.elf", "spans": {"MALWARE: BlackCat": [[15, 23]], "IP_ADDRESS: 223.50.175.48": [[56, 69]], "IP_ADDRESS: 94.239.214.199": [[72, 86]], "IP_ADDRESS: 172.173.21.63": [[89, 102]], "DOMAIN: node-auth.cc": [[105, 117]], "DOMAIN: staticstorage.live": [[120, 138]], "URL: https://portalauth.top/login": [[147, 175]], "URL: hxxps://nodeedge.info/assets/js/payload.js": [[178, 220]], "EMAIL: ceo@phishing-domain.com": [[238, 261]], "EMAIL: account@document-share.link": [[264, 291]], "HASH: 258fab9e2529229c6de3dfaef1e88dde": [[316, 348]], "HASH: d59cb1311361570914bb7413bffa607c": [[356, 388]], "FILEPATH: C:\\Windows\\System32\\backdoor.elf": [[402, 434]]}, "info": {"id": "synth_v2_01355", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Gootloader Campaign:\nNetwork Indicators:\n- 183.148.21.61\n- 7.227.211.153\n- 89.180.107.95\n- nodenode.net\n- node-login.top\nURLs:\n- 
http://storagebackup.online/admin/config\n- hxxp://proxysync.tech/secure/token\nEmail Senders:\n- finance@secure-verify.net\n- noreply@login-portal.tech\nFile Indicators:\n- SHA256: c6a1a61ccf9355019618d9098e7293a52705eb1970671a17610cb5cbbde47463\n- MD5: cd3c9442c3b22cf36a91fa3c2528dfb1\n- Drop path: C:\\Windows\\Tasks\\payload.bin", "spans": {"MALWARE: Gootloader": [[15, 25]], "IP_ADDRESS: 183.148.21.61": [[58, 71]], "IP_ADDRESS: 7.227.211.153": [[74, 87]], "IP_ADDRESS: 89.180.107.95": [[90, 103]], "DOMAIN: nodenode.net": [[106, 118]], "DOMAIN: node-login.top": [[121, 135]], "URL: http://storagebackup.online/admin/config": [[144, 184]], "URL: hxxp://proxysync.tech/secure/token": [[187, 221]], "EMAIL: finance@secure-verify.net": [[239, 264]], "EMAIL: noreply@login-portal.tech": [[267, 292]], "HASH: c6a1a61ccf9355019618d9098e7293a52705eb1970671a17610cb5cbbde47463": [[320, 384]], "HASH: cd3c9442c3b22cf36a91fa3c2528dfb1": [[392, 424]], "FILEPATH: C:\\Windows\\Tasks\\payload.bin": [[438, 466]]}, "info": {"id": "synth_v2_01356", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Gootloader Campaign:\nNetwork Indicators:\n- 172.240.19.5\n- 16.145.169.229\n- 154.145.158.146\n- relaysync.dev\n- gateway-gateway.org\nURLs:\n- hxxp://gatewayproxy.net/secure/token\n- hxxps://cachedata.tech/download/update.exe\nEmail Senders:\n- updates@identity-verify.cc\n- updates@mail-service.info\nFile Indicators:\n- SHA256: b102ef9a844d13d0780b335718c900eb509c1053fcc7492419ef1b587847ba64\n- SHA1: e5fe2c191add2147fac52f868b5633d009c832dc\n- Drop path: C:\\Windows\\Temp\\lsass.dmp", "spans": {"MALWARE: Gootloader": [[15, 25]], "IP_ADDRESS: 172.240.19.5": [[58, 70]], "IP_ADDRESS: 16.145.169.229": [[73, 87]], "IP_ADDRESS: 154.145.158.146": [[90, 105]], "DOMAIN: relaysync.dev": [[108, 121]], "DOMAIN: gateway-gateway.org": [[124, 143]], "URL: hxxp://gatewayproxy.net/secure/token": [[152, 188]], "URL: hxxps://cachedata.tech/download/update.exe": [[191, 233]], "EMAIL: 
updates@identity-verify.cc": [[251, 277]], "EMAIL: updates@mail-service.info": [[280, 305]], "HASH: b102ef9a844d13d0780b335718c900eb509c1053fcc7492419ef1b587847ba64": [[333, 397]], "HASH: e5fe2c191add2147fac52f868b5633d009c832dc": [[406, 446]], "FILEPATH: C:\\Windows\\Temp\\lsass.dmp": [[460, 485]]}, "info": {"id": "synth_v2_01357", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - AsyncRAT Campaign:\nNetwork Indicators:\n- 10.78.251.38\n- 102.184.101.207\n- 172.188.57.178\n- sync-auth.online\n- cdn-storage.info\nURLs:\n- https://backup-mail.tech/secure/token\n- hxxp://secureauth.site/wp-content/uploads/doc.php\nEmail Senders:\n- it@credential-check.site\n- contact@identity-verify.cc\nFile Indicators:\n- MD5: 5a379577ed538e85d6937eaf93624e64\n- MD5: 65a7513e39ca007ffe47222540750fb5\n- Drop path: C:\\Users\\admin\\AppData\\Local\\Temp\\dropper.ps1", "spans": {"MALWARE: AsyncRAT": [[15, 23]], "IP_ADDRESS: 10.78.251.38": [[56, 68]], "IP_ADDRESS: 102.184.101.207": [[71, 86]], "IP_ADDRESS: 172.188.57.178": [[89, 103]], "DOMAIN: sync-auth.online": [[106, 122]], "DOMAIN: cdn-storage.info": [[125, 141]], "URL: https://backup-mail.tech/secure/token": [[150, 187]], "URL: hxxp://secureauth.site/wp-content/uploads/doc.php": [[190, 239]], "EMAIL: it@credential-check.site": [[257, 281]], "EMAIL: contact@identity-verify.cc": [[284, 310]], "HASH: 5a379577ed538e85d6937eaf93624e64": [[335, 367]], "HASH: 65a7513e39ca007ffe47222540750fb5": [[375, 407]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\dropper.ps1": [[421, 466]]}, "info": {"id": "synth_v2_01358", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Meduza Stealer Campaign:\nNetwork Indicators:\n- 195.3.154.254\n- 10.213.26.76\n- 10.242.45.95\n- proxyedge.tech\n- api-cache.online\nURLs:\n- hxxps://portal-edge.site/collect\n- https://api-gateway.com/admin/config\nEmail Senders:\n- admin@secure-verify.net\n- support@auth-check.org\nFile Indicators:\n- SHA1: 5a1ba9639e0aca120d7058eccbb078f1c04207e7\n- SHA256: 
ccc24be92f4312adb74e854f2efe2f66b9b8e983dd4bb852805e0d29aa2eedd6\n- Drop path: /etc/cron.d/dropper.ps1", "spans": {"MALWARE: Meduza Stealer": [[15, 29]], "IP_ADDRESS: 195.3.154.254": [[62, 75]], "IP_ADDRESS: 10.213.26.76": [[78, 90]], "IP_ADDRESS: 10.242.45.95": [[93, 105]], "DOMAIN: proxyedge.tech": [[108, 122]], "DOMAIN: api-cache.online": [[125, 141]], "URL: hxxps://portal-edge.site/collect": [[150, 182]], "URL: https://api-gateway.com/admin/config": [[185, 221]], "EMAIL: admin@secure-verify.net": [[239, 262]], "EMAIL: support@auth-check.org": [[265, 287]], "HASH: 5a1ba9639e0aca120d7058eccbb078f1c04207e7": [[313, 353]], "HASH: ccc24be92f4312adb74e854f2efe2f66b9b8e983dd4bb852805e0d29aa2eedd6": [[364, 428]], "FILEPATH: /etc/cron.d/dropper.ps1": [[442, 465]]}, "info": {"id": "synth_v2_01359", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Hive Campaign:\nNetwork Indicators:\n- 10.55.189.216\n- 10.22.82.104\n- 13.16.97.176\n- cloud-cache.site\n- proxy-cache.com\nURLs:\n- http://edge-edge.top/panel/index.html\n- hxxp://api-edge.io/panel/index.html\nEmail Senders:\n- finance@mail-service.info\n- updates@urgent-notice.online\nFile Indicators:\n- SHA256: d1fa2600fc7ace70a495a7f756c4e31cb6e5357b92462192f8c6670d5a9f9235\n- SHA256: 532af15d397f559d27aa6b830ace1e0f7acfeb9c37539868a33c5770720f933a\n- Drop path: C:\\Users\\Public\\Documents\\ntds.dit", "spans": {"MALWARE: Hive": [[15, 19]], "IP_ADDRESS: 10.55.189.216": [[52, 65]], "IP_ADDRESS: 10.22.82.104": [[68, 80]], "IP_ADDRESS: 13.16.97.176": [[83, 95]], "DOMAIN: cloud-cache.site": [[98, 114]], "DOMAIN: proxy-cache.com": [[117, 132]], "URL: http://edge-edge.top/panel/index.html": [[141, 178]], "URL: hxxp://api-edge.io/panel/index.html": [[181, 216]], "EMAIL: finance@mail-service.info": [[234, 259]], "EMAIL: updates@urgent-notice.online": [[262, 290]], "HASH: d1fa2600fc7ace70a495a7f756c4e31cb6e5357b92462192f8c6670d5a9f9235": [[318, 382]], "HASH: 532af15d397f559d27aa6b830ace1e0f7acfeb9c37539868a33c5770720f933a": 
[[393, 457]], "FILEPATH: C:\\Users\\Public\\Documents\\ntds.dit": [[471, 505]]}, "info": {"id": "synth_v2_01360", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - PlugX Campaign:\nNetwork Indicators:\n- 104.127.139.226\n- 192.4.119.77\n- 10.150.95.191\n- gatewaybackup.online\n- logingateway.info\nURLs:\n- hxxp://relayedge.xyz/gate.php\n- https://gatewaydata.online/panel/index.html\nEmail Senders:\n- info@urgent-notice.online\n- verify@credential-check.site\nFile Indicators:\n- MD5: b75b92c87205bc8287536ac5373d60ee\n- SHA256: 1d765e1b60be7905b5c7428f97204644bcdbf19a837fbed7fdaf58f7e2425c28\n- Drop path: /home/user/.config/backdoor.elf", "spans": {"MALWARE: PlugX": [[15, 20]], "IP_ADDRESS: 104.127.139.226": [[53, 68]], "IP_ADDRESS: 192.4.119.77": [[71, 83]], "IP_ADDRESS: 10.150.95.191": [[86, 99]], "DOMAIN: gatewaybackup.online": [[102, 122]], "DOMAIN: logingateway.info": [[125, 142]], "URL: hxxp://relayedge.xyz/gate.php": [[151, 180]], "URL: https://gatewaydata.online/panel/index.html": [[183, 226]], "EMAIL: info@urgent-notice.online": [[244, 269]], "EMAIL: verify@credential-check.site": [[272, 300]], "HASH: b75b92c87205bc8287536ac5373d60ee": [[325, 357]], "HASH: 1d765e1b60be7905b5c7428f97204644bcdbf19a837fbed7fdaf58f7e2425c28": [[368, 432]], "FILEPATH: /home/user/.config/backdoor.elf": [[446, 477]]}, "info": {"id": "synth_v2_01361", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Meduza Stealer Campaign:\nNetwork Indicators:\n- 172.198.228.170\n- 172.131.196.209\n- 192.171.127.24\n- storagegateway.site\n- logincloud.cc\nURLs:\n- hxxps://portal-cache.link/panel/index.html\n- http://synccache.site/callback\nEmail Senders:\n- account@secure-verify.net\n- alert@urgent-notice.online\nFile Indicators:\n- MD5: 29a013da185ffed3cdc81f49d9f45281\n- SHA256: 8c48ea123505cf95c2dd8af118eda22c1957924148290661245a10abbbc56c65\n- Drop path: C:\\Users\\admin\\Downloads\\payload.bin", "spans": {"MALWARE: Meduza Stealer": [[15, 29]], "IP_ADDRESS: 172.198.228.170": [[62, 77]], 
"IP_ADDRESS: 172.131.196.209": [[80, 95]], "IP_ADDRESS: 192.171.127.24": [[98, 112]], "DOMAIN: storagegateway.site": [[115, 134]], "DOMAIN: logincloud.cc": [[137, 150]], "URL: hxxps://portal-cache.link/panel/index.html": [[159, 201]], "URL: http://synccache.site/callback": [[204, 234]], "EMAIL: account@secure-verify.net": [[252, 277]], "EMAIL: alert@urgent-notice.online": [[280, 306]], "HASH: 29a013da185ffed3cdc81f49d9f45281": [[331, 363]], "HASH: 8c48ea123505cf95c2dd8af118eda22c1957924148290661245a10abbbc56c65": [[374, 438]], "FILEPATH: C:\\Users\\admin\\Downloads\\payload.bin": [[452, 488]]}, "info": {"id": "synth_v2_01362", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - DanaBot Campaign:\nNetwork Indicators:\n- 10.69.136.99\n- 36.95.26.58\n- 54.117.248.181\n- cdnportal.top\n- cloud-node.site\nURLs:\n- hxxps://proxynode.xyz/portal/verify\n- https://storagecache.site/admin/config\nEmail Senders:\n- updates@identity-verify.cc\n- it@credential-check.site\nFile Indicators:\n- MD5: 77ca40681e9cefb7f89774df2a0f9a67\n- MD5: 5290c75b26f5f51e8dd06fdb4de55b1f\n- Drop path: C:\\Users\\admin\\Desktop\\dropper.ps1", "spans": {"MALWARE: DanaBot": [[15, 22]], "IP_ADDRESS: 10.69.136.99": [[55, 67]], "IP_ADDRESS: 36.95.26.58": [[70, 81]], "IP_ADDRESS: 54.117.248.181": [[84, 98]], "DOMAIN: cdnportal.top": [[101, 114]], "DOMAIN: cloud-node.site": [[117, 132]], "URL: hxxps://proxynode.xyz/portal/verify": [[141, 176]], "URL: https://storagecache.site/admin/config": [[179, 217]], "EMAIL: updates@identity-verify.cc": [[235, 261]], "EMAIL: it@credential-check.site": [[264, 288]], "HASH: 77ca40681e9cefb7f89774df2a0f9a67": [[313, 345]], "HASH: 5290c75b26f5f51e8dd06fdb4de55b1f": [[353, 385]], "FILEPATH: C:\\Users\\admin\\Desktop\\dropper.ps1": [[399, 433]]}, "info": {"id": "synth_v2_01363", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Emotet Campaign:\nNetwork Indicators:\n- 172.172.34.218\n- 172.245.217.67\n- 155.135.109.248\n- datasecure.online\n- mail-gateway.net\nURLs:\n- 
https://cloudsync.link/download/update.exe\n- hxxps://cdn-backup.org/admin/config\nEmail Senders:\n- account@identity-verify.cc\n- updates@mail-service.info\nFile Indicators:\n- MD5: 46a4569873d889049a1d753e4dabd081\n- MD5: 1d48627ad9803a9483bb2f35dc07ff08\n- Drop path: C:\\Windows\\Tasks\\taskhost.exe", "spans": {"MALWARE: Emotet": [[15, 21]], "IP_ADDRESS: 172.172.34.218": [[54, 68]], "IP_ADDRESS: 172.245.217.67": [[71, 85]], "IP_ADDRESS: 155.135.109.248": [[88, 103]], "DOMAIN: datasecure.online": [[106, 123]], "DOMAIN: mail-gateway.net": [[126, 142]], "URL: https://cloudsync.link/download/update.exe": [[151, 193]], "URL: hxxps://cdn-backup.org/admin/config": [[196, 231]], "EMAIL: account@identity-verify.cc": [[249, 275]], "EMAIL: updates@mail-service.info": [[278, 303]], "HASH: 46a4569873d889049a1d753e4dabd081": [[328, 360]], "HASH: 1d48627ad9803a9483bb2f35dc07ff08": [[368, 400]], "FILEPATH: C:\\Windows\\Tasks\\taskhost.exe": [[414, 443]]}, "info": {"id": "synth_v2_01364", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - RedLine Stealer Campaign:\nNetwork Indicators:\n- 10.127.166.22\n- 192.177.11.206\n- 105.191.51.61\n- storage-edge.tech\n- edge-api.top\nURLs:\n- http://secure-cache.io/callback\n- http://cloudsecure.live/admin/config\nEmail Senders:\n- notification@phishing-domain.com\n- hr@account-update.xyz\nFile Indicators:\n- MD5: e2efa864227154296272868b00ecc8e0\n- SHA256: 1db8887e9c0c2a4026bc2ff479ac10e131765e5f503d95fbe7a9d8a2902dd980\n- Drop path: /tmp/runtime.dll", "spans": {"MALWARE: RedLine Stealer": [[15, 30]], "IP_ADDRESS: 10.127.166.22": [[63, 76]], "IP_ADDRESS: 192.177.11.206": [[79, 93]], "IP_ADDRESS: 105.191.51.61": [[96, 109]], "DOMAIN: storage-edge.tech": [[112, 129]], "DOMAIN: edge-api.top": [[132, 144]], "URL: http://secure-cache.io/callback": [[153, 184]], "URL: http://cloudsecure.live/admin/config": [[187, 223]], "EMAIL: notification@phishing-domain.com": [[241, 273]], "EMAIL: hr@account-update.xyz": [[276, 297]], "HASH: 
e2efa864227154296272868b00ecc8e0": [[322, 354]], "HASH: 1db8887e9c0c2a4026bc2ff479ac10e131765e5f503d95fbe7a9d8a2902dd980": [[365, 429]], "FILEPATH: /tmp/runtime.dll": [[443, 459]]}, "info": {"id": "synth_v2_01365", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Latrodectus Campaign:\nNetwork Indicators:\n- 10.205.20.236\n- 192.251.22.10\n- 39.64.41.136\n- mailrelay.dev\n- cachegateway.tech\nURLs:\n- hxxps://storage-login.online/assets/js/payload.js\n- http://mail-static.cc/api/v2/auth\nEmail Senders:\n- alert@mail-service.info\n- billing@auth-check.org\nFile Indicators:\n- SHA1: c071fbae3550fb7e50e7d112a7f0d450f3ae2ad5\n- SHA1: fefcc6e631c1ef450715220f048b04f50993f717\n- Drop path: /tmp/update.dll", "spans": {"MALWARE: Latrodectus": [[15, 26]], "IP_ADDRESS: 10.205.20.236": [[59, 72]], "IP_ADDRESS: 192.251.22.10": [[75, 88]], "IP_ADDRESS: 39.64.41.136": [[91, 103]], "DOMAIN: mailrelay.dev": [[106, 119]], "DOMAIN: cachegateway.tech": [[122, 139]], "URL: hxxps://storage-login.online/assets/js/payload.js": [[148, 197]], "URL: http://mail-static.cc/api/v2/auth": [[200, 233]], "EMAIL: alert@mail-service.info": [[251, 274]], "EMAIL: billing@auth-check.org": [[277, 299]], "HASH: c071fbae3550fb7e50e7d112a7f0d450f3ae2ad5": [[325, 365]], "HASH: fefcc6e631c1ef450715220f048b04f50993f717": [[374, 414]], "FILEPATH: /tmp/update.dll": [[428, 443]]}, "info": {"id": "synth_v2_01366", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - AsyncRAT Campaign:\nNetwork Indicators:\n- 192.247.245.188\n- 32.113.20.110\n- 10.78.71.28\n- edgecache.online\n- storagecloud.live\nURLs:\n- hxxp://relaydata.live/login\n- hxxp://dataapi.cc/gate.php\nEmail Senders:\n- finance@login-portal.tech\n- info@account-update.xyz\nFile Indicators:\n- MD5: e6c8135ce1e60577dd0b360d2bc3a567\n- SHA256: fe12a6b81f4a91e94fc6c7b02cc4ea66eb5e158925669fa7dfe4b243209513d3\n- Drop path: C:\\Program Files\\Common Files\\ntds.dit", "spans": {"MALWARE: AsyncRAT": [[15, 23]], "IP_ADDRESS: 192.247.245.188": [[56, 71]], 
"IP_ADDRESS: 32.113.20.110": [[74, 87]], "IP_ADDRESS: 10.78.71.28": [[90, 101]], "DOMAIN: edgecache.online": [[104, 120]], "DOMAIN: storagecloud.live": [[123, 140]], "URL: hxxp://relaydata.live/login": [[149, 176]], "URL: hxxp://dataapi.cc/gate.php": [[179, 205]], "EMAIL: finance@login-portal.tech": [[223, 248]], "EMAIL: info@account-update.xyz": [[251, 274]], "HASH: e6c8135ce1e60577dd0b360d2bc3a567": [[299, 331]], "HASH: fe12a6b81f4a91e94fc6c7b02cc4ea66eb5e158925669fa7dfe4b243209513d3": [[342, 406]], "FILEPATH: C:\\Program Files\\Common Files\\ntds.dit": [[420, 458]]}, "info": {"id": "synth_v2_01367", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - FormBook Campaign:\nNetwork Indicators:\n- 102.22.89.57\n- 172.44.211.248\n- 87.11.214.196\n- sync-relay.tech\n- storagelogin.site\nURLs:\n- http://data-portal.top/assets/js/payload.js\n- https://login-relay.club/api/v2/auth\nEmail Senders:\n- admin@phishing-domain.com\n- it@identity-verify.cc\nFile Indicators:\n- MD5: 42dc4c381a108d36af9abc0ca1d81fdb\n- SHA256: 2c5ffb2bf5b6595d8385c5811c5bf4a41fadafbe0b1b3d9ff09bbb09e67a7c6c\n- Drop path: /dev/shm/update.dll", "spans": {"MALWARE: FormBook": [[15, 23]], "IP_ADDRESS: 102.22.89.57": [[56, 68]], "IP_ADDRESS: 172.44.211.248": [[71, 85]], "IP_ADDRESS: 87.11.214.196": [[88, 101]], "DOMAIN: sync-relay.tech": [[104, 119]], "DOMAIN: storagelogin.site": [[122, 139]], "URL: http://data-portal.top/assets/js/payload.js": [[148, 191]], "URL: https://login-relay.club/api/v2/auth": [[194, 230]], "EMAIL: admin@phishing-domain.com": [[248, 273]], "EMAIL: it@identity-verify.cc": [[276, 297]], "HASH: 42dc4c381a108d36af9abc0ca1d81fdb": [[322, 354]], "HASH: 2c5ffb2bf5b6595d8385c5811c5bf4a41fadafbe0b1b3d9ff09bbb09e67a7c6c": [[365, 429]], "FILEPATH: /dev/shm/update.dll": [[443, 462]]}, "info": {"id": "synth_v2_01368", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - XLoader Campaign:\nNetwork Indicators:\n- 172.236.38.198\n- 10.42.46.218\n- 117.103.92.249\n- mail-cloud.cc\n- 
data-update.top\nURLs:\n- http://cachestorage.net/secure/token\n- https://cdnrelay.cc/wp-content/uploads/doc.php\nEmail Senders:\n- noreply@secure-verify.net\n- account@login-portal.tech\nFile Indicators:\n- MD5: f1b0808326dd9956e90722f48a34d3d3\n- MD5: 15c1c1faf54bef327d3f60ea6848a960\n- Drop path: C:\\Users\\admin\\AppData\\Local\\Temp\\payload.bin", "spans": {"MALWARE: XLoader": [[15, 22]], "IP_ADDRESS: 172.236.38.198": [[55, 69]], "IP_ADDRESS: 10.42.46.218": [[72, 84]], "IP_ADDRESS: 117.103.92.249": [[87, 101]], "DOMAIN: mail-cloud.cc": [[104, 117]], "DOMAIN: data-update.top": [[120, 135]], "URL: http://cachestorage.net/secure/token": [[144, 180]], "URL: https://cdnrelay.cc/wp-content/uploads/doc.php": [[183, 229]], "EMAIL: noreply@secure-verify.net": [[247, 272]], "EMAIL: account@login-portal.tech": [[275, 300]], "HASH: f1b0808326dd9956e90722f48a34d3d3": [[325, 357]], "HASH: 15c1c1faf54bef327d3f60ea6848a960": [[365, 397]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\payload.bin": [[411, 456]]}, "info": {"id": "synth_v2_01369", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - SystemBC Campaign:\nNetwork Indicators:\n- 172.135.211.192\n- 161.169.56.147\n- 10.17.155.18\n- storage-backup.io\n- storage-auth.com\nURLs:\n- https://backup-portal.link/assets/js/payload.js\n- hxxp://data-gateway.xyz/login\nEmail Senders:\n- ceo@credential-check.site\n- it@mail-service.info\nFile Indicators:\n- SHA1: 9c8023e2644212672bb29ef26762b48684527ded\n- SHA256: fd90035a8114371fac5438db33c8033a0c3d6e92633d779e95292fe733d6650c\n- Drop path: /tmp/sam.hive", "spans": {"MALWARE: SystemBC": [[15, 23]], "IP_ADDRESS: 172.135.211.192": [[56, 71]], "IP_ADDRESS: 161.169.56.147": [[74, 88]], "IP_ADDRESS: 10.17.155.18": [[91, 103]], "DOMAIN: storage-backup.io": [[106, 123]], "DOMAIN: storage-auth.com": [[126, 142]], "URL: https://backup-portal.link/assets/js/payload.js": [[151, 198]], "URL: hxxp://data-gateway.xyz/login": [[201, 230]], "EMAIL: ceo@credential-check.site": [[248, 
273]], "EMAIL: it@mail-service.info": [[276, 296]], "HASH: 9c8023e2644212672bb29ef26762b48684527ded": [[322, 362]], "HASH: fd90035a8114371fac5438db33c8033a0c3d6e92633d779e95292fe733d6650c": [[373, 437]], "FILEPATH: /tmp/sam.hive": [[451, 464]]}, "info": {"id": "synth_v2_01370", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - QakBot Campaign:\nNetwork Indicators:\n- 192.144.61.104\n- 60.230.229.9\n- 10.236.5.213\n- relaycdn.net\n- storage-static.org\nURLs:\n- http://cloud-cache.club/api/v2/auth\n- hxxps://edgemail.site/gate.php\nEmail Senders:\n- service@document-share.link\n- updates@auth-check.org\nFile Indicators:\n- SHA1: 30b6d46ae0ac298a350af087c07fe4b56170f12c\n- SHA1: f1501bbf40d1f2220f9909f88a8de237705be150\n- Drop path: C:\\Users\\admin\\AppData\\Local\\Temp\\csrss.exe", "spans": {"MALWARE: QakBot": [[15, 21]], "IP_ADDRESS: 192.144.61.104": [[54, 68]], "IP_ADDRESS: 60.230.229.9": [[71, 83]], "IP_ADDRESS: 10.236.5.213": [[86, 98]], "DOMAIN: relaycdn.net": [[101, 113]], "DOMAIN: storage-static.org": [[116, 134]], "URL: http://cloud-cache.club/api/v2/auth": [[143, 178]], "URL: hxxps://edgemail.site/gate.php": [[181, 211]], "EMAIL: service@document-share.link": [[229, 256]], "EMAIL: updates@auth-check.org": [[259, 281]], "HASH: 30b6d46ae0ac298a350af087c07fe4b56170f12c": [[307, 347]], "HASH: f1501bbf40d1f2220f9909f88a8de237705be150": [[356, 396]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\csrss.exe": [[410, 453]]}, "info": {"id": "synth_v2_01371", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - StealC Campaign:\nNetwork Indicators:\n- 172.121.122.8\n- 10.177.185.229\n- 172.96.126.184\n- proxy-cache.xyz\n- backupproxy.com\nURLs:\n- https://backupcdn.site/assets/js/payload.js\n- https://maillogin.club/collect\nEmail Senders:\n- billing@auth-check.org\n- updates@phishing-domain.com\nFile Indicators:\n- SHA1: 8724051af97f3d6d63f6d2c1ed3fa0fb28fe4ec6\n- SHA1: 9d213cb5591ab0708751609d18e20eefc97a35be\n- Drop path: /dev/shm/lsass.dmp", "spans": 
{"MALWARE: StealC": [[15, 21]], "IP_ADDRESS: 172.121.122.8": [[54, 67]], "IP_ADDRESS: 10.177.185.229": [[70, 84]], "IP_ADDRESS: 172.96.126.184": [[87, 101]], "DOMAIN: proxy-cache.xyz": [[104, 119]], "DOMAIN: backupproxy.com": [[122, 137]], "URL: https://backupcdn.site/assets/js/payload.js": [[146, 189]], "URL: https://maillogin.club/collect": [[192, 222]], "EMAIL: billing@auth-check.org": [[240, 262]], "EMAIL: updates@phishing-domain.com": [[265, 292]], "HASH: 8724051af97f3d6d63f6d2c1ed3fa0fb28fe4ec6": [[318, 358]], "HASH: 9d213cb5591ab0708751609d18e20eefc97a35be": [[367, 407]], "FILEPATH: /dev/shm/lsass.dmp": [[421, 439]]}, "info": {"id": "synth_v2_01372", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - RedLine Stealer Campaign:\nNetwork Indicators:\n- 192.133.200.47\n- 172.164.217.38\n- 172.56.81.106\n- login-portal.link\n- auth-edge.site\nURLs:\n- hxxp://update-static.dev/callback\n- https://cache-api.cc/collect\nEmail Senders:\n- admin@urgent-notice.online\n- info@credential-check.site\nFile Indicators:\n- SHA1: d2bf09f886129b6fca988b8f2f7cf43950e9a613\n- SHA256: 2546eb6d93eb3abfea5139a395dba6467d4c751dcf7b8f32cf4a57e556cd7a34\n- Drop path: C:\\Users\\admin\\AppData\\Local\\Temp\\update.dll", "spans": {"MALWARE: RedLine Stealer": [[15, 30]], "IP_ADDRESS: 192.133.200.47": [[63, 77]], "IP_ADDRESS: 172.164.217.38": [[80, 94]], "IP_ADDRESS: 172.56.81.106": [[97, 110]], "DOMAIN: login-portal.link": [[113, 130]], "DOMAIN: auth-edge.site": [[133, 147]], "URL: hxxp://update-static.dev/callback": [[156, 189]], "URL: https://cache-api.cc/collect": [[192, 220]], "EMAIL: admin@urgent-notice.online": [[238, 264]], "EMAIL: info@credential-check.site": [[267, 293]], "HASH: d2bf09f886129b6fca988b8f2f7cf43950e9a613": [[319, 359]], "HASH: 2546eb6d93eb3abfea5139a395dba6467d4c751dcf7b8f32cf4a57e556cd7a34": [[370, 434]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\update.dll": [[448, 492]]}, "info": {"id": "synth_v2_01373", "source": "synthetic_v2"}} +{"text": "IOC 
Bulletin - Hive Campaign:\nNetwork Indicators:\n- 172.207.86.136\n- 172.236.238.211\n- 218.253.25.22\n- cacherelay.org\n- nodelogin.dev\nURLs:\n- http://gatewaystatic.dev/portal/verify\n- hxxp://updateproxy.online/admin/config\nEmail Senders:\n- ceo@document-share.link\n- it@identity-verify.cc\nFile Indicators:\n- SHA256: b2e8b42d7488ffc3ed65fe94f7748b7df0227c8c5e05d74360f5400c35490242\n- SHA256: 9dc3b4790af4f3e8359a4fc0a5aa0f948b1d62fa37d5ebe7fdc379644ce29eea\n- Drop path: C:\\Users\\Public\\Documents\\shell.php", "spans": {"MALWARE: Hive": [[15, 19]], "IP_ADDRESS: 172.207.86.136": [[52, 66]], "IP_ADDRESS: 172.236.238.211": [[69, 84]], "IP_ADDRESS: 218.253.25.22": [[87, 100]], "DOMAIN: cacherelay.org": [[103, 117]], "DOMAIN: nodelogin.dev": [[120, 133]], "URL: http://gatewaystatic.dev/portal/verify": [[142, 180]], "URL: hxxp://updateproxy.online/admin/config": [[183, 221]], "EMAIL: ceo@document-share.link": [[239, 262]], "EMAIL: it@identity-verify.cc": [[265, 286]], "HASH: b2e8b42d7488ffc3ed65fe94f7748b7df0227c8c5e05d74360f5400c35490242": [[314, 378]], "HASH: 9dc3b4790af4f3e8359a4fc0a5aa0f948b1d62fa37d5ebe7fdc379644ce29eea": [[389, 453]], "FILEPATH: C:\\Users\\Public\\Documents\\shell.php": [[467, 502]]}, "info": {"id": "synth_v2_01374", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - REvil Campaign:\nNetwork Indicators:\n- 10.181.61.249\n- 172.205.122.220\n- 205.144.89.91\n- cdn-proxy.tech\n- gateway-relay.club\nURLs:\n- hxxps://proxycloud.tech/panel/index.html\n- http://auth-proxy.club/portal/verify\nEmail Senders:\n- account@credential-check.site\n- finance@credential-check.site\nFile Indicators:\n- MD5: 2fb4d37efb6cb6b1134e4043cc2cdf1c\n- SHA1: 01989520b665a5deaa9f597b31944d7a7cb1a6fe\n- Drop path: C:\\Windows\\Tasks\\implant.so", "spans": {"MALWARE: REvil": [[15, 20]], "IP_ADDRESS: 10.181.61.249": [[53, 66]], "IP_ADDRESS: 172.205.122.220": [[69, 84]], "IP_ADDRESS: 205.144.89.91": [[87, 100]], "DOMAIN: cdn-proxy.tech": [[103, 117]], "DOMAIN: 
gateway-relay.club": [[120, 138]], "URL: hxxps://proxycloud.tech/panel/index.html": [[147, 187]], "URL: http://auth-proxy.club/portal/verify": [[190, 226]], "EMAIL: account@credential-check.site": [[244, 273]], "EMAIL: finance@credential-check.site": [[276, 305]], "HASH: 2fb4d37efb6cb6b1134e4043cc2cdf1c": [[330, 362]], "HASH: 01989520b665a5deaa9f597b31944d7a7cb1a6fe": [[371, 411]], "FILEPATH: C:\\Windows\\Tasks\\implant.so": [[425, 452]]}, "info": {"id": "synth_v2_01375", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - BumbleBee Campaign:\nNetwork Indicators:\n- 222.170.157.56\n- 172.197.240.193\n- 10.179.74.198\n- api-static.xyz\n- portal-sync.site\nURLs:\n- http://login-portal.link/api/v2/auth\n- hxxp://cache-gateway.cc/wp-content/uploads/doc.php\nEmail Senders:\n- it@login-portal.tech\n- support@login-portal.tech\nFile Indicators:\n- SHA1: d21112cc09fb276c0ac65249eb78f74c3ccc91e6\n- SHA1: afb469fa3c6f2d88609c6900667bd475d10ae3c1\n- Drop path: C:\\ProgramData\\helper.sh", "spans": {"MALWARE: BumbleBee": [[15, 24]], "IP_ADDRESS: 222.170.157.56": [[57, 71]], "IP_ADDRESS: 172.197.240.193": [[74, 89]], "IP_ADDRESS: 10.179.74.198": [[92, 105]], "DOMAIN: api-static.xyz": [[108, 122]], "DOMAIN: portal-sync.site": [[125, 141]], "URL: http://login-portal.link/api/v2/auth": [[150, 186]], "URL: hxxp://cache-gateway.cc/wp-content/uploads/doc.php": [[189, 239]], "EMAIL: it@login-portal.tech": [[257, 277]], "EMAIL: support@login-portal.tech": [[280, 305]], "HASH: d21112cc09fb276c0ac65249eb78f74c3ccc91e6": [[331, 371]], "HASH: afb469fa3c6f2d88609c6900667bd475d10ae3c1": [[380, 420]], "FILEPATH: C:\\ProgramData\\helper.sh": [[434, 458]]}, "info": {"id": "synth_v2_01376", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Latrodectus Campaign:\nNetwork Indicators:\n- 143.110.20.83\n- 136.67.244.96\n- 10.168.169.46\n- securecdn.org\n- edgeproxy.info\nURLs:\n- hxxp://auth-secure.io/callback\n- http://backup-mail.net/wp-content/uploads/doc.php\nEmail Senders:\n- 
notification@account-update.xyz\n- noreply@account-update.xyz\nFile Indicators:\n- MD5: f8f4a9f8cd0bce5f739bf7c1734a0cd9\n- SHA1: ab027155201dffb8805995d9f24f221e36de5f6e\n- Drop path: /var/tmp/chrome_helper.exe", "spans": {"MALWARE: Latrodectus": [[15, 26]], "IP_ADDRESS: 143.110.20.83": [[59, 72]], "IP_ADDRESS: 136.67.244.96": [[75, 88]], "IP_ADDRESS: 10.168.169.46": [[91, 104]], "DOMAIN: securecdn.org": [[107, 120]], "DOMAIN: edgeproxy.info": [[123, 137]], "URL: hxxp://auth-secure.io/callback": [[146, 176]], "URL: http://backup-mail.net/wp-content/uploads/doc.php": [[179, 228]], "EMAIL: notification@account-update.xyz": [[246, 277]], "EMAIL: noreply@account-update.xyz": [[280, 306]], "HASH: f8f4a9f8cd0bce5f739bf7c1734a0cd9": [[331, 363]], "HASH: ab027155201dffb8805995d9f24f221e36de5f6e": [[372, 412]], "FILEPATH: /var/tmp/chrome_helper.exe": [[426, 452]]}, "info": {"id": "synth_v2_01377", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - PlugX Campaign:\nNetwork Indicators:\n- 131.220.171.232\n- 10.141.224.96\n- 172.166.246.178\n- proxycache.net\n- backupcloud.net\nURLs:\n- https://cloudbackup.top/wp-content/uploads/doc.php\n- hxxps://datanode.dev/api/v2/auth\nEmail Senders:\n- ceo@credential-check.site\n- it@phishing-domain.com\nFile Indicators:\n- SHA256: 6b3976ae2bb5eb11e49b438e0cf23d67aa6d0feb32a4b389d63258bdfd0dc788\n- SHA1: 30dbcb1368696fc98e1cd5c9f61db9bfb535954e\n- Drop path: C:\\Windows\\System32\\sam.hive", "spans": {"MALWARE: PlugX": [[15, 20]], "IP_ADDRESS: 131.220.171.232": [[53, 68]], "IP_ADDRESS: 10.141.224.96": [[71, 84]], "IP_ADDRESS: 172.166.246.178": [[87, 102]], "DOMAIN: proxycache.net": [[105, 119]], "DOMAIN: backupcloud.net": [[122, 137]], "URL: https://cloudbackup.top/wp-content/uploads/doc.php": [[146, 196]], "URL: hxxps://datanode.dev/api/v2/auth": [[199, 231]], "EMAIL: ceo@credential-check.site": [[249, 274]], "EMAIL: it@phishing-domain.com": [[277, 299]], "HASH: 6b3976ae2bb5eb11e49b438e0cf23d67aa6d0feb32a4b389d63258bdfd0dc788": [[327, 
391]], "HASH: 30dbcb1368696fc98e1cd5c9f61db9bfb535954e": [[400, 440]], "FILEPATH: C:\\Windows\\System32\\sam.hive": [[454, 482]]}, "info": {"id": "synth_v2_01378", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - REvil Campaign:\nNetwork Indicators:\n- 192.139.17.188\n- 172.191.230.165\n- 107.95.131.51\n- cache-auth.site\n- relayupdate.link\nURLs:\n- https://storageupdate.site/wp-content/uploads/doc.php\n- hxxps://syncauth.com/login\nEmail Senders:\n- finance@account-update.xyz\n- verify@document-share.link\nFile Indicators:\n- SHA1: 535cacb075ae5ff93be664cdcb3045ddeb64d382\n- SHA1: 7527583a489e65afa72c2c84aaed5c4cbb5c55ae\n- Drop path: /dev/shm/backdoor.elf", "spans": {"MALWARE: REvil": [[15, 20]], "IP_ADDRESS: 192.139.17.188": [[53, 67]], "IP_ADDRESS: 172.191.230.165": [[70, 85]], "IP_ADDRESS: 107.95.131.51": [[88, 101]], "DOMAIN: cache-auth.site": [[104, 119]], "DOMAIN: relayupdate.link": [[122, 138]], "URL: https://storageupdate.site/wp-content/uploads/doc.php": [[147, 200]], "URL: hxxps://syncauth.com/login": [[203, 229]], "EMAIL: finance@account-update.xyz": [[247, 273]], "EMAIL: verify@document-share.link": [[276, 302]], "HASH: 535cacb075ae5ff93be664cdcb3045ddeb64d382": [[328, 368]], "HASH: 7527583a489e65afa72c2c84aaed5c4cbb5c55ae": [[377, 417]], "FILEPATH: /dev/shm/backdoor.elf": [[431, 452]]}, "info": {"id": "synth_v2_01379", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Meduza Stealer Campaign:\nNetwork Indicators:\n- 172.142.76.30\n- 10.36.212.157\n- 10.79.125.95\n- storagecloud.io\n- nodeapi.net\nURLs:\n- http://cdncloud.info/secure/token\n- http://cdnapi.live/portal/verify\nEmail Senders:\n- security@identity-verify.cc\n- security@mail-service.info\nFile Indicators:\n- SHA256: c768ebead88bc1fc725f32f88e2ee16d1ffc177c9efd0a34419b248bd9fe57e3\n- MD5: 8cad8d6e822753feb198d9d017d98a28\n- Drop path: /opt/app/bin/winlogon.exe", "spans": {"MALWARE: Meduza Stealer": [[15, 29]], "IP_ADDRESS: 172.142.76.30": [[62, 75]], "IP_ADDRESS: 10.36.212.157": 
[[78, 91]], "IP_ADDRESS: 10.79.125.95": [[94, 106]], "DOMAIN: storagecloud.io": [[109, 124]], "DOMAIN: nodeapi.net": [[127, 138]], "URL: http://cdncloud.info/secure/token": [[147, 180]], "URL: http://cdnapi.live/portal/verify": [[183, 215]], "EMAIL: security@identity-verify.cc": [[233, 260]], "EMAIL: security@mail-service.info": [[263, 289]], "HASH: c768ebead88bc1fc725f32f88e2ee16d1ffc177c9efd0a34419b248bd9fe57e3": [[317, 381]], "HASH: 8cad8d6e822753feb198d9d017d98a28": [[389, 421]], "FILEPATH: /opt/app/bin/winlogon.exe": [[435, 460]]}, "info": {"id": "synth_v2_01380", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Gootloader Campaign:\nNetwork Indicators:\n- 42.1.91.247\n- 10.174.128.204\n- 160.86.73.170\n- cache-backup.com\n- apirelay.xyz\nURLs:\n- hxxps://sync-portal.site/collect\n- hxxps://syncproxy.top/assets/js/payload.js\nEmail Senders:\n- support@identity-verify.cc\n- support@login-portal.tech\nFile Indicators:\n- SHA1: 751b79ae82450f56c962eac2ae2732cd0d95c518\n- MD5: f54b855e55ce7753af383510fbe503af\n- Drop path: C:\\ProgramData\\update.dll", "spans": {"MALWARE: Gootloader": [[15, 25]], "IP_ADDRESS: 42.1.91.247": [[58, 69]], "IP_ADDRESS: 10.174.128.204": [[72, 86]], "IP_ADDRESS: 160.86.73.170": [[89, 102]], "DOMAIN: cache-backup.com": [[105, 121]], "DOMAIN: apirelay.xyz": [[124, 136]], "URL: hxxps://sync-portal.site/collect": [[145, 177]], "URL: hxxps://syncproxy.top/assets/js/payload.js": [[180, 222]], "EMAIL: support@identity-verify.cc": [[240, 266]], "EMAIL: support@login-portal.tech": [[269, 294]], "HASH: 751b79ae82450f56c962eac2ae2732cd0d95c518": [[320, 360]], "HASH: f54b855e55ce7753af383510fbe503af": [[368, 400]], "FILEPATH: C:\\ProgramData\\update.dll": [[414, 439]]}, "info": {"id": "synth_v2_01381", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - PlugX Campaign:\nNetwork Indicators:\n- 28.200.97.87\n- 10.132.43.190\n- 10.87.84.75\n- proxy-storage.site\n- portal-node.com\nURLs:\n- https://syncapi.io/portal/verify\n- 
hxxp://cloud-cloud.top/callback\nEmail Senders:\n- service@auth-check.org\n- admin@account-update.xyz\nFile Indicators:\n- SHA1: 58bcc19729a6e439f467349f68fc0de82cef1ec6\n- MD5: 41f10d290cdd6416c245cc2e13f9d1f7\n- Drop path: /opt/app/bin/implant.so", "spans": {"MALWARE: PlugX": [[15, 20]], "IP_ADDRESS: 28.200.97.87": [[53, 65]], "IP_ADDRESS: 10.132.43.190": [[68, 81]], "IP_ADDRESS: 10.87.84.75": [[84, 95]], "DOMAIN: proxy-storage.site": [[98, 116]], "DOMAIN: portal-node.com": [[119, 134]], "URL: https://syncapi.io/portal/verify": [[143, 175]], "URL: hxxp://cloud-cloud.top/callback": [[178, 209]], "EMAIL: service@auth-check.org": [[227, 249]], "EMAIL: admin@account-update.xyz": [[252, 276]], "HASH: 58bcc19729a6e439f467349f68fc0de82cef1ec6": [[302, 342]], "HASH: 41f10d290cdd6416c245cc2e13f9d1f7": [[350, 382]], "FILEPATH: /opt/app/bin/implant.so": [[396, 419]]}, "info": {"id": "synth_v2_01382", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - IcedID Campaign:\nNetwork Indicators:\n- 111.163.59.113\n- 192.191.242.141\n- 192.30.168.46\n- cachesecure.org\n- cache-auth.top\nURLs:\n- https://securecache.cc/panel/index.html\n- hxxps://backup-auth.info/api/v2/auth\nEmail Senders:\n- billing@urgent-notice.online\n- it@identity-verify.cc\nFile Indicators:\n- SHA1: ae1d3b54e606016c4a1bda14cedb4f45413c4802\n- SHA256: ccbe86dcfa48a704d9a594efacfadf3998dace67d0cfed13075d82a612fede70\n- Drop path: /tmp/shell.php", "spans": {"MALWARE: IcedID": [[15, 21]], "IP_ADDRESS: 111.163.59.113": [[54, 68]], "IP_ADDRESS: 192.191.242.141": [[71, 86]], "IP_ADDRESS: 192.30.168.46": [[89, 102]], "DOMAIN: cachesecure.org": [[105, 120]], "DOMAIN: cache-auth.top": [[123, 137]], "URL: https://securecache.cc/panel/index.html": [[146, 185]], "URL: hxxps://backup-auth.info/api/v2/auth": [[188, 224]], "EMAIL: billing@urgent-notice.online": [[242, 270]], "EMAIL: it@identity-verify.cc": [[273, 294]], "HASH: ae1d3b54e606016c4a1bda14cedb4f45413c4802": [[320, 360]], "HASH: 
ccbe86dcfa48a704d9a594efacfadf3998dace67d0cfed13075d82a612fede70": [[371, 435]], "FILEPATH: /tmp/shell.php": [[449, 463]]}, "info": {"id": "synth_v2_01383", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Conti Campaign:\nNetwork Indicators:\n- 219.86.211.83\n- 10.61.83.211\n- 10.230.154.228\n- login-cdn.cc\n- backupgateway.cc\nURLs:\n- https://portalmail.cc/panel/index.html\n- hxxp://edge-login.online/collect\nEmail Senders:\n- alert@login-portal.tech\n- service@credential-check.site\nFile Indicators:\n- SHA1: 0a20dfe27d403aac12a96c9771d20007e7523f32\n- SHA1: 283e083c89cab46de63576a9e3406199eec989ed\n- Drop path: /opt/app/bin/implant.so", "spans": {"MALWARE: Conti": [[15, 20]], "IP_ADDRESS: 219.86.211.83": [[53, 66]], "IP_ADDRESS: 10.61.83.211": [[69, 81]], "IP_ADDRESS: 10.230.154.228": [[84, 98]], "DOMAIN: login-cdn.cc": [[101, 113]], "DOMAIN: backupgateway.cc": [[116, 132]], "URL: https://portalmail.cc/panel/index.html": [[141, 179]], "URL: hxxp://edge-login.online/collect": [[182, 214]], "EMAIL: alert@login-portal.tech": [[232, 255]], "EMAIL: service@credential-check.site": [[258, 287]], "HASH: 0a20dfe27d403aac12a96c9771d20007e7523f32": [[313, 353]], "HASH: 283e083c89cab46de63576a9e3406199eec989ed": [[362, 402]], "FILEPATH: /opt/app/bin/implant.so": [[416, 439]]}, "info": {"id": "synth_v2_01384", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Ryuk Campaign:\nNetwork Indicators:\n- 80.139.63.233\n- 49.76.58.144\n- 10.50.97.16\n- logincloud.net\n- portaledge.link\nURLs:\n- hxxps://secureedge.info/assets/js/payload.js\n- hxxp://login-sync.site/callback\nEmail Senders:\n- verify@secure-verify.net\n- helpdesk@account-update.xyz\nFile Indicators:\n- SHA256: 4efef8c783080b1d48bc26637d282d95d7e796320663415c17798dac571110f3\n- SHA256: e45642690d6cc199bb7adfe05baf0c86e974102fc575858650a98c609d4036a3\n- Drop path: C:\\Windows\\Temp\\payload.bin", "spans": {"MALWARE: Ryuk": [[15, 19]], "IP_ADDRESS: 80.139.63.233": [[52, 65]], "IP_ADDRESS: 49.76.58.144": [[68, 
80]], "IP_ADDRESS: 10.50.97.16": [[83, 94]], "DOMAIN: logincloud.net": [[97, 111]], "DOMAIN: portaledge.link": [[114, 129]], "URL: hxxps://secureedge.info/assets/js/payload.js": [[138, 182]], "URL: hxxp://login-sync.site/callback": [[185, 216]], "EMAIL: verify@secure-verify.net": [[234, 258]], "EMAIL: helpdesk@account-update.xyz": [[261, 288]], "HASH: 4efef8c783080b1d48bc26637d282d95d7e796320663415c17798dac571110f3": [[316, 380]], "HASH: e45642690d6cc199bb7adfe05baf0c86e974102fc575858650a98c609d4036a3": [[391, 455]], "FILEPATH: C:\\Windows\\Temp\\payload.bin": [[469, 496]]}, "info": {"id": "synth_v2_01385", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - RemcosRAT Campaign:\nNetwork Indicators:\n- 172.81.123.138\n- 113.20.229.122\n- 8.159.68.159\n- cache-edge.online\n- portalproxy.info\nURLs:\n- hxxps://proxylogin.net/gate.php\n- hxxps://securebackup.live/login\nEmail Senders:\n- helpdesk@login-portal.tech\n- support@auth-check.org\nFile Indicators:\n- SHA256: 18ff31339c0767bbd46143ab220a001d80e8ef13227497f0fe398b287f8f0d0e\n- SHA1: ed720403a79fd13a0e5cbf7c6d2bbf8668a20b50\n- Drop path: C:\\ProgramData\\svchost.exe", "spans": {"MALWARE: RemcosRAT": [[15, 24]], "IP_ADDRESS: 172.81.123.138": [[57, 71]], "IP_ADDRESS: 113.20.229.122": [[74, 88]], "IP_ADDRESS: 8.159.68.159": [[91, 103]], "DOMAIN: cache-edge.online": [[106, 123]], "DOMAIN: portalproxy.info": [[126, 142]], "URL: hxxps://proxylogin.net/gate.php": [[151, 182]], "URL: hxxps://securebackup.live/login": [[185, 216]], "EMAIL: helpdesk@login-portal.tech": [[234, 260]], "EMAIL: support@auth-check.org": [[263, 285]], "HASH: 18ff31339c0767bbd46143ab220a001d80e8ef13227497f0fe398b287f8f0d0e": [[313, 377]], "HASH: ed720403a79fd13a0e5cbf7c6d2bbf8668a20b50": [[386, 426]], "FILEPATH: C:\\ProgramData\\svchost.exe": [[440, 466]]}, "info": {"id": "synth_v2_01386", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - StealC Campaign:\nNetwork Indicators:\n- 38.145.236.206\n- 172.141.93.111\n- 75.33.223.191\n- 
cache-secure.online\n- datacache.io\nURLs:\n- hxxps://data-edge.top/panel/index.html\n- http://node-cache.xyz/admin/config\nEmail Senders:\n- billing@account-update.xyz\n- updates@urgent-notice.online\nFile Indicators:\n- MD5: f2bddb5fd30d982ec2b98b230e87bb56\n- SHA1: 0b474236969f06e0c5c7a46c6a42d3546978e89c\n- Drop path: C:\\Program Files\\Common Files\\loader.exe", "spans": {"MALWARE: StealC": [[15, 21]], "IP_ADDRESS: 38.145.236.206": [[54, 68]], "IP_ADDRESS: 172.141.93.111": [[71, 85]], "IP_ADDRESS: 75.33.223.191": [[88, 101]], "DOMAIN: cache-secure.online": [[104, 123]], "DOMAIN: datacache.io": [[126, 138]], "URL: hxxps://data-edge.top/panel/index.html": [[147, 185]], "URL: http://node-cache.xyz/admin/config": [[188, 222]], "EMAIL: billing@account-update.xyz": [[240, 266]], "EMAIL: updates@urgent-notice.online": [[269, 297]], "HASH: f2bddb5fd30d982ec2b98b230e87bb56": [[322, 354]], "HASH: 0b474236969f06e0c5c7a46c6a42d3546978e89c": [[363, 403]], "FILEPATH: C:\\Program Files\\Common Files\\loader.exe": [[417, 457]]}, "info": {"id": "synth_v2_01387", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - TrickBot Campaign:\nNetwork Indicators:\n- 189.20.140.47\n- 172.233.118.21\n- 149.120.36.211\n- gateway-cache.cc\n- api-cloud.tech\nURLs:\n- http://cdnmail.com/admin/config\n- hxxps://proxy-proxy.tech/assets/js/payload.js\nEmail Senders:\n- confirm@urgent-notice.online\n- finance@document-share.link\nFile Indicators:\n- SHA256: c56b2e36380cae82c502e5d90aa507371ce18875bdf7888c29986b2272a4b659\n- MD5: 864b1842b032c055f64f4c939efe2f1f\n- Drop path: /home/user/.config/shell.php", "spans": {"MALWARE: TrickBot": [[15, 23]], "IP_ADDRESS: 189.20.140.47": [[56, 69]], "IP_ADDRESS: 172.233.118.21": [[72, 86]], "IP_ADDRESS: 149.120.36.211": [[89, 103]], "DOMAIN: gateway-cache.cc": [[106, 122]], "DOMAIN: api-cloud.tech": [[125, 139]], "URL: http://cdnmail.com/admin/config": [[148, 179]], "URL: hxxps://proxy-proxy.tech/assets/js/payload.js": [[182, 227]], "EMAIL: 
confirm@urgent-notice.online": [[245, 273]], "EMAIL: finance@document-share.link": [[276, 303]], "HASH: c56b2e36380cae82c502e5d90aa507371ce18875bdf7888c29986b2272a4b659": [[331, 395]], "HASH: 864b1842b032c055f64f4c939efe2f1f": [[403, 435]], "FILEPATH: /home/user/.config/shell.php": [[449, 477]]}, "info": {"id": "synth_v2_01388", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Meduza Stealer Campaign:\nNetwork Indicators:\n- 51.177.233.97\n- 181.212.64.197\n- 10.5.166.234\n- apistatic.link\n- edgesync.club\nURLs:\n- https://secure-mail.cc/secure/token\n- hxxps://cloud-cloud.club/assets/js/payload.js\nEmail Senders:\n- ceo@document-share.link\n- info@auth-check.org\nFile Indicators:\n- MD5: 952fd940db90f7ccee531958c2c5b3de\n- MD5: f10143cfc3df60a922ef1430b39fe223\n- Drop path: /home/user/.config/taskhost.exe", "spans": {"MALWARE: Meduza Stealer": [[15, 29]], "IP_ADDRESS: 51.177.233.97": [[62, 75]], "IP_ADDRESS: 181.212.64.197": [[78, 92]], "IP_ADDRESS: 10.5.166.234": [[95, 107]], "DOMAIN: apistatic.link": [[110, 124]], "DOMAIN: edgesync.club": [[127, 140]], "URL: https://secure-mail.cc/secure/token": [[149, 184]], "URL: hxxps://cloud-cloud.club/assets/js/payload.js": [[187, 232]], "EMAIL: ceo@document-share.link": [[250, 273]], "EMAIL: info@auth-check.org": [[276, 295]], "HASH: 952fd940db90f7ccee531958c2c5b3de": [[320, 352]], "HASH: f10143cfc3df60a922ef1430b39fe223": [[360, 392]], "FILEPATH: /home/user/.config/taskhost.exe": [[406, 437]]}, "info": {"id": "synth_v2_01389", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Lumma Stealer Campaign:\nNetwork Indicators:\n- 54.181.56.236\n- 10.210.254.80\n- 28.117.219.59\n- mailstatic.com\n- updatesync.net\nURLs:\n- https://loginlogin.xyz/download/update.exe\n- http://proxynode.link/login\nEmail Senders:\n- billing@account-update.xyz\n- billing@urgent-notice.online\nFile Indicators:\n- MD5: 99030999623790fce84dc5fd55382d0e\n- SHA256: f63586a5751edf100a3839f82e5cb2fcb8e070e2d1a21fc0f63d1be9d1dbc0f8\n- Drop path: 
C:\\Users\\Public\\Documents\\payload.bin", "spans": {"MALWARE: Lumma Stealer": [[15, 28]], "IP_ADDRESS: 54.181.56.236": [[61, 74]], "IP_ADDRESS: 10.210.254.80": [[77, 90]], "IP_ADDRESS: 28.117.219.59": [[93, 106]], "DOMAIN: mailstatic.com": [[109, 123]], "DOMAIN: updatesync.net": [[126, 140]], "URL: https://loginlogin.xyz/download/update.exe": [[149, 191]], "URL: http://proxynode.link/login": [[194, 221]], "EMAIL: billing@account-update.xyz": [[239, 265]], "EMAIL: billing@urgent-notice.online": [[268, 296]], "HASH: 99030999623790fce84dc5fd55382d0e": [[321, 353]], "HASH: f63586a5751edf100a3839f82e5cb2fcb8e070e2d1a21fc0f63d1be9d1dbc0f8": [[364, 428]], "FILEPATH: C:\\Users\\Public\\Documents\\payload.bin": [[442, 479]]}, "info": {"id": "synth_v2_01390", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - PikaBot Campaign:\nNetwork Indicators:\n- 172.32.117.91\n- 173.226.163.225\n- 10.36.82.113\n- cachegateway.xyz\n- cloudapi.net\nURLs:\n- hxxps://data-auth.dev/panel/index.html\n- http://securedata.com/assets/js/payload.js\nEmail Senders:\n- ceo@document-share.link\n- hr@phishing-domain.com\nFile Indicators:\n- MD5: 7689dbff6ea326d45b4274538f6aa027\n- SHA1: 9a6fd1b12dce59812cc6359974b847ca60068dfc\n- Drop path: C:\\Windows\\Temp\\helper.sh", "spans": {"MALWARE: PikaBot": [[15, 22]], "IP_ADDRESS: 172.32.117.91": [[55, 68]], "IP_ADDRESS: 173.226.163.225": [[71, 86]], "IP_ADDRESS: 10.36.82.113": [[89, 101]], "DOMAIN: cachegateway.xyz": [[104, 120]], "DOMAIN: cloudapi.net": [[123, 135]], "URL: hxxps://data-auth.dev/panel/index.html": [[144, 182]], "URL: http://securedata.com/assets/js/payload.js": [[185, 227]], "EMAIL: ceo@document-share.link": [[245, 268]], "EMAIL: hr@phishing-domain.com": [[271, 293]], "HASH: 7689dbff6ea326d45b4274538f6aa027": [[318, 350]], "HASH: 9a6fd1b12dce59812cc6359974b847ca60068dfc": [[359, 399]], "FILEPATH: C:\\Windows\\Temp\\helper.sh": [[413, 438]]}, "info": {"id": "synth_v2_01391", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - 
WarmCookie Campaign:\nNetwork Indicators:\n- 192.9.124.181\n- 77.190.47.174\n- 10.66.34.129\n- backup-api.club\n- updateedge.net\nURLs:\n- hxxps://node-sync.site/callback\n- hxxp://edgerelay.top/download/update.exe\nEmail Senders:\n- info@mail-service.info\n- notification@document-share.link\nFile Indicators:\n- MD5: 3537472cde9c058d3b4761b657dbaa8e\n- SHA256: 31956d16434ce5cd80e1605222a3043f19877cb51bc18b41c644ad0269c0dfa4\n- Drop path: /dev/shm/svchost.exe", "spans": {"MALWARE: WarmCookie": [[15, 25]], "IP_ADDRESS: 192.9.124.181": [[58, 71]], "IP_ADDRESS: 77.190.47.174": [[74, 87]], "IP_ADDRESS: 10.66.34.129": [[90, 102]], "DOMAIN: backup-api.club": [[105, 120]], "DOMAIN: updateedge.net": [[123, 137]], "URL: hxxps://node-sync.site/callback": [[146, 177]], "URL: hxxp://edgerelay.top/download/update.exe": [[180, 220]], "EMAIL: info@mail-service.info": [[238, 260]], "EMAIL: notification@document-share.link": [[263, 295]], "HASH: 3537472cde9c058d3b4761b657dbaa8e": [[320, 352]], "HASH: 31956d16434ce5cd80e1605222a3043f19877cb51bc18b41c644ad0269c0dfa4": [[363, 427]], "FILEPATH: /dev/shm/svchost.exe": [[441, 461]]}, "info": {"id": "synth_v2_01392", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Royal Campaign:\nNetwork Indicators:\n- 10.143.96.165\n- 171.253.130.55\n- 172.156.66.27\n- gateway-mail.net\n- update-backup.live\nURLs:\n- hxxp://update-backup.net/api/v2/auth\n- http://storage-mail.tech/collect\nEmail Senders:\n- finance@account-update.xyz\n- support@credential-check.site\nFile Indicators:\n- MD5: 7459af85610e6d6e32fe5bbcf35ae21e\n- SHA256: 77fa1b138754bdb3cd00e41599faa4b903e442c3434e70940197b44d39ece83a\n- Drop path: C:\\Windows\\System32\\payload.bin", "spans": {"MALWARE: Royal": [[15, 20]], "IP_ADDRESS: 10.143.96.165": [[53, 66]], "IP_ADDRESS: 171.253.130.55": [[69, 83]], "IP_ADDRESS: 172.156.66.27": [[86, 99]], "DOMAIN: gateway-mail.net": [[102, 118]], "DOMAIN: update-backup.live": [[121, 139]], "URL: hxxp://update-backup.net/api/v2/auth": [[148, 
184]], "URL: http://storage-mail.tech/collect": [[187, 219]], "EMAIL: finance@account-update.xyz": [[237, 263]], "EMAIL: support@credential-check.site": [[266, 295]], "HASH: 7459af85610e6d6e32fe5bbcf35ae21e": [[320, 352]], "HASH: 77fa1b138754bdb3cd00e41599faa4b903e442c3434e70940197b44d39ece83a": [[363, 427]], "FILEPATH: C:\\Windows\\System32\\payload.bin": [[441, 472]]}, "info": {"id": "synth_v2_01393", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Play Campaign:\nNetwork Indicators:\n- 109.237.66.169\n- 172.193.39.182\n- 184.232.251.109\n- relaymail.live\n- cloud-node.online\nURLs:\n- hxxps://login-cloud.cc/panel/index.html\n- hxxp://static-relay.top/login\nEmail Senders:\n- hr@urgent-notice.online\n- verify@login-portal.tech\nFile Indicators:\n- MD5: 0344579397f84c2b50ea34d4e491bc5f\n- SHA1: b3d98c8fe7b6f4d6279598c1a007ccb5a8dd9675\n- Drop path: C:\\Users\\admin\\AppData\\Local\\Temp\\backdoor.elf", "spans": {"MALWARE: Play": [[15, 19]], "IP_ADDRESS: 109.237.66.169": [[52, 66]], "IP_ADDRESS: 172.193.39.182": [[69, 83]], "IP_ADDRESS: 184.232.251.109": [[86, 101]], "DOMAIN: relaymail.live": [[104, 118]], "DOMAIN: cloud-node.online": [[121, 138]], "URL: hxxps://login-cloud.cc/panel/index.html": [[147, 186]], "URL: hxxp://static-relay.top/login": [[189, 218]], "EMAIL: hr@urgent-notice.online": [[236, 259]], "EMAIL: verify@login-portal.tech": [[262, 286]], "HASH: 0344579397f84c2b50ea34d4e491bc5f": [[311, 343]], "HASH: b3d98c8fe7b6f4d6279598c1a007ccb5a8dd9675": [[352, 392]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\backdoor.elf": [[406, 452]]}, "info": {"id": "synth_v2_01394", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - RedLine Stealer Campaign:\nNetwork Indicators:\n- 192.129.163.88\n- 131.43.233.213\n- 172.58.15.128\n- backupcdn.xyz\n- mail-proxy.link\nURLs:\n- hxxps://staticcloud.dev/panel/index.html\n- hxxp://dataportal.club/login\nEmail Senders:\n- it@mail-service.info\n- finance@document-share.link\nFile Indicators:\n- MD5: 
47f428bbbeaad49062f5142c1b57a573\n- SHA1: 75b25d3af7e32c767f96e8ea76d9d0647c712fa4\n- Drop path: /tmp/helper.sh", "spans": {"MALWARE: RedLine Stealer": [[15, 30]], "IP_ADDRESS: 192.129.163.88": [[63, 77]], "IP_ADDRESS: 131.43.233.213": [[80, 94]], "IP_ADDRESS: 172.58.15.128": [[97, 110]], "DOMAIN: backupcdn.xyz": [[113, 126]], "DOMAIN: mail-proxy.link": [[129, 144]], "URL: hxxps://staticcloud.dev/panel/index.html": [[153, 193]], "URL: hxxp://dataportal.club/login": [[196, 224]], "EMAIL: it@mail-service.info": [[242, 262]], "EMAIL: finance@document-share.link": [[265, 292]], "HASH: 47f428bbbeaad49062f5142c1b57a573": [[317, 349]], "HASH: 75b25d3af7e32c767f96e8ea76d9d0647c712fa4": [[358, 398]], "FILEPATH: /tmp/helper.sh": [[412, 426]]}, "info": {"id": "synth_v2_01395", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Lumma Stealer Campaign:\nNetwork Indicators:\n- 172.41.161.65\n- 172.116.160.217\n- 117.4.71.251\n- relay-api.link\n- cloudrelay.io\nURLs:\n- https://cdn-mail.tech/assets/js/payload.js\n- https://datastorage.info/login\nEmail Senders:\n- updates@urgent-notice.online\n- notification@identity-verify.cc\nFile Indicators:\n- SHA1: a35abed217fac1305b27c8d4cc3ebc06651d119c\n- MD5: 58b0379eaf2f10c53a6a0a03e3c54991\n- Drop path: C:\\Windows\\Tasks\\sam.hive", "spans": {"MALWARE: Lumma Stealer": [[15, 28]], "IP_ADDRESS: 172.41.161.65": [[61, 74]], "IP_ADDRESS: 172.116.160.217": [[77, 92]], "IP_ADDRESS: 117.4.71.251": [[95, 107]], "DOMAIN: relay-api.link": [[110, 124]], "DOMAIN: cloudrelay.io": [[127, 140]], "URL: https://cdn-mail.tech/assets/js/payload.js": [[149, 191]], "URL: https://datastorage.info/login": [[194, 224]], "EMAIL: updates@urgent-notice.online": [[242, 270]], "EMAIL: notification@identity-verify.cc": [[273, 304]], "HASH: a35abed217fac1305b27c8d4cc3ebc06651d119c": [[330, 370]], "HASH: 58b0379eaf2f10c53a6a0a03e3c54991": [[378, 410]], "FILEPATH: C:\\Windows\\Tasks\\sam.hive": [[424, 449]]}, "info": {"id": "synth_v2_01396", "source": 
"synthetic_v2"}} +{"text": "IOC Bulletin - BatLoader Campaign:\nNetwork Indicators:\n- 192.69.54.196\n- 192.19.233.200\n- 192.4.141.6\n- proxyapi.net\n- backup-portal.net\nURLs:\n- hxxps://proxyedge.club/portal/verify\n- http://update-backup.io/callback\nEmail Senders:\n- verify@secure-verify.net\n- account@identity-verify.cc\nFile Indicators:\n- SHA1: 82be1a4ef6b085d0e7e8d361dff55cf69f730583\n- MD5: 66fff5c9a170f0e2cd25314e9565841c\n- Drop path: /usr/local/bin/backdoor.elf", "spans": {"MALWARE: BatLoader": [[15, 24]], "IP_ADDRESS: 192.69.54.196": [[57, 70]], "IP_ADDRESS: 192.19.233.200": [[73, 87]], "IP_ADDRESS: 192.4.141.6": [[90, 101]], "DOMAIN: proxyapi.net": [[104, 116]], "DOMAIN: backup-portal.net": [[119, 136]], "URL: hxxps://proxyedge.club/portal/verify": [[145, 181]], "URL: http://update-backup.io/callback": [[184, 216]], "EMAIL: verify@secure-verify.net": [[234, 258]], "EMAIL: account@identity-verify.cc": [[261, 287]], "HASH: 82be1a4ef6b085d0e7e8d361dff55cf69f730583": [[313, 353]], "HASH: 66fff5c9a170f0e2cd25314e9565841c": [[361, 393]], "FILEPATH: /usr/local/bin/backdoor.elf": [[407, 434]]}, "info": {"id": "synth_v2_01397", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - LockBit Campaign:\nNetwork Indicators:\n- 33.149.153.211\n- 16.132.212.121\n- 10.8.60.129\n- relayupdate.xyz\n- secure-storage.online\nURLs:\n- hxxps://backupdata.link/gate.php\n- http://login-backup.live/admin/config\nEmail Senders:\n- contact@urgent-notice.online\n- notification@document-share.link\nFile Indicators:\n- SHA256: 6a949ce435791653d58146f959984172afb00280760a38a19321db5579b29275\n- SHA1: c7cdc7e47776e9897909aa0d47b7b746561ddef1\n- Drop path: /dev/shm/backdoor.elf", "spans": {"MALWARE: LockBit": [[15, 22]], "IP_ADDRESS: 33.149.153.211": [[55, 69]], "IP_ADDRESS: 16.132.212.121": [[72, 86]], "IP_ADDRESS: 10.8.60.129": [[89, 100]], "DOMAIN: relayupdate.xyz": [[103, 118]], "DOMAIN: secure-storage.online": [[121, 142]], "URL: hxxps://backupdata.link/gate.php": [[151, 183]], 
"URL: http://login-backup.live/admin/config": [[186, 223]], "EMAIL: contact@urgent-notice.online": [[241, 269]], "EMAIL: notification@document-share.link": [[272, 304]], "HASH: 6a949ce435791653d58146f959984172afb00280760a38a19321db5579b29275": [[332, 396]], "HASH: c7cdc7e47776e9897909aa0d47b7b746561ddef1": [[405, 445]], "FILEPATH: /dev/shm/backdoor.elf": [[459, 480]]}, "info": {"id": "synth_v2_01398", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - StealC Campaign:\nNetwork Indicators:\n- 10.29.133.205\n- 192.51.237.114\n- 172.206.82.73\n- updatebackup.live\n- auth-cloud.com\nURLs:\n- hxxp://backupdata.org/api/v2/auth\n- https://mailportal.live/api/v2/auth\nEmail Senders:\n- account@secure-verify.net\n- security@credential-check.site\nFile Indicators:\n- SHA256: 2cd488bb63a988ae9c8c029834e01204e97499b657da48bc01dd61a44aab7683\n- SHA1: 0fdaa964028c5ef9893258ca8e6687d66245a61b\n- Drop path: /etc/cron.d/implant.so", "spans": {"MALWARE: StealC": [[15, 21]], "IP_ADDRESS: 10.29.133.205": [[54, 67]], "IP_ADDRESS: 192.51.237.114": [[70, 84]], "IP_ADDRESS: 172.206.82.73": [[87, 100]], "DOMAIN: updatebackup.live": [[103, 120]], "DOMAIN: auth-cloud.com": [[123, 137]], "URL: hxxp://backupdata.org/api/v2/auth": [[146, 179]], "URL: https://mailportal.live/api/v2/auth": [[182, 217]], "EMAIL: account@secure-verify.net": [[235, 260]], "EMAIL: security@credential-check.site": [[263, 293]], "HASH: 2cd488bb63a988ae9c8c029834e01204e97499b657da48bc01dd61a44aab7683": [[321, 385]], "HASH: 0fdaa964028c5ef9893258ca8e6687d66245a61b": [[394, 434]], "FILEPATH: /etc/cron.d/implant.so": [[448, 470]]}, "info": {"id": "synth_v2_01399", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Dridex Campaign:\nNetwork Indicators:\n- 15.11.125.70\n- 172.138.101.187\n- 172.195.240.76\n- storage-cloud.site\n- storage-api.dev\nURLs:\n- https://cloud-auth.net/portal/verify\n- hxxps://api-auth.cc/admin/config\nEmail Senders:\n- noreply@phishing-domain.com\n- service@phishing-domain.com\nFile 
Indicators:\n- SHA1: ec8f50f73d21959c7c1d802044c6b3c44a05e6bf\n- SHA1: 0ed895e221c456b294ec10d904863c084d885ff4\n- Drop path: /dev/shm/taskhost.exe", "spans": {"MALWARE: Dridex": [[15, 21]], "IP_ADDRESS: 15.11.125.70": [[54, 66]], "IP_ADDRESS: 172.138.101.187": [[69, 84]], "IP_ADDRESS: 172.195.240.76": [[87, 101]], "DOMAIN: storage-cloud.site": [[104, 122]], "DOMAIN: storage-api.dev": [[125, 140]], "URL: https://cloud-auth.net/portal/verify": [[149, 185]], "URL: hxxps://api-auth.cc/admin/config": [[188, 220]], "EMAIL: noreply@phishing-domain.com": [[238, 265]], "EMAIL: service@phishing-domain.com": [[268, 295]], "HASH: ec8f50f73d21959c7c1d802044c6b3c44a05e6bf": [[321, 361]], "HASH: 0ed895e221c456b294ec10d904863c084d885ff4": [[370, 410]], "FILEPATH: /dev/shm/taskhost.exe": [[424, 445]]}, "info": {"id": "synth_v2_01400", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - BumbleBee Campaign:\nNetwork Indicators:\n- 167.104.27.201\n- 172.65.90.20\n- 68.83.217.201\n- datamail.live\n- edge-sync.top\nURLs:\n- http://authauth.live/api/v2/auth\n- https://staticcache.club/portal/verify\nEmail Senders:\n- noreply@identity-verify.cc\n- info@urgent-notice.online\nFile Indicators:\n- SHA256: 96f2e45988e93519918863358d3185ffbc7562bf16fb8acfbcbb4a8e02aca8f1\n- MD5: 9645c5e0d11f3dc6b4212e052815cf95\n- Drop path: /usr/local/bin/winlogon.exe", "spans": {"MALWARE: BumbleBee": [[15, 24]], "IP_ADDRESS: 167.104.27.201": [[57, 71]], "IP_ADDRESS: 172.65.90.20": [[74, 86]], "IP_ADDRESS: 68.83.217.201": [[89, 102]], "DOMAIN: datamail.live": [[105, 118]], "DOMAIN: edge-sync.top": [[121, 134]], "URL: http://authauth.live/api/v2/auth": [[143, 175]], "URL: https://staticcache.club/portal/verify": [[178, 216]], "EMAIL: noreply@identity-verify.cc": [[234, 260]], "EMAIL: info@urgent-notice.online": [[263, 288]], "HASH: 96f2e45988e93519918863358d3185ffbc7562bf16fb8acfbcbb4a8e02aca8f1": [[316, 380]], "HASH: 9645c5e0d11f3dc6b4212e052815cf95": [[388, 420]], "FILEPATH: /usr/local/bin/winlogon.exe": 
[[434, 461]]}, "info": {"id": "synth_v2_01401", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - RemcosRAT Campaign:\nNetwork Indicators:\n- 172.162.78.103\n- 192.188.30.137\n- 172.159.16.47\n- login-cloud.tech\n- cachedata.live\nURLs:\n- hxxp://cloud-storage.dev/panel/index.html\n- http://storage-update.dev/secure/token\nEmail Senders:\n- support@credential-check.site\n- account@secure-verify.net\nFile Indicators:\n- MD5: 051a99b2523d33b2f09c8f908c5f1df6\n- SHA1: 6a5e08da90dbe4fdc09e1a16fcee1198b8780dbc\n- Drop path: C:\\Windows\\Tasks\\runtime.dll", "spans": {"MALWARE: RemcosRAT": [[15, 24]], "IP_ADDRESS: 172.162.78.103": [[57, 71]], "IP_ADDRESS: 192.188.30.137": [[74, 88]], "IP_ADDRESS: 172.159.16.47": [[91, 104]], "DOMAIN: login-cloud.tech": [[107, 123]], "DOMAIN: cachedata.live": [[126, 140]], "URL: hxxp://cloud-storage.dev/panel/index.html": [[149, 190]], "URL: http://storage-update.dev/secure/token": [[193, 231]], "EMAIL: support@credential-check.site": [[249, 278]], "EMAIL: account@secure-verify.net": [[281, 306]], "HASH: 051a99b2523d33b2f09c8f908c5f1df6": [[331, 363]], "HASH: 6a5e08da90dbe4fdc09e1a16fcee1198b8780dbc": [[372, 412]], "FILEPATH: C:\\Windows\\Tasks\\runtime.dll": [[426, 454]]}, "info": {"id": "synth_v2_01402", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - RedLine Stealer Campaign:\nNetwork Indicators:\n- 202.150.67.92\n- 172.242.252.126\n- 65.146.140.145\n- synccache.xyz\n- backup-gateway.info\nURLs:\n- hxxp://updateportal.cc/callback\n- http://edgegateway.org/secure/token\nEmail Senders:\n- it@login-portal.tech\n- verify@credential-check.site\nFile Indicators:\n- SHA256: 0a4aa16f727d7fa4c357f6ed7230738c723cae0bbfb91fa895f878e768cbdf40\n- SHA256: 308615cb4494e967db13a67299fe83f77b8a6dc4aa54c56b8d1d4f2d34155676\n- Drop path: /var/tmp/dropper.ps1", "spans": {"MALWARE: RedLine Stealer": [[15, 30]], "IP_ADDRESS: 202.150.67.92": [[63, 76]], "IP_ADDRESS: 172.242.252.126": [[79, 94]], "IP_ADDRESS: 65.146.140.145": [[97, 111]], "DOMAIN: 
synccache.xyz": [[114, 127]], "DOMAIN: backup-gateway.info": [[130, 149]], "URL: hxxp://updateportal.cc/callback": [[158, 189]], "URL: http://edgegateway.org/secure/token": [[192, 227]], "EMAIL: it@login-portal.tech": [[245, 265]], "EMAIL: verify@credential-check.site": [[268, 296]], "HASH: 0a4aa16f727d7fa4c357f6ed7230738c723cae0bbfb91fa895f878e768cbdf40": [[324, 388]], "HASH: 308615cb4494e967db13a67299fe83f77b8a6dc4aa54c56b8d1d4f2d34155676": [[399, 463]], "FILEPATH: /var/tmp/dropper.ps1": [[477, 497]]}, "info": {"id": "synth_v2_01403", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - AgentTesla Campaign:\nNetwork Indicators:\n- 168.194.10.150\n- 10.62.11.227\n- 7.239.80.221\n- syncmail.club\n- static-gateway.com\nURLs:\n- hxxp://cache-static.live/download/update.exe\n- hxxp://relayupdate.online/callback\nEmail Senders:\n- noreply@auth-check.org\n- alert@credential-check.site\nFile Indicators:\n- SHA256: 6c6fecbbba8e40f6d71068ccdd6ee1871b5cb5b4615fe9c612372c9a8e9ea663\n- MD5: 0c93c16d3a70c1cc806203890d0c4385\n- Drop path: /home/user/.config/runtime.dll", "spans": {"MALWARE: AgentTesla": [[15, 25]], "IP_ADDRESS: 168.194.10.150": [[58, 72]], "IP_ADDRESS: 10.62.11.227": [[75, 87]], "IP_ADDRESS: 7.239.80.221": [[90, 102]], "DOMAIN: syncmail.club": [[105, 118]], "DOMAIN: static-gateway.com": [[121, 139]], "URL: hxxp://cache-static.live/download/update.exe": [[148, 192]], "URL: hxxp://relayupdate.online/callback": [[195, 229]], "EMAIL: noreply@auth-check.org": [[247, 269]], "EMAIL: alert@credential-check.site": [[272, 299]], "HASH: 6c6fecbbba8e40f6d71068ccdd6ee1871b5cb5b4615fe9c612372c9a8e9ea663": [[327, 391]], "HASH: 0c93c16d3a70c1cc806203890d0c4385": [[399, 431]], "FILEPATH: /home/user/.config/runtime.dll": [[445, 475]]}, "info": {"id": "synth_v2_01404", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Conti Campaign:\nNetwork Indicators:\n- 199.29.111.34\n- 16.118.152.64\n- 69.79.235.143\n- logindata.site\n- proxy-cache.dev\nURLs:\n- 
https://syncstorage.dev/collect\n- http://staticmail.live/assets/js/payload.js\nEmail Senders:\n- account@secure-verify.net\n- security@credential-check.site\nFile Indicators:\n- MD5: 9e0067f7297246fdc5f3fbd7ebae8a96\n- SHA1: fbde1d680f9c15e1a0425fa6709f14d41f3b07ae\n- Drop path: /tmp/taskhost.exe", "spans": {"MALWARE: Conti": [[15, 20]], "IP_ADDRESS: 199.29.111.34": [[53, 66]], "IP_ADDRESS: 16.118.152.64": [[69, 82]], "IP_ADDRESS: 69.79.235.143": [[85, 98]], "DOMAIN: logindata.site": [[101, 115]], "DOMAIN: proxy-cache.dev": [[118, 133]], "URL: https://syncstorage.dev/collect": [[142, 173]], "URL: http://staticmail.live/assets/js/payload.js": [[176, 219]], "EMAIL: account@secure-verify.net": [[237, 262]], "EMAIL: security@credential-check.site": [[265, 295]], "HASH: 9e0067f7297246fdc5f3fbd7ebae8a96": [[320, 352]], "HASH: fbde1d680f9c15e1a0425fa6709f14d41f3b07ae": [[361, 401]], "FILEPATH: /tmp/taskhost.exe": [[415, 432]]}, "info": {"id": "synth_v2_01405", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Qbot Campaign:\nNetwork Indicators:\n- 175.73.224.187\n- 192.117.67.218\n- 192.143.12.42\n- static-cloud.site\n- proxy-portal.net\nURLs:\n- https://updatesync.com/assets/js/payload.js\n- hxxps://storagemail.net/download/update.exe\nEmail Senders:\n- confirm@identity-verify.cc\n- helpdesk@urgent-notice.online\nFile Indicators:\n- MD5: 5cb18d679a4bf76b5a1e7a2f30dcb15a\n- MD5: 7f4f4c47383272809dca376dcf235946\n- Drop path: C:\\ProgramData\\taskhost.exe", "spans": {"MALWARE: Qbot": [[15, 19]], "IP_ADDRESS: 175.73.224.187": [[52, 66]], "IP_ADDRESS: 192.117.67.218": [[69, 83]], "IP_ADDRESS: 192.143.12.42": [[86, 99]], "DOMAIN: static-cloud.site": [[102, 119]], "DOMAIN: proxy-portal.net": [[122, 138]], "URL: https://updatesync.com/assets/js/payload.js": [[147, 190]], "URL: hxxps://storagemail.net/download/update.exe": [[193, 236]], "EMAIL: confirm@identity-verify.cc": [[254, 280]], "EMAIL: helpdesk@urgent-notice.online": [[283, 312]], "HASH: 
5cb18d679a4bf76b5a1e7a2f30dcb15a": [[337, 369]], "HASH: 7f4f4c47383272809dca376dcf235946": [[377, 409]], "FILEPATH: C:\\ProgramData\\taskhost.exe": [[423, 450]]}, "info": {"id": "synth_v2_01406", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - TrickBot Campaign:\nNetwork Indicators:\n- 2.69.67.137\n- 10.244.149.174\n- 151.182.86.204\n- relay-gateway.online\n- syncsecure.xyz\nURLs:\n- hxxp://synccloud.dev/admin/config\n- http://cloudlogin.club/panel/index.html\nEmail Senders:\n- billing@document-share.link\n- contact@document-share.link\nFile Indicators:\n- SHA1: fe68e8b07c51a1e79b5992a28abeb51620eb030e\n- SHA256: 26232a6d33f117767ee0d2b066b2f550ddbb28cf0097ad2ead2e778a0bfa815f\n- Drop path: C:\\Users\\admin\\Downloads\\chrome_helper.exe", "spans": {"MALWARE: TrickBot": [[15, 23]], "IP_ADDRESS: 2.69.67.137": [[56, 67]], "IP_ADDRESS: 10.244.149.174": [[70, 84]], "IP_ADDRESS: 151.182.86.204": [[87, 101]], "DOMAIN: relay-gateway.online": [[104, 124]], "DOMAIN: syncsecure.xyz": [[127, 141]], "URL: hxxp://synccloud.dev/admin/config": [[150, 183]], "URL: http://cloudlogin.club/panel/index.html": [[186, 225]], "EMAIL: billing@document-share.link": [[243, 270]], "EMAIL: contact@document-share.link": [[273, 300]], "HASH: fe68e8b07c51a1e79b5992a28abeb51620eb030e": [[326, 366]], "HASH: 26232a6d33f117767ee0d2b066b2f550ddbb28cf0097ad2ead2e778a0bfa815f": [[377, 441]], "FILEPATH: C:\\Users\\admin\\Downloads\\chrome_helper.exe": [[455, 497]]}, "info": {"id": "synth_v2_01407", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - AgentTesla Campaign:\nNetwork Indicators:\n- 10.6.70.98\n- 172.225.84.18\n- 50.128.197.245\n- storagecloud.live\n- apimail.dev\nURLs:\n- hxxp://auth-update.tech/login\n- hxxp://api-edge.online/login\nEmail Senders:\n- notification@auth-check.org\n- support@credential-check.site\nFile Indicators:\n- MD5: 55bf2caa24753bb78545a256d07f7df6\n- MD5: 823c55e38fb689af79d69524ac7a97e2\n- Drop path: /tmp/helper.sh", "spans": {"MALWARE: AgentTesla": [[15, 25]], 
"IP_ADDRESS: 10.6.70.98": [[58, 68]], "IP_ADDRESS: 172.225.84.18": [[71, 84]], "IP_ADDRESS: 50.128.197.245": [[87, 101]], "DOMAIN: storagecloud.live": [[104, 121]], "DOMAIN: apimail.dev": [[124, 135]], "URL: hxxp://auth-update.tech/login": [[144, 173]], "URL: hxxp://api-edge.online/login": [[176, 204]], "EMAIL: notification@auth-check.org": [[222, 249]], "EMAIL: support@credential-check.site": [[252, 281]], "HASH: 55bf2caa24753bb78545a256d07f7df6": [[306, 338]], "HASH: 823c55e38fb689af79d69524ac7a97e2": [[346, 378]], "FILEPATH: /tmp/helper.sh": [[392, 406]]}, "info": {"id": "synth_v2_01408", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - ShadowPad Campaign:\nNetwork Indicators:\n- 218.116.53.252\n- 192.243.98.228\n- 22.159.174.14\n- relay-mail.cc\n- node-login.site\nURLs:\n- http://update-static.com/download/update.exe\n- http://update-edge.top/api/v2/auth\nEmail Senders:\n- security@secure-verify.net\n- account@document-share.link\nFile Indicators:\n- SHA1: deb54670cc483f3519b249a1e1e31f3c92152dc4\n- SHA1: ec816554fef3b2ff7e8b8073aabaacb22c856483\n- Drop path: /usr/local/bin/csrss.exe", "spans": {"MALWARE: ShadowPad": [[15, 24]], "IP_ADDRESS: 218.116.53.252": [[57, 71]], "IP_ADDRESS: 192.243.98.228": [[74, 88]], "IP_ADDRESS: 22.159.174.14": [[91, 104]], "DOMAIN: relay-mail.cc": [[107, 120]], "DOMAIN: node-login.site": [[123, 138]], "URL: http://update-static.com/download/update.exe": [[147, 191]], "URL: http://update-edge.top/api/v2/auth": [[194, 228]], "EMAIL: security@secure-verify.net": [[246, 272]], "EMAIL: account@document-share.link": [[275, 302]], "HASH: deb54670cc483f3519b249a1e1e31f3c92152dc4": [[328, 368]], "HASH: ec816554fef3b2ff7e8b8073aabaacb22c856483": [[377, 417]], "FILEPATH: /usr/local/bin/csrss.exe": [[431, 455]]}, "info": {"id": "synth_v2_01409", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - DarkSide Campaign:\nNetwork Indicators:\n- 192.165.211.198\n- 10.120.107.20\n- 208.237.179.30\n- mailrelay.link\n- cloud-secure.xyz\nURLs:\n- 
https://gateway-update.dev/api/v2/auth\n- https://storageupdate.org/api/v2/auth\nEmail Senders:\n- helpdesk@phishing-domain.com\n- support@credential-check.site\nFile Indicators:\n- SHA256: dfb1915e383c3ff3b8ff043e0869d55f397a9fac03ecb6963c95f9cbb9da1d11\n- SHA1: 632b5fcc182fe43e9621d3fcb46d85b4136d101e\n- Drop path: C:\\Program Files\\Common Files\\beacon.dll", "spans": {"MALWARE: DarkSide": [[15, 23]], "IP_ADDRESS: 192.165.211.198": [[56, 71]], "IP_ADDRESS: 10.120.107.20": [[74, 87]], "IP_ADDRESS: 208.237.179.30": [[90, 104]], "DOMAIN: mailrelay.link": [[107, 121]], "DOMAIN: cloud-secure.xyz": [[124, 140]], "URL: https://gateway-update.dev/api/v2/auth": [[149, 187]], "URL: https://storageupdate.org/api/v2/auth": [[190, 227]], "EMAIL: helpdesk@phishing-domain.com": [[245, 273]], "EMAIL: support@credential-check.site": [[276, 305]], "HASH: dfb1915e383c3ff3b8ff043e0869d55f397a9fac03ecb6963c95f9cbb9da1d11": [[333, 397]], "HASH: 632b5fcc182fe43e9621d3fcb46d85b4136d101e": [[406, 446]], "FILEPATH: C:\\Program Files\\Common Files\\beacon.dll": [[460, 500]]}, "info": {"id": "synth_v2_01410", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - AgentTesla Campaign:\nNetwork Indicators:\n- 84.174.173.244\n- 192.173.49.78\n- 12.151.224.46\n- portal-gateway.cc\n- portallogin.online\nURLs:\n- hxxps://storageauth.io/portal/verify\n- hxxp://cdn-backup.link/admin/config\nEmail Senders:\n- confirm@mail-service.info\n- ceo@phishing-domain.com\nFile Indicators:\n- SHA256: 9440ba3edf5b3390613c179299461272f259412aeab57ee8ba8f101b69cf9d84\n- SHA1: 6e3179959ea843208ac96e8fbee9db114307df65\n- Drop path: /usr/local/bin/lsass.dmp", "spans": {"MALWARE: AgentTesla": [[15, 25]], "IP_ADDRESS: 84.174.173.244": [[58, 72]], "IP_ADDRESS: 192.173.49.78": [[75, 88]], "IP_ADDRESS: 12.151.224.46": [[91, 104]], "DOMAIN: portal-gateway.cc": [[107, 124]], "DOMAIN: portallogin.online": [[127, 145]], "URL: hxxps://storageauth.io/portal/verify": [[154, 190]], "URL: hxxp://cdn-backup.link/admin/config": 
[[193, 228]], "EMAIL: confirm@mail-service.info": [[246, 271]], "EMAIL: ceo@phishing-domain.com": [[274, 297]], "HASH: 9440ba3edf5b3390613c179299461272f259412aeab57ee8ba8f101b69cf9d84": [[325, 389]], "HASH: 6e3179959ea843208ac96e8fbee9db114307df65": [[398, 438]], "FILEPATH: /usr/local/bin/lsass.dmp": [[452, 476]]}, "info": {"id": "synth_v2_01411", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - LockBit Campaign:\nNetwork Indicators:\n- 172.197.133.170\n- 172.103.146.28\n- 201.193.229.66\n- relay-edge.dev\n- cachenode.club\nURLs:\n- hxxps://relaysync.cc/api/v2/auth\n- hxxp://portal-gateway.online/callback\nEmail Senders:\n- finance@secure-verify.net\n- account@credential-check.site\nFile Indicators:\n- SHA1: 69d5106c76d9e5adcb1642f7f64fd98eb2d6ca3f\n- MD5: 6c882e4fb7d3a25b8f7d63ce3afc95b6\n- Drop path: /var/tmp/shell.php", "spans": {"MALWARE: LockBit": [[15, 22]], "IP_ADDRESS: 172.197.133.170": [[55, 70]], "IP_ADDRESS: 172.103.146.28": [[73, 87]], "IP_ADDRESS: 201.193.229.66": [[90, 104]], "DOMAIN: relay-edge.dev": [[107, 121]], "DOMAIN: cachenode.club": [[124, 138]], "URL: hxxps://relaysync.cc/api/v2/auth": [[147, 179]], "URL: hxxp://portal-gateway.online/callback": [[182, 219]], "EMAIL: finance@secure-verify.net": [[237, 262]], "EMAIL: account@credential-check.site": [[265, 294]], "HASH: 69d5106c76d9e5adcb1642f7f64fd98eb2d6ca3f": [[320, 360]], "HASH: 6c882e4fb7d3a25b8f7d63ce3afc95b6": [[368, 400]], "FILEPATH: /var/tmp/shell.php": [[414, 432]]}, "info": {"id": "synth_v2_01412", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - PlugX Campaign:\nNetwork Indicators:\n- 56.232.242.14\n- 10.142.108.225\n- 172.136.182.174\n- sync-data.dev\n- edgeupdate.info\nURLs:\n- hxxp://cdnproxy.top/callback\n- http://apinode.live/secure/token\nEmail Senders:\n- service@document-share.link\n- security@identity-verify.cc\nFile Indicators:\n- MD5: bc24f36c03e01f9f80578817e81957e3\n- SHA256: d5acfa97c7acb53dcc1b0ab551b5f133e2b575284dafcbd81613d084608d11ad\n- Drop path: 
C:\\Windows\\System32\\update.dll", "spans": {"MALWARE: PlugX": [[15, 20]], "IP_ADDRESS: 56.232.242.14": [[53, 66]], "IP_ADDRESS: 10.142.108.225": [[69, 83]], "IP_ADDRESS: 172.136.182.174": [[86, 101]], "DOMAIN: sync-data.dev": [[104, 117]], "DOMAIN: edgeupdate.info": [[120, 135]], "URL: hxxp://cdnproxy.top/callback": [[144, 172]], "URL: http://apinode.live/secure/token": [[175, 207]], "EMAIL: service@document-share.link": [[225, 252]], "EMAIL: security@identity-verify.cc": [[255, 282]], "HASH: bc24f36c03e01f9f80578817e81957e3": [[307, 339]], "HASH: d5acfa97c7acb53dcc1b0ab551b5f133e2b575284dafcbd81613d084608d11ad": [[350, 414]], "FILEPATH: C:\\Windows\\System32\\update.dll": [[428, 458]]}, "info": {"id": "synth_v2_01413", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Play Campaign:\nNetwork Indicators:\n- 172.106.175.199\n- 31.72.186.100\n- 48.37.79.219\n- update-update.io\n- relaynode.live\nURLs:\n- https://mail-data.org/download/update.exe\n- hxxps://portalportal.com/collect\nEmail Senders:\n- confirm@phishing-domain.com\n- ceo@credential-check.site\nFile Indicators:\n- SHA1: b84fe35e65346699b2f5359604602bbeecb06fe7\n- MD5: 99661b1b8e3d254323eb0c86d886d658\n- Drop path: /tmp/ntds.dit", "spans": {"MALWARE: Play": [[15, 19]], "IP_ADDRESS: 172.106.175.199": [[52, 67]], "IP_ADDRESS: 31.72.186.100": [[70, 83]], "IP_ADDRESS: 48.37.79.219": [[86, 98]], "DOMAIN: update-update.io": [[101, 117]], "DOMAIN: relaynode.live": [[120, 134]], "URL: https://mail-data.org/download/update.exe": [[143, 184]], "URL: hxxps://portalportal.com/collect": [[187, 219]], "EMAIL: confirm@phishing-domain.com": [[237, 264]], "EMAIL: ceo@credential-check.site": [[267, 292]], "HASH: b84fe35e65346699b2f5359604602bbeecb06fe7": [[318, 358]], "HASH: 99661b1b8e3d254323eb0c86d886d658": [[366, 398]], "FILEPATH: /tmp/ntds.dit": [[412, 425]]}, "info": {"id": "synth_v2_01414", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - StealC Campaign:\nNetwork Indicators:\n- 192.105.15.52\n- 
19.125.207.87\n- 10.165.222.188\n- staticstatic.live\n- relayupdate.club\nURLs:\n- https://cdnupdate.online/callback\n- http://sync-data.xyz/login\nEmail Senders:\n- support@mail-service.info\n- notification@secure-verify.net\nFile Indicators:\n- MD5: 28f8f6f55196d13d79552700a9a2959a\n- SHA256: f6847a0dbed71b6c728a3eb3fcbb9112a58131cf6dc4ed99296c03166e27f4f3\n- Drop path: /dev/shm/agent.py", "spans": {"MALWARE: StealC": [[15, 21]], "IP_ADDRESS: 192.105.15.52": [[54, 67]], "IP_ADDRESS: 19.125.207.87": [[70, 83]], "IP_ADDRESS: 10.165.222.188": [[86, 100]], "DOMAIN: staticstatic.live": [[103, 120]], "DOMAIN: relayupdate.club": [[123, 139]], "URL: https://cdnupdate.online/callback": [[148, 181]], "URL: http://sync-data.xyz/login": [[184, 210]], "EMAIL: support@mail-service.info": [[228, 253]], "EMAIL: notification@secure-verify.net": [[256, 286]], "HASH: 28f8f6f55196d13d79552700a9a2959a": [[311, 343]], "HASH: f6847a0dbed71b6c728a3eb3fcbb9112a58131cf6dc4ed99296c03166e27f4f3": [[354, 418]], "FILEPATH: /dev/shm/agent.py": [[432, 449]]}, "info": {"id": "synth_v2_01415", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Gootloader Campaign:\nNetwork Indicators:\n- 172.224.42.170\n- 62.234.223.48\n- 172.244.250.205\n- updatestorage.info\n- nodegateway.site\nURLs:\n- http://backup-edge.club/portal/verify\n- https://sync-secure.online/wp-content/uploads/doc.php\nEmail Senders:\n- info@mail-service.info\n- alert@document-share.link\nFile Indicators:\n- SHA256: 6f0eec3b56e615ce6c2c3b2e641ae5c508b67bd12ba90a503ab2ab2d91a145d5\n- SHA1: face70133b9a466129224ca195fa53c9e3f4c8a1\n- Drop path: /dev/shm/config.dat", "spans": {"MALWARE: Gootloader": [[15, 25]], "IP_ADDRESS: 172.224.42.170": [[58, 72]], "IP_ADDRESS: 62.234.223.48": [[75, 88]], "IP_ADDRESS: 172.244.250.205": [[91, 106]], "DOMAIN: updatestorage.info": [[109, 127]], "DOMAIN: nodegateway.site": [[130, 146]], "URL: http://backup-edge.club/portal/verify": [[155, 192]], "URL: 
https://sync-secure.online/wp-content/uploads/doc.php": [[195, 248]], "EMAIL: info@mail-service.info": [[266, 288]], "EMAIL: alert@document-share.link": [[291, 316]], "HASH: 6f0eec3b56e615ce6c2c3b2e641ae5c508b67bd12ba90a503ab2ab2d91a145d5": [[344, 408]], "HASH: face70133b9a466129224ca195fa53c9e3f4c8a1": [[417, 457]], "FILEPATH: /dev/shm/config.dat": [[471, 490]]}, "info": {"id": "synth_v2_01416", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - FormBook Campaign:\nNetwork Indicators:\n- 192.132.88.22\n- 10.104.112.148\n- 10.160.12.4\n- authcloud.live\n- update-backup.club\nURLs:\n- http://mailgateway.online/api/v2/auth\n- http://syncauth.club/admin/config\nEmail Senders:\n- service@identity-verify.cc\n- admin@mail-service.info\nFile Indicators:\n- MD5: 5c77fb3c6ffa667e66e610c7eee271a4\n- SHA1: 2c292a41f640b16c4934e115a8493109dcc83cfe\n- Drop path: /opt/app/bin/ntds.dit", "spans": {"MALWARE: FormBook": [[15, 23]], "IP_ADDRESS: 192.132.88.22": [[56, 69]], "IP_ADDRESS: 10.104.112.148": [[72, 86]], "IP_ADDRESS: 10.160.12.4": [[89, 100]], "DOMAIN: authcloud.live": [[103, 117]], "DOMAIN: update-backup.club": [[120, 138]], "URL: http://mailgateway.online/api/v2/auth": [[147, 184]], "URL: http://syncauth.club/admin/config": [[187, 220]], "EMAIL: service@identity-verify.cc": [[238, 264]], "EMAIL: admin@mail-service.info": [[267, 290]], "HASH: 5c77fb3c6ffa667e66e610c7eee271a4": [[315, 347]], "HASH: 2c292a41f640b16c4934e115a8493109dcc83cfe": [[356, 396]], "FILEPATH: /opt/app/bin/ntds.dit": [[410, 431]]}, "info": {"id": "synth_v2_01417", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Latrodectus Campaign:\nNetwork Indicators:\n- 192.43.50.103\n- 95.225.205.126\n- 193.204.190.210\n- gatewayportal.site\n- proxyportal.com\nURLs:\n- https://update-node.top/admin/config\n- https://cache-gateway.info/secure/token\nEmail Senders:\n- security@secure-verify.net\n- verify@auth-check.org\nFile Indicators:\n- SHA1: 1a69fa1df9c84cd5c8854e75f7b92a8da68083da\n- MD5: 
2ef6bc7ac3d5b6d1862ed6a1320e4b96\n- Drop path: C:\\Users\\admin\\AppData\\Local\\Temp\\agent.py", "spans": {"MALWARE: Latrodectus": [[15, 26]], "IP_ADDRESS: 192.43.50.103": [[59, 72]], "IP_ADDRESS: 95.225.205.126": [[75, 89]], "IP_ADDRESS: 193.204.190.210": [[92, 107]], "DOMAIN: gatewayportal.site": [[110, 128]], "DOMAIN: proxyportal.com": [[131, 146]], "URL: https://update-node.top/admin/config": [[155, 191]], "URL: https://cache-gateway.info/secure/token": [[194, 233]], "EMAIL: security@secure-verify.net": [[251, 277]], "EMAIL: verify@auth-check.org": [[280, 301]], "HASH: 1a69fa1df9c84cd5c8854e75f7b92a8da68083da": [[327, 367]], "HASH: 2ef6bc7ac3d5b6d1862ed6a1320e4b96": [[375, 407]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\agent.py": [[421, 463]]}, "info": {"id": "synth_v2_01418", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - DanaBot Campaign:\nNetwork Indicators:\n- 136.68.249.37\n- 93.153.141.37\n- 10.220.39.176\n- cdngateway.dev\n- static-edge.online\nURLs:\n- http://synccdn.com/gate.php\n- http://backup-gateway.live/wp-content/uploads/doc.php\nEmail Senders:\n- notification@phishing-domain.com\n- helpdesk@account-update.xyz\nFile Indicators:\n- SHA1: a775d55e113fbf45d0c1c23024b33e1b8d311a62\n- SHA256: 29840b734af86993d19545d75a2a799d62e27c2eebba15a8ca0b8eb4d599822a\n- Drop path: C:\\ProgramData\\backdoor.elf", "spans": {"MALWARE: DanaBot": [[15, 22]], "IP_ADDRESS: 136.68.249.37": [[55, 68]], "IP_ADDRESS: 93.153.141.37": [[71, 84]], "IP_ADDRESS: 10.220.39.176": [[87, 100]], "DOMAIN: cdngateway.dev": [[103, 117]], "DOMAIN: static-edge.online": [[120, 138]], "URL: http://synccdn.com/gate.php": [[147, 174]], "URL: http://backup-gateway.live/wp-content/uploads/doc.php": [[177, 230]], "EMAIL: notification@phishing-domain.com": [[248, 280]], "EMAIL: helpdesk@account-update.xyz": [[283, 310]], "HASH: a775d55e113fbf45d0c1c23024b33e1b8d311a62": [[336, 376]], "HASH: 29840b734af86993d19545d75a2a799d62e27c2eebba15a8ca0b8eb4d599822a": [[387, 451]], 
"FILEPATH: C:\\ProgramData\\backdoor.elf": [[465, 492]]}, "info": {"id": "synth_v2_01419", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - BumbleBee Campaign:\nNetwork Indicators:\n- 10.45.97.146\n- 10.10.40.28\n- 192.134.10.103\n- syncnode.io\n- storagenode.online\nURLs:\n- http://backup-mail.org/api/v2/auth\n- http://apisync.xyz/collect\nEmail Senders:\n- updates@mail-service.info\n- it@credential-check.site\nFile Indicators:\n- MD5: fff247031ec7bd8e09b2bdfeed816ee2\n- MD5: 58fffedd9d9f1a954694d4d13470f228\n- Drop path: /tmp/winlogon.exe", "spans": {"MALWARE: BumbleBee": [[15, 24]], "IP_ADDRESS: 10.45.97.146": [[57, 69]], "IP_ADDRESS: 10.10.40.28": [[72, 83]], "IP_ADDRESS: 192.134.10.103": [[86, 100]], "DOMAIN: syncnode.io": [[103, 114]], "DOMAIN: storagenode.online": [[117, 135]], "URL: http://backup-mail.org/api/v2/auth": [[144, 178]], "URL: http://apisync.xyz/collect": [[181, 207]], "EMAIL: updates@mail-service.info": [[225, 250]], "EMAIL: it@credential-check.site": [[253, 277]], "HASH: fff247031ec7bd8e09b2bdfeed816ee2": [[302, 334]], "HASH: 58fffedd9d9f1a954694d4d13470f228": [[342, 374]], "FILEPATH: /tmp/winlogon.exe": [[388, 405]]}, "info": {"id": "synth_v2_01420", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - IcedID Campaign:\nNetwork Indicators:\n- 147.102.233.183\n- 192.123.168.90\n- 109.221.126.169\n- edge-cache.tech\n- syncapi.online\nURLs:\n- hxxps://storage-portal.dev/assets/js/payload.js\n- hxxps://static-static.club/assets/js/payload.js\nEmail Senders:\n- contact@account-update.xyz\n- hr@identity-verify.cc\nFile Indicators:\n- SHA1: c1f5adb3899ea694523d44b79e7bf6787a8dd5e3\n- SHA1: de427e1805919c3cb7968b63461be6a6d3368e89\n- Drop path: /home/user/.config/beacon.dll", "spans": {"MALWARE: IcedID": [[15, 21]], "IP_ADDRESS: 147.102.233.183": [[54, 69]], "IP_ADDRESS: 192.123.168.90": [[72, 86]], "IP_ADDRESS: 109.221.126.169": [[89, 104]], "DOMAIN: edge-cache.tech": [[107, 122]], "DOMAIN: syncapi.online": [[125, 139]], "URL: 
hxxps://storage-portal.dev/assets/js/payload.js": [[148, 195]], "URL: hxxps://static-static.club/assets/js/payload.js": [[198, 245]], "EMAIL: contact@account-update.xyz": [[263, 289]], "EMAIL: hr@identity-verify.cc": [[292, 313]], "HASH: c1f5adb3899ea694523d44b79e7bf6787a8dd5e3": [[339, 379]], "HASH: de427e1805919c3cb7968b63461be6a6d3368e89": [[388, 428]], "FILEPATH: /home/user/.config/beacon.dll": [[442, 471]]}, "info": {"id": "synth_v2_01421", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - FormBook Campaign:\nNetwork Indicators:\n- 192.100.201.206\n- 36.220.185.215\n- 172.234.97.112\n- cachestatic.dev\n- api-update.org\nURLs:\n- https://static-cdn.top/assets/js/payload.js\n- http://update-cloud.io/download/update.exe\nEmail Senders:\n- alert@account-update.xyz\n- alert@auth-check.org\nFile Indicators:\n- SHA1: 23dc382b600a69f4ef7bcb10b99a5ac3b6e8a490\n- MD5: c3318098c6d5d76e6febb40abef2dc59\n- Drop path: C:\\ProgramData\\shell.php", "spans": {"MALWARE: FormBook": [[15, 23]], "IP_ADDRESS: 192.100.201.206": [[56, 71]], "IP_ADDRESS: 36.220.185.215": [[74, 88]], "IP_ADDRESS: 172.234.97.112": [[91, 105]], "DOMAIN: cachestatic.dev": [[108, 123]], "DOMAIN: api-update.org": [[126, 140]], "URL: https://static-cdn.top/assets/js/payload.js": [[149, 192]], "URL: http://update-cloud.io/download/update.exe": [[195, 237]], "EMAIL: alert@account-update.xyz": [[255, 279]], "EMAIL: alert@auth-check.org": [[282, 302]], "HASH: 23dc382b600a69f4ef7bcb10b99a5ac3b6e8a490": [[328, 368]], "HASH: c3318098c6d5d76e6febb40abef2dc59": [[376, 408]], "FILEPATH: C:\\ProgramData\\shell.php": [[422, 446]]}, "info": {"id": "synth_v2_01422", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Cobalt Strike Campaign:\nNetwork Indicators:\n- 91.195.87.212\n- 209.138.213.177\n- 10.18.48.101\n- gatewaygateway.xyz\n- static-cloud.top\nURLs:\n- hxxp://backup-cloud.club/callback\n- hxxps://storage-data.top/portal/verify\nEmail Senders:\n- admin@login-portal.tech\n- support@credential-check.site\nFile 
Indicators:\n- MD5: 279c48cae6018507b8e5ecb11bfaad97\n- SHA256: 6f8f4d12afc7289095d1e60ddd0a81879c035579ac89e0d3bd33181892fe944f\n- Drop path: /opt/app/bin/winlogon.exe", "spans": {"MALWARE: Cobalt Strike": [[15, 28]], "IP_ADDRESS: 91.195.87.212": [[61, 74]], "IP_ADDRESS: 209.138.213.177": [[77, 92]], "IP_ADDRESS: 10.18.48.101": [[95, 107]], "DOMAIN: gatewaygateway.xyz": [[110, 128]], "DOMAIN: static-cloud.top": [[131, 147]], "URL: hxxp://backup-cloud.club/callback": [[156, 189]], "URL: hxxps://storage-data.top/portal/verify": [[192, 230]], "EMAIL: admin@login-portal.tech": [[248, 271]], "EMAIL: support@credential-check.site": [[274, 303]], "HASH: 279c48cae6018507b8e5ecb11bfaad97": [[328, 360]], "HASH: 6f8f4d12afc7289095d1e60ddd0a81879c035579ac89e0d3bd33181892fe944f": [[371, 435]], "FILEPATH: /opt/app/bin/winlogon.exe": [[449, 474]]}, "info": {"id": "synth_v2_01423", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - StealC Campaign:\nNetwork Indicators:\n- 17.140.81.16\n- 172.152.97.193\n- 13.249.143.95\n- static-cloud.club\n- secure-node.com\nURLs:\n- https://updatelogin.info/login\n- hxxps://cloudapi.com/gate.php\nEmail Senders:\n- verify@secure-verify.net\n- confirm@account-update.xyz\nFile Indicators:\n- SHA1: e1949bd3ca1e16e2a6775a72f4314eef026229f9\n- SHA1: c6cb01fffb5ed69a480cef383a7a25570ef39aa8\n- Drop path: /var/tmp/winlogon.exe", "spans": {"MALWARE: StealC": [[15, 21]], "IP_ADDRESS: 17.140.81.16": [[54, 66]], "IP_ADDRESS: 172.152.97.193": [[69, 83]], "IP_ADDRESS: 13.249.143.95": [[86, 99]], "DOMAIN: static-cloud.club": [[102, 119]], "DOMAIN: secure-node.com": [[122, 137]], "URL: https://updatelogin.info/login": [[146, 176]], "URL: hxxps://cloudapi.com/gate.php": [[179, 208]], "EMAIL: verify@secure-verify.net": [[226, 250]], "EMAIL: confirm@account-update.xyz": [[253, 279]], "HASH: e1949bd3ca1e16e2a6775a72f4314eef026229f9": [[305, 345]], "HASH: c6cb01fffb5ed69a480cef383a7a25570ef39aa8": [[354, 394]], "FILEPATH: /var/tmp/winlogon.exe": [[408, 429]]}, 
"info": {"id": "synth_v2_01424", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - BumbleBee Campaign:\nNetwork Indicators:\n- 172.243.112.126\n- 91.175.131.113\n- 17.224.65.114\n- proxydata.tech\n- backupedge.dev\nURLs:\n- http://authsecure.dev/callback\n- hxxp://authstorage.dev/collect\nEmail Senders:\n- billing@document-share.link\n- noreply@document-share.link\nFile Indicators:\n- SHA256: 67778e4a7cc0aa37fc999dcd453d3acc97e4263a659a45f4536a2dc088581cb5\n- MD5: 0957fcf13fb365823854fec6542ee5b4\n- Drop path: /usr/local/bin/config.dat", "spans": {"MALWARE: BumbleBee": [[15, 24]], "IP_ADDRESS: 172.243.112.126": [[57, 72]], "IP_ADDRESS: 91.175.131.113": [[75, 89]], "IP_ADDRESS: 17.224.65.114": [[92, 105]], "DOMAIN: proxydata.tech": [[108, 122]], "DOMAIN: backupedge.dev": [[125, 139]], "URL: http://authsecure.dev/callback": [[148, 178]], "URL: hxxp://authstorage.dev/collect": [[181, 211]], "EMAIL: billing@document-share.link": [[229, 256]], "EMAIL: noreply@document-share.link": [[259, 286]], "HASH: 67778e4a7cc0aa37fc999dcd453d3acc97e4263a659a45f4536a2dc088581cb5": [[314, 378]], "HASH: 0957fcf13fb365823854fec6542ee5b4": [[386, 418]], "FILEPATH: /usr/local/bin/config.dat": [[432, 457]]}, "info": {"id": "synth_v2_01425", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - ShadowPad Campaign:\nNetwork Indicators:\n- 10.35.177.16\n- 10.130.113.163\n- 192.25.223.41\n- staticedge.cc\n- nodesecure.dev\nURLs:\n- hxxps://cloudcloud.club/download/update.exe\n- hxxps://data-relay.dev/assets/js/payload.js\nEmail Senders:\n- report@secure-verify.net\n- noreply@credential-check.site\nFile Indicators:\n- MD5: 49d14e4d50023123f0c4b8306a759d39\n- MD5: 98d302927c57a256df6cd7d7d6a49cc3\n- Drop path: /etc/cron.d/implant.so", "spans": {"MALWARE: ShadowPad": [[15, 24]], "IP_ADDRESS: 10.35.177.16": [[57, 69]], "IP_ADDRESS: 10.130.113.163": [[72, 86]], "IP_ADDRESS: 192.25.223.41": [[89, 102]], "DOMAIN: staticedge.cc": [[105, 118]], "DOMAIN: nodesecure.dev": [[121, 135]], "URL: 
hxxps://cloudcloud.club/download/update.exe": [[144, 187]], "URL: hxxps://data-relay.dev/assets/js/payload.js": [[190, 233]], "EMAIL: report@secure-verify.net": [[251, 275]], "EMAIL: noreply@credential-check.site": [[278, 307]], "HASH: 49d14e4d50023123f0c4b8306a759d39": [[332, 364]], "HASH: 98d302927c57a256df6cd7d7d6a49cc3": [[372, 404]], "FILEPATH: /etc/cron.d/implant.so": [[418, 440]]}, "info": {"id": "synth_v2_01426", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - BumbleBee Campaign:\nNetwork Indicators:\n- 81.236.44.243\n- 206.92.43.203\n- 172.95.90.9\n- storagestatic.net\n- update-sync.live\nURLs:\n- https://synccloud.site/portal/verify\n- http://cloudsecure.club/collect\nEmail Senders:\n- info@mail-service.info\n- noreply@account-update.xyz\nFile Indicators:\n- MD5: df51b52f73b1801c9eba8bb2be452606\n- SHA256: 69a0dd5abe8c25ba6ce737f39bbbcf61cac216ceffe1582f6c7beb586a0d22a9\n- Drop path: C:\\Windows\\Temp\\update.dll", "spans": {"MALWARE: BumbleBee": [[15, 24]], "IP_ADDRESS: 81.236.44.243": [[57, 70]], "IP_ADDRESS: 206.92.43.203": [[73, 86]], "IP_ADDRESS: 172.95.90.9": [[89, 100]], "DOMAIN: storagestatic.net": [[103, 120]], "DOMAIN: update-sync.live": [[123, 139]], "URL: https://synccloud.site/portal/verify": [[148, 184]], "URL: http://cloudsecure.club/collect": [[187, 218]], "EMAIL: info@mail-service.info": [[236, 258]], "EMAIL: noreply@account-update.xyz": [[261, 287]], "HASH: df51b52f73b1801c9eba8bb2be452606": [[312, 344]], "HASH: 69a0dd5abe8c25ba6ce737f39bbbcf61cac216ceffe1582f6c7beb586a0d22a9": [[355, 419]], "FILEPATH: C:\\Windows\\Temp\\update.dll": [[433, 459]]}, "info": {"id": "synth_v2_01427", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - ShadowPad Campaign:\nNetwork Indicators:\n- 10.226.203.184\n- 172.80.236.131\n- 192.228.163.172\n- authcdn.cc\n- cloud-edge.link\nURLs:\n- hxxps://update-cdn.cc/login\n- http://cloudlogin.tech/admin/config\nEmail Senders:\n- verify@credential-check.site\n- ceo@mail-service.info\nFile Indicators:\n- MD5: 
60c186c997456d0731f863b38a7d49df\n- SHA256: 04193e805bde2c1493840fc7ee018e5a1dd4dd47d395b1b0cf6746b27c9ed327\n- Drop path: C:\\Users\\admin\\Desktop\\csrss.exe", "spans": {"MALWARE: ShadowPad": [[15, 24]], "IP_ADDRESS: 10.226.203.184": [[57, 71]], "IP_ADDRESS: 172.80.236.131": [[74, 88]], "IP_ADDRESS: 192.228.163.172": [[91, 106]], "DOMAIN: authcdn.cc": [[109, 119]], "DOMAIN: cloud-edge.link": [[122, 137]], "URL: hxxps://update-cdn.cc/login": [[146, 173]], "URL: http://cloudlogin.tech/admin/config": [[176, 211]], "EMAIL: verify@credential-check.site": [[229, 257]], "EMAIL: ceo@mail-service.info": [[260, 281]], "HASH: 60c186c997456d0731f863b38a7d49df": [[306, 338]], "HASH: 04193e805bde2c1493840fc7ee018e5a1dd4dd47d395b1b0cf6746b27c9ed327": [[349, 413]], "FILEPATH: C:\\Users\\admin\\Desktop\\csrss.exe": [[427, 459]]}, "info": {"id": "synth_v2_01428", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Latrodectus Campaign:\nNetwork Indicators:\n- 31.245.84.142\n- 119.14.123.75\n- 206.215.110.57\n- backup-portal.tech\n- nodebackup.live\nURLs:\n- hxxps://gatewaycloud.tech/gate.php\n- hxxps://proxycloud.tech/panel/index.html\nEmail Senders:\n- it@secure-verify.net\n- verify@identity-verify.cc\nFile Indicators:\n- SHA256: d063c90e7ef193b8c61289d09a0ee89e4b43cf96445f2d3acc1ef13622274e2c\n- MD5: aa0a99368152f0ad455c2ffcbd4b3a6f\n- Drop path: C:\\Users\\admin\\Desktop\\csrss.exe", "spans": {"MALWARE: Latrodectus": [[15, 26]], "IP_ADDRESS: 31.245.84.142": [[59, 72]], "IP_ADDRESS: 119.14.123.75": [[75, 88]], "IP_ADDRESS: 206.215.110.57": [[91, 105]], "DOMAIN: backup-portal.tech": [[108, 126]], "DOMAIN: nodebackup.live": [[129, 144]], "URL: hxxps://gatewaycloud.tech/gate.php": [[153, 187]], "URL: hxxps://proxycloud.tech/panel/index.html": [[190, 230]], "EMAIL: it@secure-verify.net": [[248, 268]], "EMAIL: verify@identity-verify.cc": [[271, 296]], "HASH: d063c90e7ef193b8c61289d09a0ee89e4b43cf96445f2d3acc1ef13622274e2c": [[324, 388]], "HASH: aa0a99368152f0ad455c2ffcbd4b3a6f": 
[[396, 428]], "FILEPATH: C:\\Users\\admin\\Desktop\\csrss.exe": [[442, 474]]}, "info": {"id": "synth_v2_01429", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - DanaBot Campaign:\nNetwork Indicators:\n- 149.209.167.203\n- 4.21.117.181\n- 172.161.78.47\n- syncnode.info\n- api-update.cc\nURLs:\n- https://storage-api.club/secure/token\n- https://proxycache.top/assets/js/payload.js\nEmail Senders:\n- billing@credential-check.site\n- noreply@login-portal.tech\nFile Indicators:\n- SHA256: 1a2830e238308a60105a18eb6044adf951b50b0d26a502e1a30346d10cf28ba0\n- SHA256: b09fb144eaa11e697fd61317e005b2f773f8f9d16b327d844ecbc0a147dc8586\n- Drop path: /dev/shm/lsass.dmp", "spans": {"MALWARE: DanaBot": [[15, 22]], "IP_ADDRESS: 149.209.167.203": [[55, 70]], "IP_ADDRESS: 4.21.117.181": [[73, 85]], "IP_ADDRESS: 172.161.78.47": [[88, 101]], "DOMAIN: syncnode.info": [[104, 117]], "DOMAIN: api-update.cc": [[120, 133]], "URL: https://storage-api.club/secure/token": [[142, 179]], "URL: https://proxycache.top/assets/js/payload.js": [[182, 225]], "EMAIL: billing@credential-check.site": [[243, 272]], "EMAIL: noreply@login-portal.tech": [[275, 300]], "HASH: 1a2830e238308a60105a18eb6044adf951b50b0d26a502e1a30346d10cf28ba0": [[328, 392]], "HASH: b09fb144eaa11e697fd61317e005b2f773f8f9d16b327d844ecbc0a147dc8586": [[403, 467]], "FILEPATH: /dev/shm/lsass.dmp": [[481, 499]]}, "info": {"id": "synth_v2_01430", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - FormBook Campaign:\nNetwork Indicators:\n- 172.35.145.37\n- 79.109.29.48\n- 12.39.112.203\n- loginsecure.cc\n- auth-update.cc\nURLs:\n- hxxp://backup-cloud.cc/download/update.exe\n- https://cdnapi.club/collect\nEmail Senders:\n- service@account-update.xyz\n- confirm@mail-service.info\nFile Indicators:\n- SHA256: 3b6acba67c49e178c68b1ec790613042c3d4bc9933ffa4870c1751586af1e2d0\n- MD5: 0f079b049ef800e02a67fc222cb36ee5\n- Drop path: C:\\Windows\\Temp\\sam.hive", "spans": {"MALWARE: FormBook": [[15, 23]], "IP_ADDRESS: 172.35.145.37": [[56, 69]], 
"IP_ADDRESS: 79.109.29.48": [[72, 84]], "IP_ADDRESS: 12.39.112.203": [[87, 100]], "DOMAIN: loginsecure.cc": [[103, 117]], "DOMAIN: auth-update.cc": [[120, 134]], "URL: hxxp://backup-cloud.cc/download/update.exe": [[143, 185]], "URL: https://cdnapi.club/collect": [[188, 215]], "EMAIL: service@account-update.xyz": [[233, 259]], "EMAIL: confirm@mail-service.info": [[262, 287]], "HASH: 3b6acba67c49e178c68b1ec790613042c3d4bc9933ffa4870c1751586af1e2d0": [[315, 379]], "HASH: 0f079b049ef800e02a67fc222cb36ee5": [[387, 419]], "FILEPATH: C:\\Windows\\Temp\\sam.hive": [[433, 457]]}, "info": {"id": "synth_v2_01431", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - XLoader Campaign:\nNetwork Indicators:\n- 51.27.239.138\n- 192.150.255.104\n- 176.12.25.244\n- nodelogin.info\n- portalgateway.site\nURLs:\n- hxxps://edgedata.site/admin/config\n- hxxp://cloudnode.site/admin/config\nEmail Senders:\n- it@phishing-domain.com\n- account@auth-check.org\nFile Indicators:\n- MD5: c58850cc770528f4fa883b59e8cfda55\n- SHA1: 07ea732840713e55a5462ce05861a31b264090ef\n- Drop path: /opt/app/bin/shell.php", "spans": {"MALWARE: XLoader": [[15, 22]], "IP_ADDRESS: 51.27.239.138": [[55, 68]], "IP_ADDRESS: 192.150.255.104": [[71, 86]], "IP_ADDRESS: 176.12.25.244": [[89, 102]], "DOMAIN: nodelogin.info": [[105, 119]], "DOMAIN: portalgateway.site": [[122, 140]], "URL: hxxps://edgedata.site/admin/config": [[149, 183]], "URL: hxxp://cloudnode.site/admin/config": [[186, 220]], "EMAIL: it@phishing-domain.com": [[238, 260]], "EMAIL: account@auth-check.org": [[263, 285]], "HASH: c58850cc770528f4fa883b59e8cfda55": [[310, 342]], "HASH: 07ea732840713e55a5462ce05861a31b264090ef": [[351, 391]], "FILEPATH: /opt/app/bin/shell.php": [[405, 427]]}, "info": {"id": "synth_v2_01432", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - DarkSide Campaign:\nNetwork Indicators:\n- 202.218.84.147\n- 203.94.193.98\n- 10.73.167.115\n- proxy-data.top\n- gatewayedge.live\nURLs:\n- https://proxy-cdn.club/gate.php\n- 
https://cloud-data.info/callback\nEmail Senders:\n- contact@identity-verify.cc\n- alert@phishing-domain.com\nFile Indicators:\n- SHA1: c60b0b49fa71b2818e9895b6561c4d5aee6f3c67\n- SHA1: 6aae40c1d8adc5d1c55382a063af98350c61fa1e\n- Drop path: /etc/cron.d/taskhost.exe", "spans": {"MALWARE: DarkSide": [[15, 23]], "IP_ADDRESS: 202.218.84.147": [[56, 70]], "IP_ADDRESS: 203.94.193.98": [[73, 86]], "IP_ADDRESS: 10.73.167.115": [[89, 102]], "DOMAIN: proxy-data.top": [[105, 119]], "DOMAIN: gatewayedge.live": [[122, 138]], "URL: https://proxy-cdn.club/gate.php": [[147, 178]], "URL: https://cloud-data.info/callback": [[181, 213]], "EMAIL: contact@identity-verify.cc": [[231, 257]], "EMAIL: alert@phishing-domain.com": [[260, 285]], "HASH: c60b0b49fa71b2818e9895b6561c4d5aee6f3c67": [[311, 351]], "HASH: 6aae40c1d8adc5d1c55382a063af98350c61fa1e": [[360, 400]], "FILEPATH: /etc/cron.d/taskhost.exe": [[414, 438]]}, "info": {"id": "synth_v2_01433", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - AsyncRAT Campaign:\nNetwork Indicators:\n- 23.24.193.223\n- 44.197.241.242\n- 172.128.130.228\n- data-static.tech\n- node-gateway.cc\nURLs:\n- https://apidata.top/portal/verify\n- hxxp://edge-edge.xyz/api/v2/auth\nEmail Senders:\n- confirm@login-portal.tech\n- confirm@phishing-domain.com\nFile Indicators:\n- SHA1: cc438674a980b1c2667a930be4caea0bd75d4bd2\n- MD5: aac50b087c533fa0444c58229edba82e\n- Drop path: C:\\Users\\Public\\Documents\\lsass.dmp", "spans": {"MALWARE: AsyncRAT": [[15, 23]], "IP_ADDRESS: 23.24.193.223": [[56, 69]], "IP_ADDRESS: 44.197.241.242": [[72, 86]], "IP_ADDRESS: 172.128.130.228": [[89, 104]], "DOMAIN: data-static.tech": [[107, 123]], "DOMAIN: node-gateway.cc": [[126, 141]], "URL: https://apidata.top/portal/verify": [[150, 183]], "URL: hxxp://edge-edge.xyz/api/v2/auth": [[186, 218]], "EMAIL: confirm@login-portal.tech": [[236, 261]], "EMAIL: confirm@phishing-domain.com": [[264, 291]], "HASH: cc438674a980b1c2667a930be4caea0bd75d4bd2": [[317, 357]], "HASH: 
aac50b087c533fa0444c58229edba82e": [[365, 397]], "FILEPATH: C:\\Users\\Public\\Documents\\lsass.dmp": [[411, 446]]}, "info": {"id": "synth_v2_01434", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Lumma Stealer Campaign:\nNetwork Indicators:\n- 172.240.215.150\n- 10.104.252.248\n- 155.126.1.24\n- secure-update.net\n- cloudauth.io\nURLs:\n- hxxps://update-login.xyz/secure/token\n- hxxp://cloud-api.dev/wp-content/uploads/doc.php\nEmail Senders:\n- service@login-portal.tech\n- info@mail-service.info\nFile Indicators:\n- MD5: 40e0d120d6e188c5c0d9ea83a23b5e6a\n- SHA256: 2c9d196410573193e1d369fc6ed96f2b9fcc512066a63ffac0e293df05becce1\n- Drop path: C:\\Windows\\Temp\\shell.php", "spans": {"MALWARE: Lumma Stealer": [[15, 28]], "IP_ADDRESS: 172.240.215.150": [[61, 76]], "IP_ADDRESS: 10.104.252.248": [[79, 93]], "IP_ADDRESS: 155.126.1.24": [[96, 108]], "DOMAIN: secure-update.net": [[111, 128]], "DOMAIN: cloudauth.io": [[131, 143]], "URL: hxxps://update-login.xyz/secure/token": [[152, 189]], "URL: hxxp://cloud-api.dev/wp-content/uploads/doc.php": [[192, 239]], "EMAIL: service@login-portal.tech": [[257, 282]], "EMAIL: info@mail-service.info": [[285, 307]], "HASH: 40e0d120d6e188c5c0d9ea83a23b5e6a": [[332, 364]], "HASH: 2c9d196410573193e1d369fc6ed96f2b9fcc512066a63ffac0e293df05becce1": [[375, 439]], "FILEPATH: C:\\Windows\\Temp\\shell.php": [[453, 478]]}, "info": {"id": "synth_v2_01435", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Latrodectus Campaign:\nNetwork Indicators:\n- 10.85.248.12\n- 10.62.218.124\n- 10.57.93.160\n- staticupdate.dev\n- auth-relay.online\nURLs:\n- hxxps://cacheupdate.com/assets/js/payload.js\n- http://cache-api.online/secure/token\nEmail Senders:\n- billing@account-update.xyz\n- finance@mail-service.info\nFile Indicators:\n- SHA1: 3af38fa6956c4e65d18a6827eafa577ea98a2013\n- MD5: c9571d12f4364371cd624c01015611c7\n- Drop path: /var/tmp/backdoor.elf", "spans": {"MALWARE: Latrodectus": [[15, 26]], "IP_ADDRESS: 10.85.248.12": [[59, 71]], 
"IP_ADDRESS: 10.62.218.124": [[74, 87]], "IP_ADDRESS: 10.57.93.160": [[90, 102]], "DOMAIN: staticupdate.dev": [[105, 121]], "DOMAIN: auth-relay.online": [[124, 141]], "URL: hxxps://cacheupdate.com/assets/js/payload.js": [[150, 194]], "URL: http://cache-api.online/secure/token": [[197, 233]], "EMAIL: billing@account-update.xyz": [[251, 277]], "EMAIL: finance@mail-service.info": [[280, 305]], "HASH: 3af38fa6956c4e65d18a6827eafa577ea98a2013": [[331, 371]], "HASH: c9571d12f4364371cd624c01015611c7": [[379, 411]], "FILEPATH: /var/tmp/backdoor.elf": [[425, 446]]}, "info": {"id": "synth_v2_01436", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Royal Campaign:\nNetwork Indicators:\n- 30.190.37.81\n- 185.252.155.112\n- 10.238.29.230\n- updatelogin.online\n- edge-secure.dev\nURLs:\n- hxxps://cdn-static.xyz/panel/index.html\n- hxxps://backup-cache.top/download/update.exe\nEmail Senders:\n- billing@account-update.xyz\n- alert@identity-verify.cc\nFile Indicators:\n- SHA256: 1e99f50449c41e61bf3df4650bd7bdd3a117cbc353206190587a06f1715d389a\n- MD5: 8a3f8060a00ae84c88535c25fcdcc9a8\n- Drop path: C:\\Windows\\Temp\\svchost.exe", "spans": {"MALWARE: Royal": [[15, 20]], "IP_ADDRESS: 30.190.37.81": [[53, 65]], "IP_ADDRESS: 185.252.155.112": [[68, 83]], "IP_ADDRESS: 10.238.29.230": [[86, 99]], "DOMAIN: updatelogin.online": [[102, 120]], "DOMAIN: edge-secure.dev": [[123, 138]], "URL: hxxps://cdn-static.xyz/panel/index.html": [[147, 186]], "URL: hxxps://backup-cache.top/download/update.exe": [[189, 233]], "EMAIL: billing@account-update.xyz": [[251, 277]], "EMAIL: alert@identity-verify.cc": [[280, 304]], "HASH: 1e99f50449c41e61bf3df4650bd7bdd3a117cbc353206190587a06f1715d389a": [[332, 396]], "HASH: 8a3f8060a00ae84c88535c25fcdcc9a8": [[404, 436]], "FILEPATH: C:\\Windows\\Temp\\svchost.exe": [[450, 477]]}, "info": {"id": "synth_v2_01437", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - RedLine Stealer Campaign:\nNetwork Indicators:\n- 10.135.38.140\n- 10.179.95.183\n- 
99.82.184.38\n- secure-api.xyz\n- auth-gateway.online\nURLs:\n- hxxp://securenode.dev/download/update.exe\n- hxxps://proxyupdate.net/callback\nEmail Senders:\n- updates@urgent-notice.online\n- alert@secure-verify.net\nFile Indicators:\n- SHA1: b4bbff27cbeef0ca0ca2637799972820e3572c06\n- MD5: 606bb0202afe86276cb24369610ec191\n- Drop path: C:\\Program Files\\Common Files\\sam.hive", "spans": {"MALWARE: RedLine Stealer": [[15, 30]], "IP_ADDRESS: 10.135.38.140": [[63, 76]], "IP_ADDRESS: 10.179.95.183": [[79, 92]], "IP_ADDRESS: 99.82.184.38": [[95, 107]], "DOMAIN: secure-api.xyz": [[110, 124]], "DOMAIN: auth-gateway.online": [[127, 146]], "URL: hxxp://securenode.dev/download/update.exe": [[155, 196]], "URL: hxxps://proxyupdate.net/callback": [[199, 231]], "EMAIL: updates@urgent-notice.online": [[249, 277]], "EMAIL: alert@secure-verify.net": [[280, 303]], "HASH: b4bbff27cbeef0ca0ca2637799972820e3572c06": [[329, 369]], "HASH: 606bb0202afe86276cb24369610ec191": [[377, 409]], "FILEPATH: C:\\Program Files\\Common Files\\sam.hive": [[423, 461]]}, "info": {"id": "synth_v2_01438", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - WarmCookie Campaign:\nNetwork Indicators:\n- 189.69.3.46\n- 25.170.96.130\n- 66.86.221.114\n- update-secure.org\n- static-cache.info\nURLs:\n- hxxps://cloudupdate.info/secure/token\n- https://api-static.io/api/v2/auth\nEmail Senders:\n- support@auth-check.org\n- admin@credential-check.site\nFile Indicators:\n- SHA256: 22d153d3c1bc2cef017f4210f70b21b5e73c891d565aaf2ea05f346a2bfdaf16\n- MD5: fbb667b197451022c562843de98b9f5d\n- Drop path: /opt/app/bin/winlogon.exe", "spans": {"MALWARE: WarmCookie": [[15, 25]], "IP_ADDRESS: 189.69.3.46": [[58, 69]], "IP_ADDRESS: 25.170.96.130": [[72, 85]], "IP_ADDRESS: 66.86.221.114": [[88, 101]], "DOMAIN: update-secure.org": [[104, 121]], "DOMAIN: static-cache.info": [[124, 141]], "URL: hxxps://cloudupdate.info/secure/token": [[150, 187]], "URL: https://api-static.io/api/v2/auth": [[190, 223]], "EMAIL: 
support@auth-check.org": [[241, 263]], "EMAIL: admin@credential-check.site": [[266, 293]], "HASH: 22d153d3c1bc2cef017f4210f70b21b5e73c891d565aaf2ea05f346a2bfdaf16": [[321, 385]], "HASH: fbb667b197451022c562843de98b9f5d": [[393, 425]], "FILEPATH: /opt/app/bin/winlogon.exe": [[439, 464]]}, "info": {"id": "synth_v2_01439", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Emotet Campaign:\nNetwork Indicators:\n- 129.163.83.141\n- 106.250.228.16\n- 172.128.223.116\n- cdnupdate.io\n- update-relay.site\nURLs:\n- hxxp://cdnstorage.dev/secure/token\n- hxxp://updateapi.online/gate.php\nEmail Senders:\n- security@credential-check.site\n- report@credential-check.site\nFile Indicators:\n- MD5: 2cc4a6023a3b1083daeb0706d763b66b\n- SHA1: 0125658267cb1a9b9c25e4075994d42383dba0d9\n- Drop path: /var/tmp/payload.bin", "spans": {"MALWARE: Emotet": [[15, 21]], "IP_ADDRESS: 129.163.83.141": [[54, 68]], "IP_ADDRESS: 106.250.228.16": [[71, 85]], "IP_ADDRESS: 172.128.223.116": [[88, 103]], "DOMAIN: cdnupdate.io": [[106, 118]], "DOMAIN: update-relay.site": [[121, 138]], "URL: hxxp://cdnstorage.dev/secure/token": [[147, 181]], "URL: hxxp://updateapi.online/gate.php": [[184, 216]], "EMAIL: security@credential-check.site": [[234, 264]], "EMAIL: report@credential-check.site": [[267, 295]], "HASH: 2cc4a6023a3b1083daeb0706d763b66b": [[320, 352]], "HASH: 0125658267cb1a9b9c25e4075994d42383dba0d9": [[361, 401]], "FILEPATH: /var/tmp/payload.bin": [[415, 435]]}, "info": {"id": "synth_v2_01440", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Latrodectus Campaign:\nNetwork Indicators:\n- 192.13.60.217\n- 10.5.184.28\n- 10.32.98.66\n- gateway-cloud.live\n- edgeupdate.net\nURLs:\n- https://mail-update.org/login\n- http://storageapi.net/admin/config\nEmail Senders:\n- hr@credential-check.site\n- info@secure-verify.net\nFile Indicators:\n- SHA1: f92e0166e87c9064bdefb5c7eb357fc6fcc4867b\n- SHA1: da33a7648a5e1b694edcd890b52c7bdb9be3dc4e\n- Drop path: C:\\Windows\\Tasks\\update.dll", "spans": 
{"MALWARE: Latrodectus": [[15, 26]], "IP_ADDRESS: 192.13.60.217": [[59, 72]], "IP_ADDRESS: 10.5.184.28": [[75, 86]], "IP_ADDRESS: 10.32.98.66": [[89, 100]], "DOMAIN: gateway-cloud.live": [[103, 121]], "DOMAIN: edgeupdate.net": [[124, 138]], "URL: https://mail-update.org/login": [[147, 176]], "URL: http://storageapi.net/admin/config": [[179, 213]], "EMAIL: hr@credential-check.site": [[231, 255]], "EMAIL: info@secure-verify.net": [[258, 280]], "HASH: f92e0166e87c9064bdefb5c7eb357fc6fcc4867b": [[306, 346]], "HASH: da33a7648a5e1b694edcd890b52c7bdb9be3dc4e": [[355, 395]], "FILEPATH: C:\\Windows\\Tasks\\update.dll": [[409, 436]]}, "info": {"id": "synth_v2_01441", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Vidar Campaign:\nNetwork Indicators:\n- 139.180.225.146\n- 131.207.99.162\n- 10.130.28.115\n- backup-backup.io\n- data-edge.top\nURLs:\n- https://auth-auth.link/secure/token\n- http://proxyportal.online/callback\nEmail Senders:\n- info@document-share.link\n- ceo@account-update.xyz\nFile Indicators:\n- SHA1: 9ac06ce6d73407ad1bf6bc321fe5998e13a076ac\n- SHA256: e667d610d13e603d571e1bdb31395c30fbd308a95dce909716b1f31555881036\n- Drop path: /usr/local/bin/shell.php", "spans": {"MALWARE: Vidar": [[15, 20]], "IP_ADDRESS: 139.180.225.146": [[53, 68]], "IP_ADDRESS: 131.207.99.162": [[71, 85]], "IP_ADDRESS: 10.130.28.115": [[88, 101]], "DOMAIN: backup-backup.io": [[104, 120]], "DOMAIN: data-edge.top": [[123, 136]], "URL: https://auth-auth.link/secure/token": [[145, 180]], "URL: http://proxyportal.online/callback": [[183, 217]], "EMAIL: info@document-share.link": [[235, 259]], "EMAIL: ceo@account-update.xyz": [[262, 284]], "HASH: 9ac06ce6d73407ad1bf6bc321fe5998e13a076ac": [[310, 350]], "HASH: e667d610d13e603d571e1bdb31395c30fbd308a95dce909716b1f31555881036": [[361, 425]], "FILEPATH: /usr/local/bin/shell.php": [[439, 463]]}, "info": {"id": "synth_v2_01442", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Vidar Campaign:\nNetwork Indicators:\n- 10.247.19.146\n- 
10.230.216.79\n- 20.247.238.195\n- login-login.top\n- edge-update.info\nURLs:\n- hxxp://backup-relay.io/gate.php\n- hxxp://loginstorage.live/assets/js/payload.js\nEmail Senders:\n- noreply@phishing-domain.com\n- report@auth-check.org\nFile Indicators:\n- SHA1: 988831c8980abdf6e5fe8c0421575ffdba5a5893\n- MD5: 7d59ef93027fadaa5f6407ea17cc3db5\n- Drop path: C:\\Users\\admin\\Downloads\\dropper.ps1", "spans": {"MALWARE: Vidar": [[15, 20]], "IP_ADDRESS: 10.247.19.146": [[53, 66]], "IP_ADDRESS: 10.230.216.79": [[69, 82]], "IP_ADDRESS: 20.247.238.195": [[85, 99]], "DOMAIN: login-login.top": [[102, 117]], "DOMAIN: edge-update.info": [[120, 136]], "URL: hxxp://backup-relay.io/gate.php": [[145, 176]], "URL: hxxp://loginstorage.live/assets/js/payload.js": [[179, 224]], "EMAIL: noreply@phishing-domain.com": [[242, 269]], "EMAIL: report@auth-check.org": [[272, 293]], "HASH: 988831c8980abdf6e5fe8c0421575ffdba5a5893": [[319, 359]], "HASH: 7d59ef93027fadaa5f6407ea17cc3db5": [[367, 399]], "FILEPATH: C:\\Users\\admin\\Downloads\\dropper.ps1": [[413, 449]]}, "info": {"id": "synth_v2_01443", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - SystemBC Campaign:\nNetwork Indicators:\n- 201.120.184.182\n- 45.234.87.159\n- 10.173.241.229\n- secure-sync.com\n- cache-node.site\nURLs:\n- http://static-node.info/portal/verify\n- http://synclogin.top/wp-content/uploads/doc.php\nEmail Senders:\n- notification@urgent-notice.online\n- helpdesk@auth-check.org\nFile Indicators:\n- SHA1: f0fbf39e7c2e6911cafb7689ddde128ebb075953\n- MD5: 7aec4ec51ae460a3260d45f1915d37b6\n- Drop path: C:\\Users\\admin\\Desktop\\csrss.exe", "spans": {"MALWARE: SystemBC": [[15, 23]], "IP_ADDRESS: 201.120.184.182": [[56, 71]], "IP_ADDRESS: 45.234.87.159": [[74, 87]], "IP_ADDRESS: 10.173.241.229": [[90, 104]], "DOMAIN: secure-sync.com": [[107, 122]], "DOMAIN: cache-node.site": [[125, 140]], "URL: http://static-node.info/portal/verify": [[149, 186]], "URL: http://synclogin.top/wp-content/uploads/doc.php": [[189, 236]], 
"EMAIL: notification@urgent-notice.online": [[254, 287]], "EMAIL: helpdesk@auth-check.org": [[290, 313]], "HASH: f0fbf39e7c2e6911cafb7689ddde128ebb075953": [[339, 379]], "HASH: 7aec4ec51ae460a3260d45f1915d37b6": [[387, 419]], "FILEPATH: C:\\Users\\admin\\Desktop\\csrss.exe": [[433, 465]]}, "info": {"id": "synth_v2_01444", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - BlackCat Campaign:\nNetwork Indicators:\n- 192.39.213.170\n- 104.85.79.122\n- 172.115.120.220\n- updateportal.top\n- cdn-auth.site\nURLs:\n- https://sync-cdn.net/assets/js/payload.js\n- hxxp://api-mail.site/portal/verify\nEmail Senders:\n- ceo@account-update.xyz\n- contact@login-portal.tech\nFile Indicators:\n- MD5: a684c5433c11d14954d4738083f4b211\n- SHA256: 7323c26776121d940e08f91469b64175c8ab98803e0a3fd3b9fbfc3f073502d4\n- Drop path: C:\\Users\\admin\\Desktop\\config.dat", "spans": {"MALWARE: BlackCat": [[15, 23]], "IP_ADDRESS: 192.39.213.170": [[56, 70]], "IP_ADDRESS: 104.85.79.122": [[73, 86]], "IP_ADDRESS: 172.115.120.220": [[89, 104]], "DOMAIN: updateportal.top": [[107, 123]], "DOMAIN: cdn-auth.site": [[126, 139]], "URL: https://sync-cdn.net/assets/js/payload.js": [[148, 189]], "URL: hxxp://api-mail.site/portal/verify": [[192, 226]], "EMAIL: ceo@account-update.xyz": [[244, 266]], "EMAIL: contact@login-portal.tech": [[269, 294]], "HASH: a684c5433c11d14954d4738083f4b211": [[319, 351]], "HASH: 7323c26776121d940e08f91469b64175c8ab98803e0a3fd3b9fbfc3f073502d4": [[362, 426]], "FILEPATH: C:\\Users\\admin\\Desktop\\config.dat": [[440, 473]]}, "info": {"id": "synth_v2_01445", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - PikaBot Campaign:\nNetwork Indicators:\n- 47.111.99.94\n- 9.145.141.69\n- 93.60.156.53\n- backuplogin.net\n- auth-relay.tech\nURLs:\n- http://backupcache.tech/admin/config\n- https://secureapi.top/download/update.exe\nEmail Senders:\n- finance@identity-verify.cc\n- helpdesk@urgent-notice.online\nFile Indicators:\n- MD5: 7340e50df65a8e311be839b32ccad3ce\n- SHA1: 
cda5963b28aecea57a6ead9900f3590cb44505b8\n- Drop path: C:\\Users\\Public\\Documents\\csrss.exe", "spans": {"MALWARE: PikaBot": [[15, 22]], "IP_ADDRESS: 47.111.99.94": [[55, 67]], "IP_ADDRESS: 9.145.141.69": [[70, 82]], "IP_ADDRESS: 93.60.156.53": [[85, 97]], "DOMAIN: backuplogin.net": [[100, 115]], "DOMAIN: auth-relay.tech": [[118, 133]], "URL: http://backupcache.tech/admin/config": [[142, 178]], "URL: https://secureapi.top/download/update.exe": [[181, 222]], "EMAIL: finance@identity-verify.cc": [[240, 266]], "EMAIL: helpdesk@urgent-notice.online": [[269, 298]], "HASH: 7340e50df65a8e311be839b32ccad3ce": [[323, 355]], "HASH: cda5963b28aecea57a6ead9900f3590cb44505b8": [[364, 404]], "FILEPATH: C:\\Users\\Public\\Documents\\csrss.exe": [[418, 453]]}, "info": {"id": "synth_v2_01446", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - IcedID Campaign:\nNetwork Indicators:\n- 192.56.62.251\n- 70.251.88.231\n- 170.198.147.46\n- securesync.online\n- storage-cloud.top\nURLs:\n- hxxps://mailcache.link/secure/token\n- https://update-cdn.online/api/v2/auth\nEmail Senders:\n- hr@auth-check.org\n- info@urgent-notice.online\nFile Indicators:\n- SHA1: 64c42dce271af80efb79ad71bd787fbb1939b16d\n- SHA1: c8304404a396ad1cb9347181599ef02186411074\n- Drop path: /var/tmp/backdoor.elf", "spans": {"MALWARE: IcedID": [[15, 21]], "IP_ADDRESS: 192.56.62.251": [[54, 67]], "IP_ADDRESS: 70.251.88.231": [[70, 83]], "IP_ADDRESS: 170.198.147.46": [[86, 100]], "DOMAIN: securesync.online": [[103, 120]], "DOMAIN: storage-cloud.top": [[123, 140]], "URL: hxxps://mailcache.link/secure/token": [[149, 184]], "URL: https://update-cdn.online/api/v2/auth": [[187, 224]], "EMAIL: hr@auth-check.org": [[242, 259]], "EMAIL: info@urgent-notice.online": [[262, 287]], "HASH: 64c42dce271af80efb79ad71bd787fbb1939b16d": [[313, 353]], "HASH: c8304404a396ad1cb9347181599ef02186411074": [[362, 402]], "FILEPATH: /var/tmp/backdoor.elf": [[416, 437]]}, "info": {"id": "synth_v2_01447", "source": "synthetic_v2"}} +{"text": "IOC 
Bulletin - Amadey Campaign:\nNetwork Indicators:\n- 192.120.24.87\n- 209.87.133.84\n- 10.13.46.36\n- portalbackup.dev\n- proxy-edge.top\nURLs:\n- hxxps://backup-cloud.club/admin/config\n- http://sync-gateway.com/callback\nEmail Senders:\n- notification@identity-verify.cc\n- alert@phishing-domain.com\nFile Indicators:\n- SHA1: 16a5dda976f7d1ec45c5fbab15c47ea8c9a32ea9\n- MD5: 6b16b202e24b1f53b19d58211fa3b529\n- Drop path: C:\\Users\\admin\\Desktop\\implant.so", "spans": {"MALWARE: Amadey": [[15, 21]], "IP_ADDRESS: 192.120.24.87": [[54, 67]], "IP_ADDRESS: 209.87.133.84": [[70, 83]], "IP_ADDRESS: 10.13.46.36": [[86, 97]], "DOMAIN: portalbackup.dev": [[100, 116]], "DOMAIN: proxy-edge.top": [[119, 133]], "URL: hxxps://backup-cloud.club/admin/config": [[142, 180]], "URL: http://sync-gateway.com/callback": [[183, 215]], "EMAIL: notification@identity-verify.cc": [[233, 264]], "EMAIL: alert@phishing-domain.com": [[267, 292]], "HASH: 16a5dda976f7d1ec45c5fbab15c47ea8c9a32ea9": [[318, 358]], "HASH: 6b16b202e24b1f53b19d58211fa3b529": [[366, 398]], "FILEPATH: C:\\Users\\admin\\Desktop\\implant.so": [[412, 445]]}, "info": {"id": "synth_v2_01448", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - FormBook Campaign:\nNetwork Indicators:\n- 192.228.158.156\n- 10.32.251.154\n- 172.173.4.109\n- sync-relay.net\n- cacheupdate.net\nURLs:\n- hxxp://updatelogin.club/api/v2/auth\n- https://cdnupdate.dev/login\nEmail Senders:\n- security@credential-check.site\n- security@urgent-notice.online\nFile Indicators:\n- SHA256: 2cf3367a5509d881aa6bc8ba5dfda4470e4826255f7edfac34abd382ea8e862a\n- SHA256: 98d066c45682520c9fb75ade51c7f5d635371c31443e12ef26b79bf95fa4c20f\n- Drop path: C:\\Program Files\\Common Files\\loader.exe", "spans": {"MALWARE: FormBook": [[15, 23]], "IP_ADDRESS: 192.228.158.156": [[56, 71]], "IP_ADDRESS: 10.32.251.154": [[74, 87]], "IP_ADDRESS: 172.173.4.109": [[90, 103]], "DOMAIN: sync-relay.net": [[106, 120]], "DOMAIN: cacheupdate.net": [[123, 138]], "URL: 
hxxp://updatelogin.club/api/v2/auth": [[147, 182]], "URL: https://cdnupdate.dev/login": [[185, 212]], "EMAIL: security@credential-check.site": [[230, 260]], "EMAIL: security@urgent-notice.online": [[263, 292]], "HASH: 2cf3367a5509d881aa6bc8ba5dfda4470e4826255f7edfac34abd382ea8e862a": [[320, 384]], "HASH: 98d066c45682520c9fb75ade51c7f5d635371c31443e12ef26b79bf95fa4c20f": [[395, 459]], "FILEPATH: C:\\Program Files\\Common Files\\loader.exe": [[473, 513]]}, "info": {"id": "synth_v2_01449", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Play Campaign:\nNetwork Indicators:\n- 10.88.30.142\n- 21.135.151.37\n- 10.236.202.196\n- staticstatic.live\n- nodesync.org\nURLs:\n- https://backup-api.info/download/update.exe\n- http://portalupdate.top/wp-content/uploads/doc.php\nEmail Senders:\n- verify@account-update.xyz\n- helpdesk@urgent-notice.online\nFile Indicators:\n- SHA256: 98cabf56849253fd02c371721e26a682bcbf43ef5b2dc030647918a9a3ad3fc4\n- SHA256: 1938c214fc8694b8c5d96a5a719dc48524c4f229cbe0b239844c7bf809a145ab\n- Drop path: C:\\Program Files\\Common Files\\chrome_helper.exe", "spans": {"MALWARE: Play": [[15, 19]], "IP_ADDRESS: 10.88.30.142": [[52, 64]], "IP_ADDRESS: 21.135.151.37": [[67, 80]], "IP_ADDRESS: 10.236.202.196": [[83, 97]], "DOMAIN: staticstatic.live": [[100, 117]], "DOMAIN: nodesync.org": [[120, 132]], "URL: https://backup-api.info/download/update.exe": [[141, 184]], "URL: http://portalupdate.top/wp-content/uploads/doc.php": [[187, 237]], "EMAIL: verify@account-update.xyz": [[255, 280]], "EMAIL: helpdesk@urgent-notice.online": [[283, 312]], "HASH: 98cabf56849253fd02c371721e26a682bcbf43ef5b2dc030647918a9a3ad3fc4": [[340, 404]], "HASH: 1938c214fc8694b8c5d96a5a719dc48524c4f229cbe0b239844c7bf809a145ab": [[415, 479]], "FILEPATH: C:\\Program Files\\Common Files\\chrome_helper.exe": [[493, 540]]}, "info": {"id": "synth_v2_01450", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - AgentTesla Campaign:\nNetwork Indicators:\n- 44.164.139.117\n- 169.240.223.55\n- 
180.87.117.8\n- storageproxy.online\n- staticedge.live\nURLs:\n- https://gatewayupdate.online/assets/js/payload.js\n- hxxp://cdn-mail.cc/collect\nEmail Senders:\n- hr@urgent-notice.online\n- alert@auth-check.org\nFile Indicators:\n- SHA256: a49f1f0aaaf90902f06fe9ed8c026ba75825b82a96e345478dc899845a47d5d5\n- MD5: 8c7e26c5c1a52d2d98da90cc292fea46\n- Drop path: C:\\Windows\\Temp\\backdoor.elf", "spans": {"MALWARE: AgentTesla": [[15, 25]], "IP_ADDRESS: 44.164.139.117": [[58, 72]], "IP_ADDRESS: 169.240.223.55": [[75, 89]], "IP_ADDRESS: 180.87.117.8": [[92, 104]], "DOMAIN: storageproxy.online": [[107, 126]], "DOMAIN: staticedge.live": [[129, 144]], "URL: https://gatewayupdate.online/assets/js/payload.js": [[153, 202]], "URL: hxxp://cdn-mail.cc/collect": [[205, 231]], "EMAIL: hr@urgent-notice.online": [[249, 272]], "EMAIL: alert@auth-check.org": [[275, 295]], "HASH: a49f1f0aaaf90902f06fe9ed8c026ba75825b82a96e345478dc899845a47d5d5": [[323, 387]], "HASH: 8c7e26c5c1a52d2d98da90cc292fea46": [[395, 427]], "FILEPATH: C:\\Windows\\Temp\\backdoor.elf": [[441, 469]]}, "info": {"id": "synth_v2_01451", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Play Campaign:\nNetwork Indicators:\n- 10.174.222.190\n- 10.182.209.159\n- 109.7.214.55\n- backuprelay.dev\n- updateproxy.tech\nURLs:\n- https://cdn-api.io/download/update.exe\n- https://securelogin.site/admin/config\nEmail Senders:\n- finance@secure-verify.net\n- account@phishing-domain.com\nFile Indicators:\n- SHA256: 989f8db33b493973b4143a9847f8f1feaa9feb2aa844d64c98e02b8460e45ce2\n- SHA256: 1f79b6c475a8b6264c38419a0b5047b1a74bd54abc60da3dabde317b09f3b527\n- Drop path: C:\\Windows\\System32\\backdoor.elf", "spans": {"MALWARE: Play": [[15, 19]], "IP_ADDRESS: 10.174.222.190": [[52, 66]], "IP_ADDRESS: 10.182.209.159": [[69, 83]], "IP_ADDRESS: 109.7.214.55": [[86, 98]], "DOMAIN: backuprelay.dev": [[101, 116]], "DOMAIN: updateproxy.tech": [[119, 135]], "URL: https://cdn-api.io/download/update.exe": [[144, 182]], "URL: 
https://securelogin.site/admin/config": [[185, 222]], "EMAIL: finance@secure-verify.net": [[240, 265]], "EMAIL: account@phishing-domain.com": [[268, 295]], "HASH: 989f8db33b493973b4143a9847f8f1feaa9feb2aa844d64c98e02b8460e45ce2": [[323, 387]], "HASH: 1f79b6c475a8b6264c38419a0b5047b1a74bd54abc60da3dabde317b09f3b527": [[398, 462]], "FILEPATH: C:\\Windows\\System32\\backdoor.elf": [[476, 508]]}, "info": {"id": "synth_v2_01452", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - AgentTesla Campaign:\nNetwork Indicators:\n- 16.178.119.83\n- 96.123.172.41\n- 165.125.240.198\n- cachestorage.com\n- gatewaymail.link\nURLs:\n- https://proxy-sync.io/assets/js/payload.js\n- hxxp://storage-api.org/secure/token\nEmail Senders:\n- confirm@mail-service.info\n- contact@credential-check.site\nFile Indicators:\n- MD5: 841eace060d62ecc8481450275c640cc\n- MD5: d90fed3c2ae0c3c1ad0bc46d552c5ba0\n- Drop path: C:\\Users\\admin\\AppData\\Local\\Temp\\chrome_helper.exe", "spans": {"MALWARE: AgentTesla": [[15, 25]], "IP_ADDRESS: 16.178.119.83": [[58, 71]], "IP_ADDRESS: 96.123.172.41": [[74, 87]], "IP_ADDRESS: 165.125.240.198": [[90, 105]], "DOMAIN: cachestorage.com": [[108, 124]], "DOMAIN: gatewaymail.link": [[127, 143]], "URL: https://proxy-sync.io/assets/js/payload.js": [[152, 194]], "URL: hxxp://storage-api.org/secure/token": [[197, 232]], "EMAIL: confirm@mail-service.info": [[250, 275]], "EMAIL: contact@credential-check.site": [[278, 307]], "HASH: 841eace060d62ecc8481450275c640cc": [[332, 364]], "HASH: d90fed3c2ae0c3c1ad0bc46d552c5ba0": [[372, 404]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\chrome_helper.exe": [[418, 469]]}, "info": {"id": "synth_v2_01453", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Qbot Campaign:\nNetwork Indicators:\n- 198.86.80.219\n- 151.89.140.145\n- 84.82.107.202\n- proxysync.top\n- login-cdn.live\nURLs:\n- hxxps://synccdn.online/login\n- hxxps://apistorage.cc/download/update.exe\nEmail Senders:\n- finance@account-update.xyz\n- 
contact@document-share.link\nFile Indicators:\n- SHA256: 6f3229bcedc97881aedb5e037f951f137189732eb7d4e559ef7ccc558e158f85\n- SHA1: 273b7b83f3593d2c35b90c9c6c451e51c981ef61\n- Drop path: /opt/app/bin/beacon.dll", "spans": {"MALWARE: Qbot": [[15, 19]], "IP_ADDRESS: 198.86.80.219": [[52, 65]], "IP_ADDRESS: 151.89.140.145": [[68, 82]], "IP_ADDRESS: 84.82.107.202": [[85, 98]], "DOMAIN: proxysync.top": [[101, 114]], "DOMAIN: login-cdn.live": [[117, 131]], "URL: hxxps://synccdn.online/login": [[140, 168]], "URL: hxxps://apistorage.cc/download/update.exe": [[171, 212]], "EMAIL: finance@account-update.xyz": [[230, 256]], "EMAIL: contact@document-share.link": [[259, 286]], "HASH: 6f3229bcedc97881aedb5e037f951f137189732eb7d4e559ef7ccc558e158f85": [[314, 378]], "HASH: 273b7b83f3593d2c35b90c9c6c451e51c981ef61": [[387, 427]], "FILEPATH: /opt/app/bin/beacon.dll": [[441, 464]]}, "info": {"id": "synth_v2_01454", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - RemcosRAT Campaign:\nNetwork Indicators:\n- 192.174.35.182\n- 192.246.192.181\n- 172.82.145.107\n- backup-login.club\n- secureupdate.info\nURLs:\n- hxxp://loginupdate.site/wp-content/uploads/doc.php\n- http://gatewayapi.net/panel/index.html\nEmail Senders:\n- verify@login-portal.tech\n- updates@account-update.xyz\nFile Indicators:\n- SHA256: 358c3b3fdb9b39b987052c0916bce1e09d32012ba9cca92ad694a80bd24f87e2\n- SHA1: 8d1e8918e2c323b9814ea59555065674e74267e0\n- Drop path: C:\\Users\\admin\\Downloads\\lsass.dmp", "spans": {"MALWARE: RemcosRAT": [[15, 24]], "IP_ADDRESS: 192.174.35.182": [[57, 71]], "IP_ADDRESS: 192.246.192.181": [[74, 89]], "IP_ADDRESS: 172.82.145.107": [[92, 106]], "DOMAIN: backup-login.club": [[109, 126]], "DOMAIN: secureupdate.info": [[129, 146]], "URL: hxxp://loginupdate.site/wp-content/uploads/doc.php": [[155, 205]], "URL: http://gatewayapi.net/panel/index.html": [[208, 246]], "EMAIL: verify@login-portal.tech": [[264, 288]], "EMAIL: updates@account-update.xyz": [[291, 317]], "HASH: 
358c3b3fdb9b39b987052c0916bce1e09d32012ba9cca92ad694a80bd24f87e2": [[345, 409]], "HASH: 8d1e8918e2c323b9814ea59555065674e74267e0": [[418, 458]], "FILEPATH: C:\\Users\\admin\\Downloads\\lsass.dmp": [[472, 506]]}, "info": {"id": "synth_v2_01455", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - AgentTesla Campaign:\nNetwork Indicators:\n- 192.111.21.74\n- 192.33.246.22\n- 13.125.103.253\n- cdn-node.live\n- backupbackup.net\nURLs:\n- http://datagateway.top/login\n- hxxp://update-static.dev/api/v2/auth\nEmail Senders:\n- helpdesk@credential-check.site\n- confirm@urgent-notice.online\nFile Indicators:\n- SHA1: a34df86b79e3d5ec2224784e6b919ae3d30b41f2\n- SHA1: 6bf5878fe08df0b69c68cb7f085524568d1041bd\n- Drop path: C:\\Users\\admin\\AppData\\Local\\Temp\\config.dat", "spans": {"MALWARE: AgentTesla": [[15, 25]], "IP_ADDRESS: 192.111.21.74": [[58, 71]], "IP_ADDRESS: 192.33.246.22": [[74, 87]], "IP_ADDRESS: 13.125.103.253": [[90, 104]], "DOMAIN: cdn-node.live": [[107, 120]], "DOMAIN: backupbackup.net": [[123, 139]], "URL: http://datagateway.top/login": [[148, 176]], "URL: hxxp://update-static.dev/api/v2/auth": [[179, 215]], "EMAIL: helpdesk@credential-check.site": [[233, 263]], "EMAIL: confirm@urgent-notice.online": [[266, 294]], "HASH: a34df86b79e3d5ec2224784e6b919ae3d30b41f2": [[320, 360]], "HASH: 6bf5878fe08df0b69c68cb7f085524568d1041bd": [[369, 409]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\config.dat": [[423, 467]]}, "info": {"id": "synth_v2_01456", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - IcedID Campaign:\nNetwork Indicators:\n- 192.123.212.125\n- 128.234.237.117\n- 172.175.233.97\n- mailmail.info\n- staticcdn.xyz\nURLs:\n- https://static-storage.link/wp-content/uploads/doc.php\n- hxxps://authauth.dev/download/update.exe\nEmail Senders:\n- service@document-share.link\n- billing@document-share.link\nFile Indicators:\n- MD5: c20ee49afe74aa2ff060cebbabbaca7a\n- SHA1: 8a85ee193e4a86f9675425d2670695d602a1691a\n- Drop path: /opt/app/bin/csrss.exe", 
"spans": {"MALWARE: IcedID": [[15, 21]], "IP_ADDRESS: 192.123.212.125": [[54, 69]], "IP_ADDRESS: 128.234.237.117": [[72, 87]], "IP_ADDRESS: 172.175.233.97": [[90, 104]], "DOMAIN: mailmail.info": [[107, 120]], "DOMAIN: staticcdn.xyz": [[123, 136]], "URL: https://static-storage.link/wp-content/uploads/doc.php": [[145, 199]], "URL: hxxps://authauth.dev/download/update.exe": [[202, 242]], "EMAIL: service@document-share.link": [[260, 287]], "EMAIL: billing@document-share.link": [[290, 317]], "HASH: c20ee49afe74aa2ff060cebbabbaca7a": [[342, 374]], "HASH: 8a85ee193e4a86f9675425d2670695d602a1691a": [[383, 423]], "FILEPATH: /opt/app/bin/csrss.exe": [[437, 459]]}, "info": {"id": "synth_v2_01457", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Royal Campaign:\nNetwork Indicators:\n- 10.69.98.177\n- 10.42.105.94\n- 172.161.172.192\n- relay-update.org\n- syncupdate.site\nURLs:\n- hxxps://portal-relay.info/secure/token\n- http://backup-backup.live/callback\nEmail Senders:\n- security@secure-verify.net\n- contact@mail-service.info\nFile Indicators:\n- SHA256: fc62c55f7ad83e2f5b06a2cc3682f846045ded0a0f8bd5f5f4de5d4925eae59d\n- MD5: 3d3e964f0cd79892221cddf1a11bdc0a\n- Drop path: /var/tmp/backdoor.elf", "spans": {"MALWARE: Royal": [[15, 20]], "IP_ADDRESS: 10.69.98.177": [[53, 65]], "IP_ADDRESS: 10.42.105.94": [[68, 80]], "IP_ADDRESS: 172.161.172.192": [[83, 98]], "DOMAIN: relay-update.org": [[101, 117]], "DOMAIN: syncupdate.site": [[120, 135]], "URL: hxxps://portal-relay.info/secure/token": [[144, 182]], "URL: http://backup-backup.live/callback": [[185, 219]], "EMAIL: security@secure-verify.net": [[237, 263]], "EMAIL: contact@mail-service.info": [[266, 291]], "HASH: fc62c55f7ad83e2f5b06a2cc3682f846045ded0a0f8bd5f5f4de5d4925eae59d": [[319, 383]], "HASH: 3d3e964f0cd79892221cddf1a11bdc0a": [[391, 423]], "FILEPATH: /var/tmp/backdoor.elf": [[437, 458]]}, "info": {"id": "synth_v2_01458", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - BlackCat Campaign:\nNetwork Indicators:\n- 
179.232.127.14\n- 192.144.27.112\n- 212.244.86.89\n- cdn-secure.xyz\n- nodestatic.xyz\nURLs:\n- hxxp://secure-mail.io/panel/index.html\n- hxxps://nodeedge.cc/collect\nEmail Senders:\n- notification@mail-service.info\n- report@auth-check.org\nFile Indicators:\n- MD5: b6f6e2a4c50c814e4d64bdc23fa2908d\n- MD5: d81ebbc9a775b05466d3c3604ac0b4dd\n- Drop path: C:\\ProgramData\\lsass.dmp", "spans": {"MALWARE: BlackCat": [[15, 23]], "IP_ADDRESS: 179.232.127.14": [[56, 70]], "IP_ADDRESS: 192.144.27.112": [[73, 87]], "IP_ADDRESS: 212.244.86.89": [[90, 103]], "DOMAIN: cdn-secure.xyz": [[106, 120]], "DOMAIN: nodestatic.xyz": [[123, 137]], "URL: hxxp://secure-mail.io/panel/index.html": [[146, 184]], "URL: hxxps://nodeedge.cc/collect": [[187, 214]], "EMAIL: notification@mail-service.info": [[232, 262]], "EMAIL: report@auth-check.org": [[265, 286]], "HASH: b6f6e2a4c50c814e4d64bdc23fa2908d": [[311, 343]], "HASH: d81ebbc9a775b05466d3c3604ac0b4dd": [[351, 383]], "FILEPATH: C:\\ProgramData\\lsass.dmp": [[397, 421]]}, "info": {"id": "synth_v2_01459", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - NjRAT Campaign:\nNetwork Indicators:\n- 192.141.160.215\n- 169.150.152.111\n- 197.164.73.61\n- update-sync.net\n- securebackup.live\nURLs:\n- https://proxyedge.tech/portal/verify\n- http://updateapi.io/gate.php\nEmail Senders:\n- report@auth-check.org\n- support@secure-verify.net\nFile Indicators:\n- SHA256: 07d74d8ab071f8be242bc15510b1edb860eb63b7a8426caceaad63213336f6df\n- SHA1: 7ca699f631f3ccebf72fe1da8c479403d7ed80c4\n- Drop path: /home/user/.config/lsass.dmp", "spans": {"MALWARE: NjRAT": [[15, 20]], "IP_ADDRESS: 192.141.160.215": [[53, 68]], "IP_ADDRESS: 169.150.152.111": [[71, 86]], "IP_ADDRESS: 197.164.73.61": [[89, 102]], "DOMAIN: update-sync.net": [[105, 120]], "DOMAIN: securebackup.live": [[123, 140]], "URL: https://proxyedge.tech/portal/verify": [[149, 185]], "URL: http://updateapi.io/gate.php": [[188, 216]], "EMAIL: report@auth-check.org": [[234, 255]], "EMAIL: 
support@secure-verify.net": [[258, 283]], "HASH: 07d74d8ab071f8be242bc15510b1edb860eb63b7a8426caceaad63213336f6df": [[311, 375]], "HASH: 7ca699f631f3ccebf72fe1da8c479403d7ed80c4": [[384, 424]], "FILEPATH: /home/user/.config/lsass.dmp": [[438, 466]]}, "info": {"id": "synth_v2_01460", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - PlugX Campaign:\nNetwork Indicators:\n- 192.116.216.126\n- 192.175.22.191\n- 192.14.29.205\n- apirelay.online\n- proxy-data.info\nURLs:\n- hxxps://data-auth.site/wp-content/uploads/doc.php\n- hxxp://updateproxy.cc/admin/config\nEmail Senders:\n- info@identity-verify.cc\n- hr@auth-check.org\nFile Indicators:\n- SHA1: c03ad1fe88229f2bde29b0577713874c177bd07f\n- MD5: fa45535aa698876cae96006e99947e11\n- Drop path: /dev/shm/winlogon.exe", "spans": {"MALWARE: PlugX": [[15, 20]], "IP_ADDRESS: 192.116.216.126": [[53, 68]], "IP_ADDRESS: 192.175.22.191": [[71, 85]], "IP_ADDRESS: 192.14.29.205": [[88, 101]], "DOMAIN: apirelay.online": [[104, 119]], "DOMAIN: proxy-data.info": [[122, 137]], "URL: hxxps://data-auth.site/wp-content/uploads/doc.php": [[146, 195]], "URL: hxxp://updateproxy.cc/admin/config": [[198, 232]], "EMAIL: info@identity-verify.cc": [[250, 273]], "EMAIL: hr@auth-check.org": [[276, 293]], "HASH: c03ad1fe88229f2bde29b0577713874c177bd07f": [[319, 359]], "HASH: fa45535aa698876cae96006e99947e11": [[367, 399]], "FILEPATH: /dev/shm/winlogon.exe": [[413, 434]]}, "info": {"id": "synth_v2_01461", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - DarkSide Campaign:\nNetwork Indicators:\n- 89.147.91.184\n- 10.204.250.176\n- 24.181.26.109\n- nodenode.net\n- mailrelay.net\nURLs:\n- http://gatewaygateway.net/callback\n- http://cdncache.xyz/assets/js/payload.js\nEmail Senders:\n- helpdesk@identity-verify.cc\n- hr@identity-verify.cc\nFile Indicators:\n- SHA1: 3c5a9c622974d3604c85d43e996fc689512fb447\n- MD5: a10d04413df69b1e1f0577dfac9609ea\n- Drop path: C:\\Windows\\Temp\\winlogon.exe", "spans": {"MALWARE: DarkSide": [[15, 23]], "IP_ADDRESS: 
89.147.91.184": [[56, 69]], "IP_ADDRESS: 10.204.250.176": [[72, 86]], "IP_ADDRESS: 24.181.26.109": [[89, 102]], "DOMAIN: nodenode.net": [[105, 117]], "DOMAIN: mailrelay.net": [[120, 133]], "URL: http://gatewaygateway.net/callback": [[142, 176]], "URL: http://cdncache.xyz/assets/js/payload.js": [[179, 219]], "EMAIL: helpdesk@identity-verify.cc": [[237, 264]], "EMAIL: hr@identity-verify.cc": [[267, 288]], "HASH: 3c5a9c622974d3604c85d43e996fc689512fb447": [[314, 354]], "HASH: a10d04413df69b1e1f0577dfac9609ea": [[362, 394]], "FILEPATH: C:\\Windows\\Temp\\winlogon.exe": [[408, 436]]}, "info": {"id": "synth_v2_01462", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - DanaBot Campaign:\nNetwork Indicators:\n- 81.61.211.30\n- 10.106.171.107\n- 10.67.133.233\n- apinode.org\n- portalstatic.site\nURLs:\n- http://api-login.top/collect\n- http://backupedge.live/collect\nEmail Senders:\n- verify@urgent-notice.online\n- finance@urgent-notice.online\nFile Indicators:\n- SHA256: b762fce4b63247a949d78d30c345c0419ae2f419a7bdbc5b5577b5e67cd3f873\n- SHA1: 178385680f70cd7240be13c3aeb796b8002faa3e\n- Drop path: /dev/shm/shell.php", "spans": {"MALWARE: DanaBot": [[15, 22]], "IP_ADDRESS: 81.61.211.30": [[55, 67]], "IP_ADDRESS: 10.106.171.107": [[70, 84]], "IP_ADDRESS: 10.67.133.233": [[87, 100]], "DOMAIN: apinode.org": [[103, 114]], "DOMAIN: portalstatic.site": [[117, 134]], "URL: http://api-login.top/collect": [[143, 171]], "URL: http://backupedge.live/collect": [[174, 204]], "EMAIL: verify@urgent-notice.online": [[222, 249]], "EMAIL: finance@urgent-notice.online": [[252, 280]], "HASH: b762fce4b63247a949d78d30c345c0419ae2f419a7bdbc5b5577b5e67cd3f873": [[308, 372]], "HASH: 178385680f70cd7240be13c3aeb796b8002faa3e": [[381, 421]], "FILEPATH: /dev/shm/shell.php": [[435, 453]]}, "info": {"id": "synth_v2_01463", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - BatLoader Campaign:\nNetwork Indicators:\n- 190.101.43.147\n- 58.29.177.42\n- 161.26.133.182\n- portal-cache.dev\n- 
secure-mail.live\nURLs:\n- hxxp://gateway-sync.org/login\n- http://login-proxy.info/collect\nEmail Senders:\n- admin@secure-verify.net\n- verify@identity-verify.cc\nFile Indicators:\n- SHA1: 74806f38495308385f63bda18588e6bf028a278e\n- SHA1: 775c91a65ca47896e2c25c41b2732bcd3cf6022c\n- Drop path: /tmp/taskhost.exe", "spans": {"MALWARE: BatLoader": [[15, 24]], "IP_ADDRESS: 190.101.43.147": [[57, 71]], "IP_ADDRESS: 58.29.177.42": [[74, 86]], "IP_ADDRESS: 161.26.133.182": [[89, 103]], "DOMAIN: portal-cache.dev": [[106, 122]], "DOMAIN: secure-mail.live": [[125, 141]], "URL: hxxp://gateway-sync.org/login": [[150, 179]], "URL: http://login-proxy.info/collect": [[182, 213]], "EMAIL: admin@secure-verify.net": [[231, 254]], "EMAIL: verify@identity-verify.cc": [[257, 282]], "HASH: 74806f38495308385f63bda18588e6bf028a278e": [[308, 348]], "HASH: 775c91a65ca47896e2c25c41b2732bcd3cf6022c": [[357, 397]], "FILEPATH: /tmp/taskhost.exe": [[411, 428]]}, "info": {"id": "synth_v2_01464", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - StealC Campaign:\nNetwork Indicators:\n- 192.217.124.120\n- 192.185.177.58\n- 2.215.76.45\n- update-gateway.xyz\n- gatewayproxy.xyz\nURLs:\n- http://proxyrelay.tech/collect\n- https://securestatic.io/api/v2/auth\nEmail Senders:\n- admin@mail-service.info\n- admin@phishing-domain.com\nFile Indicators:\n- SHA1: 3023345a555c0278bc9f32850cb8ce3f88b0c9f4\n- SHA1: 48bbf93c83908fd0cdc5297a756a6afe03fbd956\n- Drop path: /tmp/config.dat", "spans": {"MALWARE: StealC": [[15, 21]], "IP_ADDRESS: 192.217.124.120": [[54, 69]], "IP_ADDRESS: 192.185.177.58": [[72, 86]], "IP_ADDRESS: 2.215.76.45": [[89, 100]], "DOMAIN: update-gateway.xyz": [[103, 121]], "DOMAIN: gatewayproxy.xyz": [[124, 140]], "URL: http://proxyrelay.tech/collect": [[149, 179]], "URL: https://securestatic.io/api/v2/auth": [[182, 217]], "EMAIL: admin@mail-service.info": [[235, 258]], "EMAIL: admin@phishing-domain.com": [[261, 286]], "HASH: 3023345a555c0278bc9f32850cb8ce3f88b0c9f4": [[312, 352]], "HASH: 
48bbf93c83908fd0cdc5297a756a6afe03fbd956": [[361, 401]], "FILEPATH: /tmp/config.dat": [[415, 430]]}, "info": {"id": "synth_v2_01465", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Amadey Campaign:\nNetwork Indicators:\n- 10.111.65.79\n- 192.227.155.222\n- 53.166.65.175\n- storage-gateway.net\n- edge-node.club\nURLs:\n- http://edge-update.top/admin/config\n- hxxps://nodegateway.org/panel/index.html\nEmail Senders:\n- ceo@login-portal.tech\n- info@secure-verify.net\nFile Indicators:\n- SHA256: acfb7cb7d5bc258dc599f52c0044cc504b6b0b08a343592643d73dd2aa56bb99\n- SHA256: 6f3d80fa8331de8fdb519eb67ebc29e88ca7b092bba7dc74ccd4d4ae5a62530c\n- Drop path: C:\\Users\\Public\\Documents\\config.dat", "spans": {"MALWARE: Amadey": [[15, 21]], "IP_ADDRESS: 10.111.65.79": [[54, 66]], "IP_ADDRESS: 192.227.155.222": [[69, 84]], "IP_ADDRESS: 53.166.65.175": [[87, 100]], "DOMAIN: storage-gateway.net": [[103, 122]], "DOMAIN: edge-node.club": [[125, 139]], "URL: http://edge-update.top/admin/config": [[148, 183]], "URL: hxxps://nodegateway.org/panel/index.html": [[186, 226]], "EMAIL: ceo@login-portal.tech": [[244, 265]], "EMAIL: info@secure-verify.net": [[268, 290]], "HASH: acfb7cb7d5bc258dc599f52c0044cc504b6b0b08a343592643d73dd2aa56bb99": [[318, 382]], "HASH: 6f3d80fa8331de8fdb519eb67ebc29e88ca7b092bba7dc74ccd4d4ae5a62530c": [[393, 457]], "FILEPATH: C:\\Users\\Public\\Documents\\config.dat": [[471, 507]]}, "info": {"id": "synth_v2_01466", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - BatLoader Campaign:\nNetwork Indicators:\n- 172.248.15.208\n- 192.200.217.99\n- 59.200.155.123\n- node-api.top\n- secure-gateway.live\nURLs:\n- hxxp://storageupdate.xyz/admin/config\n- hxxp://staticcdn.club/admin/config\nEmail Senders:\n- report@mail-service.info\n- admin@login-portal.tech\nFile Indicators:\n- MD5: c1222654d6632cc35d6fea6d6b7a0a7a\n- SHA1: bd3d87b90c40eddafb119c004ab378ca6a2b96f1\n- Drop path: /dev/shm/csrss.exe", "spans": {"MALWARE: BatLoader": [[15, 24]], "IP_ADDRESS: 
172.248.15.208": [[57, 71]], "IP_ADDRESS: 192.200.217.99": [[74, 88]], "IP_ADDRESS: 59.200.155.123": [[91, 105]], "DOMAIN: node-api.top": [[108, 120]], "DOMAIN: secure-gateway.live": [[123, 142]], "URL: hxxp://storageupdate.xyz/admin/config": [[151, 188]], "URL: hxxp://staticcdn.club/admin/config": [[191, 225]], "EMAIL: report@mail-service.info": [[243, 267]], "EMAIL: admin@login-portal.tech": [[270, 293]], "HASH: c1222654d6632cc35d6fea6d6b7a0a7a": [[318, 350]], "HASH: bd3d87b90c40eddafb119c004ab378ca6a2b96f1": [[359, 399]], "FILEPATH: /dev/shm/csrss.exe": [[413, 431]]}, "info": {"id": "synth_v2_01467", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Royal Campaign:\nNetwork Indicators:\n- 163.101.55.169\n- 10.128.175.33\n- 177.168.212.116\n- cache-storage.com\n- cdn-mail.site\nURLs:\n- http://relay-api.org/secure/token\n- hxxps://backup-static.info/panel/index.html\nEmail Senders:\n- it@account-update.xyz\n- report@urgent-notice.online\nFile Indicators:\n- SHA1: ca3ff41f5d258f837c84eb0c2f474993d2c667a8\n- MD5: d1df35e334d24bab4e10c12bc5d57bbd\n- Drop path: /var/tmp/loader.exe", "spans": {"MALWARE: Royal": [[15, 20]], "IP_ADDRESS: 163.101.55.169": [[53, 67]], "IP_ADDRESS: 10.128.175.33": [[70, 83]], "IP_ADDRESS: 177.168.212.116": [[86, 101]], "DOMAIN: cache-storage.com": [[104, 121]], "DOMAIN: cdn-mail.site": [[124, 137]], "URL: http://relay-api.org/secure/token": [[146, 179]], "URL: hxxps://backup-static.info/panel/index.html": [[182, 225]], "EMAIL: it@account-update.xyz": [[243, 264]], "EMAIL: report@urgent-notice.online": [[267, 294]], "HASH: ca3ff41f5d258f837c84eb0c2f474993d2c667a8": [[320, 360]], "HASH: d1df35e334d24bab4e10c12bc5d57bbd": [[368, 400]], "FILEPATH: /var/tmp/loader.exe": [[414, 433]]}, "info": {"id": "synth_v2_01468", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - BatLoader Campaign:\nNetwork Indicators:\n- 10.37.167.31\n- 151.239.226.128\n- 69.45.125.103\n- gateway-mail.online\n- maillogin.io\nURLs:\n- 
https://authcache.top/admin/config\n- hxxp://cacheupdate.dev/collect\nEmail Senders:\n- finance@urgent-notice.online\n- hr@document-share.link\nFile Indicators:\n- SHA256: f17dfb325aae3769ed6d97fdf16a808076b29ad99fcaaa2261b081bd9ba92791\n- SHA256: de77c2714cf083bd3342baab540941779740c8a1f122eb26a729bec54f23b419\n- Drop path: /home/user/.config/runtime.dll", "spans": {"MALWARE: BatLoader": [[15, 24]], "IP_ADDRESS: 10.37.167.31": [[57, 69]], "IP_ADDRESS: 151.239.226.128": [[72, 87]], "IP_ADDRESS: 69.45.125.103": [[90, 103]], "DOMAIN: gateway-mail.online": [[106, 125]], "DOMAIN: maillogin.io": [[128, 140]], "URL: https://authcache.top/admin/config": [[149, 183]], "URL: hxxp://cacheupdate.dev/collect": [[186, 216]], "EMAIL: finance@urgent-notice.online": [[234, 262]], "EMAIL: hr@document-share.link": [[265, 287]], "HASH: f17dfb325aae3769ed6d97fdf16a808076b29ad99fcaaa2261b081bd9ba92791": [[315, 379]], "HASH: de77c2714cf083bd3342baab540941779740c8a1f122eb26a729bec54f23b419": [[390, 454]], "FILEPATH: /home/user/.config/runtime.dll": [[468, 498]]}, "info": {"id": "synth_v2_01469", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - SmokeLoader Campaign:\nNetwork Indicators:\n- 118.245.209.222\n- 20.121.223.88\n- 5.17.46.179\n- staticmail.club\n- relaynode.xyz\nURLs:\n- hxxps://cachecloud.site/api/v2/auth\n- http://apilogin.top/login\nEmail Senders:\n- contact@identity-verify.cc\n- alert@urgent-notice.online\nFile Indicators:\n- SHA256: 0a15bd5951703f091bd9efc7ca0720d1173973a627624c704fe12d231461e0f4\n- SHA256: 0e0aa25ec710d059739c30dd0662252817cd8f33c114157c66830f53b70a5b9f\n- Drop path: /opt/app/bin/helper.sh", "spans": {"MALWARE: SmokeLoader": [[15, 26]], "IP_ADDRESS: 118.245.209.222": [[59, 74]], "IP_ADDRESS: 20.121.223.88": [[77, 90]], "IP_ADDRESS: 5.17.46.179": [[93, 104]], "DOMAIN: staticmail.club": [[107, 122]], "DOMAIN: relaynode.xyz": [[125, 138]], "URL: hxxps://cachecloud.site/api/v2/auth": [[147, 182]], "URL: http://apilogin.top/login": [[185, 210]], "EMAIL: 
contact@identity-verify.cc": [[228, 254]], "EMAIL: alert@urgent-notice.online": [[257, 283]], "HASH: 0a15bd5951703f091bd9efc7ca0720d1173973a627624c704fe12d231461e0f4": [[311, 375]], "HASH: 0e0aa25ec710d059739c30dd0662252817cd8f33c114157c66830f53b70a5b9f": [[386, 450]], "FILEPATH: /opt/app/bin/helper.sh": [[464, 486]]}, "info": {"id": "synth_v2_01470", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - FormBook Campaign:\nNetwork Indicators:\n- 192.252.21.240\n- 35.0.71.8\n- 192.109.51.242\n- secure-update.link\n- portalproxy.site\nURLs:\n- http://update-cloud.top/wp-content/uploads/doc.php\n- http://syncnode.xyz/secure/token\nEmail Senders:\n- contact@credential-check.site\n- admin@credential-check.site\nFile Indicators:\n- SHA256: 71e4258394d11ecf266d00340c8207d2d8ad1a753309fb535a8af2142642cb81\n- MD5: a1e81665e736adbb608c59112090304a\n- Drop path: C:\\Users\\Public\\Documents\\shell.php", "spans": {"MALWARE: FormBook": [[15, 23]], "IP_ADDRESS: 192.252.21.240": [[56, 70]], "IP_ADDRESS: 35.0.71.8": [[73, 82]], "IP_ADDRESS: 192.109.51.242": [[85, 99]], "DOMAIN: secure-update.link": [[102, 120]], "DOMAIN: portalproxy.site": [[123, 139]], "URL: http://update-cloud.top/wp-content/uploads/doc.php": [[148, 198]], "URL: http://syncnode.xyz/secure/token": [[201, 233]], "EMAIL: contact@credential-check.site": [[251, 280]], "EMAIL: admin@credential-check.site": [[283, 310]], "HASH: 71e4258394d11ecf266d00340c8207d2d8ad1a753309fb535a8af2142642cb81": [[338, 402]], "HASH: a1e81665e736adbb608c59112090304a": [[410, 442]], "FILEPATH: C:\\Users\\Public\\Documents\\shell.php": [[456, 491]]}, "info": {"id": "synth_v2_01471", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Emotet Campaign:\nNetwork Indicators:\n- 104.166.251.207\n- 215.99.208.126\n- 9.162.133.101\n- cloudstatic.xyz\n- portal-sync.club\nURLs:\n- http://syncgateway.dev/assets/js/payload.js\n- http://cdn-mail.io/panel/index.html\nEmail Senders:\n- alert@phishing-domain.com\n- security@auth-check.org\nFile 
Indicators:\n- SHA1: 563506088a916cef4a3020830e27f4e26813564f\n- SHA256: 47351e55946b8ddb7f9e007a1d48ad8a9ffaf214ee5df590ec7b7c4c79ce8dc0\n- Drop path: /tmp/taskhost.exe", "spans": {"MALWARE: Emotet": [[15, 21]], "IP_ADDRESS: 104.166.251.207": [[54, 69]], "IP_ADDRESS: 215.99.208.126": [[72, 86]], "IP_ADDRESS: 9.162.133.101": [[89, 102]], "DOMAIN: cloudstatic.xyz": [[105, 120]], "DOMAIN: portal-sync.club": [[123, 139]], "URL: http://syncgateway.dev/assets/js/payload.js": [[148, 191]], "URL: http://cdn-mail.io/panel/index.html": [[194, 229]], "EMAIL: alert@phishing-domain.com": [[247, 272]], "EMAIL: security@auth-check.org": [[275, 298]], "HASH: 563506088a916cef4a3020830e27f4e26813564f": [[324, 364]], "HASH: 47351e55946b8ddb7f9e007a1d48ad8a9ffaf214ee5df590ec7b7c4c79ce8dc0": [[375, 439]], "FILEPATH: /tmp/taskhost.exe": [[453, 470]]}, "info": {"id": "synth_v2_01472", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - BlackCat Campaign:\nNetwork Indicators:\n- 172.214.65.81\n- 127.24.16.145\n- 133.26.156.4\n- backup-portal.net\n- staticrelay.link\nURLs:\n- hxxps://update-api.dev/login\n- https://cloudnode.io/portal/verify\nEmail Senders:\n- service@credential-check.site\n- helpdesk@mail-service.info\nFile Indicators:\n- SHA1: 3154292e94d84d66d2ac9363f8ad862292f78b17\n- SHA256: c651925518198642a56e46608a9e6a8c6884c5b4d81c8f30f9989019bb06c65a\n- Drop path: /dev/shm/agent.py", "spans": {"MALWARE: BlackCat": [[15, 23]], "IP_ADDRESS: 172.214.65.81": [[56, 69]], "IP_ADDRESS: 127.24.16.145": [[72, 85]], "IP_ADDRESS: 133.26.156.4": [[88, 100]], "DOMAIN: backup-portal.net": [[103, 120]], "DOMAIN: staticrelay.link": [[123, 139]], "URL: hxxps://update-api.dev/login": [[148, 176]], "URL: https://cloudnode.io/portal/verify": [[179, 213]], "EMAIL: service@credential-check.site": [[231, 260]], "EMAIL: helpdesk@mail-service.info": [[263, 289]], "HASH: 3154292e94d84d66d2ac9363f8ad862292f78b17": [[315, 355]], "HASH: c651925518198642a56e46608a9e6a8c6884c5b4d81c8f30f9989019bb06c65a": 
[[366, 430]], "FILEPATH: /dev/shm/agent.py": [[444, 461]]}, "info": {"id": "synth_v2_01473", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - BumbleBee Campaign:\nNetwork Indicators:\n- 193.118.16.142\n- 27.107.54.148\n- 148.193.254.18\n- login-auth.xyz\n- mail-backup.org\nURLs:\n- hxxps://securemail.top/api/v2/auth\n- https://cache-cdn.xyz/collect\nEmail Senders:\n- finance@phishing-domain.com\n- notification@mail-service.info\nFile Indicators:\n- SHA1: 783cc21132fb7b32668322156eb608431693f540\n- SHA1: f3d579b1abaca1884c1d0d7f5253ed18094bdc6e\n- Drop path: C:\\Users\\admin\\Downloads\\shell.php", "spans": {"MALWARE: BumbleBee": [[15, 24]], "IP_ADDRESS: 193.118.16.142": [[57, 71]], "IP_ADDRESS: 27.107.54.148": [[74, 87]], "IP_ADDRESS: 148.193.254.18": [[90, 104]], "DOMAIN: login-auth.xyz": [[107, 121]], "DOMAIN: mail-backup.org": [[124, 139]], "URL: hxxps://securemail.top/api/v2/auth": [[148, 182]], "URL: https://cache-cdn.xyz/collect": [[185, 214]], "EMAIL: finance@phishing-domain.com": [[232, 259]], "EMAIL: notification@mail-service.info": [[262, 292]], "HASH: 783cc21132fb7b32668322156eb608431693f540": [[318, 358]], "HASH: f3d579b1abaca1884c1d0d7f5253ed18094bdc6e": [[367, 407]], "FILEPATH: C:\\Users\\admin\\Downloads\\shell.php": [[421, 455]]}, "info": {"id": "synth_v2_01474", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Gootloader Campaign:\nNetwork Indicators:\n- 10.160.229.160\n- 192.116.71.64\n- 174.214.239.100\n- cdnportal.live\n- node-cache.tech\nURLs:\n- http://updatecloud.cc/panel/index.html\n- https://edge-relay.info/admin/config\nEmail Senders:\n- billing@phishing-domain.com\n- account@secure-verify.net\nFile Indicators:\n- SHA256: d4b17d947dfb22e79432077e7099cf1396d0797839ae1d5a1898db079a86ced8\n- SHA256: ada1cc909fea52c64ffae371cc0fc78a0828307c9cd7ad662bcccb92cd297781\n- Drop path: /tmp/ntds.dit", "spans": {"MALWARE: Gootloader": [[15, 25]], "IP_ADDRESS: 10.160.229.160": [[58, 72]], "IP_ADDRESS: 192.116.71.64": [[75, 88]], "IP_ADDRESS: 
174.214.239.100": [[91, 106]], "DOMAIN: cdnportal.live": [[109, 123]], "DOMAIN: node-cache.tech": [[126, 141]], "URL: http://updatecloud.cc/panel/index.html": [[150, 188]], "URL: https://edge-relay.info/admin/config": [[191, 227]], "EMAIL: billing@phishing-domain.com": [[245, 272]], "EMAIL: account@secure-verify.net": [[275, 300]], "HASH: d4b17d947dfb22e79432077e7099cf1396d0797839ae1d5a1898db079a86ced8": [[328, 392]], "HASH: ada1cc909fea52c64ffae371cc0fc78a0828307c9cd7ad662bcccb92cd297781": [[403, 467]], "FILEPATH: /tmp/ntds.dit": [[481, 494]]}, "info": {"id": "synth_v2_01475", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - BumbleBee Campaign:\nNetwork Indicators:\n- 192.104.229.181\n- 10.197.195.63\n- 10.241.62.90\n- edgeapi.io\n- authdata.xyz\nURLs:\n- https://nodegateway.com/gate.php\n- hxxps://portalrelay.online/collect\nEmail Senders:\n- noreply@urgent-notice.online\n- confirm@document-share.link\nFile Indicators:\n- SHA256: f5d1bc9b876af8dc58341783c1fdc9e966c8dfb00fe823e4f72491fbbbbca166\n- SHA256: 057d39b05f1838fd299857f78b68eb2f6d1ff895720cbbabea08b9ee424399e7\n- Drop path: C:\\Windows\\System32\\update.dll", "spans": {"MALWARE: BumbleBee": [[15, 24]], "IP_ADDRESS: 192.104.229.181": [[57, 72]], "IP_ADDRESS: 10.197.195.63": [[75, 88]], "IP_ADDRESS: 10.241.62.90": [[91, 103]], "DOMAIN: edgeapi.io": [[106, 116]], "DOMAIN: authdata.xyz": [[119, 131]], "URL: https://nodegateway.com/gate.php": [[140, 172]], "URL: hxxps://portalrelay.online/collect": [[175, 209]], "EMAIL: noreply@urgent-notice.online": [[227, 255]], "EMAIL: confirm@document-share.link": [[258, 285]], "HASH: f5d1bc9b876af8dc58341783c1fdc9e966c8dfb00fe823e4f72491fbbbbca166": [[313, 377]], "HASH: 057d39b05f1838fd299857f78b68eb2f6d1ff895720cbbabea08b9ee424399e7": [[388, 452]], "FILEPATH: C:\\Windows\\System32\\update.dll": [[466, 496]]}, "info": {"id": "synth_v2_01476", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Play Campaign:\nNetwork Indicators:\n- 10.227.163.206\n- 70.17.183.129\n- 
10.6.107.107\n- portal-relay.online\n- authstatic.live\nURLs:\n- hxxp://staticproxy.top/callback\n- hxxp://storagerelay.net/callback\nEmail Senders:\n- finance@document-share.link\n- contact@credential-check.site\nFile Indicators:\n- SHA1: ea83709aed3daf1b2259b01c7fb883fc644aaa7e\n- SHA256: 567c69a7bb8ee27e156680a7d2a0b283a87474ad95fb811a1ad912e91ca4d261\n- Drop path: /usr/local/bin/csrss.exe", "spans": {"MALWARE: Play": [[15, 19]], "IP_ADDRESS: 10.227.163.206": [[52, 66]], "IP_ADDRESS: 70.17.183.129": [[69, 82]], "IP_ADDRESS: 10.6.107.107": [[85, 97]], "DOMAIN: portal-relay.online": [[100, 119]], "DOMAIN: authstatic.live": [[122, 137]], "URL: hxxp://staticproxy.top/callback": [[146, 177]], "URL: hxxp://storagerelay.net/callback": [[180, 212]], "EMAIL: finance@document-share.link": [[230, 257]], "EMAIL: contact@credential-check.site": [[260, 289]], "HASH: ea83709aed3daf1b2259b01c7fb883fc644aaa7e": [[315, 355]], "HASH: 567c69a7bb8ee27e156680a7d2a0b283a87474ad95fb811a1ad912e91ca4d261": [[366, 430]], "FILEPATH: /usr/local/bin/csrss.exe": [[444, 468]]}, "info": {"id": "synth_v2_01477", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Ryuk Campaign:\nNetwork Indicators:\n- 81.117.231.92\n- 172.227.153.249\n- 174.74.165.36\n- staticcache.com\n- node-mail.net\nURLs:\n- hxxp://gatewayproxy.dev/wp-content/uploads/doc.php\n- http://apistorage.online/portal/verify\nEmail Senders:\n- contact@credential-check.site\n- support@auth-check.org\nFile Indicators:\n- SHA256: ccc0856d69fde79776a992ae1835e87aa1e8fb2a6acc95ab977174a0b9c7d204\n- SHA256: 73e198a2f6af79570fcd71fdc641927a2c8ad7d1b1f5144db7c6f4d9e0c05cf6\n- Drop path: C:\\Users\\admin\\AppData\\Local\\Temp\\ntds.dit", "spans": {"MALWARE: Ryuk": [[15, 19]], "IP_ADDRESS: 81.117.231.92": [[52, 65]], "IP_ADDRESS: 172.227.153.249": [[68, 83]], "IP_ADDRESS: 174.74.165.36": [[86, 99]], "DOMAIN: staticcache.com": [[102, 117]], "DOMAIN: node-mail.net": [[120, 133]], "URL: hxxp://gatewayproxy.dev/wp-content/uploads/doc.php": [[142, 
192]], "URL: http://apistorage.online/portal/verify": [[195, 233]], "EMAIL: contact@credential-check.site": [[251, 280]], "EMAIL: support@auth-check.org": [[283, 305]], "HASH: ccc0856d69fde79776a992ae1835e87aa1e8fb2a6acc95ab977174a0b9c7d204": [[333, 397]], "HASH: 73e198a2f6af79570fcd71fdc641927a2c8ad7d1b1f5144db7c6f4d9e0c05cf6": [[408, 472]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\ntds.dit": [[486, 528]]}, "info": {"id": "synth_v2_01478", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - WarmCookie Campaign:\nNetwork Indicators:\n- 192.103.107.18\n- 172.222.165.180\n- 10.248.163.131\n- cdndata.dev\n- mailportal.xyz\nURLs:\n- hxxp://edge-cache.org/portal/verify\n- https://loginsync.link/gate.php\nEmail Senders:\n- support@auth-check.org\n- info@auth-check.org\nFile Indicators:\n- SHA1: 9527a08241233b00932bd2d56ff598560a29418d\n- SHA256: b1a9d2bab11c6b2d2a02dca337e54190d0b7b45533cf75584b12b6b3420972e7\n- Drop path: /opt/app/bin/beacon.dll", "spans": {"MALWARE: WarmCookie": [[15, 25]], "IP_ADDRESS: 192.103.107.18": [[58, 72]], "IP_ADDRESS: 172.222.165.180": [[75, 90]], "IP_ADDRESS: 10.248.163.131": [[93, 107]], "DOMAIN: cdndata.dev": [[110, 121]], "DOMAIN: mailportal.xyz": [[124, 138]], "URL: hxxp://edge-cache.org/portal/verify": [[147, 182]], "URL: https://loginsync.link/gate.php": [[185, 216]], "EMAIL: support@auth-check.org": [[234, 256]], "EMAIL: info@auth-check.org": [[259, 278]], "HASH: 9527a08241233b00932bd2d56ff598560a29418d": [[304, 344]], "HASH: b1a9d2bab11c6b2d2a02dca337e54190d0b7b45533cf75584b12b6b3420972e7": [[355, 419]], "FILEPATH: /opt/app/bin/beacon.dll": [[433, 456]]}, "info": {"id": "synth_v2_01479", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - PikaBot Campaign:\nNetwork Indicators:\n- 172.98.3.211\n- 10.137.74.119\n- 172.56.199.198\n- node-portal.cc\n- syncproxy.site\nURLs:\n- https://proxy-update.xyz/admin/config\n- http://proxyedge.link/assets/js/payload.js\nEmail Senders:\n- security@identity-verify.cc\n- 
account@secure-verify.net\nFile Indicators:\n- SHA1: e5c68534cf17919dff8a2be68465a2d73f0e7fac\n- SHA256: e71c55a1c5a20a0a33d4471352ee73d1bc47db64764fc7ee43fea23d4cb86773\n- Drop path: /tmp/taskhost.exe", "spans": {"MALWARE: PikaBot": [[15, 22]], "IP_ADDRESS: 172.98.3.211": [[55, 67]], "IP_ADDRESS: 10.137.74.119": [[70, 83]], "IP_ADDRESS: 172.56.199.198": [[86, 100]], "DOMAIN: node-portal.cc": [[103, 117]], "DOMAIN: syncproxy.site": [[120, 134]], "URL: https://proxy-update.xyz/admin/config": [[143, 180]], "URL: http://proxyedge.link/assets/js/payload.js": [[183, 225]], "EMAIL: security@identity-verify.cc": [[243, 270]], "EMAIL: account@secure-verify.net": [[273, 298]], "HASH: e5c68534cf17919dff8a2be68465a2d73f0e7fac": [[324, 364]], "HASH: e71c55a1c5a20a0a33d4471352ee73d1bc47db64764fc7ee43fea23d4cb86773": [[375, 439]], "FILEPATH: /tmp/taskhost.exe": [[453, 470]]}, "info": {"id": "synth_v2_01480", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Meduza Stealer Campaign:\nNetwork Indicators:\n- 10.143.46.198\n- 192.114.71.131\n- 172.94.178.62\n- authnode.tech\n- storagemail.info\nURLs:\n- hxxp://storage-edge.dev/api/v2/auth\n- hxxp://updatecdn.dev/secure/token\nEmail Senders:\n- service@login-portal.tech\n- admin@login-portal.tech\nFile Indicators:\n- SHA256: 13bc7078d254063e5d45ba0580bc85f008076b67c6dc5556a84e35cf2917687c\n- SHA1: f56ecda5823de4a73e2bb579c2a2d0be6f3b6125\n- Drop path: C:\\Users\\admin\\Downloads\\loader.exe", "spans": {"MALWARE: Meduza Stealer": [[15, 29]], "IP_ADDRESS: 10.143.46.198": [[62, 75]], "IP_ADDRESS: 192.114.71.131": [[78, 92]], "IP_ADDRESS: 172.94.178.62": [[95, 108]], "DOMAIN: authnode.tech": [[111, 124]], "DOMAIN: storagemail.info": [[127, 143]], "URL: hxxp://storage-edge.dev/api/v2/auth": [[152, 187]], "URL: hxxp://updatecdn.dev/secure/token": [[190, 223]], "EMAIL: service@login-portal.tech": [[241, 266]], "EMAIL: admin@login-portal.tech": [[269, 292]], "HASH: 13bc7078d254063e5d45ba0580bc85f008076b67c6dc5556a84e35cf2917687c": [[320, 
384]], "HASH: f56ecda5823de4a73e2bb579c2a2d0be6f3b6125": [[393, 433]], "FILEPATH: C:\\Users\\admin\\Downloads\\loader.exe": [[447, 482]]}, "info": {"id": "synth_v2_01481", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - LockBit Campaign:\nNetwork Indicators:\n- 122.97.167.171\n- 223.4.157.252\n- 149.194.184.114\n- gateway-node.cc\n- loginapi.xyz\nURLs:\n- hxxp://cdnnode.site/panel/index.html\n- https://edgestorage.site/admin/config\nEmail Senders:\n- billing@mail-service.info\n- updates@identity-verify.cc\nFile Indicators:\n- SHA256: 0860b888ff4fa3932219c787d878766e3e86bc1510fdd857dde29b5f54a199a0\n- SHA1: 587d422fa4c94f583158eb6a0c744e8f0f063855\n- Drop path: C:\\Users\\admin\\AppData\\Local\\Temp\\loader.exe", "spans": {"MALWARE: LockBit": [[15, 22]], "IP_ADDRESS: 122.97.167.171": [[55, 69]], "IP_ADDRESS: 223.4.157.252": [[72, 85]], "IP_ADDRESS: 149.194.184.114": [[88, 103]], "DOMAIN: gateway-node.cc": [[106, 121]], "DOMAIN: loginapi.xyz": [[124, 136]], "URL: hxxp://cdnnode.site/panel/index.html": [[145, 181]], "URL: https://edgestorage.site/admin/config": [[184, 221]], "EMAIL: billing@mail-service.info": [[239, 264]], "EMAIL: updates@identity-verify.cc": [[267, 293]], "HASH: 0860b888ff4fa3932219c787d878766e3e86bc1510fdd857dde29b5f54a199a0": [[321, 385]], "HASH: 587d422fa4c94f583158eb6a0c744e8f0f063855": [[394, 434]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\loader.exe": [[448, 492]]}, "info": {"id": "synth_v2_01482", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - WarmCookie Campaign:\nNetwork Indicators:\n- 10.10.87.218\n- 140.224.90.134\n- 102.239.109.101\n- api-portal.xyz\n- update-edge.info\nURLs:\n- http://proxy-secure.club/download/update.exe\n- http://data-cloud.club/portal/verify\nEmail Senders:\n- report@phishing-domain.com\n- account@mail-service.info\nFile Indicators:\n- MD5: 156af39be9b520c4c110258bbfab84c6\n- SHA256: 6f2935cf8ab114370f34a59ea6a628c5afe4e5234d9627f368b5792b1bf83fa8\n- Drop path: /dev/shm/agent.py", "spans": 
{"MALWARE: WarmCookie": [[15, 25]], "IP_ADDRESS: 10.10.87.218": [[58, 70]], "IP_ADDRESS: 140.224.90.134": [[73, 87]], "IP_ADDRESS: 102.239.109.101": [[90, 105]], "DOMAIN: api-portal.xyz": [[108, 122]], "DOMAIN: update-edge.info": [[125, 141]], "URL: http://proxy-secure.club/download/update.exe": [[150, 194]], "URL: http://data-cloud.club/portal/verify": [[197, 233]], "EMAIL: report@phishing-domain.com": [[251, 277]], "EMAIL: account@mail-service.info": [[280, 305]], "HASH: 156af39be9b520c4c110258bbfab84c6": [[330, 362]], "HASH: 6f2935cf8ab114370f34a59ea6a628c5afe4e5234d9627f368b5792b1bf83fa8": [[373, 437]], "FILEPATH: /dev/shm/agent.py": [[451, 468]]}, "info": {"id": "synth_v2_01483", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - DanaBot Campaign:\nNetwork Indicators:\n- 192.46.221.207\n- 172.113.17.59\n- 10.50.198.106\n- portal-gateway.org\n- node-sync.tech\nURLs:\n- https://backup-update.io/gate.php\n- https://loginsecure.dev/api/v2/auth\nEmail Senders:\n- alert@phishing-domain.com\n- account@mail-service.info\nFile Indicators:\n- MD5: aeb5f673bfd75b9d889918d4e8826b9e\n- MD5: 3a1cb75272e164c3cf001bb2480764d7\n- Drop path: C:\\Program Files\\Common Files\\chrome_helper.exe", "spans": {"MALWARE: DanaBot": [[15, 22]], "IP_ADDRESS: 192.46.221.207": [[55, 69]], "IP_ADDRESS: 172.113.17.59": [[72, 85]], "IP_ADDRESS: 10.50.198.106": [[88, 101]], "DOMAIN: portal-gateway.org": [[104, 122]], "DOMAIN: node-sync.tech": [[125, 139]], "URL: https://backup-update.io/gate.php": [[148, 181]], "URL: https://loginsecure.dev/api/v2/auth": [[184, 219]], "EMAIL: alert@phishing-domain.com": [[237, 262]], "EMAIL: account@mail-service.info": [[265, 290]], "HASH: aeb5f673bfd75b9d889918d4e8826b9e": [[315, 347]], "HASH: 3a1cb75272e164c3cf001bb2480764d7": [[355, 387]], "FILEPATH: C:\\Program Files\\Common Files\\chrome_helper.exe": [[401, 448]]}, "info": {"id": "synth_v2_01484", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Cobalt Strike Campaign:\nNetwork Indicators:\n- 
188.212.22.190\n- 10.199.3.76\n- 152.9.53.114\n- staticstorage.xyz\n- portal-login.dev\nURLs:\n- http://update-gateway.site/panel/index.html\n- hxxp://storageproxy.live/download/update.exe\nEmail Senders:\n- info@identity-verify.cc\n- it@phishing-domain.com\nFile Indicators:\n- MD5: efc36db0e1a50b4e1562fa6618ab16c9\n- MD5: 8e8221ecabc23f07673d6c7fd53587dc\n- Drop path: C:\\Users\\admin\\Downloads\\backdoor.elf", "spans": {"MALWARE: Cobalt Strike": [[15, 28]], "IP_ADDRESS: 188.212.22.190": [[61, 75]], "IP_ADDRESS: 10.199.3.76": [[78, 89]], "IP_ADDRESS: 152.9.53.114": [[92, 104]], "DOMAIN: staticstorage.xyz": [[107, 124]], "DOMAIN: portal-login.dev": [[127, 143]], "URL: http://update-gateway.site/panel/index.html": [[152, 195]], "URL: hxxp://storageproxy.live/download/update.exe": [[198, 242]], "EMAIL: info@identity-verify.cc": [[260, 283]], "EMAIL: it@phishing-domain.com": [[286, 308]], "HASH: efc36db0e1a50b4e1562fa6618ab16c9": [[333, 365]], "HASH: 8e8221ecabc23f07673d6c7fd53587dc": [[373, 405]], "FILEPATH: C:\\Users\\admin\\Downloads\\backdoor.elf": [[419, 456]]}, "info": {"id": "synth_v2_01485", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - LockBit Campaign:\nNetwork Indicators:\n- 192.99.177.69\n- 217.7.235.20\n- 192.7.237.194\n- static-node.tech\n- secure-data.top\nURLs:\n- http://updategateway.site/api/v2/auth\n- hxxp://edgestorage.xyz/admin/config\nEmail Senders:\n- billing@secure-verify.net\n- verify@secure-verify.net\nFile Indicators:\n- SHA1: 3981d9dfc054681a987485a28356baf4d23c469e\n- SHA256: a646338b2a209096e6fbda18dddade1247d3ca8fd938b0a2aa398b3afd7dfea1\n- Drop path: /usr/local/bin/sam.hive", "spans": {"MALWARE: LockBit": [[15, 22]], "IP_ADDRESS: 192.99.177.69": [[55, 68]], "IP_ADDRESS: 217.7.235.20": [[71, 83]], "IP_ADDRESS: 192.7.237.194": [[86, 99]], "DOMAIN: static-node.tech": [[102, 118]], "DOMAIN: secure-data.top": [[121, 136]], "URL: http://updategateway.site/api/v2/auth": [[145, 182]], "URL: hxxp://edgestorage.xyz/admin/config": [[185, 
220]], "EMAIL: billing@secure-verify.net": [[238, 263]], "EMAIL: verify@secure-verify.net": [[266, 290]], "HASH: 3981d9dfc054681a987485a28356baf4d23c469e": [[316, 356]], "HASH: a646338b2a209096e6fbda18dddade1247d3ca8fd938b0a2aa398b3afd7dfea1": [[367, 431]], "FILEPATH: /usr/local/bin/sam.hive": [[445, 468]]}, "info": {"id": "synth_v2_01486", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - DanaBot Campaign:\nNetwork Indicators:\n- 92.130.33.44\n- 172.91.80.2\n- 192.36.182.202\n- cdn-node.cc\n- loginauth.live\nURLs:\n- http://auth-secure.site/download/update.exe\n- hxxps://cdnstorage.link/gate.php\nEmail Senders:\n- helpdesk@account-update.xyz\n- hr@document-share.link\nFile Indicators:\n- MD5: 07811ed598441dbf7348e798e53533ff\n- MD5: f2b334df58cfeebc0281f98bed20ab85\n- Drop path: C:\\ProgramData\\helper.sh", "spans": {"MALWARE: DanaBot": [[15, 22]], "IP_ADDRESS: 92.130.33.44": [[55, 67]], "IP_ADDRESS: 172.91.80.2": [[70, 81]], "IP_ADDRESS: 192.36.182.202": [[84, 98]], "DOMAIN: cdn-node.cc": [[101, 112]], "DOMAIN: loginauth.live": [[115, 129]], "URL: http://auth-secure.site/download/update.exe": [[138, 181]], "URL: hxxps://cdnstorage.link/gate.php": [[184, 216]], "EMAIL: helpdesk@account-update.xyz": [[234, 261]], "EMAIL: hr@document-share.link": [[264, 286]], "HASH: 07811ed598441dbf7348e798e53533ff": [[311, 343]], "HASH: f2b334df58cfeebc0281f98bed20ab85": [[351, 383]], "FILEPATH: C:\\ProgramData\\helper.sh": [[397, 421]]}, "info": {"id": "synth_v2_01487", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - StealC Campaign:\nNetwork Indicators:\n- 62.27.126.210\n- 172.23.86.125\n- 154.203.77.202\n- edge-data.io\n- backupcdn.link\nURLs:\n- hxxp://portalmail.info/collect\n- https://loginedge.link/assets/js/payload.js\nEmail Senders:\n- account@phishing-domain.com\n- billing@login-portal.tech\nFile Indicators:\n- SHA1: 2ae72ca5c277630c3b23cc2924be7053716f92b2\n- SHA256: 3d4dddc282508d0530106908be184b41c142e40067db3be634e852f6db3193f6\n- Drop path: 
C:\\Windows\\Temp\\loader.exe", "spans": {"MALWARE: StealC": [[15, 21]], "IP_ADDRESS: 62.27.126.210": [[54, 67]], "IP_ADDRESS: 172.23.86.125": [[70, 83]], "IP_ADDRESS: 154.203.77.202": [[86, 100]], "DOMAIN: edge-data.io": [[103, 115]], "DOMAIN: backupcdn.link": [[118, 132]], "URL: hxxp://portalmail.info/collect": [[141, 171]], "URL: https://loginedge.link/assets/js/payload.js": [[174, 217]], "EMAIL: account@phishing-domain.com": [[235, 262]], "EMAIL: billing@login-portal.tech": [[265, 290]], "HASH: 2ae72ca5c277630c3b23cc2924be7053716f92b2": [[316, 356]], "HASH: 3d4dddc282508d0530106908be184b41c142e40067db3be634e852f6db3193f6": [[367, 431]], "FILEPATH: C:\\Windows\\Temp\\loader.exe": [[445, 471]]}, "info": {"id": "synth_v2_01488", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - FormBook Campaign:\nNetwork Indicators:\n- 211.49.147.143\n- 168.125.65.152\n- 192.163.10.86\n- sync-node.live\n- authstorage.cc\nURLs:\n- hxxp://edge-login.dev/gate.php\n- hxxps://secureauth.com/gate.php\nEmail Senders:\n- hr@mail-service.info\n- hr@credential-check.site\nFile Indicators:\n- SHA256: aa5f4f4a25f513b13273810758a5e631648ea6340d84e33ce745261f333d4eb2\n- MD5: 51805cb55b7c7818060a98af6f4d1d1c\n- Drop path: /var/tmp/shell.php", "spans": {"MALWARE: FormBook": [[15, 23]], "IP_ADDRESS: 211.49.147.143": [[56, 70]], "IP_ADDRESS: 168.125.65.152": [[73, 87]], "IP_ADDRESS: 192.163.10.86": [[90, 103]], "DOMAIN: sync-node.live": [[106, 120]], "DOMAIN: authstorage.cc": [[123, 137]], "URL: hxxp://edge-login.dev/gate.php": [[146, 176]], "URL: hxxps://secureauth.com/gate.php": [[179, 210]], "EMAIL: hr@mail-service.info": [[228, 248]], "EMAIL: hr@credential-check.site": [[251, 275]], "HASH: aa5f4f4a25f513b13273810758a5e631648ea6340d84e33ce745261f333d4eb2": [[303, 367]], "HASH: 51805cb55b7c7818060a98af6f4d1d1c": [[375, 407]], "FILEPATH: /var/tmp/shell.php": [[421, 439]]}, "info": {"id": "synth_v2_01489", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Ryuk Campaign:\nNetwork 
Indicators:\n- 172.63.248.241\n- 219.5.15.52\n- 92.201.141.235\n- storageproxy.link\n- proxy-backup.link\nURLs:\n- http://portalportal.com/download/update.exe\n- hxxps://portal-portal.club/portal/verify\nEmail Senders:\n- verify@mail-service.info\n- alert@account-update.xyz\nFile Indicators:\n- MD5: 358de74077e360f643efce8b9904214d\n- SHA1: 58f8c74e2e01b9c0b063f4972b29620253fba227\n- Drop path: C:\\Windows\\Temp\\dropper.ps1", "spans": {"MALWARE: Ryuk": [[15, 19]], "IP_ADDRESS: 172.63.248.241": [[52, 66]], "IP_ADDRESS: 219.5.15.52": [[69, 80]], "IP_ADDRESS: 92.201.141.235": [[83, 97]], "DOMAIN: storageproxy.link": [[100, 117]], "DOMAIN: proxy-backup.link": [[120, 137]], "URL: http://portalportal.com/download/update.exe": [[146, 189]], "URL: hxxps://portal-portal.club/portal/verify": [[192, 232]], "EMAIL: verify@mail-service.info": [[250, 274]], "EMAIL: alert@account-update.xyz": [[277, 301]], "HASH: 358de74077e360f643efce8b9904214d": [[326, 358]], "HASH: 58f8c74e2e01b9c0b063f4972b29620253fba227": [[367, 407]], "FILEPATH: C:\\Windows\\Temp\\dropper.ps1": [[421, 448]]}, "info": {"id": "synth_v2_01490", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Ryuk Campaign:\nNetwork Indicators:\n- 10.223.107.129\n- 172.67.144.2\n- 56.126.186.30\n- updatelogin.site\n- proxyrelay.tech\nURLs:\n- hxxps://gatewayedge.info/wp-content/uploads/doc.php\n- http://gateway-cloud.site/panel/index.html\nEmail Senders:\n- info@credential-check.site\n- ceo@account-update.xyz\nFile Indicators:\n- SHA256: d20891da2b69f0e944d0073524e00d9793600df2cedbd895ed5e5e97c57c8b25\n- SHA1: 6984833a22fc2cd198bd346e4d15264a924e7de2\n- Drop path: /usr/local/bin/dropper.ps1", "spans": {"MALWARE: Ryuk": [[15, 19]], "IP_ADDRESS: 10.223.107.129": [[52, 66]], "IP_ADDRESS: 172.67.144.2": [[69, 81]], "IP_ADDRESS: 56.126.186.30": [[84, 97]], "DOMAIN: updatelogin.site": [[100, 116]], "DOMAIN: proxyrelay.tech": [[119, 134]], "URL: hxxps://gatewayedge.info/wp-content/uploads/doc.php": [[143, 194]], "URL: 
http://gateway-cloud.site/panel/index.html": [[197, 239]], "EMAIL: info@credential-check.site": [[257, 283]], "EMAIL: ceo@account-update.xyz": [[286, 308]], "HASH: d20891da2b69f0e944d0073524e00d9793600df2cedbd895ed5e5e97c57c8b25": [[336, 400]], "HASH: 6984833a22fc2cd198bd346e4d15264a924e7de2": [[409, 449]], "FILEPATH: /usr/local/bin/dropper.ps1": [[463, 489]]}, "info": {"id": "synth_v2_01491", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - IcedID Campaign:\nNetwork Indicators:\n- 172.124.249.99\n- 41.117.112.3\n- 192.183.123.154\n- loginportal.com\n- cloudsecure.cc\nURLs:\n- hxxps://backup-update.net/portal/verify\n- https://backuprelay.tech/assets/js/payload.js\nEmail Senders:\n- verify@login-portal.tech\n- updates@credential-check.site\nFile Indicators:\n- SHA1: 54319f215964cedf6475e53b0a57f8279d07544e\n- MD5: b871a38cd83c9274c97d9fb44f071535\n- Drop path: C:\\Users\\admin\\AppData\\Local\\Temp\\backdoor.elf", "spans": {"MALWARE: IcedID": [[15, 21]], "IP_ADDRESS: 172.124.249.99": [[54, 68]], "IP_ADDRESS: 41.117.112.3": [[71, 83]], "IP_ADDRESS: 192.183.123.154": [[86, 101]], "DOMAIN: loginportal.com": [[104, 119]], "DOMAIN: cloudsecure.cc": [[122, 136]], "URL: hxxps://backup-update.net/portal/verify": [[145, 184]], "URL: https://backuprelay.tech/assets/js/payload.js": [[187, 232]], "EMAIL: verify@login-portal.tech": [[250, 274]], "EMAIL: updates@credential-check.site": [[277, 306]], "HASH: 54319f215964cedf6475e53b0a57f8279d07544e": [[332, 372]], "HASH: b871a38cd83c9274c97d9fb44f071535": [[380, 412]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\backdoor.elf": [[426, 472]]}, "info": {"id": "synth_v2_01492", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Lumma Stealer Campaign:\nNetwork Indicators:\n- 192.213.234.137\n- 192.158.186.211\n- 221.172.245.243\n- datastatic.site\n- cdn-cloud.link\nURLs:\n- http://storage-proxy.xyz/panel/index.html\n- hxxps://cdn-node.live/portal/verify\nEmail Senders:\n- alert@credential-check.site\n- 
ceo@identity-verify.cc\nFile Indicators:\n- SHA1: 10d233a5dc3750ff6348c2564c023341cdaef7f0\n- MD5: 52834916cf40440e0a44dc9955918f5c\n- Drop path: /usr/local/bin/runtime.dll", "spans": {"MALWARE: Lumma Stealer": [[15, 28]], "IP_ADDRESS: 192.213.234.137": [[61, 76]], "IP_ADDRESS: 192.158.186.211": [[79, 94]], "IP_ADDRESS: 221.172.245.243": [[97, 112]], "DOMAIN: datastatic.site": [[115, 130]], "DOMAIN: cdn-cloud.link": [[133, 147]], "URL: http://storage-proxy.xyz/panel/index.html": [[156, 197]], "URL: hxxps://cdn-node.live/portal/verify": [[200, 235]], "EMAIL: alert@credential-check.site": [[253, 280]], "EMAIL: ceo@identity-verify.cc": [[283, 305]], "HASH: 10d233a5dc3750ff6348c2564c023341cdaef7f0": [[331, 371]], "HASH: 52834916cf40440e0a44dc9955918f5c": [[379, 411]], "FILEPATH: /usr/local/bin/runtime.dll": [[425, 451]]}, "info": {"id": "synth_v2_01493", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Cobalt Strike Campaign:\nNetwork Indicators:\n- 220.82.53.230\n- 170.232.34.174\n- 148.51.198.82\n- securedata.site\n- backup-api.net\nURLs:\n- http://relayedge.dev/gate.php\n- http://login-portal.tech/assets/js/payload.js\nEmail Senders:\n- security@urgent-notice.online\n- info@urgent-notice.online\nFile Indicators:\n- SHA256: 21900a03ad8cc29e4a2a4e644610ea041285817be606566ed36c64c14968e5ec\n- MD5: 45ef1fc452d01dc9d39fe6e2a0e6e7ff\n- Drop path: C:\\Windows\\System32\\shell.php", "spans": {"MALWARE: Cobalt Strike": [[15, 28]], "IP_ADDRESS: 220.82.53.230": [[61, 74]], "IP_ADDRESS: 170.232.34.174": [[77, 91]], "IP_ADDRESS: 148.51.198.82": [[94, 107]], "DOMAIN: securedata.site": [[110, 125]], "DOMAIN: backup-api.net": [[128, 142]], "URL: http://relayedge.dev/gate.php": [[151, 180]], "URL: http://login-portal.tech/assets/js/payload.js": [[183, 228]], "EMAIL: security@urgent-notice.online": [[246, 275]], "EMAIL: info@urgent-notice.online": [[278, 303]], "HASH: 21900a03ad8cc29e4a2a4e644610ea041285817be606566ed36c64c14968e5ec": [[331, 395]], "HASH: 
45ef1fc452d01dc9d39fe6e2a0e6e7ff": [[403, 435]], "FILEPATH: C:\\Windows\\System32\\shell.php": [[449, 478]]}, "info": {"id": "synth_v2_01494", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Conti Campaign:\nNetwork Indicators:\n- 172.187.84.67\n- 192.207.13.164\n- 26.178.171.225\n- cloudrelay.club\n- cdn-sync.xyz\nURLs:\n- https://auth-node.tech/collect\n- hxxps://proxyupdate.online/callback\nEmail Senders:\n- report@mail-service.info\n- hr@urgent-notice.online\nFile Indicators:\n- MD5: 97c93758fc7466a7abf30c63e55c47c1\n- MD5: 34ea6ded5f50ffba8d3a1048de5f949f\n- Drop path: C:\\Users\\Public\\Documents\\backdoor.elf", "spans": {"MALWARE: Conti": [[15, 20]], "IP_ADDRESS: 172.187.84.67": [[53, 66]], "IP_ADDRESS: 192.207.13.164": [[69, 83]], "IP_ADDRESS: 26.178.171.225": [[86, 100]], "DOMAIN: cloudrelay.club": [[103, 118]], "DOMAIN: cdn-sync.xyz": [[121, 133]], "URL: https://auth-node.tech/collect": [[142, 172]], "URL: hxxps://proxyupdate.online/callback": [[175, 210]], "EMAIL: report@mail-service.info": [[228, 252]], "EMAIL: hr@urgent-notice.online": [[255, 278]], "HASH: 97c93758fc7466a7abf30c63e55c47c1": [[303, 335]], "HASH: 34ea6ded5f50ffba8d3a1048de5f949f": [[343, 375]], "FILEPATH: C:\\Users\\Public\\Documents\\backdoor.elf": [[389, 427]]}, "info": {"id": "synth_v2_01495", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - AsyncRAT Campaign:\nNetwork Indicators:\n- 10.30.139.10\n- 95.210.23.39\n- 10.26.216.80\n- relay-static.online\n- cache-gateway.io\nURLs:\n- https://edge-node.top/assets/js/payload.js\n- hxxp://loginrelay.dev/assets/js/payload.js\nEmail Senders:\n- hr@mail-service.info\n- notification@credential-check.site\nFile Indicators:\n- SHA1: 4df2eabd3c8c4d7ca15d3159dd53cd1a2d4a961d\n- SHA256: 2119069d976ef7df11ffbb979165cb57f582982a0ca359b257ff7a3cb3c426fb\n- Drop path: C:\\Windows\\System32\\csrss.exe", "spans": {"MALWARE: AsyncRAT": [[15, 23]], "IP_ADDRESS: 10.30.139.10": [[56, 68]], "IP_ADDRESS: 95.210.23.39": [[71, 83]], "IP_ADDRESS: 
10.26.216.80": [[86, 98]], "DOMAIN: relay-static.online": [[101, 120]], "DOMAIN: cache-gateway.io": [[123, 139]], "URL: https://edge-node.top/assets/js/payload.js": [[148, 190]], "URL: hxxp://loginrelay.dev/assets/js/payload.js": [[193, 235]], "EMAIL: hr@mail-service.info": [[253, 273]], "EMAIL: notification@credential-check.site": [[276, 310]], "HASH: 4df2eabd3c8c4d7ca15d3159dd53cd1a2d4a961d": [[336, 376]], "HASH: 2119069d976ef7df11ffbb979165cb57f582982a0ca359b257ff7a3cb3c426fb": [[387, 451]], "FILEPATH: C:\\Windows\\System32\\csrss.exe": [[465, 494]]}, "info": {"id": "synth_v2_01496", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - Conti Campaign:\nNetwork Indicators:\n- 177.99.210.105\n- 71.228.187.131\n- 215.124.247.233\n- cdn-storage.xyz\n- mail-cache.com\nURLs:\n- https://relayauth.io/wp-content/uploads/doc.php\n- https://updateauth.online/wp-content/uploads/doc.php\nEmail Senders:\n- admin@mail-service.info\n- support@account-update.xyz\nFile Indicators:\n- MD5: 976f74083a5780dcf563e00751c44406\n- SHA1: 992a1bc84be507c4dfe69046188f1880b8214bca\n- Drop path: /etc/cron.d/lsass.dmp", "spans": {"MALWARE: Conti": [[15, 20]], "IP_ADDRESS: 177.99.210.105": [[53, 67]], "IP_ADDRESS: 71.228.187.131": [[70, 84]], "IP_ADDRESS: 215.124.247.233": [[87, 102]], "DOMAIN: cdn-storage.xyz": [[105, 120]], "DOMAIN: mail-cache.com": [[123, 137]], "URL: https://relayauth.io/wp-content/uploads/doc.php": [[146, 193]], "URL: https://updateauth.online/wp-content/uploads/doc.php": [[196, 248]], "EMAIL: admin@mail-service.info": [[266, 289]], "EMAIL: support@account-update.xyz": [[292, 318]], "HASH: 976f74083a5780dcf563e00751c44406": [[343, 375]], "HASH: 992a1bc84be507c4dfe69046188f1880b8214bca": [[384, 424]], "FILEPATH: /etc/cron.d/lsass.dmp": [[438, 459]]}, "info": {"id": "synth_v2_01497", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - QakBot Campaign:\nNetwork Indicators:\n- 172.61.102.231\n- 172.203.253.120\n- 38.245.0.113\n- login-relay.cc\n- authrelay.site\nURLs:\n- 
https://updategateway.live/download/update.exe\n- hxxps://securecache.club/assets/js/payload.js\nEmail Senders:\n- finance@login-portal.tech\n- account@urgent-notice.online\nFile Indicators:\n- SHA256: 03caf3fd49f1d75b471964453f6bf461967c9d578fdd9fa2479336d30a57248a\n- SHA1: c439fc2bef4506ab8a1a09bdd4610aa91823629b\n- Drop path: C:\\Users\\Public\\Documents\\beacon.dll", "spans": {"MALWARE: QakBot": [[15, 21]], "IP_ADDRESS: 172.61.102.231": [[54, 68]], "IP_ADDRESS: 172.203.253.120": [[71, 86]], "IP_ADDRESS: 38.245.0.113": [[89, 101]], "DOMAIN: login-relay.cc": [[104, 118]], "DOMAIN: authrelay.site": [[121, 135]], "URL: https://updategateway.live/download/update.exe": [[144, 190]], "URL: hxxps://securecache.club/assets/js/payload.js": [[193, 238]], "EMAIL: finance@login-portal.tech": [[256, 281]], "EMAIL: account@urgent-notice.online": [[284, 312]], "HASH: 03caf3fd49f1d75b471964453f6bf461967c9d578fdd9fa2479336d30a57248a": [[340, 404]], "HASH: c439fc2bef4506ab8a1a09bdd4610aa91823629b": [[413, 453]], "FILEPATH: C:\\Users\\Public\\Documents\\beacon.dll": [[467, 503]]}, "info": {"id": "synth_v2_01498", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - FormBook Campaign:\nNetwork Indicators:\n- 102.69.85.218\n- 9.73.178.80\n- 10.202.118.148\n- storage-node.info\n- syncproxy.org\nURLs:\n- http://backup-portal.link/panel/index.html\n- hxxps://cdn-cloud.site/callback\nEmail Senders:\n- alert@auth-check.org\n- it@phishing-domain.com\nFile Indicators:\n- MD5: 9b6385424b9f081d046178570cb90641\n- MD5: e8f93b9c1049d6be248e593dd035864a\n- Drop path: C:\\Users\\admin\\Downloads\\lsass.dmp", "spans": {"MALWARE: FormBook": [[15, 23]], "IP_ADDRESS: 102.69.85.218": [[56, 69]], "IP_ADDRESS: 9.73.178.80": [[72, 83]], "IP_ADDRESS: 10.202.118.148": [[86, 100]], "DOMAIN: storage-node.info": [[103, 120]], "DOMAIN: syncproxy.org": [[123, 136]], "URL: http://backup-portal.link/panel/index.html": [[145, 187]], "URL: hxxps://cdn-cloud.site/callback": [[190, 221]], "EMAIL: 
alert@auth-check.org": [[239, 259]], "EMAIL: it@phishing-domain.com": [[262, 284]], "HASH: 9b6385424b9f081d046178570cb90641": [[309, 341]], "HASH: e8f93b9c1049d6be248e593dd035864a": [[349, 381]], "FILEPATH: C:\\Users\\admin\\Downloads\\lsass.dmp": [[395, 429]]}, "info": {"id": "synth_v2_01499", "source": "synthetic_v2"}} +{"text": "IOC Bulletin - IcedID Campaign:\nNetwork Indicators:\n- 172.15.241.58\n- 10.79.28.209\n- 99.224.222.104\n- backupupdate.tech\n- secure-sync.org\nURLs:\n- hxxp://gateway-cache.info/secure/token\n- http://secure-node.club/api/v2/auth\nEmail Senders:\n- updates@urgent-notice.online\n- admin@auth-check.org\nFile Indicators:\n- SHA1: af3927f6fcab3290177351a4ad04408c0596b7ee\n- SHA1: 104137e6b283615d57085631a535fec195bc3d92\n- Drop path: C:\\ProgramData\\helper.sh", "spans": {"MALWARE: IcedID": [[15, 21]], "IP_ADDRESS: 172.15.241.58": [[54, 67]], "IP_ADDRESS: 10.79.28.209": [[70, 82]], "IP_ADDRESS: 99.224.222.104": [[85, 99]], "DOMAIN: backupupdate.tech": [[102, 119]], "DOMAIN: secure-sync.org": [[122, 137]], "URL: hxxp://gateway-cache.info/secure/token": [[146, 184]], "URL: http://secure-node.club/api/v2/auth": [[187, 222]], "EMAIL: updates@urgent-notice.online": [[240, 268]], "EMAIL: admin@auth-check.org": [[271, 291]], "HASH: af3927f6fcab3290177351a4ad04408c0596b7ee": [[317, 357]], "HASH: 104137e6b283615d57085631a535fec195bc3d92": [[366, 406]], "FILEPATH: C:\\ProgramData\\helper.sh": [[420, 444]]}, "info": {"id": "synth_v2_01500", "source": "synthetic_v2"}} +{"text": "Blog Post by NSA: Tracking APT29's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2022-34807 against VMware ESXi deployments. The initial access vector involves spear-phishing emails from it@auth-check.org delivering NjRAT. Post-compromise, the attackers deploy PlugX and use PsExec for reconnaissance. C2 infrastructure includes 172.227.197.76 and storagemail.org. A staging server at hxxps://authstorage.net/gate.php hosts additional tooling. 
Key artifact: /dev/shm/svchost.exe (SHA256: accaa4f886ffd011384debbaab4c2630059aed2e5ec0ce20c86c9508ad72be0d).", "spans": {"ORGANIZATION: NSA": [[13, 16]], "THREAT_ACTOR: APT29": [[27, 32]], "CVE_ID: CVE-2022-34807": [[112, 126]], "SYSTEM: VMware ESXi": [[135, 146]], "EMAIL: it@auth-check.org": [[222, 239]], "MALWARE: NjRAT": [[251, 256]], "MALWARE: PlugX": [[296, 301]], "TOOL: PsExec": [[310, 316]], "IP_ADDRESS: 172.227.197.76": [[364, 378]], "DOMAIN: storagemail.org": [[383, 398]], "URL: hxxps://authstorage.net/gate.php": [[420, 452]], "FILEPATH: /dev/shm/svchost.exe": [[493, 513]], "HASH: accaa4f886ffd011384debbaab4c2630059aed2e5ec0ce20c86c9508ad72be0d": [[523, 587]]}, "info": {"id": "synth_v2_01501", "source": "synthetic_v2"}} +{"text": "Blog Post by SentinelOne: Tracking Turla's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2025-27219 against Barracuda ESG deployments. The initial access vector involves spear-phishing emails from service@login-portal.tech delivering Meduza Stealer. Post-compromise, the attackers deploy RedLine Stealer and use BloodHound for reconnaissance. C2 infrastructure includes 205.136.148.24 and cloud-storage.dev. A staging server at http://securestorage.io/collect hosts additional tooling. 
Key artifact: /opt/app/bin/ntds.dit (SHA256: 62f46c0faa720a9f297447d48fbc1dff5f4f4d726763d38ffd9f7fdf6d2ff6f6).", "spans": {"ORGANIZATION: SentinelOne": [[13, 24]], "THREAT_ACTOR: Turla": [[35, 40]], "CVE_ID: CVE-2025-27219": [[120, 134]], "SYSTEM: Barracuda ESG": [[143, 156]], "EMAIL: service@login-portal.tech": [[232, 257]], "MALWARE: Meduza Stealer": [[269, 283]], "MALWARE: RedLine Stealer": [[323, 338]], "TOOL: BloodHound": [[347, 357]], "IP_ADDRESS: 205.136.148.24": [[405, 419]], "DOMAIN: cloud-storage.dev": [[424, 441]], "URL: http://securestorage.io/collect": [[463, 494]], "FILEPATH: /opt/app/bin/ntds.dit": [[535, 556]], "HASH: 62f46c0faa720a9f297447d48fbc1dff5f4f4d726763d38ffd9f7fdf6d2ff6f6": [[566, 630]]}, "info": {"id": "synth_v2_01502", "source": "synthetic_v2"}} +{"text": "Blog Post by CrowdStrike: Tracking APT29's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2024-14337 against Ubuntu 22.04 deployments. The initial access vector involves spear-phishing emails from security@credential-check.site delivering Raccoon Stealer. Post-compromise, the attackers deploy DarkSide and use Hashcat for reconnaissance. C2 infrastructure includes 23.247.228.178 and apicache.xyz. A staging server at https://nodesync.cc/wp-content/uploads/doc.php hosts additional tooling. 
Key artifact: /tmp/backdoor.elf (SHA256: 2a79b51534d78604dba5d95d396d2bd3d6f72bf87c752461b3af635fb53c4b4e).", "spans": {"ORGANIZATION: CrowdStrike": [[13, 24]], "THREAT_ACTOR: APT29": [[35, 40]], "CVE_ID: CVE-2024-14337": [[120, 134]], "SYSTEM: Ubuntu 22.04": [[143, 155]], "EMAIL: security@credential-check.site": [[231, 261]], "MALWARE: Raccoon Stealer": [[273, 288]], "MALWARE: DarkSide": [[328, 336]], "TOOL: Hashcat": [[345, 352]], "IP_ADDRESS: 23.247.228.178": [[400, 414]], "DOMAIN: apicache.xyz": [[419, 431]], "URL: https://nodesync.cc/wp-content/uploads/doc.php": [[453, 499]], "FILEPATH: /tmp/backdoor.elf": [[540, 557]], "HASH: 2a79b51534d78604dba5d95d396d2bd3d6f72bf87c752461b3af635fb53c4b4e": [[567, 631]]}, "info": {"id": "synth_v2_01503", "source": "synthetic_v2"}} +{"text": "Blog Post by Huntress: Tracking Salt Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-19144 against Ubuntu 22.04 deployments. The initial access vector involves spear-phishing emails from ceo@login-portal.tech delivering SmokeLoader. Post-compromise, the attackers deploy NjRAT and use LaZagne for reconnaissance. C2 infrastructure includes 109.81.57.51 and gatewayapi.site. A staging server at hxxp://portalapi.tech/assets/js/payload.js hosts additional tooling. 
Key artifact: C:\\Windows\\System32\\payload.bin (MD5: da530bbbb0018619e5581fe65b72dc5a).", "spans": {"ORGANIZATION: Huntress": [[13, 21]], "THREAT_ACTOR: Salt Typhoon": [[32, 44]], "CVE_ID: CVE-2020-19144": [[124, 138]], "SYSTEM: Ubuntu 22.04": [[147, 159]], "EMAIL: ceo@login-portal.tech": [[235, 256]], "MALWARE: SmokeLoader": [[268, 279]], "MALWARE: NjRAT": [[319, 324]], "TOOL: LaZagne": [[333, 340]], "IP_ADDRESS: 109.81.57.51": [[388, 400]], "DOMAIN: gatewayapi.site": [[405, 420]], "URL: hxxp://portalapi.tech/assets/js/payload.js": [[442, 484]], "FILEPATH: C:\\Windows\\System32\\payload.bin": [[525, 556]], "HASH: da530bbbb0018619e5581fe65b72dc5a": [[563, 595]]}, "info": {"id": "synth_v2_01504", "source": "synthetic_v2"}} +{"text": "Blog Post by Microsoft MSRC: Tracking Salt Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2026-27486 against VMware ESXi deployments. The initial access vector involves spear-phishing emails from finance@urgent-notice.online delivering SmokeLoader. Post-compromise, the attackers deploy PlugX and use BloodHound for reconnaissance. C2 infrastructure includes 10.138.55.43 and apistatic.io. A staging server at https://cdnedge.cc/wp-content/uploads/doc.php hosts additional tooling. 
Key artifact: C:\\Users\\Public\\Documents\\payload.bin (MD5: 4cef9e6649d9b6590b197a296edc4359).", "spans": {"ORGANIZATION: Microsoft MSRC": [[13, 27]], "THREAT_ACTOR: Salt Typhoon": [[38, 50]], "CVE_ID: CVE-2026-27486": [[130, 144]], "SYSTEM: VMware ESXi": [[153, 164]], "EMAIL: finance@urgent-notice.online": [[240, 268]], "MALWARE: SmokeLoader": [[280, 291]], "MALWARE: PlugX": [[331, 336]], "TOOL: BloodHound": [[345, 355]], "IP_ADDRESS: 10.138.55.43": [[403, 415]], "DOMAIN: apistatic.io": [[420, 432]], "URL: https://cdnedge.cc/wp-content/uploads/doc.php": [[454, 499]], "FILEPATH: C:\\Users\\Public\\Documents\\payload.bin": [[540, 577]], "HASH: 4cef9e6649d9b6590b197a296edc4359": [[584, 616]]}, "info": {"id": "synth_v2_01505", "source": "synthetic_v2"}} +{"text": "Blog Post by Symantec: Tracking Volt Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2023-39714 against Windows Server 2019 deployments. The initial access vector involves spear-phishing emails from admin@auth-check.org delivering BatLoader. Post-compromise, the attackers deploy Conti and use PowerShell Empire for reconnaissance. C2 infrastructure includes 192.9.165.132 and storage-node.com. A staging server at hxxp://sync-update.xyz/portal/verify hosts additional tooling. 
Key artifact: C:\\Users\\admin\\AppData\\Local\\Temp\\dropper.ps1 (SHA1: 8f1cc2fbb5a96127ac01c81b6a2e5ebbd91f1987).", "spans": {"ORGANIZATION: Symantec": [[13, 21]], "THREAT_ACTOR: Volt Typhoon": [[32, 44]], "CVE_ID: CVE-2023-39714": [[124, 138]], "SYSTEM: Windows Server 2019": [[147, 166]], "EMAIL: admin@auth-check.org": [[242, 262]], "MALWARE: BatLoader": [[274, 283]], "MALWARE: Conti": [[323, 328]], "TOOL: PowerShell Empire": [[337, 354]], "IP_ADDRESS: 192.9.165.132": [[402, 415]], "DOMAIN: storage-node.com": [[420, 436]], "URL: hxxp://sync-update.xyz/portal/verify": [[458, 494]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\dropper.ps1": [[535, 580]], "HASH: 8f1cc2fbb5a96127ac01c81b6a2e5ebbd91f1987": [[588, 628]]}, "info": {"id": "synth_v2_01506", "source": "synthetic_v2"}} +{"text": "Blog Post by Tenable: Tracking Aqua Blizzard's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2024-19363 against Microsoft Exchange deployments. The initial access vector involves spear-phishing emails from noreply@secure-verify.net delivering Conti. Post-compromise, the attackers deploy QakBot and use Hashcat for reconnaissance. C2 infrastructure includes 165.221.19.163 and auth-data.net. A staging server at https://gateway-gateway.cc/callback hosts additional tooling. 
Key artifact: C:\\Users\\admin\\Downloads\\agent.py (SHA256: d8af6d83bde0ff03c5ed2671f598fa20dd0ac3a3b72d4c8c12bb3df461d4fd1d).", "spans": {"ORGANIZATION: Tenable": [[13, 20]], "THREAT_ACTOR: Aqua Blizzard": [[31, 44]], "CVE_ID: CVE-2024-19363": [[124, 138]], "SYSTEM: Microsoft Exchange": [[147, 165]], "EMAIL: noreply@secure-verify.net": [[241, 266]], "MALWARE: Conti": [[278, 283]], "MALWARE: QakBot": [[323, 329]], "TOOL: Hashcat": [[338, 345]], "IP_ADDRESS: 165.221.19.163": [[393, 407]], "DOMAIN: auth-data.net": [[412, 425]], "URL: https://gateway-gateway.cc/callback": [[447, 482]], "FILEPATH: C:\\Users\\admin\\Downloads\\agent.py": [[523, 556]], "HASH: d8af6d83bde0ff03c5ed2671f598fa20dd0ac3a3b72d4c8c12bb3df461d4fd1d": [[566, 630]]}, "info": {"id": "synth_v2_01507", "source": "synthetic_v2"}} +{"text": "Blog Post by Symantec: Tracking Storm-0558's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2023-34260 against Citrix NetScaler deployments. The initial access vector involves spear-phishing emails from ceo@document-share.link delivering PlugX. Post-compromise, the attackers deploy XLoader and use Seatbelt for reconnaissance. C2 infrastructure includes 10.177.97.102 and cdn-relay.live. A staging server at https://staticnode.live/collect hosts additional tooling. 
Key artifact: C:\\ProgramData\\config.dat (SHA1: 4dcbb7a75dd7862d404fdeaed3beb59323b1d3a5).", "spans": {"ORGANIZATION: Symantec": [[13, 21]], "THREAT_ACTOR: Storm-0558": [[32, 42]], "CVE_ID: CVE-2023-34260": [[122, 136]], "SYSTEM: Citrix NetScaler": [[145, 161]], "EMAIL: ceo@document-share.link": [[237, 260]], "MALWARE: PlugX": [[272, 277]], "MALWARE: XLoader": [[317, 324]], "TOOL: Seatbelt": [[333, 341]], "IP_ADDRESS: 10.177.97.102": [[389, 402]], "DOMAIN: cdn-relay.live": [[407, 421]], "URL: https://staticnode.live/collect": [[443, 474]], "FILEPATH: C:\\ProgramData\\config.dat": [[515, 540]], "HASH: 4dcbb7a75dd7862d404fdeaed3beb59323b1d3a5": [[548, 588]]}, "info": {"id": "synth_v2_01508", "source": "synthetic_v2"}} +{"text": "Blog Post by Proofpoint: Tracking APT28's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2023-28217 against Microsoft Exchange deployments. The initial access vector involves spear-phishing emails from alert@login-portal.tech delivering Lumma Stealer. Post-compromise, the attackers deploy LockBit and use Mimikatz for reconnaissance. C2 infrastructure includes 192.132.221.95 and mailproxy.club. A staging server at http://gateway-portal.tech/panel/index.html hosts additional tooling. 
Key artifact: C:\\Windows\\Temp\\agent.py (SHA1: 143eca93862194e53b2ba58f5d79b3c3249c64ae).", "spans": {"ORGANIZATION: Proofpoint": [[13, 23]], "THREAT_ACTOR: APT28": [[34, 39]], "CVE_ID: CVE-2023-28217": [[119, 133]], "SYSTEM: Microsoft Exchange": [[142, 160]], "EMAIL: alert@login-portal.tech": [[236, 259]], "MALWARE: Lumma Stealer": [[271, 284]], "MALWARE: LockBit": [[324, 331]], "TOOL: Mimikatz": [[340, 348]], "IP_ADDRESS: 192.132.221.95": [[396, 410]], "DOMAIN: mailproxy.club": [[415, 429]], "URL: http://gateway-portal.tech/panel/index.html": [[451, 494]], "FILEPATH: C:\\Windows\\Temp\\agent.py": [[535, 559]], "HASH: 143eca93862194e53b2ba58f5d79b3c3249c64ae": [[567, 607]]}, "info": {"id": "synth_v2_01509", "source": "synthetic_v2"}} +{"text": "Blog Post by Europol: Tracking Gamaredon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2023-16619 against Juniper SRX deployments. The initial access vector involves spear-phishing emails from admin@credential-check.site delivering AgentTesla. Post-compromise, the attackers deploy QakBot and use Burp Suite for reconnaissance. C2 infrastructure includes 75.51.203.70 and cdnnode.site. A staging server at hxxp://cache-storage.xyz/download/update.exe hosts additional tooling. 
Key artifact: C:\\Windows\\System32\\backdoor.elf (SHA256: ca75918ba9553a2d2b86a1b6adcf61e66715933cff2a596a896dfa3d404837ab).", "spans": {"ORGANIZATION: Europol": [[13, 20]], "THREAT_ACTOR: Gamaredon": [[31, 40]], "CVE_ID: CVE-2023-16619": [[120, 134]], "SYSTEM: Juniper SRX": [[143, 154]], "EMAIL: admin@credential-check.site": [[230, 257]], "MALWARE: AgentTesla": [[269, 279]], "MALWARE: QakBot": [[319, 325]], "TOOL: Burp Suite": [[334, 344]], "IP_ADDRESS: 75.51.203.70": [[392, 404]], "DOMAIN: cdnnode.site": [[409, 421]], "URL: hxxp://cache-storage.xyz/download/update.exe": [[443, 487]], "FILEPATH: C:\\Windows\\System32\\backdoor.elf": [[528, 560]], "HASH: ca75918ba9553a2d2b86a1b6adcf61e66715933cff2a596a896dfa3d404837ab": [[570, 634]]}, "info": {"id": "synth_v2_01510", "source": "synthetic_v2"}} +{"text": "Blog Post by Symantec: Tracking Aqua Blizzard's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2023-20659 against VMware ESXi deployments. The initial access vector involves spear-phishing emails from account@login-portal.tech delivering Latrodectus. Post-compromise, the attackers deploy Qbot and use Ligolo for reconnaissance. C2 infrastructure includes 172.50.111.172 and mailproxy.info. A staging server at hxxps://edgeportal.net/assets/js/payload.js hosts additional tooling. 
Key artifact: /var/tmp/agent.py (MD5: d18dd20df96d1fdff92806c64bddbf48).", "spans": {"ORGANIZATION: Symantec": [[13, 21]], "THREAT_ACTOR: Aqua Blizzard": [[32, 45]], "CVE_ID: CVE-2023-20659": [[125, 139]], "SYSTEM: VMware ESXi": [[148, 159]], "EMAIL: account@login-portal.tech": [[235, 260]], "MALWARE: Latrodectus": [[272, 283]], "MALWARE: Qbot": [[323, 327]], "TOOL: Ligolo": [[336, 342]], "IP_ADDRESS: 172.50.111.172": [[390, 404]], "DOMAIN: mailproxy.info": [[409, 423]], "URL: hxxps://edgeportal.net/assets/js/payload.js": [[445, 488]], "FILEPATH: /var/tmp/agent.py": [[529, 546]], "HASH: d18dd20df96d1fdff92806c64bddbf48": [[553, 585]]}, "info": {"id": "synth_v2_01511", "source": "synthetic_v2"}} +{"text": "Blog Post by Symantec: Tracking APT29's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2023-27496 against Active Directory deployments. The initial access vector involves spear-phishing emails from security@auth-check.org delivering PikaBot. Post-compromise, the attackers deploy Play and use Chisel for reconnaissance. C2 infrastructure includes 192.242.180.145 and cache-secure.com. A staging server at http://staticportal.tech/collect hosts additional tooling. 
Key artifact: C:\\Program Files\\Common Files\\payload.bin (SHA256: 70ec50ea641eac1378e81a87214f0beb39ea05ea05c386fee7171ec31c902a25).", "spans": {"ORGANIZATION: Symantec": [[13, 21]], "THREAT_ACTOR: APT29": [[32, 37]], "CVE_ID: CVE-2023-27496": [[117, 131]], "SYSTEM: Active Directory": [[140, 156]], "EMAIL: security@auth-check.org": [[232, 255]], "MALWARE: PikaBot": [[267, 274]], "MALWARE: Play": [[314, 318]], "TOOL: Chisel": [[327, 333]], "IP_ADDRESS: 192.242.180.145": [[381, 396]], "DOMAIN: cache-secure.com": [[401, 417]], "URL: http://staticportal.tech/collect": [[439, 471]], "FILEPATH: C:\\Program Files\\Common Files\\payload.bin": [[512, 553]], "HASH: 70ec50ea641eac1378e81a87214f0beb39ea05ea05c386fee7171ec31c902a25": [[563, 627]]}, "info": {"id": "synth_v2_01512", "source": "synthetic_v2"}} +{"text": "Blog Post by CISA: Tracking Storm-0558's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2025-36175 against Barracuda ESG deployments. The initial access vector involves spear-phishing emails from verify@urgent-notice.online delivering REvil. Post-compromise, the attackers deploy BlackCat and use PsExec for reconnaissance. C2 infrastructure includes 10.89.240.88 and sync-auth.io. A staging server at https://static-static.club/secure/token hosts additional tooling. 
Key artifact: C:\\Users\\admin\\AppData\\Local\\Temp\\config.dat (SHA1: 84cead1be1bb20babc7bd427d844ff0481f8dab2).", "spans": {"ORGANIZATION: CISA": [[13, 17]], "THREAT_ACTOR: Storm-0558": [[28, 38]], "CVE_ID: CVE-2025-36175": [[118, 132]], "SYSTEM: Barracuda ESG": [[141, 154]], "EMAIL: verify@urgent-notice.online": [[230, 257]], "MALWARE: REvil": [[269, 274]], "MALWARE: BlackCat": [[314, 322]], "TOOL: PsExec": [[331, 337]], "IP_ADDRESS: 10.89.240.88": [[385, 397]], "DOMAIN: sync-auth.io": [[402, 414]], "URL: https://static-static.club/secure/token": [[436, 475]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\config.dat": [[516, 560]], "HASH: 84cead1be1bb20babc7bd427d844ff0481f8dab2": [[568, 608]]}, "info": {"id": "synth_v2_01513", "source": "synthetic_v2"}} +{"text": "Blog Post by Symantec: Tracking Granite Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2021-37493 against Zyxel USG deployments. The initial access vector involves spear-phishing emails from billing@mail-service.info delivering BlackCat. Post-compromise, the attackers deploy BatLoader and use Mimikatz for reconnaissance. C2 infrastructure includes 21.13.215.34 and mailupdate.org. A staging server at http://cachebackup.info/wp-content/uploads/doc.php hosts additional tooling. 
Key artifact: C:\\Users\\Public\\Documents\\agent.py (MD5: c728f362cf186320f8cd5513eaf0e6dd).", "spans": {"ORGANIZATION: Symantec": [[13, 21]], "THREAT_ACTOR: Granite Typhoon": [[32, 47]], "CVE_ID: CVE-2021-37493": [[127, 141]], "SYSTEM: Zyxel USG": [[150, 159]], "EMAIL: billing@mail-service.info": [[235, 260]], "MALWARE: BlackCat": [[272, 280]], "MALWARE: BatLoader": [[320, 329]], "TOOL: Mimikatz": [[338, 346]], "IP_ADDRESS: 21.13.215.34": [[394, 406]], "DOMAIN: mailupdate.org": [[411, 425]], "URL: http://cachebackup.info/wp-content/uploads/doc.php": [[447, 497]], "FILEPATH: C:\\Users\\Public\\Documents\\agent.py": [[538, 572]], "HASH: c728f362cf186320f8cd5513eaf0e6dd": [[579, 611]]}, "info": {"id": "synth_v2_01514", "source": "synthetic_v2"}} +{"text": "Blog Post by Secureworks: Tracking FIN7's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2022-13003 against Fortinet FortiGate deployments. The initial access vector involves spear-phishing emails from verify@credential-check.site delivering Meduza Stealer. Post-compromise, the attackers deploy IcedID and use Mimikatz for reconnaissance. C2 infrastructure includes 192.63.220.215 and relaycache.top. A staging server at http://gateway-gateway.top/assets/js/payload.js hosts additional tooling. 
Key artifact: C:\\Windows\\System32\\update.dll (MD5: 945453f42f7d49a82106cc31badabcee).", "spans": {"ORGANIZATION: Secureworks": [[13, 24]], "THREAT_ACTOR: FIN7": [[35, 39]], "CVE_ID: CVE-2022-13003": [[119, 133]], "SYSTEM: Fortinet FortiGate": [[142, 160]], "EMAIL: verify@credential-check.site": [[236, 264]], "MALWARE: Meduza Stealer": [[276, 290]], "MALWARE: IcedID": [[330, 336]], "TOOL: Mimikatz": [[345, 353]], "IP_ADDRESS: 192.63.220.215": [[401, 415]], "DOMAIN: relaycache.top": [[420, 434]], "URL: http://gateway-gateway.top/assets/js/payload.js": [[456, 503]], "FILEPATH: C:\\Windows\\System32\\update.dll": [[544, 574]], "HASH: 945453f42f7d49a82106cc31badabcee": [[581, 613]]}, "info": {"id": "synth_v2_01515", "source": "synthetic_v2"}} +{"text": "Blog Post by Secureworks: Tracking Diamond Sleet's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-25247 against Apache Struts deployments. The initial access vector involves spear-phishing emails from report@auth-check.org delivering Ryuk. Post-compromise, the attackers deploy Dridex and use PowerView for reconnaissance. C2 infrastructure includes 192.117.128.64 and edgesecure.site. A staging server at http://api-edge.online/assets/js/payload.js hosts additional tooling. 
Key artifact: /var/tmp/runtime.dll (MD5: 1ed83de6a245f96cab5945a143f35fe1).", "spans": {"ORGANIZATION: Secureworks": [[13, 24]], "THREAT_ACTOR: Diamond Sleet": [[35, 48]], "CVE_ID: CVE-2020-25247": [[128, 142]], "SYSTEM: Apache Struts": [[151, 164]], "EMAIL: report@auth-check.org": [[240, 261]], "MALWARE: Ryuk": [[273, 277]], "MALWARE: Dridex": [[317, 323]], "TOOL: PowerView": [[332, 341]], "IP_ADDRESS: 192.117.128.64": [[389, 403]], "DOMAIN: edgesecure.site": [[408, 423]], "URL: http://api-edge.online/assets/js/payload.js": [[445, 488]], "FILEPATH: /var/tmp/runtime.dll": [[529, 549]], "HASH: 1ed83de6a245f96cab5945a143f35fe1": [[556, 588]]}, "info": {"id": "synth_v2_01516", "source": "synthetic_v2"}} +{"text": "Blog Post by Qualys: Tracking Diamond Sleet's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2024-25010 against Palo Alto PAN-OS deployments. The initial access vector involves spear-phishing emails from ceo@phishing-domain.com delivering Gootloader. Post-compromise, the attackers deploy LockBit and use CrackMapExec for reconnaissance. C2 infrastructure includes 192.66.68.68 and mail-proxy.online. A staging server at https://securerelay.online/secure/token hosts additional tooling. 
Key artifact: C:\\Users\\admin\\Downloads\\taskhost.exe (MD5: 91a2bb161097d0e547fddd7907f2cbb6).", "spans": {"ORGANIZATION: Qualys": [[13, 19]], "THREAT_ACTOR: Diamond Sleet": [[30, 43]], "CVE_ID: CVE-2024-25010": [[123, 137]], "SYSTEM: Palo Alto PAN-OS": [[146, 162]], "EMAIL: ceo@phishing-domain.com": [[238, 261]], "MALWARE: Gootloader": [[273, 283]], "MALWARE: LockBit": [[323, 330]], "TOOL: CrackMapExec": [[339, 351]], "IP_ADDRESS: 192.66.68.68": [[399, 411]], "DOMAIN: mail-proxy.online": [[416, 433]], "URL: https://securerelay.online/secure/token": [[455, 494]], "FILEPATH: C:\\Users\\admin\\Downloads\\taskhost.exe": [[535, 572]], "HASH: 91a2bb161097d0e547fddd7907f2cbb6": [[579, 611]]}, "info": {"id": "synth_v2_01517", "source": "synthetic_v2"}} +{"text": "Blog Post by Zscaler ThreatLabz: Tracking Granite Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2021-24446 against VMware ESXi deployments. The initial access vector involves spear-phishing emails from finance@account-update.xyz delivering PikaBot. Post-compromise, the attackers deploy AgentTesla and use Rubeus for reconnaissance. C2 infrastructure includes 135.158.221.9 and portal-cloud.io. A staging server at http://cache-portal.club/panel/index.html hosts additional tooling. 
Key artifact: C:\\Windows\\Temp\\agent.py (SHA1: 32ad0456a4bb79c0707c23630c427901e8e2bca7).", "spans": {"ORGANIZATION: Zscaler ThreatLabz": [[13, 31]], "THREAT_ACTOR: Granite Typhoon": [[42, 57]], "CVE_ID: CVE-2021-24446": [[137, 151]], "SYSTEM: VMware ESXi": [[160, 171]], "EMAIL: finance@account-update.xyz": [[247, 273]], "MALWARE: PikaBot": [[285, 292]], "MALWARE: AgentTesla": [[332, 342]], "TOOL: Rubeus": [[351, 357]], "IP_ADDRESS: 135.158.221.9": [[405, 418]], "DOMAIN: portal-cloud.io": [[423, 438]], "URL: http://cache-portal.club/panel/index.html": [[460, 501]], "FILEPATH: C:\\Windows\\Temp\\agent.py": [[542, 566]], "HASH: 32ad0456a4bb79c0707c23630c427901e8e2bca7": [[574, 614]]}, "info": {"id": "synth_v2_01518", "source": "synthetic_v2"}} +{"text": "Blog Post by CISA: Tracking Scattered Spider's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2024-35928 against Juniper SRX deployments. The initial access vector involves spear-phishing emails from support@account-update.xyz delivering Lumma Stealer. Post-compromise, the attackers deploy Latrodectus and use PsExec for reconnaissance. C2 infrastructure includes 115.243.28.226 and cachedata.top. A staging server at hxxp://node-storage.xyz/admin/config hosts additional tooling. 
Key artifact: /opt/app/bin/agent.py (SHA1: dca2b64bda8ee69bddc9a871f5aa78c4f4eda0fb).", "spans": {"ORGANIZATION: CISA": [[13, 17]], "THREAT_ACTOR: Scattered Spider": [[28, 44]], "CVE_ID: CVE-2024-35928": [[124, 138]], "SYSTEM: Juniper SRX": [[147, 158]], "EMAIL: support@account-update.xyz": [[234, 260]], "MALWARE: Lumma Stealer": [[272, 285]], "MALWARE: Latrodectus": [[325, 336]], "TOOL: PsExec": [[345, 351]], "IP_ADDRESS: 115.243.28.226": [[399, 413]], "DOMAIN: cachedata.top": [[418, 431]], "URL: hxxp://node-storage.xyz/admin/config": [[453, 489]], "FILEPATH: /opt/app/bin/agent.py": [[530, 551]], "HASH: dca2b64bda8ee69bddc9a871f5aa78c4f4eda0fb": [[559, 599]]}, "info": {"id": "synth_v2_01519", "source": "synthetic_v2"}} +{"text": "Blog Post by Dragos: Tracking Lazarus Group's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2023-26043 against SonicWall SMA deployments. The initial access vector involves spear-phishing emails from notification@account-update.xyz delivering FormBook. Post-compromise, the attackers deploy Amadey and use BITSAdmin for reconnaissance. C2 infrastructure includes 166.231.34.134 and cloudgateway.club. A staging server at https://data-cache.tech/admin/config hosts additional tooling. 
Key artifact: C:\\ProgramData\\taskhost.exe (MD5: cdd631f6fdd06f878cc0e3f28162e4b3).", "spans": {"ORGANIZATION: Dragos": [[13, 19]], "THREAT_ACTOR: Lazarus Group": [[30, 43]], "CVE_ID: CVE-2023-26043": [[123, 137]], "SYSTEM: SonicWall SMA": [[146, 159]], "EMAIL: notification@account-update.xyz": [[235, 266]], "MALWARE: FormBook": [[278, 286]], "MALWARE: Amadey": [[326, 332]], "TOOL: BITSAdmin": [[341, 350]], "IP_ADDRESS: 166.231.34.134": [[398, 412]], "DOMAIN: cloudgateway.club": [[417, 434]], "URL: https://data-cache.tech/admin/config": [[456, 492]], "FILEPATH: C:\\ProgramData\\taskhost.exe": [[533, 560]], "HASH: cdd631f6fdd06f878cc0e3f28162e4b3": [[567, 599]]}, "info": {"id": "synth_v2_01520", "source": "synthetic_v2"}} +{"text": "Blog Post by Secureworks: Tracking MuddyWater's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2022-15229 against Atlassian Confluence deployments. The initial access vector involves spear-phishing emails from notification@document-share.link delivering NjRAT. Post-compromise, the attackers deploy PlugX and use Rubeus for reconnaissance. C2 infrastructure includes 10.143.235.55 and proxycache.site. A staging server at http://portal-cloud.io/secure/token hosts additional tooling. 
Key artifact: /dev/shm/sam.hive (MD5: 32efe474d2b81c0e116158b281fc6cee).", "spans": {"ORGANIZATION: Secureworks": [[13, 24]], "THREAT_ACTOR: MuddyWater": [[35, 45]], "CVE_ID: CVE-2022-15229": [[125, 139]], "SYSTEM: Atlassian Confluence": [[148, 168]], "EMAIL: notification@document-share.link": [[244, 276]], "MALWARE: NjRAT": [[288, 293]], "MALWARE: PlugX": [[333, 338]], "TOOL: Rubeus": [[347, 353]], "IP_ADDRESS: 10.143.235.55": [[401, 414]], "DOMAIN: proxycache.site": [[419, 434]], "URL: http://portal-cloud.io/secure/token": [[456, 491]], "FILEPATH: /dev/shm/sam.hive": [[532, 549]], "HASH: 32efe474d2b81c0e116158b281fc6cee": [[556, 588]]}, "info": {"id": "synth_v2_01521", "source": "synthetic_v2"}} +{"text": "Blog Post by Europol: Tracking Lazarus Group's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2021-33526 against Citrix NetScaler deployments. The initial access vector involves spear-phishing emails from info@auth-check.org delivering Amadey. Post-compromise, the attackers deploy Latrodectus and use Sharphound for reconnaissance. C2 infrastructure includes 10.63.11.202 and auth-sync.org. A staging server at http://gatewaystatic.com/download/update.exe hosts additional tooling. 
Key artifact: /dev/shm/winlogon.exe (MD5: 946c0c961fe129f536e958f3e3bca12e).", "spans": {"ORGANIZATION: Europol": [[13, 20]], "THREAT_ACTOR: Lazarus Group": [[31, 44]], "CVE_ID: CVE-2021-33526": [[124, 138]], "SYSTEM: Citrix NetScaler": [[147, 163]], "EMAIL: info@auth-check.org": [[239, 258]], "MALWARE: Amadey": [[270, 276]], "MALWARE: Latrodectus": [[316, 327]], "TOOL: Sharphound": [[336, 346]], "IP_ADDRESS: 10.63.11.202": [[394, 406]], "DOMAIN: auth-sync.org": [[411, 424]], "URL: http://gatewaystatic.com/download/update.exe": [[446, 490]], "FILEPATH: /dev/shm/winlogon.exe": [[531, 552]], "HASH: 946c0c961fe129f536e958f3e3bca12e": [[559, 591]]}, "info": {"id": "synth_v2_01522", "source": "synthetic_v2"}} +{"text": "Blog Post by Europol: Tracking Scattered Spider's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-37651 against MOVEit Transfer deployments. The initial access vector involves spear-phishing emails from security@credential-check.site delivering Ryuk. Post-compromise, the attackers deploy SmokeLoader and use Havoc for reconnaissance. C2 infrastructure includes 114.50.7.170 and update-sync.top. A staging server at hxxp://nodeproxy.dev/portal/verify hosts additional tooling. 
Key artifact: /home/user/.config/shell.php (SHA256: 48543e3f2e319fbaaf263854e8b40567843b8858b0e07684f183e7166d1c66ce).", "spans": {"ORGANIZATION: Europol": [[13, 20]], "THREAT_ACTOR: Scattered Spider": [[31, 47]], "CVE_ID: CVE-2020-37651": [[127, 141]], "SYSTEM: MOVEit Transfer": [[150, 165]], "EMAIL: security@credential-check.site": [[241, 271]], "MALWARE: Ryuk": [[283, 287]], "MALWARE: SmokeLoader": [[327, 338]], "TOOL: Havoc": [[347, 352]], "IP_ADDRESS: 114.50.7.170": [[400, 412]], "DOMAIN: update-sync.top": [[417, 432]], "URL: hxxp://nodeproxy.dev/portal/verify": [[454, 488]], "FILEPATH: /home/user/.config/shell.php": [[529, 557]], "HASH: 48543e3f2e319fbaaf263854e8b40567843b8858b0e07684f183e7166d1c66ce": [[567, 631]]}, "info": {"id": "synth_v2_01523", "source": "synthetic_v2"}} +{"text": "Blog Post by Proofpoint: Tracking Storm-0558's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2023-40294 against Juniper SRX deployments. The initial access vector involves spear-phishing emails from helpdesk@auth-check.org delivering AgentTesla. Post-compromise, the attackers deploy BlackCat and use ADFind for reconnaissance. C2 infrastructure includes 10.176.58.117 and cache-relay.org. A staging server at hxxp://apisecure.top/portal/verify hosts additional tooling. 
Key artifact: /var/tmp/ntds.dit (SHA256: 445a6f831271be20694121e613dff1e0da10559ab3fc3e83e8fd159f13a289ef).", "spans": {"ORGANIZATION: Proofpoint": [[13, 23]], "THREAT_ACTOR: Storm-0558": [[34, 44]], "CVE_ID: CVE-2023-40294": [[124, 138]], "SYSTEM: Juniper SRX": [[147, 158]], "EMAIL: helpdesk@auth-check.org": [[234, 257]], "MALWARE: AgentTesla": [[269, 279]], "MALWARE: BlackCat": [[319, 327]], "TOOL: ADFind": [[336, 342]], "IP_ADDRESS: 10.176.58.117": [[390, 403]], "DOMAIN: cache-relay.org": [[408, 423]], "URL: hxxp://apisecure.top/portal/verify": [[445, 479]], "FILEPATH: /var/tmp/ntds.dit": [[520, 537]], "HASH: 445a6f831271be20694121e613dff1e0da10559ab3fc3e83e8fd159f13a289ef": [[547, 611]]}, "info": {"id": "synth_v2_01524", "source": "synthetic_v2"}} +{"text": "Blog Post by CISA: Tracking BlackTech's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2025-13087 against Palo Alto PAN-OS deployments. The initial access vector involves spear-phishing emails from notification@credential-check.site delivering PlugX. Post-compromise, the attackers deploy Amadey and use PowerShell Empire for reconnaissance. C2 infrastructure includes 185.66.198.205 and edgeproxy.tech. A staging server at https://cloud-api.com/assets/js/payload.js hosts additional tooling. 
Key artifact: C:\\ProgramData\\backdoor.elf (SHA1: 9fed3db381c16e81ef3ec24c22be8d33a1bd50a7).", "spans": {"ORGANIZATION: CISA": [[13, 17]], "THREAT_ACTOR: BlackTech": [[28, 37]], "CVE_ID: CVE-2025-13087": [[117, 131]], "SYSTEM: Palo Alto PAN-OS": [[140, 156]], "EMAIL: notification@credential-check.site": [[232, 266]], "MALWARE: PlugX": [[278, 283]], "MALWARE: Amadey": [[323, 329]], "TOOL: PowerShell Empire": [[338, 355]], "IP_ADDRESS: 185.66.198.205": [[403, 417]], "DOMAIN: edgeproxy.tech": [[422, 436]], "URL: https://cloud-api.com/assets/js/payload.js": [[458, 500]], "FILEPATH: C:\\ProgramData\\backdoor.elf": [[541, 568]], "HASH: 9fed3db381c16e81ef3ec24c22be8d33a1bd50a7": [[576, 616]]}, "info": {"id": "synth_v2_01525", "source": "synthetic_v2"}} +{"text": "Blog Post by CrowdStrike: Tracking Ember Bear's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2022-18180 against Juniper SRX deployments. The initial access vector involves spear-phishing emails from info@credential-check.site delivering Amadey. Post-compromise, the attackers deploy IcedID and use Sharphound for reconnaissance. C2 infrastructure includes 172.43.18.124 and portalportal.dev. A staging server at https://staticproxy.live/gate.php hosts additional tooling. 
Key artifact: C:\\Users\\Public\\Documents\\config.dat (SHA256: 0e6dc43d30db1a09c7283ba4164bc8b0d9346ace54b160310e40ffd9562189f6).", "spans": {"ORGANIZATION: CrowdStrike": [[13, 24]], "THREAT_ACTOR: Ember Bear": [[35, 45]], "CVE_ID: CVE-2022-18180": [[125, 139]], "SYSTEM: Juniper SRX": [[148, 159]], "EMAIL: info@credential-check.site": [[235, 261]], "MALWARE: Amadey": [[273, 279]], "MALWARE: IcedID": [[319, 325]], "TOOL: Sharphound": [[334, 344]], "IP_ADDRESS: 172.43.18.124": [[392, 405]], "DOMAIN: portalportal.dev": [[410, 426]], "URL: https://staticproxy.live/gate.php": [[448, 481]], "FILEPATH: C:\\Users\\Public\\Documents\\config.dat": [[522, 558]], "HASH: 0e6dc43d30db1a09c7283ba4164bc8b0d9346ace54b160310e40ffd9562189f6": [[568, 632]]}, "info": {"id": "synth_v2_01526", "source": "synthetic_v2"}} +{"text": "Blog Post by Trend Micro: Tracking Velvet Tempest's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2025-24373 against Juniper SRX deployments. The initial access vector involves spear-phishing emails from service@credential-check.site delivering Play. Post-compromise, the attackers deploy RedLine Stealer and use Ligolo for reconnaissance. C2 infrastructure includes 192.25.111.40 and cloudportal.dev. A staging server at http://loginmail.tech/assets/js/payload.js hosts additional tooling. 
Key artifact: /tmp/winlogon.exe (SHA1: c3c144f4a5f181fa96281a4b9f2270359e502683).", "spans": {"ORGANIZATION: Trend Micro": [[13, 24]], "THREAT_ACTOR: Velvet Tempest": [[35, 49]], "CVE_ID: CVE-2025-24373": [[129, 143]], "SYSTEM: Juniper SRX": [[152, 163]], "EMAIL: service@credential-check.site": [[239, 268]], "MALWARE: Play": [[280, 284]], "MALWARE: RedLine Stealer": [[324, 339]], "TOOL: Ligolo": [[348, 354]], "IP_ADDRESS: 192.25.111.40": [[402, 415]], "DOMAIN: cloudportal.dev": [[420, 435]], "URL: http://loginmail.tech/assets/js/payload.js": [[457, 499]], "FILEPATH: /tmp/winlogon.exe": [[540, 557]], "HASH: c3c144f4a5f181fa96281a4b9f2270359e502683": [[565, 605]]}, "info": {"id": "synth_v2_01527", "source": "synthetic_v2"}} +{"text": "Blog Post by Volexity: Tracking APT28's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2021-24446 against Windows 11 deployments. The initial access vector involves spear-phishing emails from report@document-share.link delivering Amadey. Post-compromise, the attackers deploy Latrodectus and use Seatbelt for reconnaissance. C2 infrastructure includes 46.114.152.208 and portalsync.club. A staging server at http://apisecure.top/api/v2/auth hosts additional tooling. 
Key artifact: /tmp/lsass.dmp (MD5: c7e92aff25d00347cea3efa7cfa826bc).", "spans": {"ORGANIZATION: Volexity": [[13, 21]], "THREAT_ACTOR: APT28": [[32, 37]], "CVE_ID: CVE-2021-24446": [[117, 131]], "SYSTEM: Windows 11": [[140, 150]], "EMAIL: report@document-share.link": [[226, 252]], "MALWARE: Amadey": [[264, 270]], "MALWARE: Latrodectus": [[310, 321]], "TOOL: Seatbelt": [[330, 338]], "IP_ADDRESS: 46.114.152.208": [[386, 400]], "DOMAIN: portalsync.club": [[405, 420]], "URL: http://apisecure.top/api/v2/auth": [[442, 474]], "FILEPATH: /tmp/lsass.dmp": [[515, 529]], "HASH: c7e92aff25d00347cea3efa7cfa826bc": [[536, 568]]}, "info": {"id": "synth_v2_01528", "source": "synthetic_v2"}} +{"text": "Blog Post by Zscaler ThreatLabz: Tracking Diamond Sleet's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2025-45322 against Fortinet FortiGate deployments. The initial access vector involves spear-phishing emails from billing@phishing-domain.com delivering BumbleBee. Post-compromise, the attackers deploy Ryuk and use Seatbelt for reconnaissance. C2 infrastructure includes 86.201.152.66 and cache-cdn.cc. A staging server at https://apistatic.live/callback hosts additional tooling. 
Key artifact: C:\\Users\\admin\\AppData\\Local\\Temp\\lsass.dmp (MD5: 1e4dff910efdd3118affa0a49b1e992d).", "spans": {"ORGANIZATION: Zscaler ThreatLabz": [[13, 31]], "THREAT_ACTOR: Diamond Sleet": [[42, 55]], "CVE_ID: CVE-2025-45322": [[135, 149]], "SYSTEM: Fortinet FortiGate": [[158, 176]], "EMAIL: billing@phishing-domain.com": [[252, 279]], "MALWARE: BumbleBee": [[291, 300]], "MALWARE: Ryuk": [[340, 344]], "TOOL: Seatbelt": [[353, 361]], "IP_ADDRESS: 86.201.152.66": [[409, 422]], "DOMAIN: cache-cdn.cc": [[427, 439]], "URL: https://apistatic.live/callback": [[461, 492]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\lsass.dmp": [[533, 576]], "HASH: 1e4dff910efdd3118affa0a49b1e992d": [[583, 615]]}, "info": {"id": "synth_v2_01529", "source": "synthetic_v2"}} +{"text": "Blog Post by Cisco Talos: Tracking Volt Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-16140 against Ivanti Connect Secure deployments. The initial access vector involves spear-phishing emails from verify@login-portal.tech delivering LockBit. Post-compromise, the attackers deploy Conti and use GhostPack for reconnaissance. C2 infrastructure includes 172.132.28.115 and cdnbackup.live. A staging server at https://api-cloud.club/wp-content/uploads/doc.php hosts additional tooling. 
Key artifact: C:\\Program Files\\Common Files\\csrss.exe (SHA1: 17dce84c6bdbe6c3ef264e47f1a1213b10ba04c0).", "spans": {"ORGANIZATION: Cisco Talos": [[13, 24]], "THREAT_ACTOR: Volt Typhoon": [[35, 47]], "CVE_ID: CVE-2020-16140": [[127, 141]], "SYSTEM: Ivanti Connect Secure": [[150, 171]], "EMAIL: verify@login-portal.tech": [[247, 271]], "MALWARE: LockBit": [[283, 290]], "MALWARE: Conti": [[330, 335]], "TOOL: GhostPack": [[344, 353]], "IP_ADDRESS: 172.132.28.115": [[401, 415]], "DOMAIN: cdnbackup.live": [[420, 434]], "URL: https://api-cloud.club/wp-content/uploads/doc.php": [[456, 505]], "FILEPATH: C:\\Program Files\\Common Files\\csrss.exe": [[546, 585]], "HASH: 17dce84c6bdbe6c3ef264e47f1a1213b10ba04c0": [[593, 633]]}, "info": {"id": "synth_v2_01530", "source": "synthetic_v2"}} +{"text": "Blog Post by FireEye: Tracking Turla's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2024-31252 against MOVEit Transfer deployments. The initial access vector involves spear-phishing emails from alert@auth-check.org delivering Amadey. Post-compromise, the attackers deploy REvil and use Seatbelt for reconnaissance. C2 infrastructure includes 113.235.240.179 and storage-mail.info. A staging server at http://proxy-api.org/collect hosts additional tooling. 
Key artifact: /home/user/.config/dropper.ps1 (SHA1: 421073df09c6f7ac94c0a7340f91c85710acb5bf).", "spans": {"ORGANIZATION: FireEye": [[13, 20]], "THREAT_ACTOR: Turla": [[31, 36]], "CVE_ID: CVE-2024-31252": [[116, 130]], "SYSTEM: MOVEit Transfer": [[139, 154]], "EMAIL: alert@auth-check.org": [[230, 250]], "MALWARE: Amadey": [[262, 268]], "MALWARE: REvil": [[308, 313]], "TOOL: Seatbelt": [[322, 330]], "IP_ADDRESS: 113.235.240.179": [[378, 393]], "DOMAIN: storage-mail.info": [[398, 415]], "URL: http://proxy-api.org/collect": [[437, 465]], "FILEPATH: /home/user/.config/dropper.ps1": [[506, 536]], "HASH: 421073df09c6f7ac94c0a7340f91c85710acb5bf": [[544, 584]]}, "info": {"id": "synth_v2_01531", "source": "synthetic_v2"}} +{"text": "Blog Post by Google TAG: Tracking Flax Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2021-20189 against MOVEit Transfer deployments. The initial access vector involves spear-phishing emails from helpdesk@identity-verify.cc delivering Amadey. Post-compromise, the attackers deploy Emotet and use BloodHound for reconnaissance. C2 infrastructure includes 10.53.108.252 and portal-node.cc. A staging server at hxxps://proxy-sync.site/download/update.exe hosts additional tooling. 
Key artifact: /home/user/.config/chrome_helper.exe (SHA256: 730d166bdb838914131532255df933f0f7915497dc3612c9d42cb84622d1dc62).", "spans": {"ORGANIZATION: Google TAG": [[13, 23]], "THREAT_ACTOR: Flax Typhoon": [[34, 46]], "CVE_ID: CVE-2021-20189": [[126, 140]], "SYSTEM: MOVEit Transfer": [[149, 164]], "EMAIL: helpdesk@identity-verify.cc": [[240, 267]], "MALWARE: Amadey": [[279, 285]], "MALWARE: Emotet": [[325, 331]], "TOOL: BloodHound": [[340, 350]], "IP_ADDRESS: 10.53.108.252": [[398, 411]], "DOMAIN: portal-node.cc": [[416, 430]], "URL: hxxps://proxy-sync.site/download/update.exe": [[452, 495]], "FILEPATH: /home/user/.config/chrome_helper.exe": [[536, 572]], "HASH: 730d166bdb838914131532255df933f0f7915497dc3612c9d42cb84622d1dc62": [[582, 646]]}, "info": {"id": "synth_v2_01532", "source": "synthetic_v2"}} +{"text": "Blog Post by SentinelOne: Tracking Ember Bear's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2021-32059 against Progress Telerik deployments. The initial access vector involves spear-phishing emails from report@account-update.xyz delivering Amadey. Post-compromise, the attackers deploy Dridex and use WinPEAS for reconnaissance. C2 infrastructure includes 192.136.88.180 and apicache.tech. A staging server at https://apiproxy.site/secure/token hosts additional tooling. 
Key artifact: C:\\Windows\\System32\\helper.sh (SHA1: 16553bc830aba4b230b857739f34a41115e03529).", "spans": {"ORGANIZATION: SentinelOne": [[13, 24]], "THREAT_ACTOR: Ember Bear": [[35, 45]], "CVE_ID: CVE-2021-32059": [[125, 139]], "SYSTEM: Progress Telerik": [[148, 164]], "EMAIL: report@account-update.xyz": [[240, 265]], "MALWARE: Amadey": [[277, 283]], "MALWARE: Dridex": [[323, 329]], "TOOL: WinPEAS": [[338, 345]], "IP_ADDRESS: 192.136.88.180": [[393, 407]], "DOMAIN: apicache.tech": [[412, 425]], "URL: https://apiproxy.site/secure/token": [[447, 481]], "FILEPATH: C:\\Windows\\System32\\helper.sh": [[522, 551]], "HASH: 16553bc830aba4b230b857739f34a41115e03529": [[559, 599]]}, "info": {"id": "synth_v2_01533", "source": "synthetic_v2"}} +{"text": "Blog Post by Secureworks: Tracking BlackTech's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2026-42806 against Atlassian Confluence deployments. The initial access vector involves spear-phishing emails from confirm@credential-check.site delivering RedLine Stealer. Post-compromise, the attackers deploy BlackCat and use WinPEAS for reconnaissance. C2 infrastructure includes 172.13.223.50 and login-login.io. A staging server at hxxp://static-data.link/secure/token hosts additional tooling. 
Key artifact: /dev/shm/taskhost.exe (SHA256: fe8f2afae71ef804fbf2a01faacc6981208fb45574a41c539bcc1d1e33d46d45).", "spans": {"ORGANIZATION: Secureworks": [[13, 24]], "THREAT_ACTOR: BlackTech": [[35, 44]], "CVE_ID: CVE-2026-42806": [[124, 138]], "SYSTEM: Atlassian Confluence": [[147, 167]], "EMAIL: confirm@credential-check.site": [[243, 272]], "MALWARE: RedLine Stealer": [[284, 299]], "MALWARE: BlackCat": [[339, 347]], "TOOL: WinPEAS": [[356, 363]], "IP_ADDRESS: 172.13.223.50": [[411, 424]], "DOMAIN: login-login.io": [[429, 443]], "URL: hxxp://static-data.link/secure/token": [[465, 501]], "FILEPATH: /dev/shm/taskhost.exe": [[542, 563]], "HASH: fe8f2afae71ef804fbf2a01faacc6981208fb45574a41c539bcc1d1e33d46d45": [[573, 637]]}, "info": {"id": "synth_v2_01534", "source": "synthetic_v2"}} +{"text": "Blog Post by SentinelOne: Tracking Aqua Blizzard's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2025-38077 against Apache Struts deployments. The initial access vector involves spear-phishing emails from alert@phishing-domain.com delivering Hive. Post-compromise, the attackers deploy AgentTesla and use GhostPack for reconnaissance. C2 infrastructure includes 41.210.158.218 and syncgateway.info. A staging server at hxxp://storagecdn.online/panel/index.html hosts additional tooling. 
Key artifact: C:\\Users\\Public\\Documents\\dropper.ps1 (SHA256: c667b59102c406431aa25cd1a577ce4e6104683c9af1ff23fa277aa9198b344b).", "spans": {"ORGANIZATION: SentinelOne": [[13, 24]], "THREAT_ACTOR: Aqua Blizzard": [[35, 48]], "CVE_ID: CVE-2025-38077": [[128, 142]], "SYSTEM: Apache Struts": [[151, 164]], "EMAIL: alert@phishing-domain.com": [[240, 265]], "MALWARE: Hive": [[277, 281]], "MALWARE: AgentTesla": [[321, 331]], "TOOL: GhostPack": [[340, 349]], "IP_ADDRESS: 41.210.158.218": [[397, 411]], "DOMAIN: syncgateway.info": [[416, 432]], "URL: hxxp://storagecdn.online/panel/index.html": [[454, 495]], "FILEPATH: C:\\Users\\Public\\Documents\\dropper.ps1": [[536, 573]], "HASH: c667b59102c406431aa25cd1a577ce4e6104683c9af1ff23fa277aa9198b344b": [[583, 647]]}, "info": {"id": "synth_v2_01535", "source": "synthetic_v2"}} +{"text": "Blog Post by SentinelOne: Tracking Aqua Blizzard's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-11952 against Barracuda ESG deployments. The initial access vector involves spear-phishing emails from confirm@urgent-notice.online delivering QakBot. Post-compromise, the attackers deploy PikaBot and use Certutil for reconnaissance. C2 infrastructure includes 81.206.158.210 and updatestorage.io. A staging server at hxxps://update-storage.io/api/v2/auth hosts additional tooling. 
Key artifact: C:\\Program Files\\Common Files\\beacon.dll (SHA256: a91a9088dc61dfa074cc496bf630cae738dd44967ad31a4e96a210cd616dbeb2).", "spans": {"ORGANIZATION: SentinelOne": [[13, 24]], "THREAT_ACTOR: Aqua Blizzard": [[35, 48]], "CVE_ID: CVE-2020-11952": [[128, 142]], "SYSTEM: Barracuda ESG": [[151, 164]], "EMAIL: confirm@urgent-notice.online": [[240, 268]], "MALWARE: QakBot": [[280, 286]], "MALWARE: PikaBot": [[326, 333]], "TOOL: Certutil": [[342, 350]], "IP_ADDRESS: 81.206.158.210": [[398, 412]], "DOMAIN: updatestorage.io": [[417, 433]], "URL: hxxps://update-storage.io/api/v2/auth": [[455, 492]], "FILEPATH: C:\\Program Files\\Common Files\\beacon.dll": [[533, 573]], "HASH: a91a9088dc61dfa074cc496bf630cae738dd44967ad31a4e96a210cd616dbeb2": [[583, 647]]}, "info": {"id": "synth_v2_01536", "source": "synthetic_v2"}} +{"text": "Blog Post by INTERPOL: Tracking Ember Bear's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2021-23031 against MOVEit Transfer deployments. The initial access vector involves spear-phishing emails from hr@document-share.link delivering SmokeLoader. Post-compromise, the attackers deploy Qbot and use Sliver for reconnaissance. C2 infrastructure includes 172.218.192.50 and backupportal.link. A staging server at https://datadata.xyz/gate.php hosts additional tooling. 
Key artifact: C:\\Program Files\\Common Files\\helper.sh (MD5: 0eeb77513d93383a1d309b5599e37af6).", "spans": {"ORGANIZATION: INTERPOL": [[13, 21]], "THREAT_ACTOR: Ember Bear": [[32, 42]], "CVE_ID: CVE-2021-23031": [[122, 136]], "SYSTEM: MOVEit Transfer": [[145, 160]], "EMAIL: hr@document-share.link": [[236, 258]], "MALWARE: SmokeLoader": [[270, 281]], "MALWARE: Qbot": [[321, 325]], "TOOL: Sliver": [[334, 340]], "IP_ADDRESS: 172.218.192.50": [[388, 402]], "DOMAIN: backupportal.link": [[407, 424]], "URL: https://datadata.xyz/gate.php": [[446, 475]], "FILEPATH: C:\\Program Files\\Common Files\\helper.sh": [[516, 555]], "HASH: 0eeb77513d93383a1d309b5599e37af6": [[562, 594]]}, "info": {"id": "synth_v2_01537", "source": "synthetic_v2"}} +{"text": "Blog Post by Cisco Talos: Tracking Ember Bear's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2025-43392 against Fortinet FortiGate deployments. The initial access vector involves spear-phishing emails from ceo@account-update.xyz delivering DanaBot. Post-compromise, the attackers deploy LockBit and use CrackMapExec for reconnaissance. C2 infrastructure includes 192.38.176.1 and cloud-proxy.info. A staging server at https://edge-proxy.xyz/secure/token hosts additional tooling. 
Key artifact: C:\\Users\\Public\\Documents\\implant.so (SHA256: 9383b1f64be5d04e8eef7cb896bcede2d784adb71536e8d74e4038d4629c2ed3).", "spans": {"ORGANIZATION: Cisco Talos": [[13, 24]], "THREAT_ACTOR: Ember Bear": [[35, 45]], "CVE_ID: CVE-2025-43392": [[125, 139]], "SYSTEM: Fortinet FortiGate": [[148, 166]], "EMAIL: ceo@account-update.xyz": [[242, 264]], "MALWARE: DanaBot": [[276, 283]], "MALWARE: LockBit": [[323, 330]], "TOOL: CrackMapExec": [[339, 351]], "IP_ADDRESS: 192.38.176.1": [[399, 411]], "DOMAIN: cloud-proxy.info": [[416, 432]], "URL: https://edge-proxy.xyz/secure/token": [[454, 489]], "FILEPATH: C:\\Users\\Public\\Documents\\implant.so": [[530, 566]], "HASH: 9383b1f64be5d04e8eef7cb896bcede2d784adb71536e8d74e4038d4629c2ed3": [[576, 640]]}, "info": {"id": "synth_v2_01538", "source": "synthetic_v2"}} +{"text": "Blog Post by Trend Micro: Tracking APT28's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2026-35009 against Citrix NetScaler deployments. The initial access vector involves spear-phishing emails from confirm@auth-check.org delivering RemcosRAT. Post-compromise, the attackers deploy Emotet and use Nmap for reconnaissance. C2 infrastructure includes 7.244.218.42 and sync-mail.cc. A staging server at http://relaydata.site/login hosts additional tooling. 
Key artifact: C:\\Users\\Public\\Documents\\implant.so (SHA1: fa5956a7d8611623d4d1033b0aef96c346caf9de).", "spans": {"ORGANIZATION: Trend Micro": [[13, 24]], "THREAT_ACTOR: APT28": [[35, 40]], "CVE_ID: CVE-2026-35009": [[120, 134]], "SYSTEM: Citrix NetScaler": [[143, 159]], "EMAIL: confirm@auth-check.org": [[235, 257]], "MALWARE: RemcosRAT": [[269, 278]], "MALWARE: Emotet": [[318, 324]], "TOOL: Nmap": [[333, 337]], "IP_ADDRESS: 7.244.218.42": [[385, 397]], "DOMAIN: sync-mail.cc": [[402, 414]], "URL: http://relaydata.site/login": [[436, 463]], "FILEPATH: C:\\Users\\Public\\Documents\\implant.so": [[504, 540]], "HASH: fa5956a7d8611623d4d1033b0aef96c346caf9de": [[548, 588]]}, "info": {"id": "synth_v2_01539", "source": "synthetic_v2"}} +{"text": "Blog Post by NCSC: Tracking Lazarus Group's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2022-25256 against Cisco ASA deployments. The initial access vector involves spear-phishing emails from updates@secure-verify.net delivering PlugX. Post-compromise, the attackers deploy AsyncRAT and use PowerShell Empire for reconnaissance. C2 infrastructure includes 94.104.225.166 and noderelay.link. A staging server at https://nodestatic.top/admin/config hosts additional tooling. 
Key artifact: /var/tmp/taskhost.exe (MD5: e43ad5c1bb92065f33714edb50954a2e).", "spans": {"ORGANIZATION: NCSC": [[13, 17]], "THREAT_ACTOR: Lazarus Group": [[28, 41]], "CVE_ID: CVE-2022-25256": [[121, 135]], "SYSTEM: Cisco ASA": [[144, 153]], "EMAIL: updates@secure-verify.net": [[229, 254]], "MALWARE: PlugX": [[266, 271]], "MALWARE: AsyncRAT": [[311, 319]], "TOOL: PowerShell Empire": [[328, 345]], "IP_ADDRESS: 94.104.225.166": [[393, 407]], "DOMAIN: noderelay.link": [[412, 426]], "URL: https://nodestatic.top/admin/config": [[448, 483]], "FILEPATH: /var/tmp/taskhost.exe": [[524, 545]], "HASH: e43ad5c1bb92065f33714edb50954a2e": [[552, 584]]}, "info": {"id": "synth_v2_01540", "source": "synthetic_v2"}} +{"text": "Blog Post by Rapid7: Tracking UNC2452's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2023-33283 against Active Directory deployments. The initial access vector involves spear-phishing emails from security@secure-verify.net delivering Meduza Stealer. Post-compromise, the attackers deploy WarmCookie and use Nmap for reconnaissance. C2 infrastructure includes 17.222.124.217 and securestorage.online. A staging server at https://proxyproxy.online/wp-content/uploads/doc.php hosts additional tooling. 
Key artifact: C:\\Windows\\System32\\helper.sh (MD5: 9232bfa04385a15de7c2c5d84f6f0132).", "spans": {"ORGANIZATION: Rapid7": [[13, 19]], "THREAT_ACTOR: UNC2452": [[30, 37]], "CVE_ID: CVE-2023-33283": [[117, 131]], "SYSTEM: Active Directory": [[140, 156]], "EMAIL: security@secure-verify.net": [[232, 258]], "MALWARE: Meduza Stealer": [[270, 284]], "MALWARE: WarmCookie": [[324, 334]], "TOOL: Nmap": [[343, 347]], "IP_ADDRESS: 17.222.124.217": [[395, 409]], "DOMAIN: securestorage.online": [[414, 434]], "URL: https://proxyproxy.online/wp-content/uploads/doc.php": [[456, 508]], "FILEPATH: C:\\Windows\\System32\\helper.sh": [[549, 578]], "HASH: 9232bfa04385a15de7c2c5d84f6f0132": [[585, 617]]}, "info": {"id": "synth_v2_01541", "source": "synthetic_v2"}} +{"text": "Blog Post by NSA: Tracking FIN11's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2024-35928 against Cisco ASA deployments. The initial access vector involves spear-phishing emails from support@auth-check.org delivering BatLoader. Post-compromise, the attackers deploy ShadowPad and use Brute Ratel for reconnaissance. C2 infrastructure includes 192.41.240.86 and proxycache.live. A staging server at hxxps://login-secure.live/admin/config hosts additional tooling. 
Key artifact: C:\\Windows\\Temp\\winlogon.exe (SHA256: babdb4bd3156a7ba713973ecc41eb38e029b52603a0bcfea19674e7e5598dab5).", "spans": {"ORGANIZATION: NSA": [[13, 16]], "THREAT_ACTOR: FIN11": [[27, 32]], "CVE_ID: CVE-2024-35928": [[112, 126]], "SYSTEM: Cisco ASA": [[135, 144]], "EMAIL: support@auth-check.org": [[220, 242]], "MALWARE: BatLoader": [[254, 263]], "MALWARE: ShadowPad": [[303, 312]], "TOOL: Brute Ratel": [[321, 332]], "IP_ADDRESS: 192.41.240.86": [[380, 393]], "DOMAIN: proxycache.live": [[398, 413]], "URL: hxxps://login-secure.live/admin/config": [[435, 473]], "FILEPATH: C:\\Windows\\Temp\\winlogon.exe": [[514, 542]], "HASH: babdb4bd3156a7ba713973ecc41eb38e029b52603a0bcfea19674e7e5598dab5": [[552, 616]]}, "info": {"id": "synth_v2_01542", "source": "synthetic_v2"}} +{"text": "Blog Post by Trend Micro: Tracking BlackTech's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2024-27359 against Atlassian Confluence deployments. The initial access vector involves spear-phishing emails from verify@secure-verify.net delivering Conti. Post-compromise, the attackers deploy PlugX and use PsExec for reconnaissance. C2 infrastructure includes 73.16.165.187 and cache-data.info. A staging server at hxxp://securebackup.site/admin/config hosts additional tooling. 
Key artifact: C:\\Windows\\System32\\runtime.dll (SHA1: 0b462a466b69be91392bd2f0a7caa06e5145bb13).", "spans": {"ORGANIZATION: Trend Micro": [[13, 24]], "THREAT_ACTOR: BlackTech": [[35, 44]], "CVE_ID: CVE-2024-27359": [[124, 138]], "SYSTEM: Atlassian Confluence": [[147, 167]], "EMAIL: verify@secure-verify.net": [[243, 267]], "MALWARE: Conti": [[279, 284]], "MALWARE: PlugX": [[324, 329]], "TOOL: PsExec": [[338, 344]], "IP_ADDRESS: 73.16.165.187": [[392, 405]], "DOMAIN: cache-data.info": [[410, 425]], "URL: hxxp://securebackup.site/admin/config": [[447, 484]], "FILEPATH: C:\\Windows\\System32\\runtime.dll": [[525, 556]], "HASH: 0b462a466b69be91392bd2f0a7caa06e5145bb13": [[564, 604]]}, "info": {"id": "synth_v2_01543", "source": "synthetic_v2"}} +{"text": "Blog Post by INTERPOL: Tracking FIN7's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2025-38077 against Atlassian Confluence deployments. The initial access vector involves spear-phishing emails from alert@document-share.link delivering BumbleBee. Post-compromise, the attackers deploy QakBot and use Seatbelt for reconnaissance. C2 infrastructure includes 10.190.99.225 and staticproxy.tech. A staging server at hxxp://cache-portal.link/panel/index.html hosts additional tooling. 
Key artifact: C:\\Users\\admin\\Desktop\\svchost.exe (SHA256: 7c438a6638a18b87b6145c9a3bdbf0395687ba6e0f234ec9418a7b3dfa27d9a8).", "spans": {"ORGANIZATION: INTERPOL": [[13, 21]], "THREAT_ACTOR: FIN7": [[32, 36]], "CVE_ID: CVE-2025-38077": [[116, 130]], "SYSTEM: Atlassian Confluence": [[139, 159]], "EMAIL: alert@document-share.link": [[235, 260]], "MALWARE: BumbleBee": [[272, 281]], "MALWARE: QakBot": [[321, 327]], "TOOL: Seatbelt": [[336, 344]], "IP_ADDRESS: 10.190.99.225": [[392, 405]], "DOMAIN: staticproxy.tech": [[410, 426]], "URL: hxxp://cache-portal.link/panel/index.html": [[448, 489]], "FILEPATH: C:\\Users\\admin\\Desktop\\svchost.exe": [[530, 564]], "HASH: 7c438a6638a18b87b6145c9a3bdbf0395687ba6e0f234ec9418a7b3dfa27d9a8": [[574, 638]]}, "info": {"id": "synth_v2_01544", "source": "synthetic_v2"}} +{"text": "Blog Post by NSA: Tracking Ember Bear's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2024-25010 against F5 BIG-IP deployments. The initial access vector involves spear-phishing emails from contact@phishing-domain.com delivering Latrodectus. Post-compromise, the attackers deploy Qbot and use Seatbelt for reconnaissance. C2 infrastructure includes 192.243.97.120 and datacdn.cc. A staging server at hxxp://relaydata.cc/callback hosts additional tooling. 
Key artifact: /dev/shm/shell.php (MD5: 7e302aee93139d9f3aaf9a363fe1eba1).", "spans": {"ORGANIZATION: NSA": [[13, 16]], "THREAT_ACTOR: Ember Bear": [[27, 37]], "CVE_ID: CVE-2024-25010": [[117, 131]], "SYSTEM: F5 BIG-IP": [[140, 149]], "EMAIL: contact@phishing-domain.com": [[225, 252]], "MALWARE: Latrodectus": [[264, 275]], "MALWARE: Qbot": [[315, 319]], "TOOL: Seatbelt": [[328, 336]], "IP_ADDRESS: 192.243.97.120": [[384, 398]], "DOMAIN: datacdn.cc": [[403, 413]], "URL: hxxp://relaydata.cc/callback": [[435, 463]], "FILEPATH: /dev/shm/shell.php": [[504, 522]], "HASH: 7e302aee93139d9f3aaf9a363fe1eba1": [[529, 561]]}, "info": {"id": "synth_v2_01545", "source": "synthetic_v2"}} +{"text": "Blog Post by FBI: Tracking Charming Kitten's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-24328 against Apache Struts deployments. The initial access vector involves spear-phishing emails from security@account-update.xyz delivering RemcosRAT. Post-compromise, the attackers deploy NjRAT and use Mimikatz for reconnaissance. C2 infrastructure includes 94.23.227.181 and static-portal.org. A staging server at http://api-update.dev/collect hosts additional tooling. 
Key artifact: C:\\Users\\admin\\Desktop\\csrss.exe (SHA256: 9739e7ee2596811e3a8b997e0c7dba2c3595da01467962c343640b24164a72c6).", "spans": {"ORGANIZATION: FBI": [[13, 16]], "THREAT_ACTOR: Charming Kitten": [[27, 42]], "CVE_ID: CVE-2020-24328": [[122, 136]], "SYSTEM: Apache Struts": [[145, 158]], "EMAIL: security@account-update.xyz": [[234, 261]], "MALWARE: RemcosRAT": [[273, 282]], "MALWARE: NjRAT": [[322, 327]], "TOOL: Mimikatz": [[336, 344]], "IP_ADDRESS: 94.23.227.181": [[392, 405]], "DOMAIN: static-portal.org": [[410, 427]], "URL: http://api-update.dev/collect": [[449, 478]], "FILEPATH: C:\\Users\\admin\\Desktop\\csrss.exe": [[519, 551]], "HASH: 9739e7ee2596811e3a8b997e0c7dba2c3595da01467962c343640b24164a72c6": [[561, 625]]}, "info": {"id": "synth_v2_01546", "source": "synthetic_v2"}} +{"text": "Blog Post by Microsoft MSRC: Tracking Midnight Blizzard's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2023-26043 against Cisco ASA deployments. The initial access vector involves spear-phishing emails from confirm@credential-check.site delivering PikaBot. Post-compromise, the attackers deploy REvil and use Chisel for reconnaissance. C2 infrastructure includes 10.170.155.172 and mail-gateway.online. A staging server at https://api-relay.online/wp-content/uploads/doc.php hosts additional tooling. 
Key artifact: C:\\Users\\admin\\Downloads\\backdoor.elf (SHA1: 10f4fe817ab1e1efab56f2cb7805e98cc6a3caf3).", "spans": {"ORGANIZATION: Microsoft MSRC": [[13, 27]], "THREAT_ACTOR: Midnight Blizzard": [[38, 55]], "CVE_ID: CVE-2023-26043": [[135, 149]], "SYSTEM: Cisco ASA": [[158, 167]], "EMAIL: confirm@credential-check.site": [[243, 272]], "MALWARE: PikaBot": [[284, 291]], "MALWARE: REvil": [[331, 336]], "TOOL: Chisel": [[345, 351]], "IP_ADDRESS: 10.170.155.172": [[399, 413]], "DOMAIN: mail-gateway.online": [[418, 437]], "URL: https://api-relay.online/wp-content/uploads/doc.php": [[459, 510]], "FILEPATH: C:\\Users\\admin\\Downloads\\backdoor.elf": [[551, 588]], "HASH: 10f4fe817ab1e1efab56f2cb7805e98cc6a3caf3": [[596, 636]]}, "info": {"id": "synth_v2_01547", "source": "synthetic_v2"}} +{"text": "Blog Post by Rapid7: Tracking UNC2452's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2025-37666 against Windows 11 deployments. The initial access vector involves spear-phishing emails from verify@account-update.xyz delivering RemcosRAT. Post-compromise, the attackers deploy Latrodectus and use Impacket for reconnaissance. C2 infrastructure includes 2.253.168.183 and cloudedge.link. A staging server at http://mail-cloud.club/secure/token hosts additional tooling. 
Key artifact: C:\\Program Files\\Common Files\\loader.exe (SHA1: 7152a2dd386c6afb2d701303f4ed9e5f933540e5).", "spans": {"ORGANIZATION: Rapid7": [[13, 19]], "THREAT_ACTOR: UNC2452": [[30, 37]], "CVE_ID: CVE-2025-37666": [[117, 131]], "SYSTEM: Windows 11": [[140, 150]], "EMAIL: verify@account-update.xyz": [[226, 251]], "MALWARE: RemcosRAT": [[263, 272]], "MALWARE: Latrodectus": [[312, 323]], "TOOL: Impacket": [[332, 340]], "IP_ADDRESS: 2.253.168.183": [[388, 401]], "DOMAIN: cloudedge.link": [[406, 420]], "URL: http://mail-cloud.club/secure/token": [[442, 477]], "FILEPATH: C:\\Program Files\\Common Files\\loader.exe": [[518, 558]], "HASH: 7152a2dd386c6afb2d701303f4ed9e5f933540e5": [[566, 606]]}, "info": {"id": "synth_v2_01548", "source": "synthetic_v2"}} +{"text": "Blog Post by Cisco Talos: Tracking Salt Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2025-20484 against Windows Server 2019 deployments. The initial access vector involves spear-phishing emails from confirm@credential-check.site delivering Meduza Stealer. Post-compromise, the attackers deploy RedLine Stealer and use BloodHound for reconnaissance. C2 infrastructure includes 22.97.23.105 and relaysecure.net. A staging server at http://edge-auth.tech/panel/index.html hosts additional tooling. 
Key artifact: C:\\Windows\\Temp\\config.dat (SHA256: fc536cd5fbaeb7819a4cee31a137e680f7cb9e0491bcda395ec5b99312d319f3).", "spans": {"ORGANIZATION: Cisco Talos": [[13, 24]], "THREAT_ACTOR: Salt Typhoon": [[35, 47]], "CVE_ID: CVE-2025-20484": [[127, 141]], "SYSTEM: Windows Server 2019": [[150, 169]], "EMAIL: confirm@credential-check.site": [[245, 274]], "MALWARE: Meduza Stealer": [[286, 300]], "MALWARE: RedLine Stealer": [[340, 355]], "TOOL: BloodHound": [[364, 374]], "IP_ADDRESS: 22.97.23.105": [[422, 434]], "DOMAIN: relaysecure.net": [[439, 454]], "URL: http://edge-auth.tech/panel/index.html": [[476, 514]], "FILEPATH: C:\\Windows\\Temp\\config.dat": [[555, 581]], "HASH: fc536cd5fbaeb7819a4cee31a137e680f7cb9e0491bcda395ec5b99312d319f3": [[591, 655]]}, "info": {"id": "synth_v2_01549", "source": "synthetic_v2"}} +{"text": "Blog Post by FBI: Tracking Salt Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2025-20016 against MOVEit Transfer deployments. The initial access vector involves spear-phishing emails from notification@phishing-domain.com delivering PikaBot. Post-compromise, the attackers deploy NjRAT and use PsExec for reconnaissance. C2 infrastructure includes 10.147.87.80 and data-proxy.net. A staging server at http://dataupdate.live/assets/js/payload.js hosts additional tooling. 
Key artifact: /etc/cron.d/loader.exe (SHA256: 2f19f8492457076d00340766316fd4ddacf8fe7136b1136c73f39eb00b0f9314).", "spans": {"ORGANIZATION: FBI": [[13, 16]], "THREAT_ACTOR: Salt Typhoon": [[27, 39]], "CVE_ID: CVE-2025-20016": [[119, 133]], "SYSTEM: MOVEit Transfer": [[142, 157]], "EMAIL: notification@phishing-domain.com": [[233, 265]], "MALWARE: PikaBot": [[277, 284]], "MALWARE: NjRAT": [[324, 329]], "TOOL: PsExec": [[338, 344]], "IP_ADDRESS: 10.147.87.80": [[392, 404]], "DOMAIN: data-proxy.net": [[409, 423]], "URL: http://dataupdate.live/assets/js/payload.js": [[445, 488]], "FILEPATH: /etc/cron.d/loader.exe": [[529, 551]], "HASH: 2f19f8492457076d00340766316fd4ddacf8fe7136b1136c73f39eb00b0f9314": [[561, 625]]}, "info": {"id": "synth_v2_01550", "source": "synthetic_v2"}} +{"text": "Blog Post by Cisco Talos: Tracking APT29's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2026-17507 against Palo Alto PAN-OS deployments. The initial access vector involves spear-phishing emails from it@auth-check.org delivering FormBook. Post-compromise, the attackers deploy Latrodectus and use Nmap for reconnaissance. C2 infrastructure includes 200.63.216.114 and cloud-edge.site. A staging server at http://storagegateway.com/gate.php hosts additional tooling. 
Key artifact: /etc/cron.d/sam.hive (MD5: 3ff7213f45bf0e819c0752d43de0f75d).", "spans": {"ORGANIZATION: Cisco Talos": [[13, 24]], "THREAT_ACTOR: APT29": [[35, 40]], "CVE_ID: CVE-2026-17507": [[120, 134]], "SYSTEM: Palo Alto PAN-OS": [[143, 159]], "EMAIL: it@auth-check.org": [[235, 252]], "MALWARE: FormBook": [[264, 272]], "MALWARE: Latrodectus": [[312, 323]], "TOOL: Nmap": [[332, 336]], "IP_ADDRESS: 200.63.216.114": [[384, 398]], "DOMAIN: cloud-edge.site": [[403, 418]], "URL: http://storagegateway.com/gate.php": [[440, 474]], "FILEPATH: /etc/cron.d/sam.hive": [[515, 535]], "HASH: 3ff7213f45bf0e819c0752d43de0f75d": [[542, 574]]}, "info": {"id": "synth_v2_01551", "source": "synthetic_v2"}} +{"text": "Blog Post by Rapid7: Tracking FIN7's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-17296 against Atlassian Confluence deployments. The initial access vector involves spear-phishing emails from confirm@auth-check.org delivering RemcosRAT. Post-compromise, the attackers deploy Gootloader and use Metasploit for reconnaissance. C2 infrastructure includes 124.66.181.251 and backup-cdn.org. A staging server at hxxps://edgestatic.club/login hosts additional tooling. 
Key artifact: /opt/app/bin/loader.exe (SHA1: 79c08e77f2ee94783432e33d9eb054e7e67d7960).", "spans": {"ORGANIZATION: Rapid7": [[13, 19]], "THREAT_ACTOR: FIN7": [[30, 34]], "CVE_ID: CVE-2020-17296": [[114, 128]], "SYSTEM: Atlassian Confluence": [[137, 157]], "EMAIL: confirm@auth-check.org": [[233, 255]], "MALWARE: RemcosRAT": [[267, 276]], "MALWARE: Gootloader": [[316, 326]], "TOOL: Metasploit": [[335, 345]], "IP_ADDRESS: 124.66.181.251": [[393, 407]], "DOMAIN: backup-cdn.org": [[412, 426]], "URL: hxxps://edgestatic.club/login": [[448, 477]], "FILEPATH: /opt/app/bin/loader.exe": [[518, 541]], "HASH: 79c08e77f2ee94783432e33d9eb054e7e67d7960": [[549, 589]]}, "info": {"id": "synth_v2_01552", "source": "synthetic_v2"}} +{"text": "Blog Post by CISA: Tracking Mustang Panda's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2026-17507 against Apache Struts deployments. The initial access vector involves spear-phishing emails from finance@document-share.link delivering Royal. Post-compromise, the attackers deploy NjRAT and use PowerShell Empire for reconnaissance. C2 infrastructure includes 201.241.76.12 and login-backup.net. A staging server at hxxps://backup-api.tech/gate.php hosts additional tooling. 
Key artifact: /var/tmp/taskhost.exe (SHA1: 83f9f90e2439e89e30ca90486e0c9b146586b992).", "spans": {"ORGANIZATION: CISA": [[13, 17]], "THREAT_ACTOR: Mustang Panda": [[28, 41]], "CVE_ID: CVE-2026-17507": [[121, 135]], "SYSTEM: Apache Struts": [[144, 157]], "EMAIL: finance@document-share.link": [[233, 260]], "MALWARE: Royal": [[272, 277]], "MALWARE: NjRAT": [[317, 322]], "TOOL: PowerShell Empire": [[331, 348]], "IP_ADDRESS: 201.241.76.12": [[396, 409]], "DOMAIN: login-backup.net": [[414, 430]], "URL: hxxps://backup-api.tech/gate.php": [[452, 484]], "FILEPATH: /var/tmp/taskhost.exe": [[525, 546]], "HASH: 83f9f90e2439e89e30ca90486e0c9b146586b992": [[554, 594]]}, "info": {"id": "synth_v2_01553", "source": "synthetic_v2"}} +{"text": "Blog Post by Proofpoint: Tracking Volt Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2021-32298 against SonicWall SMA deployments. The initial access vector involves spear-phishing emails from support@mail-service.info delivering Emotet. Post-compromise, the attackers deploy PikaBot and use PowerView for reconnaissance. C2 infrastructure includes 10.175.187.162 and gatewayapi.xyz. A staging server at https://updatesync.online/login hosts additional tooling. 
Key artifact: /opt/app/bin/dropper.ps1 (SHA256: d836f74d29aa07470b6cf68c09ea5d33405a0c73ec69b3bf84822ac1fc297343).", "spans": {"ORGANIZATION: Proofpoint": [[13, 23]], "THREAT_ACTOR: Volt Typhoon": [[34, 46]], "CVE_ID: CVE-2021-32298": [[126, 140]], "SYSTEM: SonicWall SMA": [[149, 162]], "EMAIL: support@mail-service.info": [[238, 263]], "MALWARE: Emotet": [[275, 281]], "MALWARE: PikaBot": [[321, 328]], "TOOL: PowerView": [[337, 346]], "IP_ADDRESS: 10.175.187.162": [[394, 408]], "DOMAIN: gatewayapi.xyz": [[413, 427]], "URL: https://updatesync.online/login": [[449, 480]], "FILEPATH: /opt/app/bin/dropper.ps1": [[521, 545]], "HASH: d836f74d29aa07470b6cf68c09ea5d33405a0c73ec69b3bf84822ac1fc297343": [[555, 619]]}, "info": {"id": "synth_v2_01554", "source": "synthetic_v2"}} +{"text": "Blog Post by Trend Micro: Tracking APT29's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2021-24110 against F5 BIG-IP deployments. The initial access vector involves spear-phishing emails from billing@urgent-notice.online delivering Latrodectus. Post-compromise, the attackers deploy Lumma Stealer and use CrackMapExec for reconnaissance. C2 infrastructure includes 172.19.196.80 and staticdata.tech. A staging server at hxxp://mailnode.com/admin/config hosts additional tooling. 
Key artifact: /tmp/lsass.dmp (MD5: bbb1185956f9f0adf771cf433842c869).", "spans": {"ORGANIZATION: Trend Micro": [[13, 24]], "THREAT_ACTOR: APT29": [[35, 40]], "CVE_ID: CVE-2021-24110": [[120, 134]], "SYSTEM: F5 BIG-IP": [[143, 152]], "EMAIL: billing@urgent-notice.online": [[228, 256]], "MALWARE: Latrodectus": [[268, 279]], "MALWARE: Lumma Stealer": [[319, 332]], "TOOL: CrackMapExec": [[341, 353]], "IP_ADDRESS: 172.19.196.80": [[401, 414]], "DOMAIN: staticdata.tech": [[419, 434]], "URL: hxxp://mailnode.com/admin/config": [[456, 488]], "FILEPATH: /tmp/lsass.dmp": [[529, 543]], "HASH: bbb1185956f9f0adf771cf433842c869": [[550, 582]]}, "info": {"id": "synth_v2_01555", "source": "synthetic_v2"}} +{"text": "Blog Post by Trend Micro: Tracking Ember Bear's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2024-23934 against Atlassian Confluence deployments. The initial access vector involves spear-phishing emails from helpdesk@document-share.link delivering BlackCat. Post-compromise, the attackers deploy REvil and use Burp Suite for reconnaissance. C2 infrastructure includes 172.19.113.61 and apibackup.live. A staging server at http://sync-sync.top/callback hosts additional tooling. 
Key artifact: C:\\Users\\admin\\AppData\\Local\\Temp\\update.dll (SHA1: dcd96c0aac828c800d24d08d2704332046d832be).", "spans": {"ORGANIZATION: Trend Micro": [[13, 24]], "THREAT_ACTOR: Ember Bear": [[35, 45]], "CVE_ID: CVE-2024-23934": [[125, 139]], "SYSTEM: Atlassian Confluence": [[148, 168]], "EMAIL: helpdesk@document-share.link": [[244, 272]], "MALWARE: BlackCat": [[284, 292]], "MALWARE: REvil": [[332, 337]], "TOOL: Burp Suite": [[346, 356]], "IP_ADDRESS: 172.19.113.61": [[404, 417]], "DOMAIN: apibackup.live": [[422, 436]], "URL: http://sync-sync.top/callback": [[458, 487]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\update.dll": [[528, 572]], "HASH: dcd96c0aac828c800d24d08d2704332046d832be": [[580, 620]]}, "info": {"id": "synth_v2_01556", "source": "synthetic_v2"}} +{"text": "Blog Post by Volexity: Tracking APT29's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-24628 against Active Directory deployments. The initial access vector involves spear-phishing emails from verify@phishing-domain.com delivering SmokeLoader. Post-compromise, the attackers deploy AgentTesla and use SharpHound for reconnaissance. C2 infrastructure includes 127.84.161.27 and updatecache.site. A staging server at http://relay-cdn.cc/wp-content/uploads/doc.php hosts additional tooling. 
Key artifact: C:\\Users\\Public\\Documents\\lsass.dmp (SHA256: eefcdddac4d795c844e61cda7c36a1a9f36c063c111b779e2e4ed7e2e761816d).", "spans": {"ORGANIZATION: Volexity": [[13, 21]], "THREAT_ACTOR: APT29": [[32, 37]], "CVE_ID: CVE-2020-24628": [[117, 131]], "SYSTEM: Active Directory": [[140, 156]], "EMAIL: verify@phishing-domain.com": [[232, 258]], "MALWARE: SmokeLoader": [[270, 281]], "MALWARE: AgentTesla": [[321, 331]], "TOOL: SharpHound": [[340, 350]], "IP_ADDRESS: 127.84.161.27": [[398, 411]], "DOMAIN: updatecache.site": [[416, 432]], "URL: http://relay-cdn.cc/wp-content/uploads/doc.php": [[454, 500]], "FILEPATH: C:\\Users\\Public\\Documents\\lsass.dmp": [[541, 576]], "HASH: eefcdddac4d795c844e61cda7c36a1a9f36c063c111b779e2e4ed7e2e761816d": [[586, 650]]}, "info": {"id": "synth_v2_01557", "source": "synthetic_v2"}} +{"text": "Blog Post by Dragos: Tracking MuddyWater's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-24628 against Microsoft Exchange deployments. The initial access vector involves spear-phishing emails from it@credential-check.site delivering Latrodectus. Post-compromise, the attackers deploy Ryuk and use PsExec for reconnaissance. C2 infrastructure includes 98.55.92.141 and mail-cdn.net. A staging server at http://syncstorage.info/callback hosts additional tooling. 
Key artifact: /var/tmp/taskhost.exe (SHA256: 46af085ad0580bc51aad8c02bc7b54a5071b9eb2e5dc43dae80e5b690ffc74b8).", "spans": {"ORGANIZATION: Dragos": [[13, 19]], "THREAT_ACTOR: MuddyWater": [[30, 40]], "CVE_ID: CVE-2020-24628": [[120, 134]], "SYSTEM: Microsoft Exchange": [[143, 161]], "EMAIL: it@credential-check.site": [[237, 261]], "MALWARE: Latrodectus": [[273, 284]], "MALWARE: Ryuk": [[324, 328]], "TOOL: PsExec": [[337, 343]], "IP_ADDRESS: 98.55.92.141": [[391, 403]], "DOMAIN: mail-cdn.net": [[408, 420]], "URL: http://syncstorage.info/callback": [[442, 474]], "FILEPATH: /var/tmp/taskhost.exe": [[515, 536]], "HASH: 46af085ad0580bc51aad8c02bc7b54a5071b9eb2e5dc43dae80e5b690ffc74b8": [[546, 610]]}, "info": {"id": "synth_v2_01558", "source": "synthetic_v2"}} +{"text": "Blog Post by Microsoft MSRC: Tracking Salt Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2021-10425 against Citrix NetScaler deployments. The initial access vector involves spear-phishing emails from confirm@phishing-domain.com delivering AgentTesla. Post-compromise, the attackers deploy Play and use Sliver for reconnaissance. C2 infrastructure includes 104.231.202.45 and cache-mail.dev. A staging server at https://cachebackup.online/secure/token hosts additional tooling. 
Key artifact: C:\\Windows\\Tasks\\taskhost.exe (SHA256: d8dd15f178b09d732cce8ffbaa8d97fc5e55f6cd49389827c69445eaf91d7579).", "spans": {"ORGANIZATION: Microsoft MSRC": [[13, 27]], "THREAT_ACTOR: Salt Typhoon": [[38, 50]], "CVE_ID: CVE-2021-10425": [[130, 144]], "SYSTEM: Citrix NetScaler": [[153, 169]], "EMAIL: confirm@phishing-domain.com": [[245, 272]], "MALWARE: AgentTesla": [[284, 294]], "MALWARE: Play": [[334, 338]], "TOOL: Sliver": [[347, 353]], "IP_ADDRESS: 104.231.202.45": [[401, 415]], "DOMAIN: cache-mail.dev": [[420, 434]], "URL: https://cachebackup.online/secure/token": [[456, 495]], "FILEPATH: C:\\Windows\\Tasks\\taskhost.exe": [[536, 565]], "HASH: d8dd15f178b09d732cce8ffbaa8d97fc5e55f6cd49389827c69445eaf91d7579": [[575, 639]]}, "info": {"id": "synth_v2_01559", "source": "synthetic_v2"}} +{"text": "Blog Post by CISA: Tracking Silk Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2024-36290 against F5 BIG-IP deployments. The initial access vector involves spear-phishing emails from hr@mail-service.info delivering Play. Post-compromise, the attackers deploy Dridex and use Seatbelt for reconnaissance. C2 infrastructure includes 172.18.142.45 and apisync.live. A staging server at http://relayapi.dev/secure/token hosts additional tooling. 
Key artifact: C:\\Users\\Public\\Documents\\csrss.exe (SHA256: 226a86d3d459837bae7b43f9d0d98af3f0b81d6cfa2d0d8d5967158f10523cd9).", "spans": {"ORGANIZATION: CISA": [[13, 17]], "THREAT_ACTOR: Silk Typhoon": [[28, 40]], "CVE_ID: CVE-2024-36290": [[120, 134]], "SYSTEM: F5 BIG-IP": [[143, 152]], "EMAIL: hr@mail-service.info": [[228, 248]], "MALWARE: Play": [[260, 264]], "MALWARE: Dridex": [[304, 310]], "TOOL: Seatbelt": [[319, 327]], "IP_ADDRESS: 172.18.142.45": [[375, 388]], "DOMAIN: apisync.live": [[393, 405]], "URL: http://relayapi.dev/secure/token": [[427, 459]], "FILEPATH: C:\\Users\\Public\\Documents\\csrss.exe": [[500, 535]], "HASH: 226a86d3d459837bae7b43f9d0d98af3f0b81d6cfa2d0d8d5967158f10523cd9": [[545, 609]]}, "info": {"id": "synth_v2_01560", "source": "synthetic_v2"}} +{"text": "Blog Post by Google TAG: Tracking Storm-0558's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2026-17507 against Citrix NetScaler deployments. The initial access vector involves spear-phishing emails from verify@identity-verify.cc delivering SmokeLoader. Post-compromise, the attackers deploy Gootloader and use Chisel for reconnaissance. C2 infrastructure includes 190.146.188.66 and cache-auth.live. A staging server at https://relay-edge.com/collect hosts additional tooling. 
Key artifact: C:\\Windows\\System32\\svchost.exe (SHA1: f6f23dcef0c2ac3e493599b0f8333e310bed15f3).", "spans": {"ORGANIZATION: Google TAG": [[13, 23]], "THREAT_ACTOR: Storm-0558": [[34, 44]], "CVE_ID: CVE-2026-17507": [[124, 138]], "SYSTEM: Citrix NetScaler": [[147, 163]], "EMAIL: verify@identity-verify.cc": [[239, 264]], "MALWARE: SmokeLoader": [[276, 287]], "MALWARE: Gootloader": [[327, 337]], "TOOL: Chisel": [[346, 352]], "IP_ADDRESS: 190.146.188.66": [[400, 414]], "DOMAIN: cache-auth.live": [[419, 434]], "URL: https://relay-edge.com/collect": [[456, 486]], "FILEPATH: C:\\Windows\\System32\\svchost.exe": [[527, 558]], "HASH: f6f23dcef0c2ac3e493599b0f8333e310bed15f3": [[566, 606]]}, "info": {"id": "synth_v2_01561", "source": "synthetic_v2"}} +{"text": "Blog Post by INTERPOL: Tracking Sandworm's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2023-39714 against Progress Telerik deployments. The initial access vector involves spear-phishing emails from admin@account-update.xyz delivering Latrodectus. Post-compromise, the attackers deploy Hive and use Brute Ratel for reconnaissance. C2 infrastructure includes 84.84.159.231 and proxy-gateway.com. A staging server at http://backupauth.info/portal/verify hosts additional tooling. 
Key artifact: C:\\Program Files\\Common Files\\taskhost.exe (MD5: 6db6d55057415dfc296f7704db422d73).", "spans": {"ORGANIZATION: INTERPOL": [[13, 21]], "THREAT_ACTOR: Sandworm": [[32, 40]], "CVE_ID: CVE-2023-39714": [[120, 134]], "SYSTEM: Progress Telerik": [[143, 159]], "EMAIL: admin@account-update.xyz": [[235, 259]], "MALWARE: Latrodectus": [[271, 282]], "MALWARE: Hive": [[322, 326]], "TOOL: Brute Ratel": [[335, 346]], "IP_ADDRESS: 84.84.159.231": [[394, 407]], "DOMAIN: proxy-gateway.com": [[412, 429]], "URL: http://backupauth.info/portal/verify": [[451, 487]], "FILEPATH: C:\\Program Files\\Common Files\\taskhost.exe": [[528, 570]], "HASH: 6db6d55057415dfc296f7704db422d73": [[577, 609]]}, "info": {"id": "synth_v2_01562", "source": "synthetic_v2"}} +{"text": "Blog Post by Cisco Talos: Tracking BlackTech's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2024-25010 against Ivanti Connect Secure deployments. The initial access vector involves spear-phishing emails from it@mail-service.info delivering Hive. Post-compromise, the attackers deploy Gootloader and use CrackMapExec for reconnaissance. C2 infrastructure includes 99.44.101.37 and loginapi.xyz. A staging server at hxxps://authmail.tech/login hosts additional tooling. 
Key artifact: C:\\Windows\\System32\\csrss.exe (SHA1: 9c3c41038693c84cdcdaf6a402bc7f351473e57a).", "spans": {"ORGANIZATION: Cisco Talos": [[13, 24]], "THREAT_ACTOR: BlackTech": [[35, 44]], "CVE_ID: CVE-2024-25010": [[124, 138]], "SYSTEM: Ivanti Connect Secure": [[147, 168]], "EMAIL: it@mail-service.info": [[244, 264]], "MALWARE: Hive": [[276, 280]], "MALWARE: Gootloader": [[320, 330]], "TOOL: CrackMapExec": [[339, 351]], "IP_ADDRESS: 99.44.101.37": [[399, 411]], "DOMAIN: loginapi.xyz": [[416, 428]], "URL: hxxps://authmail.tech/login": [[450, 477]], "FILEPATH: C:\\Windows\\System32\\csrss.exe": [[518, 547]], "HASH: 9c3c41038693c84cdcdaf6a402bc7f351473e57a": [[555, 595]]}, "info": {"id": "synth_v2_01563", "source": "synthetic_v2"}} +{"text": "Blog Post by Huntress: Tracking Mustang Panda's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2024-35928 against Cisco ASA deployments. The initial access vector involves spear-phishing emails from security@document-share.link delivering Amadey. Post-compromise, the attackers deploy NjRAT and use Mimikatz for reconnaissance. C2 infrastructure includes 192.140.88.179 and relay-secure.online. A staging server at hxxp://login-portal.xyz/portal/verify hosts additional tooling. 
Key artifact: /tmp/beacon.dll (SHA256: 40edeaaf535ba54e0182d5a36ed9cf10d78e89f6d03b1390525c01a23f169bc5).", "spans": {"ORGANIZATION: Huntress": [[13, 21]], "THREAT_ACTOR: Mustang Panda": [[32, 45]], "CVE_ID: CVE-2024-35928": [[125, 139]], "SYSTEM: Cisco ASA": [[148, 157]], "EMAIL: security@document-share.link": [[233, 261]], "MALWARE: Amadey": [[273, 279]], "MALWARE: NjRAT": [[319, 324]], "TOOL: Mimikatz": [[333, 341]], "IP_ADDRESS: 192.140.88.179": [[389, 403]], "DOMAIN: relay-secure.online": [[408, 427]], "URL: hxxp://login-portal.xyz/portal/verify": [[449, 486]], "FILEPATH: /tmp/beacon.dll": [[527, 542]], "HASH: 40edeaaf535ba54e0182d5a36ed9cf10d78e89f6d03b1390525c01a23f169bc5": [[552, 616]]}, "info": {"id": "synth_v2_01564", "source": "synthetic_v2"}} +{"text": "Blog Post by NSA: Tracking Diamond Sleet's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2025-38077 against F5 BIG-IP deployments. The initial access vector involves spear-phishing emails from alert@document-share.link delivering Ryuk. Post-compromise, the attackers deploy BumbleBee and use CrackMapExec for reconnaissance. C2 infrastructure includes 172.126.124.40 and loginrelay.online. A staging server at https://relaybackup.site/panel/index.html hosts additional tooling. 
Key artifact: /home/user/.config/lsass.dmp (SHA1: b28ef6a1283f2db3bfc21a24982664a865f2b1bc).", "spans": {"ORGANIZATION: NSA": [[13, 16]], "THREAT_ACTOR: Diamond Sleet": [[27, 40]], "CVE_ID: CVE-2025-38077": [[120, 134]], "SYSTEM: F5 BIG-IP": [[143, 152]], "EMAIL: alert@document-share.link": [[228, 253]], "MALWARE: Ryuk": [[265, 269]], "MALWARE: BumbleBee": [[309, 318]], "TOOL: CrackMapExec": [[327, 339]], "IP_ADDRESS: 172.126.124.40": [[387, 401]], "DOMAIN: loginrelay.online": [[406, 423]], "URL: https://relaybackup.site/panel/index.html": [[445, 486]], "FILEPATH: /home/user/.config/lsass.dmp": [[527, 555]], "HASH: b28ef6a1283f2db3bfc21a24982664a865f2b1bc": [[563, 603]]}, "info": {"id": "synth_v2_01565", "source": "synthetic_v2"}} +{"text": "Blog Post by NCSC: Tracking Midnight Blizzard's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2021-16338 against MOVEit Transfer deployments. The initial access vector involves spear-phishing emails from admin@auth-check.org delivering ShadowPad. Post-compromise, the attackers deploy Gootloader and use BITSAdmin for reconnaissance. C2 infrastructure includes 69.99.37.52 and proxymail.top. A staging server at https://secureportal.site/assets/js/payload.js hosts additional tooling. 
Key artifact: /var/tmp/lsass.dmp (SHA1: 5d176d92465695888d1639974a3adb706d9ef024).", "spans": {"ORGANIZATION: NCSC": [[13, 17]], "THREAT_ACTOR: Midnight Blizzard": [[28, 45]], "CVE_ID: CVE-2021-16338": [[125, 139]], "SYSTEM: MOVEit Transfer": [[148, 163]], "EMAIL: admin@auth-check.org": [[239, 259]], "MALWARE: ShadowPad": [[271, 280]], "MALWARE: Gootloader": [[320, 330]], "TOOL: BITSAdmin": [[339, 348]], "IP_ADDRESS: 69.99.37.52": [[396, 407]], "DOMAIN: proxymail.top": [[412, 425]], "URL: https://secureportal.site/assets/js/payload.js": [[447, 493]], "FILEPATH: /var/tmp/lsass.dmp": [[534, 552]], "HASH: 5d176d92465695888d1639974a3adb706d9ef024": [[560, 600]]}, "info": {"id": "synth_v2_01566", "source": "synthetic_v2"}} +{"text": "Blog Post by Check Point Research: Tracking Storm-0558's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2022-34807 against Windows 11 deployments. The initial access vector involves spear-phishing emails from confirm@login-portal.tech delivering PlugX. Post-compromise, the attackers deploy BatLoader and use SharpHound for reconnaissance. C2 infrastructure includes 10.203.63.231 and auth-proxy.online. A staging server at hxxps://storage-data.info/wp-content/uploads/doc.php hosts additional tooling. 
Key artifact: /tmp/runtime.dll (SHA1: 13ab2b97f6851cfedf113f3bcf87502e1136d94a).", "spans": {"ORGANIZATION: Check Point Research": [[13, 33]], "THREAT_ACTOR: Storm-0558": [[44, 54]], "CVE_ID: CVE-2022-34807": [[134, 148]], "SYSTEM: Windows 11": [[157, 167]], "EMAIL: confirm@login-portal.tech": [[243, 268]], "MALWARE: PlugX": [[280, 285]], "MALWARE: BatLoader": [[325, 334]], "TOOL: SharpHound": [[343, 353]], "IP_ADDRESS: 10.203.63.231": [[401, 414]], "DOMAIN: auth-proxy.online": [[419, 436]], "URL: hxxps://storage-data.info/wp-content/uploads/doc.php": [[458, 510]], "FILEPATH: /tmp/runtime.dll": [[551, 567]], "HASH: 13ab2b97f6851cfedf113f3bcf87502e1136d94a": [[575, 615]]}, "info": {"id": "synth_v2_01567", "source": "synthetic_v2"}} +{"text": "Blog Post by Palo Alto Unit 42: Tracking UNC2452's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-24628 against VMware ESXi deployments. The initial access vector involves spear-phishing emails from alert@auth-check.org delivering RemcosRAT. Post-compromise, the attackers deploy Ryuk and use LaZagne for reconnaissance. C2 infrastructure includes 104.143.5.41 and gateway-login.io. A staging server at https://auth-static.xyz/wp-content/uploads/doc.php hosts additional tooling. 
Key artifact: /usr/local/bin/helper.sh (SHA256: 4605af2baca54892eb0e528de909c882e832bbb79835d920b82ccec650ad7829).", "spans": {"ORGANIZATION: Palo Alto Unit 42": [[13, 30]], "THREAT_ACTOR: UNC2452": [[41, 48]], "CVE_ID: CVE-2020-24628": [[128, 142]], "SYSTEM: VMware ESXi": [[151, 162]], "EMAIL: alert@auth-check.org": [[238, 258]], "MALWARE: RemcosRAT": [[270, 279]], "MALWARE: Ryuk": [[319, 323]], "TOOL: LaZagne": [[332, 339]], "IP_ADDRESS: 104.143.5.41": [[387, 399]], "DOMAIN: gateway-login.io": [[404, 420]], "URL: https://auth-static.xyz/wp-content/uploads/doc.php": [[442, 492]], "FILEPATH: /usr/local/bin/helper.sh": [[533, 557]], "HASH: 4605af2baca54892eb0e528de909c882e832bbb79835d920b82ccec650ad7829": [[567, 631]]}, "info": {"id": "synth_v2_01568", "source": "synthetic_v2"}} +{"text": "Blog Post by Europol: Tracking Ember Bear's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2026-44676 against Microsoft Exchange deployments. The initial access vector involves spear-phishing emails from service@auth-check.org delivering WarmCookie. Post-compromise, the attackers deploy Ryuk and use Chisel for reconnaissance. C2 infrastructure includes 208.44.162.149 and update-portal.link. A staging server at hxxp://updatenode.site/wp-content/uploads/doc.php hosts additional tooling. 
Key artifact: C:\\Users\\admin\\AppData\\Local\\Temp\\agent.py (SHA1: 7c76e0e435d5769753e9ef14e3382297f2afdb68).", "spans": {"ORGANIZATION: Europol": [[13, 20]], "THREAT_ACTOR: Ember Bear": [[31, 41]], "CVE_ID: CVE-2026-44676": [[121, 135]], "SYSTEM: Microsoft Exchange": [[144, 162]], "EMAIL: service@auth-check.org": [[238, 260]], "MALWARE: WarmCookie": [[272, 282]], "MALWARE: Ryuk": [[322, 326]], "TOOL: Chisel": [[335, 341]], "IP_ADDRESS: 208.44.162.149": [[389, 403]], "DOMAIN: update-portal.link": [[408, 426]], "URL: hxxp://updatenode.site/wp-content/uploads/doc.php": [[448, 497]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\agent.py": [[538, 580]], "HASH: 7c76e0e435d5769753e9ef14e3382297f2afdb68": [[588, 628]]}, "info": {"id": "synth_v2_01569", "source": "synthetic_v2"}} +{"text": "Blog Post by Proofpoint: Tracking APT29's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2022-40108 against Citrix NetScaler deployments. The initial access vector involves spear-phishing emails from contact@account-update.xyz delivering LockBit. Post-compromise, the attackers deploy FormBook and use Merlin for reconnaissance. C2 infrastructure includes 221.253.67.38 and authedge.club. A staging server at hxxp://gateway-auth.link/secure/token hosts additional tooling. 
Key artifact: C:\\ProgramData\\update.dll (SHA256: dcb75c1482b5488b1f4c10758a22d0df145208752ae302b55d9140ab262e16b5).", "spans": {"ORGANIZATION: Proofpoint": [[13, 23]], "THREAT_ACTOR: APT29": [[34, 39]], "CVE_ID: CVE-2022-40108": [[119, 133]], "SYSTEM: Citrix NetScaler": [[142, 158]], "EMAIL: contact@account-update.xyz": [[234, 260]], "MALWARE: LockBit": [[272, 279]], "MALWARE: FormBook": [[319, 327]], "TOOL: Merlin": [[336, 342]], "IP_ADDRESS: 221.253.67.38": [[390, 403]], "DOMAIN: authedge.club": [[408, 421]], "URL: hxxp://gateway-auth.link/secure/token": [[443, 480]], "FILEPATH: C:\\ProgramData\\update.dll": [[521, 546]], "HASH: dcb75c1482b5488b1f4c10758a22d0df145208752ae302b55d9140ab262e16b5": [[556, 620]]}, "info": {"id": "synth_v2_01570", "source": "synthetic_v2"}} +{"text": "Blog Post by NSA: Tracking TA505's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2026-49052 against Progress Telerik deployments. The initial access vector involves spear-phishing emails from contact@auth-check.org delivering Cobalt Strike. Post-compromise, the attackers deploy IcedID and use Hashcat for reconnaissance. C2 infrastructure includes 167.9.202.35 and cdn-cache.cc. A staging server at http://mailsecure.live/panel/index.html hosts additional tooling. 
Key artifact: C:\\Users\\admin\\AppData\\Local\\Temp\\dropper.ps1 (MD5: 2f5a4aa81fc5b23b4f455355bf057e75).", "spans": {"ORGANIZATION: NSA": [[13, 16]], "THREAT_ACTOR: TA505": [[27, 32]], "CVE_ID: CVE-2026-49052": [[112, 126]], "SYSTEM: Progress Telerik": [[135, 151]], "EMAIL: contact@auth-check.org": [[227, 249]], "MALWARE: Cobalt Strike": [[261, 274]], "MALWARE: IcedID": [[314, 320]], "TOOL: Hashcat": [[329, 336]], "IP_ADDRESS: 167.9.202.35": [[384, 396]], "DOMAIN: cdn-cache.cc": [[401, 413]], "URL: http://mailsecure.live/panel/index.html": [[435, 474]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\dropper.ps1": [[515, 560]], "HASH: 2f5a4aa81fc5b23b4f455355bf057e75": [[567, 599]]}, "info": {"id": "synth_v2_01571", "source": "synthetic_v2"}} +{"text": "Blog Post by Cisco Talos: Tracking Storm-0558's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2025-46789 against Barracuda ESG deployments. The initial access vector involves spear-phishing emails from billing@document-share.link delivering Latrodectus. Post-compromise, the attackers deploy Dridex and use Seatbelt for reconnaissance. C2 infrastructure includes 10.148.21.114 and proxy-cloud.com. A staging server at hxxp://apisync.link/collect hosts additional tooling. 
Key artifact: C:\\Windows\\Temp\\implant.so (SHA256: 475242e819fcd357b0b5d78c9b6e6f410039cd4d3d5695019321bbe14316c093).", "spans": {"ORGANIZATION: Cisco Talos": [[13, 24]], "THREAT_ACTOR: Storm-0558": [[35, 45]], "CVE_ID: CVE-2025-46789": [[125, 139]], "SYSTEM: Barracuda ESG": [[148, 161]], "EMAIL: billing@document-share.link": [[237, 264]], "MALWARE: Latrodectus": [[276, 287]], "MALWARE: Dridex": [[327, 333]], "TOOL: Seatbelt": [[342, 350]], "IP_ADDRESS: 10.148.21.114": [[398, 411]], "DOMAIN: proxy-cloud.com": [[416, 431]], "URL: hxxp://apisync.link/collect": [[453, 480]], "FILEPATH: C:\\Windows\\Temp\\implant.so": [[521, 547]], "HASH: 475242e819fcd357b0b5d78c9b6e6f410039cd4d3d5695019321bbe14316c093": [[557, 621]]}, "info": {"id": "synth_v2_01572", "source": "synthetic_v2"}} +{"text": "Blog Post by Symantec: Tracking Mustang Panda's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2025-46789 against Fortinet FortiGate deployments. The initial access vector involves spear-phishing emails from security@credential-check.site delivering TrickBot. Post-compromise, the attackers deploy QakBot and use Hashcat for reconnaissance. C2 infrastructure includes 204.20.246.2 and backup-proxy.info. A staging server at hxxp://relaystatic.io/api/v2/auth hosts additional tooling. 
Key artifact: /var/tmp/dropper.ps1 (SHA256: f6e609251a8e96d7b5f3ea9745bafb71a701e32093b066d0b750769f66a7fa7a).", "spans": {"ORGANIZATION: Symantec": [[13, 21]], "THREAT_ACTOR: Mustang Panda": [[32, 45]], "CVE_ID: CVE-2025-46789": [[125, 139]], "SYSTEM: Fortinet FortiGate": [[148, 166]], "EMAIL: security@credential-check.site": [[242, 272]], "MALWARE: TrickBot": [[284, 292]], "MALWARE: QakBot": [[332, 338]], "TOOL: Hashcat": [[347, 354]], "IP_ADDRESS: 204.20.246.2": [[402, 414]], "DOMAIN: backup-proxy.info": [[419, 436]], "URL: hxxp://relaystatic.io/api/v2/auth": [[458, 491]], "FILEPATH: /var/tmp/dropper.ps1": [[532, 552]], "HASH: f6e609251a8e96d7b5f3ea9745bafb71a701e32093b066d0b750769f66a7fa7a": [[562, 626]]}, "info": {"id": "synth_v2_01573", "source": "synthetic_v2"}} +{"text": "Blog Post by Palo Alto Unit 42: Tracking Silk Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2022-22601 against Fortinet FortiGate deployments. The initial access vector involves spear-phishing emails from finance@login-portal.tech delivering NjRAT. Post-compromise, the attackers deploy DarkSide and use CrackMapExec for reconnaissance. C2 infrastructure includes 192.232.89.247 and synccdn.net. A staging server at https://cachedata.io/gate.php hosts additional tooling. 
Key artifact: C:\\ProgramData\\loader.exe (MD5: 7a20372900beaae2a906634d904ca020).", "spans": {"ORGANIZATION: Palo Alto Unit 42": [[13, 30]], "THREAT_ACTOR: Silk Typhoon": [[41, 53]], "CVE_ID: CVE-2022-22601": [[133, 147]], "SYSTEM: Fortinet FortiGate": [[156, 174]], "EMAIL: finance@login-portal.tech": [[250, 275]], "MALWARE: NjRAT": [[287, 292]], "MALWARE: DarkSide": [[332, 340]], "TOOL: CrackMapExec": [[349, 361]], "IP_ADDRESS: 192.232.89.247": [[409, 423]], "DOMAIN: synccdn.net": [[428, 439]], "URL: https://cachedata.io/gate.php": [[461, 490]], "FILEPATH: C:\\ProgramData\\loader.exe": [[531, 556]], "HASH: 7a20372900beaae2a906634d904ca020": [[563, 595]]}, "info": {"id": "synth_v2_01574", "source": "synthetic_v2"}} +{"text": "Blog Post by NCSC: Tracking Volt Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2023-23730 against Zyxel USG deployments. The initial access vector involves spear-phishing emails from it@phishing-domain.com delivering AsyncRAT. Post-compromise, the attackers deploy RedLine Stealer and use ADFind for reconnaissance. C2 infrastructure includes 10.243.88.189 and gatewaycloud.site. A staging server at http://staticnode.xyz/secure/token hosts additional tooling. 
Key artifact: /usr/local/bin/winlogon.exe (MD5: 29ea80e8d5037c463e08a207acf116c4).", "spans": {"ORGANIZATION: NCSC": [[13, 17]], "THREAT_ACTOR: Volt Typhoon": [[28, 40]], "CVE_ID: CVE-2023-23730": [[120, 134]], "SYSTEM: Zyxel USG": [[143, 152]], "EMAIL: it@phishing-domain.com": [[228, 250]], "MALWARE: AsyncRAT": [[262, 270]], "MALWARE: RedLine Stealer": [[310, 325]], "TOOL: ADFind": [[334, 340]], "IP_ADDRESS: 10.243.88.189": [[388, 401]], "DOMAIN: gatewaycloud.site": [[406, 423]], "URL: http://staticnode.xyz/secure/token": [[445, 479]], "FILEPATH: /usr/local/bin/winlogon.exe": [[520, 547]], "HASH: 29ea80e8d5037c463e08a207acf116c4": [[554, 586]]}, "info": {"id": "synth_v2_01575", "source": "synthetic_v2"}} +{"text": "Blog Post by NCSC: Tracking FIN7's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-48698 against Windows Server 2019 deployments. The initial access vector involves spear-phishing emails from account@phishing-domain.com delivering WarmCookie. Post-compromise, the attackers deploy Qbot and use Chisel for reconnaissance. C2 infrastructure includes 192.237.16.158 and cloud-auth.online. A staging server at hxxp://auth-api.link/secure/token hosts additional tooling. 
Key artifact: /home/user/.config/runtime.dll (SHA1: 809e6d4042bada9bccb9acfff618ee5c6f943c9f).", "spans": {"ORGANIZATION: NCSC": [[13, 17]], "THREAT_ACTOR: FIN7": [[28, 32]], "CVE_ID: CVE-2020-48698": [[112, 126]], "SYSTEM: Windows Server 2019": [[135, 154]], "EMAIL: account@phishing-domain.com": [[230, 257]], "MALWARE: WarmCookie": [[269, 279]], "MALWARE: Qbot": [[319, 323]], "TOOL: Chisel": [[332, 338]], "IP_ADDRESS: 192.237.16.158": [[386, 400]], "DOMAIN: cloud-auth.online": [[405, 422]], "URL: hxxp://auth-api.link/secure/token": [[444, 477]], "FILEPATH: /home/user/.config/runtime.dll": [[518, 548]], "HASH: 809e6d4042bada9bccb9acfff618ee5c6f943c9f": [[556, 596]]}, "info": {"id": "synth_v2_01576", "source": "synthetic_v2"}} +{"text": "Blog Post by Cisco Talos: Tracking FIN7's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2025-33723 against MOVEit Transfer deployments. The initial access vector involves spear-phishing emails from admin@identity-verify.cc delivering Conti. Post-compromise, the attackers deploy RedLine Stealer and use PowerView for reconnaissance. C2 infrastructure includes 68.9.59.13 and backup-portal.com. A staging server at hxxp://static-cloud.dev/secure/token hosts additional tooling. 
Key artifact: C:\\Users\\admin\\Downloads\\config.dat (SHA256: 1563c768f146f70543dc95a83e36c0623fd9de6607697482fd8521b0849f0232).", "spans": {"ORGANIZATION: Cisco Talos": [[13, 24]], "THREAT_ACTOR: FIN7": [[35, 39]], "CVE_ID: CVE-2025-33723": [[119, 133]], "SYSTEM: MOVEit Transfer": [[142, 157]], "EMAIL: admin@identity-verify.cc": [[233, 257]], "MALWARE: Conti": [[269, 274]], "MALWARE: RedLine Stealer": [[314, 329]], "TOOL: PowerView": [[338, 347]], "IP_ADDRESS: 68.9.59.13": [[395, 405]], "DOMAIN: backup-portal.com": [[410, 427]], "URL: hxxp://static-cloud.dev/secure/token": [[449, 485]], "FILEPATH: C:\\Users\\admin\\Downloads\\config.dat": [[526, 561]], "HASH: 1563c768f146f70543dc95a83e36c0623fd9de6607697482fd8521b0849f0232": [[571, 635]]}, "info": {"id": "synth_v2_01577", "source": "synthetic_v2"}} +{"text": "Blog Post by Rapid7: Tracking Volt Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-46781 against Cisco ASA deployments. The initial access vector involves spear-phishing emails from admin@secure-verify.net delivering QakBot. Post-compromise, the attackers deploy DanaBot and use SharpHound for reconnaissance. C2 infrastructure includes 34.197.204.215 and data-auth.site. A staging server at hxxp://backup-cdn.dev/wp-content/uploads/doc.php hosts additional tooling. 
Key artifact: /dev/shm/chrome_helper.exe (SHA256: 8a7790351e3a349454b62034b153635b13f6bcd13923e54cbd5432af1eaa804f).", "spans": {"ORGANIZATION: Rapid7": [[13, 19]], "THREAT_ACTOR: Volt Typhoon": [[30, 42]], "CVE_ID: CVE-2020-46781": [[122, 136]], "SYSTEM: Cisco ASA": [[145, 154]], "EMAIL: admin@secure-verify.net": [[230, 253]], "MALWARE: QakBot": [[265, 271]], "MALWARE: DanaBot": [[311, 318]], "TOOL: SharpHound": [[327, 337]], "IP_ADDRESS: 34.197.204.215": [[385, 399]], "DOMAIN: data-auth.site": [[404, 418]], "URL: hxxp://backup-cdn.dev/wp-content/uploads/doc.php": [[440, 488]], "FILEPATH: /dev/shm/chrome_helper.exe": [[529, 555]], "HASH: 8a7790351e3a349454b62034b153635b13f6bcd13923e54cbd5432af1eaa804f": [[565, 629]]}, "info": {"id": "synth_v2_01578", "source": "synthetic_v2"}} +{"text": "Blog Post by Secureworks: Tracking Midnight Blizzard's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2023-20708 against Atlassian Confluence deployments. The initial access vector involves spear-phishing emails from contact@credential-check.site delivering Conti. Post-compromise, the attackers deploy StealC and use GhostPack for reconnaissance. C2 infrastructure includes 190.128.23.86 and static-cache.tech. A staging server at hxxps://edge-api.cc/login hosts additional tooling. 
Key artifact: /var/tmp/csrss.exe (MD5: 4c7917741f20b5f84af8cf17ae2e2999).", "spans": {"ORGANIZATION: Secureworks": [[13, 24]], "THREAT_ACTOR: Midnight Blizzard": [[35, 52]], "CVE_ID: CVE-2023-20708": [[132, 146]], "SYSTEM: Atlassian Confluence": [[155, 175]], "EMAIL: contact@credential-check.site": [[251, 280]], "MALWARE: Conti": [[292, 297]], "MALWARE: StealC": [[337, 343]], "TOOL: GhostPack": [[352, 361]], "IP_ADDRESS: 190.128.23.86": [[409, 422]], "DOMAIN: static-cache.tech": [[427, 444]], "URL: hxxps://edge-api.cc/login": [[466, 491]], "FILEPATH: /var/tmp/csrss.exe": [[532, 550]], "HASH: 4c7917741f20b5f84af8cf17ae2e2999": [[557, 589]]}, "info": {"id": "synth_v2_01579", "source": "synthetic_v2"}} +{"text": "Blog Post by Google TAG: Tracking Granite Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2024-35928 against Ubuntu 22.04 deployments. The initial access vector involves spear-phishing emails from support@identity-verify.cc delivering FormBook. Post-compromise, the attackers deploy Play and use Chisel for reconnaissance. C2 infrastructure includes 205.221.122.93 and sync-auth.xyz. A staging server at http://login-secure.link/gate.php hosts additional tooling. 
Key artifact: C:\\Program Files\\Common Files\\winlogon.exe (SHA256: ce0bc6bbfd7c953197f2fde2e94b49f22d4d166845f73127deb5ed6c76585d5b).", "spans": {"ORGANIZATION: Google TAG": [[13, 23]], "THREAT_ACTOR: Granite Typhoon": [[34, 49]], "CVE_ID: CVE-2024-35928": [[129, 143]], "SYSTEM: Ubuntu 22.04": [[152, 164]], "EMAIL: support@identity-verify.cc": [[240, 266]], "MALWARE: FormBook": [[278, 286]], "MALWARE: Play": [[326, 330]], "TOOL: Chisel": [[339, 345]], "IP_ADDRESS: 205.221.122.93": [[393, 407]], "DOMAIN: sync-auth.xyz": [[412, 425]], "URL: http://login-secure.link/gate.php": [[447, 480]], "FILEPATH: C:\\Program Files\\Common Files\\winlogon.exe": [[521, 563]], "HASH: ce0bc6bbfd7c953197f2fde2e94b49f22d4d166845f73127deb5ed6c76585d5b": [[573, 637]]}, "info": {"id": "synth_v2_01580", "source": "synthetic_v2"}} +{"text": "Blog Post by Volexity: Tracking Storm-0558's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2022-27335 against Palo Alto PAN-OS deployments. The initial access vector involves spear-phishing emails from noreply@credential-check.site delivering TrickBot. Post-compromise, the attackers deploy REvil and use Burp Suite for reconnaissance. C2 infrastructure includes 115.225.227.74 and backup-cache.com. A staging server at https://proxyapi.online/wp-content/uploads/doc.php hosts additional tooling. 
Key artifact: /dev/shm/csrss.exe (SHA256: 108e15a4b95f2ef2b4f6cfa92d9fc771d41780eebac192d3f2330c9a1472098f).", "spans": {"ORGANIZATION: Volexity": [[13, 21]], "THREAT_ACTOR: Storm-0558": [[32, 42]], "CVE_ID: CVE-2022-27335": [[122, 136]], "SYSTEM: Palo Alto PAN-OS": [[145, 161]], "EMAIL: noreply@credential-check.site": [[237, 266]], "MALWARE: TrickBot": [[278, 286]], "MALWARE: REvil": [[326, 331]], "TOOL: Burp Suite": [[340, 350]], "IP_ADDRESS: 115.225.227.74": [[398, 412]], "DOMAIN: backup-cache.com": [[417, 433]], "URL: https://proxyapi.online/wp-content/uploads/doc.php": [[455, 505]], "FILEPATH: /dev/shm/csrss.exe": [[546, 564]], "HASH: 108e15a4b95f2ef2b4f6cfa92d9fc771d41780eebac192d3f2330c9a1472098f": [[574, 638]]}, "info": {"id": "synth_v2_01581", "source": "synthetic_v2"}} +{"text": "Blog Post by Google TAG: Tracking Volt Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2025-49086 against Juniper SRX deployments. The initial access vector involves spear-phishing emails from finance@urgent-notice.online delivering Conti. Post-compromise, the attackers deploy RemcosRAT and use LaZagne for reconnaissance. C2 infrastructure includes 172.127.50.123 and storage-auth.net. A staging server at https://sync-secure.club/api/v2/auth hosts additional tooling. 
Key artifact: /home/user/.config/csrss.exe (SHA256: 14797e8e9fefc0f7e9532123098f1004724058d4b04c540e678ded969aa38825).", "spans": {"ORGANIZATION: Google TAG": [[13, 23]], "THREAT_ACTOR: Volt Typhoon": [[34, 46]], "CVE_ID: CVE-2025-49086": [[126, 140]], "SYSTEM: Juniper SRX": [[149, 160]], "EMAIL: finance@urgent-notice.online": [[236, 264]], "MALWARE: Conti": [[276, 281]], "MALWARE: RemcosRAT": [[321, 330]], "TOOL: LaZagne": [[339, 346]], "IP_ADDRESS: 172.127.50.123": [[394, 408]], "DOMAIN: storage-auth.net": [[413, 429]], "URL: https://sync-secure.club/api/v2/auth": [[451, 487]], "FILEPATH: /home/user/.config/csrss.exe": [[528, 556]], "HASH: 14797e8e9fefc0f7e9532123098f1004724058d4b04c540e678ded969aa38825": [[566, 630]]}, "info": {"id": "synth_v2_01582", "source": "synthetic_v2"}} +{"text": "Blog Post by Symantec: Tracking TA505's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-46781 against Palo Alto PAN-OS deployments. The initial access vector involves spear-phishing emails from verify@phishing-domain.com delivering FormBook. Post-compromise, the attackers deploy PlugX and use SharpHound for reconnaissance. C2 infrastructure includes 20.240.135.24 and gateway-portal.cc. A staging server at hxxps://backupstorage.top/panel/index.html hosts additional tooling. 
Key artifact: /tmp/backdoor.elf (MD5: 56453130dc7b949fbbbe2172f0b21ef9).", "spans": {"ORGANIZATION: Symantec": [[13, 21]], "THREAT_ACTOR: TA505": [[32, 37]], "CVE_ID: CVE-2020-46781": [[117, 131]], "SYSTEM: Palo Alto PAN-OS": [[140, 156]], "EMAIL: verify@phishing-domain.com": [[232, 258]], "MALWARE: FormBook": [[270, 278]], "MALWARE: PlugX": [[318, 323]], "TOOL: SharpHound": [[332, 342]], "IP_ADDRESS: 20.240.135.24": [[390, 403]], "DOMAIN: gateway-portal.cc": [[408, 425]], "URL: hxxps://backupstorage.top/panel/index.html": [[447, 489]], "FILEPATH: /tmp/backdoor.elf": [[530, 547]], "HASH: 56453130dc7b949fbbbe2172f0b21ef9": [[554, 586]]}, "info": {"id": "synth_v2_01583", "source": "synthetic_v2"}} +{"text": "Blog Post by CrowdStrike: Tracking Silk Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2026-46256 against Cisco ASA deployments. The initial access vector involves spear-phishing emails from account@secure-verify.net delivering Conti. Post-compromise, the attackers deploy Dridex and use Merlin for reconnaissance. C2 infrastructure includes 172.14.198.27 and cdn-auth.net. A staging server at hxxp://relay-cloud.io/api/v2/auth hosts additional tooling. 
Key artifact: C:\\Windows\\Tasks\\config.dat (SHA1: 72d9accf70316f50e473b0cf5e8b14b57ab6c44b).", "spans": {"ORGANIZATION: CrowdStrike": [[13, 24]], "THREAT_ACTOR: Silk Typhoon": [[35, 47]], "CVE_ID: CVE-2026-46256": [[127, 141]], "SYSTEM: Cisco ASA": [[150, 159]], "EMAIL: account@secure-verify.net": [[235, 260]], "MALWARE: Conti": [[272, 277]], "MALWARE: Dridex": [[317, 323]], "TOOL: Merlin": [[332, 338]], "IP_ADDRESS: 172.14.198.27": [[386, 399]], "DOMAIN: cdn-auth.net": [[404, 416]], "URL: hxxp://relay-cloud.io/api/v2/auth": [[438, 471]], "FILEPATH: C:\\Windows\\Tasks\\config.dat": [[512, 539]], "HASH: 72d9accf70316f50e473b0cf5e8b14b57ab6c44b": [[547, 587]]}, "info": {"id": "synth_v2_01584", "source": "synthetic_v2"}} +{"text": "Blog Post by CrowdStrike: Tracking FIN7's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2024-27359 against Ivanti Connect Secure deployments. The initial access vector involves spear-phishing emails from finance@secure-verify.net delivering RemcosRAT. Post-compromise, the attackers deploy Amadey and use BITSAdmin for reconnaissance. C2 infrastructure includes 67.6.15.17 and storage-backup.live. A staging server at http://portal-cdn.club/panel/index.html hosts additional tooling. 
Key artifact: C:\\Users\\Public\\Documents\\ntds.dit (SHA256: c9ad87adeb44641dea3e88702c42da0d8fcad6e2a5fc25b0046477f5bdf44457).", "spans": {"ORGANIZATION: CrowdStrike": [[13, 24]], "THREAT_ACTOR: FIN7": [[35, 39]], "CVE_ID: CVE-2024-27359": [[119, 133]], "SYSTEM: Ivanti Connect Secure": [[142, 163]], "EMAIL: finance@secure-verify.net": [[239, 264]], "MALWARE: RemcosRAT": [[276, 285]], "MALWARE: Amadey": [[325, 331]], "TOOL: BITSAdmin": [[340, 349]], "IP_ADDRESS: 67.6.15.17": [[397, 407]], "DOMAIN: storage-backup.live": [[412, 431]], "URL: http://portal-cdn.club/panel/index.html": [[453, 492]], "FILEPATH: C:\\Users\\Public\\Documents\\ntds.dit": [[533, 567]], "HASH: c9ad87adeb44641dea3e88702c42da0d8fcad6e2a5fc25b0046477f5bdf44457": [[577, 641]]}, "info": {"id": "synth_v2_01585", "source": "synthetic_v2"}} +{"text": "Blog Post by Qualys: Tracking FIN11's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2022-40108 against Apache Struts deployments. The initial access vector involves spear-phishing emails from contact@mail-service.info delivering Royal. Post-compromise, the attackers deploy SystemBC and use Seatbelt for reconnaissance. C2 infrastructure includes 10.129.242.82 and portalgateway.org. A staging server at hxxp://nodelogin.org/login hosts additional tooling. 
Key artifact: C:\\Windows\\System32\\chrome_helper.exe (SHA1: a8979b5fdbc61c0d00087022fc18632cf895becd).", "spans": {"ORGANIZATION: Qualys": [[13, 19]], "THREAT_ACTOR: FIN11": [[30, 35]], "CVE_ID: CVE-2022-40108": [[115, 129]], "SYSTEM: Apache Struts": [[138, 151]], "EMAIL: contact@mail-service.info": [[227, 252]], "MALWARE: Royal": [[264, 269]], "MALWARE: SystemBC": [[309, 317]], "TOOL: Seatbelt": [[326, 334]], "IP_ADDRESS: 10.129.242.82": [[382, 395]], "DOMAIN: portalgateway.org": [[400, 417]], "URL: hxxp://nodelogin.org/login": [[439, 465]], "FILEPATH: C:\\Windows\\System32\\chrome_helper.exe": [[506, 543]], "HASH: a8979b5fdbc61c0d00087022fc18632cf895becd": [[551, 591]]}, "info": {"id": "synth_v2_01586", "source": "synthetic_v2"}} +{"text": "Blog Post by Rapid7: Tracking Lazarus Group's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2025-27219 against Windows 11 deployments. The initial access vector involves spear-phishing emails from finance@identity-verify.cc delivering XLoader. Post-compromise, the attackers deploy BatLoader and use Nmap for reconnaissance. C2 infrastructure includes 192.178.50.161 and staticlogin.xyz. A staging server at hxxp://gatewayportal.tech/api/v2/auth hosts additional tooling. 
Key artifact: /usr/local/bin/winlogon.exe (MD5: e3668e49da0ee6ca77b6d75b5c433e4f).", "spans": {"ORGANIZATION: Rapid7": [[13, 19]], "THREAT_ACTOR: Lazarus Group": [[30, 43]], "CVE_ID: CVE-2025-27219": [[123, 137]], "SYSTEM: Windows 11": [[146, 156]], "EMAIL: finance@identity-verify.cc": [[232, 258]], "MALWARE: XLoader": [[270, 277]], "MALWARE: BatLoader": [[317, 326]], "TOOL: Nmap": [[335, 339]], "IP_ADDRESS: 192.178.50.161": [[387, 401]], "DOMAIN: staticlogin.xyz": [[406, 421]], "URL: hxxp://gatewayportal.tech/api/v2/auth": [[443, 480]], "FILEPATH: /usr/local/bin/winlogon.exe": [[521, 548]], "HASH: e3668e49da0ee6ca77b6d75b5c433e4f": [[555, 587]]}, "info": {"id": "synth_v2_01587", "source": "synthetic_v2"}} +{"text": "Blog Post by Cisco Talos: Tracking Velvet Tempest's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2023-27496 against MOVEit Transfer deployments. The initial access vector involves spear-phishing emails from finance@identity-verify.cc delivering Play. Post-compromise, the attackers deploy Ryuk and use Sliver for reconnaissance. C2 infrastructure includes 3.220.17.200 and backupauth.net. A staging server at hxxp://proxy-auth.dev/admin/config hosts additional tooling. 
Key artifact: /var/tmp/taskhost.exe (SHA1: 2d007e7c1e33565f80d3c49ab463efa4367ba1b3).", "spans": {"ORGANIZATION: Cisco Talos": [[13, 24]], "THREAT_ACTOR: Velvet Tempest": [[35, 49]], "CVE_ID: CVE-2023-27496": [[129, 143]], "SYSTEM: MOVEit Transfer": [[152, 167]], "EMAIL: finance@identity-verify.cc": [[243, 269]], "MALWARE: Play": [[281, 285]], "MALWARE: Ryuk": [[325, 329]], "TOOL: Sliver": [[338, 344]], "IP_ADDRESS: 3.220.17.200": [[392, 404]], "DOMAIN: backupauth.net": [[409, 423]], "URL: hxxp://proxy-auth.dev/admin/config": [[445, 479]], "FILEPATH: /var/tmp/taskhost.exe": [[520, 541]], "HASH: 2d007e7c1e33565f80d3c49ab463efa4367ba1b3": [[549, 589]]}, "info": {"id": "synth_v2_01588", "source": "synthetic_v2"}} +{"text": "Blog Post by Huntress: Tracking Star Blizzard's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-12082 against F5 BIG-IP deployments. The initial access vector involves spear-phishing emails from finance@credential-check.site delivering Emotet. Post-compromise, the attackers deploy Qbot and use Certutil for reconnaissance. C2 infrastructure includes 148.164.231.192 and cdnauth.io. A staging server at https://update-sync.net/admin/config hosts additional tooling. 
Key artifact: /home/user/.config/beacon.dll (MD5: deb94b484cffb043cd2a1ac8af0e12c6).", "spans": {"ORGANIZATION: Huntress": [[13, 21]], "THREAT_ACTOR: Star Blizzard": [[32, 45]], "CVE_ID: CVE-2020-12082": [[125, 139]], "SYSTEM: F5 BIG-IP": [[148, 157]], "EMAIL: finance@credential-check.site": [[233, 262]], "MALWARE: Emotet": [[274, 280]], "MALWARE: Qbot": [[320, 324]], "TOOL: Certutil": [[333, 341]], "IP_ADDRESS: 148.164.231.192": [[389, 404]], "DOMAIN: cdnauth.io": [[409, 419]], "URL: https://update-sync.net/admin/config": [[441, 477]], "FILEPATH: /home/user/.config/beacon.dll": [[518, 547]], "HASH: deb94b484cffb043cd2a1ac8af0e12c6": [[554, 586]]}, "info": {"id": "synth_v2_01589", "source": "synthetic_v2"}} +{"text": "Blog Post by ESET Research: Tracking FIN7's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2026-35216 against Microsoft Exchange deployments. The initial access vector involves spear-phishing emails from hr@phishing-domain.com delivering SystemBC. Post-compromise, the attackers deploy Play and use Chisel for reconnaissance. C2 infrastructure includes 195.244.17.25 and nodemail.org. A staging server at http://dataapi.top/secure/token hosts additional tooling. 
Key artifact: /tmp/beacon.dll (SHA256: 099dbd3ad43882f07caa6a921144ecdf799a1f8014e9556082ef91ff94fb59e1).", "spans": {"ORGANIZATION: ESET Research": [[13, 26]], "THREAT_ACTOR: FIN7": [[37, 41]], "CVE_ID: CVE-2026-35216": [[121, 135]], "SYSTEM: Microsoft Exchange": [[144, 162]], "EMAIL: hr@phishing-domain.com": [[238, 260]], "MALWARE: SystemBC": [[272, 280]], "MALWARE: Play": [[320, 324]], "TOOL: Chisel": [[333, 339]], "IP_ADDRESS: 195.244.17.25": [[387, 400]], "DOMAIN: nodemail.org": [[405, 417]], "URL: http://dataapi.top/secure/token": [[439, 470]], "FILEPATH: /tmp/beacon.dll": [[511, 526]], "HASH: 099dbd3ad43882f07caa6a921144ecdf799a1f8014e9556082ef91ff94fb59e1": [[536, 600]]}, "info": {"id": "synth_v2_01590", "source": "synthetic_v2"}} +{"text": "Blog Post by CrowdStrike: Tracking Lazarus Group's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2025-45322 against Barracuda ESG deployments. The initial access vector involves spear-phishing emails from updates@account-update.xyz delivering Conti. Post-compromise, the attackers deploy PikaBot and use Hashcat for reconnaissance. C2 infrastructure includes 69.9.183.44 and storage-mail.com. A staging server at hxxps://proxycache.org/panel/index.html hosts additional tooling. 
Key artifact: C:\\Users\\admin\\Desktop\\lsass.dmp (MD5: e9e689604677074b8b40aca1db8d0536).", "spans": {"ORGANIZATION: CrowdStrike": [[13, 24]], "THREAT_ACTOR: Lazarus Group": [[35, 48]], "CVE_ID: CVE-2025-45322": [[128, 142]], "SYSTEM: Barracuda ESG": [[151, 164]], "EMAIL: updates@account-update.xyz": [[240, 266]], "MALWARE: Conti": [[278, 283]], "MALWARE: PikaBot": [[323, 330]], "TOOL: Hashcat": [[339, 346]], "IP_ADDRESS: 69.9.183.44": [[394, 405]], "DOMAIN: storage-mail.com": [[410, 426]], "URL: hxxps://proxycache.org/panel/index.html": [[448, 487]], "FILEPATH: C:\\Users\\admin\\Desktop\\lsass.dmp": [[528, 560]], "HASH: e9e689604677074b8b40aca1db8d0536": [[567, 599]]}, "info": {"id": "synth_v2_01591", "source": "synthetic_v2"}} +{"text": "Blog Post by NSA: Tracking APT29's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2022-40108 against Apache Struts deployments. The initial access vector involves spear-phishing emails from support@identity-verify.cc delivering Vidar. Post-compromise, the attackers deploy Royal and use LinPEAS for reconnaissance. C2 infrastructure includes 172.48.46.153 and synccdn.link. A staging server at hxxps://secureproxy.io/panel/index.html hosts additional tooling. 
Key artifact: /tmp/chrome_helper.exe (SHA1: ef454b124e0163623f8223e1014c400250e8147d).", "spans": {"ORGANIZATION: NSA": [[13, 16]], "THREAT_ACTOR: APT29": [[27, 32]], "CVE_ID: CVE-2022-40108": [[112, 126]], "SYSTEM: Apache Struts": [[135, 148]], "EMAIL: support@identity-verify.cc": [[224, 250]], "MALWARE: Vidar": [[262, 267]], "MALWARE: Royal": [[307, 312]], "TOOL: LinPEAS": [[321, 328]], "IP_ADDRESS: 172.48.46.153": [[376, 389]], "DOMAIN: synccdn.link": [[394, 406]], "URL: hxxps://secureproxy.io/panel/index.html": [[428, 467]], "FILEPATH: /tmp/chrome_helper.exe": [[508, 530]], "HASH: ef454b124e0163623f8223e1014c400250e8147d": [[538, 578]]}, "info": {"id": "synth_v2_01592", "source": "synthetic_v2"}} +{"text": "Blog Post by Huntress: Tracking Kimsuky's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2024-30673 against Progress Telerik deployments. The initial access vector involves spear-phishing emails from billing@urgent-notice.online delivering LockBit. Post-compromise, the attackers deploy Conti and use Brute Ratel for reconnaissance. C2 infrastructure includes 192.76.82.54 and api-secure.tech. A staging server at https://proxyproxy.org/login hosts additional tooling. 
Key artifact: /etc/cron.d/ntds.dit (SHA1: d9218ab7e99297e3288418aa3f93ef809a7ac4c6).", "spans": {"ORGANIZATION: Huntress": [[13, 21]], "THREAT_ACTOR: Kimsuky": [[32, 39]], "CVE_ID: CVE-2024-30673": [[119, 133]], "SYSTEM: Progress Telerik": [[142, 158]], "EMAIL: billing@urgent-notice.online": [[234, 262]], "MALWARE: LockBit": [[274, 281]], "MALWARE: Conti": [[321, 326]], "TOOL: Brute Ratel": [[335, 346]], "IP_ADDRESS: 192.76.82.54": [[394, 406]], "DOMAIN: api-secure.tech": [[411, 426]], "URL: https://proxyproxy.org/login": [[448, 476]], "FILEPATH: /etc/cron.d/ntds.dit": [[517, 537]], "HASH: d9218ab7e99297e3288418aa3f93ef809a7ac4c6": [[545, 585]]}, "info": {"id": "synth_v2_01593", "source": "synthetic_v2"}} +{"text": "Blog Post by Palo Alto Unit 42: Tracking Storm-0558's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2021-37696 against Active Directory deployments. The initial access vector involves spear-phishing emails from alert@mail-service.info delivering DarkSide. Post-compromise, the attackers deploy ShadowPad and use WinPEAS for reconnaissance. C2 infrastructure includes 10.142.89.128 and cloudlogin.xyz. A staging server at http://proxydata.club/portal/verify hosts additional tooling. 
Key artifact: C:\\Windows\\System32\\svchost.exe (SHA256: 229b3e7cdfddff1b1d98a27c7e46e7e80d2441d80aa86aed506f8bc1fc6cae17).", "spans": {"ORGANIZATION: Palo Alto Unit 42": [[13, 30]], "THREAT_ACTOR: Storm-0558": [[41, 51]], "CVE_ID: CVE-2021-37696": [[131, 145]], "SYSTEM: Active Directory": [[154, 170]], "EMAIL: alert@mail-service.info": [[246, 269]], "MALWARE: DarkSide": [[281, 289]], "MALWARE: ShadowPad": [[329, 338]], "TOOL: WinPEAS": [[347, 354]], "IP_ADDRESS: 10.142.89.128": [[402, 415]], "DOMAIN: cloudlogin.xyz": [[420, 434]], "URL: http://proxydata.club/portal/verify": [[456, 491]], "FILEPATH: C:\\Windows\\System32\\svchost.exe": [[532, 563]], "HASH: 229b3e7cdfddff1b1d98a27c7e46e7e80d2441d80aa86aed506f8bc1fc6cae17": [[573, 637]]}, "info": {"id": "synth_v2_01594", "source": "synthetic_v2"}} +{"text": "Blog Post by INTERPOL: Tracking FIN11's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2023-34911 against F5 BIG-IP deployments. The initial access vector involves spear-phishing emails from admin@document-share.link delivering DarkSide. Post-compromise, the attackers deploy Cobalt Strike and use Brute Ratel for reconnaissance. C2 infrastructure includes 29.189.233.17 and loginstorage.com. A staging server at https://cachelogin.top/wp-content/uploads/doc.php hosts additional tooling. 
Key artifact: /etc/cron.d/csrss.exe (SHA1: e1b2fddd034c57fe746d514b09fc9dfce7993274).", "spans": {"ORGANIZATION: INTERPOL": [[13, 21]], "THREAT_ACTOR: FIN11": [[32, 37]], "CVE_ID: CVE-2023-34911": [[117, 131]], "SYSTEM: F5 BIG-IP": [[140, 149]], "EMAIL: admin@document-share.link": [[225, 250]], "MALWARE: DarkSide": [[262, 270]], "MALWARE: Cobalt Strike": [[310, 323]], "TOOL: Brute Ratel": [[332, 343]], "IP_ADDRESS: 29.189.233.17": [[391, 404]], "DOMAIN: loginstorage.com": [[409, 425]], "URL: https://cachelogin.top/wp-content/uploads/doc.php": [[447, 496]], "FILEPATH: /etc/cron.d/csrss.exe": [[537, 558]], "HASH: e1b2fddd034c57fe746d514b09fc9dfce7993274": [[566, 606]]}, "info": {"id": "synth_v2_01595", "source": "synthetic_v2"}} +{"text": "Blog Post by Secureworks: Tracking Salt Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2022-28965 against Cisco ASA deployments. The initial access vector involves spear-phishing emails from info@account-update.xyz delivering Latrodectus. Post-compromise, the attackers deploy Qbot and use PowerShell Empire for reconnaissance. C2 infrastructure includes 172.93.250.54 and cachemail.online. A staging server at hxxps://data-node.club/callback hosts additional tooling. 
Key artifact: C:\\Windows\\System32\\chrome_helper.exe (SHA1: 3f45cf9f31e618ea1d4e6fcaf875a48b0b8ff6da).", "spans": {"ORGANIZATION: Secureworks": [[13, 24]], "THREAT_ACTOR: Salt Typhoon": [[35, 47]], "CVE_ID: CVE-2022-28965": [[127, 141]], "SYSTEM: Cisco ASA": [[150, 159]], "EMAIL: info@account-update.xyz": [[235, 258]], "MALWARE: Latrodectus": [[270, 281]], "MALWARE: Qbot": [[321, 325]], "TOOL: PowerShell Empire": [[334, 351]], "IP_ADDRESS: 172.93.250.54": [[399, 412]], "DOMAIN: cachemail.online": [[417, 433]], "URL: hxxps://data-node.club/callback": [[455, 486]], "FILEPATH: C:\\Windows\\System32\\chrome_helper.exe": [[527, 564]], "HASH: 3f45cf9f31e618ea1d4e6fcaf875a48b0b8ff6da": [[572, 612]]}, "info": {"id": "synth_v2_01596", "source": "synthetic_v2"}} +{"text": "Blog Post by ESET Research: Tracking Scattered Spider's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2022-22601 against Windows 11 deployments. The initial access vector involves spear-phishing emails from alert@account-update.xyz delivering Ryuk. Post-compromise, the attackers deploy IcedID and use PsExec for reconnaissance. C2 infrastructure includes 10.243.168.49 and cdnsecure.live. A staging server at https://portalcache.info/assets/js/payload.js hosts additional tooling. 
Key artifact: /tmp/payload.bin (SHA1: 3dc28f2fd02408ac40c9aa5d3c1c44aa207aa25d).", "spans": {"ORGANIZATION: ESET Research": [[13, 26]], "THREAT_ACTOR: Scattered Spider": [[37, 53]], "CVE_ID: CVE-2022-22601": [[133, 147]], "SYSTEM: Windows 11": [[156, 166]], "EMAIL: alert@account-update.xyz": [[242, 266]], "MALWARE: Ryuk": [[278, 282]], "MALWARE: IcedID": [[322, 328]], "TOOL: PsExec": [[337, 343]], "IP_ADDRESS: 10.243.168.49": [[391, 404]], "DOMAIN: cdnsecure.live": [[409, 423]], "URL: https://portalcache.info/assets/js/payload.js": [[445, 490]], "FILEPATH: /tmp/payload.bin": [[531, 547]], "HASH: 3dc28f2fd02408ac40c9aa5d3c1c44aa207aa25d": [[555, 595]]}, "info": {"id": "synth_v2_01597", "source": "synthetic_v2"}} +{"text": "Blog Post by Tenable: Tracking Aqua Blizzard's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2022-12847 against Windows 11 deployments. The initial access vector involves spear-phishing emails from it@urgent-notice.online delivering BlackCat. Post-compromise, the attackers deploy DarkSide and use PsExec for reconnaissance. C2 infrastructure includes 202.127.164.227 and cdncache.info. A staging server at http://cache-auth.xyz/login hosts additional tooling. 
Key artifact: C:\\Windows\\Tasks\\loader.exe (SHA1: 77bcd6fd2d32302da2c7d904848df78b5fe9ca47).", "spans": {"ORGANIZATION: Tenable": [[13, 20]], "THREAT_ACTOR: Aqua Blizzard": [[31, 44]], "CVE_ID: CVE-2022-12847": [[124, 138]], "SYSTEM: Windows 11": [[147, 157]], "EMAIL: it@urgent-notice.online": [[233, 256]], "MALWARE: BlackCat": [[268, 276]], "MALWARE: DarkSide": [[316, 324]], "TOOL: PsExec": [[333, 339]], "IP_ADDRESS: 202.127.164.227": [[387, 402]], "DOMAIN: cdncache.info": [[407, 420]], "URL: http://cache-auth.xyz/login": [[442, 469]], "FILEPATH: C:\\Windows\\Tasks\\loader.exe": [[510, 537]], "HASH: 77bcd6fd2d32302da2c7d904848df78b5fe9ca47": [[545, 585]]}, "info": {"id": "synth_v2_01598", "source": "synthetic_v2"}} +{"text": "Blog Post by Cisco Talos: Tracking Ember Bear's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2022-28965 against VMware ESXi deployments. The initial access vector involves spear-phishing emails from info@credential-check.site delivering Meduza Stealer. Post-compromise, the attackers deploy REvil and use Metasploit for reconnaissance. C2 infrastructure includes 209.95.71.97 and node-update.cc. A staging server at hxxps://relay-api.tech/collect hosts additional tooling. 
Key artifact: /home/user/.config/backdoor.elf (SHA256: 6e24dbce81d1e70d1a18fc4c43bbccb71c4a9c6c1c2fa6f0bb93c85f84a8221a).", "spans": {"ORGANIZATION: Cisco Talos": [[13, 24]], "THREAT_ACTOR: Ember Bear": [[35, 45]], "CVE_ID: CVE-2022-28965": [[125, 139]], "SYSTEM: VMware ESXi": [[148, 159]], "EMAIL: info@credential-check.site": [[235, 261]], "MALWARE: Meduza Stealer": [[273, 287]], "MALWARE: REvil": [[327, 332]], "TOOL: Metasploit": [[341, 351]], "IP_ADDRESS: 209.95.71.97": [[399, 411]], "DOMAIN: node-update.cc": [[416, 430]], "URL: hxxps://relay-api.tech/collect": [[452, 482]], "FILEPATH: /home/user/.config/backdoor.elf": [[523, 554]], "HASH: 6e24dbce81d1e70d1a18fc4c43bbccb71c4a9c6c1c2fa6f0bb93c85f84a8221a": [[564, 628]]}, "info": {"id": "synth_v2_01599", "source": "synthetic_v2"}} +{"text": "Blog Post by Secureworks: Tracking Gamaredon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2023-39714 against Barracuda ESG deployments. The initial access vector involves spear-phishing emails from notification@mail-service.info delivering WarmCookie. Post-compromise, the attackers deploy Latrodectus and use GhostPack for reconnaissance. C2 infrastructure includes 10.227.142.253 and dataedge.net. A staging server at hxxps://data-cloud.online/admin/config hosts additional tooling. 
Key artifact: C:\\Users\\admin\\Desktop\\config.dat (MD5: 7564e8797215c4d90b8c07b5b289eb1f).", "spans": {"ORGANIZATION: Secureworks": [[13, 24]], "THREAT_ACTOR: Gamaredon": [[35, 44]], "CVE_ID: CVE-2023-39714": [[124, 138]], "SYSTEM: Barracuda ESG": [[147, 160]], "EMAIL: notification@mail-service.info": [[236, 266]], "MALWARE: WarmCookie": [[278, 288]], "MALWARE: Latrodectus": [[328, 339]], "TOOL: GhostPack": [[348, 357]], "IP_ADDRESS: 10.227.142.253": [[405, 419]], "DOMAIN: dataedge.net": [[424, 436]], "URL: hxxps://data-cloud.online/admin/config": [[458, 496]], "FILEPATH: C:\\Users\\admin\\Desktop\\config.dat": [[537, 570]], "HASH: 7564e8797215c4d90b8c07b5b289eb1f": [[577, 609]]}, "info": {"id": "synth_v2_01600", "source": "synthetic_v2"}} +{"text": "Blog Post by Trend Micro: Tracking Flax Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-45741 against Zyxel USG deployments. The initial access vector involves spear-phishing emails from account@phishing-domain.com delivering RedLine Stealer. Post-compromise, the attackers deploy RemcosRAT and use Burp Suite for reconnaissance. C2 infrastructure includes 4.7.164.234 and mail-storage.top. A staging server at hxxps://cloud-sync.io/admin/config hosts additional tooling. 
Key artifact: C:\\Users\\admin\\Downloads\\shell.php (SHA256: 6ccecba87cb8cc3951c642ae3ab41d79a10bf5022e6db0cf79943af3f72de5b7).", "spans": {"ORGANIZATION: Trend Micro": [[13, 24]], "THREAT_ACTOR: Flax Typhoon": [[35, 47]], "CVE_ID: CVE-2020-45741": [[127, 141]], "SYSTEM: Zyxel USG": [[150, 159]], "EMAIL: account@phishing-domain.com": [[235, 262]], "MALWARE: RedLine Stealer": [[274, 289]], "MALWARE: RemcosRAT": [[329, 338]], "TOOL: Burp Suite": [[347, 357]], "IP_ADDRESS: 4.7.164.234": [[405, 416]], "DOMAIN: mail-storage.top": [[421, 437]], "URL: hxxps://cloud-sync.io/admin/config": [[459, 493]], "FILEPATH: C:\\Users\\admin\\Downloads\\shell.php": [[534, 568]], "HASH: 6ccecba87cb8cc3951c642ae3ab41d79a10bf5022e6db0cf79943af3f72de5b7": [[578, 642]]}, "info": {"id": "synth_v2_01601", "source": "synthetic_v2"}} +{"text": "Blog Post by Check Point Research: Tracking Aqua Blizzard's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-24328 against Citrix NetScaler deployments. The initial access vector involves spear-phishing emails from alert@auth-check.org delivering Play. Post-compromise, the attackers deploy PikaBot and use Hashcat for reconnaissance. C2 infrastructure includes 126.246.84.247 and nodeproxy.club. A staging server at https://datarelay.net/callback hosts additional tooling. 
Key artifact: /var/tmp/runtime.dll (MD5: c8378e7f469fc81b131edebeb8a63602).", "spans": {"ORGANIZATION: Check Point Research": [[13, 33]], "THREAT_ACTOR: Aqua Blizzard": [[44, 57]], "CVE_ID: CVE-2020-24328": [[137, 151]], "SYSTEM: Citrix NetScaler": [[160, 176]], "EMAIL: alert@auth-check.org": [[252, 272]], "MALWARE: Play": [[284, 288]], "MALWARE: PikaBot": [[328, 335]], "TOOL: Hashcat": [[344, 351]], "IP_ADDRESS: 126.246.84.247": [[399, 413]], "DOMAIN: nodeproxy.club": [[418, 432]], "URL: https://datarelay.net/callback": [[454, 484]], "FILEPATH: /var/tmp/runtime.dll": [[525, 545]], "HASH: c8378e7f469fc81b131edebeb8a63602": [[552, 584]]}, "info": {"id": "synth_v2_01602", "source": "synthetic_v2"}} +{"text": "Blog Post by Volexity: Tracking APT29's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2025-48242 against SonicWall SMA deployments. The initial access vector involves spear-phishing emails from helpdesk@phishing-domain.com delivering PlugX. Post-compromise, the attackers deploy TrickBot and use Ligolo for reconnaissance. C2 infrastructure includes 16.205.109.196 and api-auth.cc. A staging server at https://gateway-api.net/secure/token hosts additional tooling. 
Key artifact: /var/tmp/beacon.dll (SHA1: 769a5d8ca2c330b27258e22d4ef1c75099eeb1c9).", "spans": {"ORGANIZATION: Volexity": [[13, 21]], "THREAT_ACTOR: APT29": [[32, 37]], "CVE_ID: CVE-2025-48242": [[117, 131]], "SYSTEM: SonicWall SMA": [[140, 153]], "EMAIL: helpdesk@phishing-domain.com": [[229, 257]], "MALWARE: PlugX": [[269, 274]], "MALWARE: TrickBot": [[314, 322]], "TOOL: Ligolo": [[331, 337]], "IP_ADDRESS: 16.205.109.196": [[385, 399]], "DOMAIN: api-auth.cc": [[404, 415]], "URL: https://gateway-api.net/secure/token": [[437, 473]], "FILEPATH: /var/tmp/beacon.dll": [[514, 533]], "HASH: 769a5d8ca2c330b27258e22d4ef1c75099eeb1c9": [[541, 581]]}, "info": {"id": "synth_v2_01603", "source": "synthetic_v2"}} +{"text": "Blog Post by Cisco Talos: Tracking Aqua Blizzard's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-24328 against Microsoft Exchange deployments. The initial access vector involves spear-phishing emails from finance@auth-check.org delivering Conti. Post-compromise, the attackers deploy Hive and use Nmap for reconnaissance. C2 infrastructure includes 127.39.238.3 and proxy-cache.top. A staging server at hxxp://update-gateway.net/login hosts additional tooling. 
Key artifact: C:\\Windows\\System32\\update.dll (SHA256: 2787c9cc2a0e8a5bd5d753c78b4033124deec11e928c4fa6236d7e4f44e95bda).", "spans": {"ORGANIZATION: Cisco Talos": [[13, 24]], "THREAT_ACTOR: Aqua Blizzard": [[35, 48]], "CVE_ID: CVE-2020-24328": [[128, 142]], "SYSTEM: Microsoft Exchange": [[151, 169]], "EMAIL: finance@auth-check.org": [[245, 267]], "MALWARE: Conti": [[279, 284]], "MALWARE: Hive": [[324, 328]], "TOOL: Nmap": [[337, 341]], "IP_ADDRESS: 127.39.238.3": [[389, 401]], "DOMAIN: proxy-cache.top": [[406, 421]], "URL: hxxp://update-gateway.net/login": [[443, 474]], "FILEPATH: C:\\Windows\\System32\\update.dll": [[515, 545]], "HASH: 2787c9cc2a0e8a5bd5d753c78b4033124deec11e928c4fa6236d7e4f44e95bda": [[555, 619]]}, "info": {"id": "synth_v2_01604", "source": "synthetic_v2"}} +{"text": "Blog Post by FBI: Tracking Mustang Panda's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2023-27496 against Zyxel USG deployments. The initial access vector involves spear-phishing emails from notification@document-share.link delivering Ryuk. Post-compromise, the attackers deploy Vidar and use Rubeus for reconnaissance. C2 infrastructure includes 33.152.220.144 and proxydata.org. A staging server at http://storagecdn.link/secure/token hosts additional tooling. 
Key artifact: C:\\Windows\\Temp\\winlogon.exe (SHA256: a455c00d8318a8ebbb0967c4a38fccb68f67dc19ff43b38e8b1f933af87dd256).", "spans": {"ORGANIZATION: FBI": [[13, 16]], "THREAT_ACTOR: Mustang Panda": [[27, 40]], "CVE_ID: CVE-2023-27496": [[120, 134]], "SYSTEM: Zyxel USG": [[143, 152]], "EMAIL: notification@document-share.link": [[228, 260]], "MALWARE: Ryuk": [[272, 276]], "MALWARE: Vidar": [[316, 321]], "TOOL: Rubeus": [[330, 336]], "IP_ADDRESS: 33.152.220.144": [[384, 398]], "DOMAIN: proxydata.org": [[403, 416]], "URL: http://storagecdn.link/secure/token": [[438, 473]], "FILEPATH: C:\\Windows\\Temp\\winlogon.exe": [[514, 542]], "HASH: a455c00d8318a8ebbb0967c4a38fccb68f67dc19ff43b38e8b1f933af87dd256": [[552, 616]]}, "info": {"id": "synth_v2_01605", "source": "synthetic_v2"}} +{"text": "Blog Post by Secureworks: Tracking Silk Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2025-15957 against Progress Telerik deployments. The initial access vector involves spear-phishing emails from ceo@phishing-domain.com delivering Play. Post-compromise, the attackers deploy Raccoon Stealer and use GhostPack for reconnaissance. C2 infrastructure includes 10.12.230.253 and cdn-static.tech. A staging server at hxxp://edgestatic.com/secure/token hosts additional tooling. 
Key artifact: C:\\Users\\Public\\Documents\\shell.php (SHA1: 3cac576fad6183b3efd9439c0ee9a7fc1a40becf).", "spans": {"ORGANIZATION: Secureworks": [[13, 24]], "THREAT_ACTOR: Silk Typhoon": [[35, 47]], "CVE_ID: CVE-2025-15957": [[127, 141]], "SYSTEM: Progress Telerik": [[150, 166]], "EMAIL: ceo@phishing-domain.com": [[242, 265]], "MALWARE: Play": [[277, 281]], "MALWARE: Raccoon Stealer": [[321, 336]], "TOOL: GhostPack": [[345, 354]], "IP_ADDRESS: 10.12.230.253": [[402, 415]], "DOMAIN: cdn-static.tech": [[420, 435]], "URL: hxxp://edgestatic.com/secure/token": [[457, 491]], "FILEPATH: C:\\Users\\Public\\Documents\\shell.php": [[532, 567]], "HASH: 3cac576fad6183b3efd9439c0ee9a7fc1a40becf": [[575, 615]]}, "info": {"id": "synth_v2_01606", "source": "synthetic_v2"}} +{"text": "Blog Post by INTERPOL: Tracking Velvet Tempest's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2023-33283 against Active Directory deployments. The initial access vector involves spear-phishing emails from info@auth-check.org delivering FormBook. Post-compromise, the attackers deploy WarmCookie and use Havoc for reconnaissance. C2 infrastructure includes 112.167.228.191 and relay-sync.info. A staging server at hxxps://cdn-storage.info/admin/config hosts additional tooling. 
Key artifact: /opt/app/bin/ntds.dit (MD5: 431c16d3539a75624e8c1a83920d18a4).", "spans": {"ORGANIZATION: INTERPOL": [[13, 21]], "THREAT_ACTOR: Velvet Tempest": [[32, 46]], "CVE_ID: CVE-2023-33283": [[126, 140]], "SYSTEM: Active Directory": [[149, 165]], "EMAIL: info@auth-check.org": [[241, 260]], "MALWARE: FormBook": [[272, 280]], "MALWARE: WarmCookie": [[320, 330]], "TOOL: Havoc": [[339, 344]], "IP_ADDRESS: 112.167.228.191": [[392, 407]], "DOMAIN: relay-sync.info": [[412, 427]], "URL: hxxps://cdn-storage.info/admin/config": [[449, 486]], "FILEPATH: /opt/app/bin/ntds.dit": [[527, 548]], "HASH: 431c16d3539a75624e8c1a83920d18a4": [[555, 587]]}, "info": {"id": "synth_v2_01607", "source": "synthetic_v2"}} +{"text": "Blog Post by FBI: Tracking Granite Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2022-40108 against Windows 11 deployments. The initial access vector involves spear-phishing emails from info@mail-service.info delivering SystemBC. Post-compromise, the attackers deploy Emotet and use BITSAdmin for reconnaissance. C2 infrastructure includes 192.201.255.205 and staticstatic.top. A staging server at hxxp://cdn-update.net/portal/verify hosts additional tooling. 
Key artifact: C:\\Users\\admin\\AppData\\Local\\Temp\\csrss.exe (SHA1: 70d6aa985369b6d1b7b54e335a49efee890e1d2a).", "spans": {"ORGANIZATION: FBI": [[13, 16]], "THREAT_ACTOR: Granite Typhoon": [[27, 42]], "CVE_ID: CVE-2022-40108": [[122, 136]], "SYSTEM: Windows 11": [[145, 155]], "EMAIL: info@mail-service.info": [[231, 253]], "MALWARE: SystemBC": [[265, 273]], "MALWARE: Emotet": [[313, 319]], "TOOL: BITSAdmin": [[328, 337]], "IP_ADDRESS: 192.201.255.205": [[385, 400]], "DOMAIN: staticstatic.top": [[405, 421]], "URL: hxxp://cdn-update.net/portal/verify": [[443, 478]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\csrss.exe": [[519, 562]], "HASH: 70d6aa985369b6d1b7b54e335a49efee890e1d2a": [[570, 610]]}, "info": {"id": "synth_v2_01608", "source": "synthetic_v2"}} +{"text": "Blog Post by Volexity: Tracking UNC2452's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2026-49052 against Windows Server 2019 deployments. The initial access vector involves spear-phishing emails from finance@identity-verify.cc delivering WarmCookie. Post-compromise, the attackers deploy QakBot and use Ligolo for reconnaissance. C2 infrastructure includes 172.139.221.92 and nodesync.com. A staging server at https://update-cdn.dev/login hosts additional tooling. 
Key artifact: /usr/local/bin/csrss.exe (SHA256: 0e6f53961d85d03760ada02405930682acb37f9a439daa55ebb99ed194f8d8f7).", "spans": {"ORGANIZATION: Volexity": [[13, 21]], "THREAT_ACTOR: UNC2452": [[32, 39]], "CVE_ID: CVE-2026-49052": [[119, 133]], "SYSTEM: Windows Server 2019": [[142, 161]], "EMAIL: finance@identity-verify.cc": [[237, 263]], "MALWARE: WarmCookie": [[275, 285]], "MALWARE: QakBot": [[325, 331]], "TOOL: Ligolo": [[340, 346]], "IP_ADDRESS: 172.139.221.92": [[394, 408]], "DOMAIN: nodesync.com": [[413, 425]], "URL: https://update-cdn.dev/login": [[447, 475]], "FILEPATH: /usr/local/bin/csrss.exe": [[516, 540]], "HASH: 0e6f53961d85d03760ada02405930682acb37f9a439daa55ebb99ed194f8d8f7": [[550, 614]]}, "info": {"id": "synth_v2_01609", "source": "synthetic_v2"}} +{"text": "Blog Post by Kaspersky GReAT: Tracking Gamaredon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2022-14558 against Apache Struts deployments. The initial access vector involves spear-phishing emails from contact@phishing-domain.com delivering ShadowPad. Post-compromise, the attackers deploy Raccoon Stealer and use LaZagne for reconnaissance. C2 infrastructure includes 90.87.184.105 and backup-edge.cc. A staging server at hxxp://backup-portal.site/secure/token hosts additional tooling. 
Key artifact: C:\\ProgramData\\runtime.dll (MD5: 1f83ffe9c071dad78a93b049c78d218e).", "spans": {"ORGANIZATION: Kaspersky GReAT": [[13, 28]], "THREAT_ACTOR: Gamaredon": [[39, 48]], "CVE_ID: CVE-2022-14558": [[128, 142]], "SYSTEM: Apache Struts": [[151, 164]], "EMAIL: contact@phishing-domain.com": [[240, 267]], "MALWARE: ShadowPad": [[279, 288]], "MALWARE: Raccoon Stealer": [[328, 343]], "TOOL: LaZagne": [[352, 359]], "IP_ADDRESS: 90.87.184.105": [[407, 420]], "DOMAIN: backup-edge.cc": [[425, 439]], "URL: hxxp://backup-portal.site/secure/token": [[461, 499]], "FILEPATH: C:\\ProgramData\\runtime.dll": [[540, 566]], "HASH: 1f83ffe9c071dad78a93b049c78d218e": [[573, 605]]}, "info": {"id": "synth_v2_01610", "source": "synthetic_v2"}} +{"text": "Blog Post by NSA: Tracking APT29's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2021-23031 against Ubuntu 22.04 deployments. The initial access vector involves spear-phishing emails from alert@auth-check.org delivering Amadey. Post-compromise, the attackers deploy StealC and use Hashcat for reconnaissance. C2 infrastructure includes 10.54.196.91 and mail-cdn.io. A staging server at hxxps://mail-cache.tech/portal/verify hosts additional tooling. 
Key artifact: C:\\Windows\\Temp\\sam.hive (SHA256: dd72b5d26dfb6da6527fccac226d9acc8294987f9a80aab77c9ffaf400bb22da).", "spans": {"ORGANIZATION: NSA": [[13, 16]], "THREAT_ACTOR: APT29": [[27, 32]], "CVE_ID: CVE-2021-23031": [[112, 126]], "SYSTEM: Ubuntu 22.04": [[135, 147]], "EMAIL: alert@auth-check.org": [[223, 243]], "MALWARE: Amadey": [[255, 261]], "MALWARE: StealC": [[301, 307]], "TOOL: Hashcat": [[316, 323]], "IP_ADDRESS: 10.54.196.91": [[371, 383]], "DOMAIN: mail-cdn.io": [[388, 399]], "URL: hxxps://mail-cache.tech/portal/verify": [[421, 458]], "FILEPATH: C:\\Windows\\Temp\\sam.hive": [[499, 523]], "HASH: dd72b5d26dfb6da6527fccac226d9acc8294987f9a80aab77c9ffaf400bb22da": [[533, 597]]}, "info": {"id": "synth_v2_01611", "source": "synthetic_v2"}} +{"text": "Blog Post by Qualys: Tracking Flax Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-11739 against SonicWall SMA deployments. The initial access vector involves spear-phishing emails from support@account-update.xyz delivering IcedID. Post-compromise, the attackers deploy Qbot and use Nmap for reconnaissance. C2 infrastructure includes 124.247.198.225 and auth-cdn.club. A staging server at http://secure-data.net/callback hosts additional tooling. 
Key artifact: /etc/cron.d/agent.py (MD5: 7aee183dbf14f7d53e1e34402a8c244d).", "spans": {"ORGANIZATION: Qualys": [[13, 19]], "THREAT_ACTOR: Flax Typhoon": [[30, 42]], "CVE_ID: CVE-2020-11739": [[122, 136]], "SYSTEM: SonicWall SMA": [[145, 158]], "EMAIL: support@account-update.xyz": [[234, 260]], "MALWARE: IcedID": [[272, 278]], "MALWARE: Qbot": [[318, 322]], "TOOL: Nmap": [[331, 335]], "IP_ADDRESS: 124.247.198.225": [[383, 398]], "DOMAIN: auth-cdn.club": [[403, 416]], "URL: http://secure-data.net/callback": [[438, 469]], "FILEPATH: /etc/cron.d/agent.py": [[510, 530]], "HASH: 7aee183dbf14f7d53e1e34402a8c244d": [[537, 569]]}, "info": {"id": "synth_v2_01612", "source": "synthetic_v2"}} +{"text": "Blog Post by Proofpoint: Tracking Kimsuky's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2023-26043 against Active Directory deployments. The initial access vector involves spear-phishing emails from updates@account-update.xyz delivering FormBook. Post-compromise, the attackers deploy BatLoader and use Nmap for reconnaissance. C2 infrastructure includes 152.214.144.94 and sync-backup.net. A staging server at hxxps://secure-node.dev/api/v2/auth hosts additional tooling. 
Key artifact: /usr/local/bin/backdoor.elf (SHA256: 4297e10d3eb510192ad6cbd31213d4dcde9d0d0578ae29c7441598ee6c470991).", "spans": {"ORGANIZATION: Proofpoint": [[13, 23]], "THREAT_ACTOR: Kimsuky": [[34, 41]], "CVE_ID: CVE-2023-26043": [[121, 135]], "SYSTEM: Active Directory": [[144, 160]], "EMAIL: updates@account-update.xyz": [[236, 262]], "MALWARE: FormBook": [[274, 282]], "MALWARE: BatLoader": [[322, 331]], "TOOL: Nmap": [[340, 344]], "IP_ADDRESS: 152.214.144.94": [[392, 406]], "DOMAIN: sync-backup.net": [[411, 426]], "URL: hxxps://secure-node.dev/api/v2/auth": [[448, 483]], "FILEPATH: /usr/local/bin/backdoor.elf": [[524, 551]], "HASH: 4297e10d3eb510192ad6cbd31213d4dcde9d0d0578ae29c7441598ee6c470991": [[561, 625]]}, "info": {"id": "synth_v2_01613", "source": "synthetic_v2"}} +{"text": "Blog Post by Huntress: Tracking Ember Bear's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2025-37666 against Atlassian Confluence deployments. The initial access vector involves spear-phishing emails from notification@account-update.xyz delivering StealC. Post-compromise, the attackers deploy REvil and use Seatbelt for reconnaissance. C2 infrastructure includes 192.136.153.249 and updateupdate.cc. A staging server at https://portalstorage.live/callback hosts additional tooling. 
Key artifact: /home/user/.config/dropper.ps1 (SHA256: 419f7d6ee6da01357af16f5198fc13f4907e4760ed83e99184208bd777a68e42).", "spans": {"ORGANIZATION: Huntress": [[13, 21]], "THREAT_ACTOR: Ember Bear": [[32, 42]], "CVE_ID: CVE-2025-37666": [[122, 136]], "SYSTEM: Atlassian Confluence": [[145, 165]], "EMAIL: notification@account-update.xyz": [[241, 272]], "MALWARE: StealC": [[284, 290]], "MALWARE: REvil": [[330, 335]], "TOOL: Seatbelt": [[344, 352]], "IP_ADDRESS: 192.136.153.249": [[400, 415]], "DOMAIN: updateupdate.cc": [[420, 435]], "URL: https://portalstorage.live/callback": [[457, 492]], "FILEPATH: /home/user/.config/dropper.ps1": [[533, 563]], "HASH: 419f7d6ee6da01357af16f5198fc13f4907e4760ed83e99184208bd777a68e42": [[573, 637]]}, "info": {"id": "synth_v2_01614", "source": "synthetic_v2"}} +{"text": "Blog Post by Volexity: Tracking Flax Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-24628 against F5 BIG-IP deployments. The initial access vector involves spear-phishing emails from noreply@auth-check.org delivering BatLoader. Post-compromise, the attackers deploy Qbot and use Certutil for reconnaissance. C2 infrastructure includes 172.203.244.108 and cacheproxy.dev. A staging server at https://relay-node.com/wp-content/uploads/doc.php hosts additional tooling. 
Key artifact: C:\\Users\\Public\\Documents\\shell.php (MD5: ff7db5eeadfae91a09a64659eb7107ad).", "spans": {"ORGANIZATION: Volexity": [[13, 21]], "THREAT_ACTOR: Flax Typhoon": [[32, 44]], "CVE_ID: CVE-2020-24628": [[124, 138]], "SYSTEM: F5 BIG-IP": [[147, 156]], "EMAIL: noreply@auth-check.org": [[232, 254]], "MALWARE: BatLoader": [[266, 275]], "MALWARE: Qbot": [[315, 319]], "TOOL: Certutil": [[328, 336]], "IP_ADDRESS: 172.203.244.108": [[384, 399]], "DOMAIN: cacheproxy.dev": [[404, 418]], "URL: https://relay-node.com/wp-content/uploads/doc.php": [[440, 489]], "FILEPATH: C:\\Users\\Public\\Documents\\shell.php": [[530, 565]], "HASH: ff7db5eeadfae91a09a64659eb7107ad": [[572, 604]]}, "info": {"id": "synth_v2_01615", "source": "synthetic_v2"}} +{"text": "Blog Post by Palo Alto Unit 42: Tracking Salt Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2025-24373 against Citrix NetScaler deployments. The initial access vector involves spear-phishing emails from it@account-update.xyz delivering WarmCookie. Post-compromise, the attackers deploy ShadowPad and use Metasploit for reconnaissance. C2 infrastructure includes 79.226.222.207 and gatewaygateway.club. A staging server at hxxps://cdnstatic.net/collect hosts additional tooling. 
Key artifact: C:\\Users\\admin\\Desktop\\backdoor.elf (SHA256: 644973ad069594c6d8868b36867458802ce4a5cda1cf3999583fe3df7c0e5bd0).", "spans": {"ORGANIZATION: Palo Alto Unit 42": [[13, 30]], "THREAT_ACTOR: Salt Typhoon": [[41, 53]], "CVE_ID: CVE-2025-24373": [[133, 147]], "SYSTEM: Citrix NetScaler": [[156, 172]], "EMAIL: it@account-update.xyz": [[248, 269]], "MALWARE: WarmCookie": [[281, 291]], "MALWARE: ShadowPad": [[331, 340]], "TOOL: Metasploit": [[349, 359]], "IP_ADDRESS: 79.226.222.207": [[407, 421]], "DOMAIN: gatewaygateway.club": [[426, 445]], "URL: hxxps://cdnstatic.net/collect": [[467, 496]], "FILEPATH: C:\\Users\\admin\\Desktop\\backdoor.elf": [[537, 572]], "HASH: 644973ad069594c6d8868b36867458802ce4a5cda1cf3999583fe3df7c0e5bd0": [[582, 646]]}, "info": {"id": "synth_v2_01616", "source": "synthetic_v2"}} +{"text": "Blog Post by Microsoft MSRC: Tracking Scattered Spider's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2021-20463 against Zyxel USG deployments. The initial access vector involves spear-phishing emails from notification@identity-verify.cc delivering DanaBot. Post-compromise, the attackers deploy Meduza Stealer and use SharpHound for reconnaissance. C2 infrastructure includes 222.254.7.136 and gatewayrelay.tech. A staging server at http://update-mail.live/assets/js/payload.js hosts additional tooling. 
Key artifact: /dev/shm/update.dll (SHA256: 615657959884cd350ee3b767ed1cbcced1ce83b64d7ac74c788d8ecbd2f278b4).", "spans": {"ORGANIZATION: Microsoft MSRC": [[13, 27]], "THREAT_ACTOR: Scattered Spider": [[38, 54]], "CVE_ID: CVE-2021-20463": [[134, 148]], "SYSTEM: Zyxel USG": [[157, 166]], "EMAIL: notification@identity-verify.cc": [[242, 273]], "MALWARE: DanaBot": [[285, 292]], "MALWARE: Meduza Stealer": [[332, 346]], "TOOL: SharpHound": [[355, 365]], "IP_ADDRESS: 222.254.7.136": [[413, 426]], "DOMAIN: gatewayrelay.tech": [[431, 448]], "URL: http://update-mail.live/assets/js/payload.js": [[470, 514]], "FILEPATH: /dev/shm/update.dll": [[555, 574]], "HASH: 615657959884cd350ee3b767ed1cbcced1ce83b64d7ac74c788d8ecbd2f278b4": [[584, 648]]}, "info": {"id": "synth_v2_01617", "source": "synthetic_v2"}} +{"text": "Blog Post by Zscaler ThreatLabz: Tracking TA505's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2026-40674 against VMware ESXi deployments. The initial access vector involves spear-phishing emails from finance@phishing-domain.com delivering SystemBC. Post-compromise, the attackers deploy PlugX and use PowerShell Empire for reconnaissance. C2 infrastructure includes 9.181.230.217 and cdnlogin.tech. A staging server at https://api-mail.tech/portal/verify hosts additional tooling. 
Key artifact: /opt/app/bin/sam.hive (SHA1: 71912c98ab9d60911825d5bf4cfc58d66a2da943).", "spans": {"ORGANIZATION: Zscaler ThreatLabz": [[13, 31]], "THREAT_ACTOR: TA505": [[42, 47]], "CVE_ID: CVE-2026-40674": [[127, 141]], "SYSTEM: VMware ESXi": [[150, 161]], "EMAIL: finance@phishing-domain.com": [[237, 264]], "MALWARE: SystemBC": [[276, 284]], "MALWARE: PlugX": [[324, 329]], "TOOL: PowerShell Empire": [[338, 355]], "IP_ADDRESS: 9.181.230.217": [[403, 416]], "DOMAIN: cdnlogin.tech": [[421, 434]], "URL: https://api-mail.tech/portal/verify": [[456, 491]], "FILEPATH: /opt/app/bin/sam.hive": [[532, 553]], "HASH: 71912c98ab9d60911825d5bf4cfc58d66a2da943": [[561, 601]]}, "info": {"id": "synth_v2_01618", "source": "synthetic_v2"}} +{"text": "Blog Post by Rapid7: Tracking Scattered Spider's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2022-13003 against F5 BIG-IP deployments. The initial access vector involves spear-phishing emails from security@phishing-domain.com delivering BlackCat. Post-compromise, the attackers deploy RedLine Stealer and use Ligolo for reconnaissance. C2 infrastructure includes 69.137.182.87 and proxyportal.live. A staging server at https://clouddata.live/assets/js/payload.js hosts additional tooling. 
Key artifact: /opt/app/bin/svchost.exe (MD5: b6727a0c5c74e576c9a925426bc83fd8).", "spans": {"ORGANIZATION: Rapid7": [[13, 19]], "THREAT_ACTOR: Scattered Spider": [[30, 46]], "CVE_ID: CVE-2022-13003": [[126, 140]], "SYSTEM: F5 BIG-IP": [[149, 158]], "EMAIL: security@phishing-domain.com": [[234, 262]], "MALWARE: BlackCat": [[274, 282]], "MALWARE: RedLine Stealer": [[322, 337]], "TOOL: Ligolo": [[346, 352]], "IP_ADDRESS: 69.137.182.87": [[400, 413]], "DOMAIN: proxyportal.live": [[418, 434]], "URL: https://clouddata.live/assets/js/payload.js": [[456, 499]], "FILEPATH: /opt/app/bin/svchost.exe": [[540, 564]], "HASH: b6727a0c5c74e576c9a925426bc83fd8": [[571, 603]]}, "info": {"id": "synth_v2_01619", "source": "synthetic_v2"}} +{"text": "Blog Post by Europol: Tracking Silk Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-28024 against Zyxel USG deployments. The initial access vector involves spear-phishing emails from notification@mail-service.info delivering NjRAT. Post-compromise, the attackers deploy Royal and use Seatbelt for reconnaissance. C2 infrastructure includes 172.240.66.136 and proxy-portal.cc. A staging server at hxxps://nodeedge.online/assets/js/payload.js hosts additional tooling. 
Key artifact: C:\\Users\\admin\\Downloads\\ntds.dit (SHA1: 4d92f7738420608e3cd35b0db81271b8c71a6f36).", "spans": {"ORGANIZATION: Europol": [[13, 20]], "THREAT_ACTOR: Silk Typhoon": [[31, 43]], "CVE_ID: CVE-2020-28024": [[123, 137]], "SYSTEM: Zyxel USG": [[146, 155]], "EMAIL: notification@mail-service.info": [[231, 261]], "MALWARE: NjRAT": [[273, 278]], "MALWARE: Royal": [[318, 323]], "TOOL: Seatbelt": [[332, 340]], "IP_ADDRESS: 172.240.66.136": [[388, 402]], "DOMAIN: proxy-portal.cc": [[407, 422]], "URL: hxxps://nodeedge.online/assets/js/payload.js": [[444, 488]], "FILEPATH: C:\\Users\\admin\\Downloads\\ntds.dit": [[529, 562]], "HASH: 4d92f7738420608e3cd35b0db81271b8c71a6f36": [[570, 610]]}, "info": {"id": "synth_v2_01620", "source": "synthetic_v2"}} +{"text": "Blog Post by Tenable: Tracking Volt Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2025-24373 against Progress Telerik deployments. The initial access vector involves spear-phishing emails from service@secure-verify.net delivering TrickBot. Post-compromise, the attackers deploy BumbleBee and use Sliver for reconnaissance. C2 infrastructure includes 192.95.237.112 and syncedge.org. A staging server at hxxps://cloudmail.com/gate.php hosts additional tooling. 
Key artifact: C:\\Program Files\\Common Files\\csrss.exe (SHA1: d9b08c98352efc57e7a6bfeccf68f795c452f86f).", "spans": {"ORGANIZATION: Tenable": [[13, 20]], "THREAT_ACTOR: Volt Typhoon": [[31, 43]], "CVE_ID: CVE-2025-24373": [[123, 137]], "SYSTEM: Progress Telerik": [[146, 162]], "EMAIL: service@secure-verify.net": [[238, 263]], "MALWARE: TrickBot": [[275, 283]], "MALWARE: BumbleBee": [[323, 332]], "TOOL: Sliver": [[341, 347]], "IP_ADDRESS: 192.95.237.112": [[395, 409]], "DOMAIN: syncedge.org": [[414, 426]], "URL: hxxps://cloudmail.com/gate.php": [[448, 478]], "FILEPATH: C:\\Program Files\\Common Files\\csrss.exe": [[519, 558]], "HASH: d9b08c98352efc57e7a6bfeccf68f795c452f86f": [[566, 606]]}, "info": {"id": "synth_v2_01621", "source": "synthetic_v2"}} +{"text": "Blog Post by ESET Research: Tracking Ember Bear's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2026-38492 against Active Directory deployments. The initial access vector involves spear-phishing emails from admin@credential-check.site delivering Qbot. Post-compromise, the attackers deploy ShadowPad and use PowerView for reconnaissance. C2 infrastructure includes 172.251.54.108 and cacheapi.cc. A staging server at http://portal-cloud.top/collect hosts additional tooling. 
Key artifact: C:\\Users\\admin\\Downloads\\winlogon.exe (MD5: 932e9f88d6a8d2dc3860327816e9e235).", "spans": {"ORGANIZATION: ESET Research": [[13, 26]], "THREAT_ACTOR: Ember Bear": [[37, 47]], "CVE_ID: CVE-2026-38492": [[127, 141]], "SYSTEM: Active Directory": [[150, 166]], "EMAIL: admin@credential-check.site": [[242, 269]], "MALWARE: Qbot": [[281, 285]], "MALWARE: ShadowPad": [[325, 334]], "TOOL: PowerView": [[343, 352]], "IP_ADDRESS: 172.251.54.108": [[400, 414]], "DOMAIN: cacheapi.cc": [[419, 430]], "URL: http://portal-cloud.top/collect": [[452, 483]], "FILEPATH: C:\\Users\\admin\\Downloads\\winlogon.exe": [[524, 561]], "HASH: 932e9f88d6a8d2dc3860327816e9e235": [[568, 600]]}, "info": {"id": "synth_v2_01622", "source": "synthetic_v2"}} +{"text": "Blog Post by INTERPOL: Tracking Turla's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2024-26162 against Progress Telerik deployments. The initial access vector involves spear-phishing emails from info@login-portal.tech delivering AgentTesla. Post-compromise, the attackers deploy Cobalt Strike and use Metasploit for reconnaissance. C2 infrastructure includes 172.218.243.136 and proxy-static.io. A staging server at hxxps://cloud-cdn.online/login hosts additional tooling. 
Key artifact: /tmp/agent.py (SHA1: 43255ba3ce131f44acfdeb9cc6fbee5e317afcd9).", "spans": {"ORGANIZATION: INTERPOL": [[13, 21]], "THREAT_ACTOR: Turla": [[32, 37]], "CVE_ID: CVE-2024-26162": [[117, 131]], "SYSTEM: Progress Telerik": [[140, 156]], "EMAIL: info@login-portal.tech": [[232, 254]], "MALWARE: AgentTesla": [[266, 276]], "MALWARE: Cobalt Strike": [[316, 329]], "TOOL: Metasploit": [[338, 348]], "IP_ADDRESS: 172.218.243.136": [[396, 411]], "DOMAIN: proxy-static.io": [[416, 431]], "URL: hxxps://cloud-cdn.online/login": [[453, 483]], "FILEPATH: /tmp/agent.py": [[524, 537]], "HASH: 43255ba3ce131f44acfdeb9cc6fbee5e317afcd9": [[545, 585]]}, "info": {"id": "synth_v2_01623", "source": "synthetic_v2"}} +{"text": "Blog Post by Tenable: Tracking Aqua Blizzard's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2022-22601 against F5 BIG-IP deployments. The initial access vector involves spear-phishing emails from it@document-share.link delivering Lumma Stealer. Post-compromise, the attackers deploy TrickBot and use CrackMapExec for reconnaissance. C2 infrastructure includes 60.91.221.147 and sync-static.info. A staging server at http://edge-update.net/admin/config hosts additional tooling. 
Key artifact: C:\\Users\\Public\\Documents\\taskhost.exe (SHA1: 5b858d4f94709a3ad09b168e422d9e927c1639e3).", "spans": {"ORGANIZATION: Tenable": [[13, 20]], "THREAT_ACTOR: Aqua Blizzard": [[31, 44]], "CVE_ID: CVE-2022-22601": [[124, 138]], "SYSTEM: F5 BIG-IP": [[147, 156]], "EMAIL: it@document-share.link": [[232, 254]], "MALWARE: Lumma Stealer": [[266, 279]], "MALWARE: TrickBot": [[319, 327]], "TOOL: CrackMapExec": [[336, 348]], "IP_ADDRESS: 60.91.221.147": [[396, 409]], "DOMAIN: sync-static.info": [[414, 430]], "URL: http://edge-update.net/admin/config": [[452, 487]], "FILEPATH: C:\\Users\\Public\\Documents\\taskhost.exe": [[528, 566]], "HASH: 5b858d4f94709a3ad09b168e422d9e927c1639e3": [[574, 614]]}, "info": {"id": "synth_v2_01624", "source": "synthetic_v2"}} +{"text": "Blog Post by Check Point Research: Tracking Forest Blizzard's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2023-40294 against SonicWall SMA deployments. The initial access vector involves spear-phishing emails from it@secure-verify.net delivering DarkSide. Post-compromise, the attackers deploy DanaBot and use Havoc for reconnaissance. C2 infrastructure includes 11.126.34.254 and edge-login.io. A staging server at http://staticauth.info/secure/token hosts additional tooling. 
Key artifact: C:\\ProgramData\\payload.bin (SHA1: 0387cf36079f91a74afbeab967080297424a32f4).", "spans": {"ORGANIZATION: Check Point Research": [[13, 33]], "THREAT_ACTOR: Forest Blizzard": [[44, 59]], "CVE_ID: CVE-2023-40294": [[139, 153]], "SYSTEM: SonicWall SMA": [[162, 175]], "EMAIL: it@secure-verify.net": [[251, 271]], "MALWARE: DarkSide": [[283, 291]], "MALWARE: DanaBot": [[331, 338]], "TOOL: Havoc": [[347, 352]], "IP_ADDRESS: 11.126.34.254": [[400, 413]], "DOMAIN: edge-login.io": [[418, 431]], "URL: http://staticauth.info/secure/token": [[453, 488]], "FILEPATH: C:\\ProgramData\\payload.bin": [[529, 555]], "HASH: 0387cf36079f91a74afbeab967080297424a32f4": [[563, 603]]}, "info": {"id": "synth_v2_01625", "source": "synthetic_v2"}} +{"text": "Blog Post by CrowdStrike: Tracking Granite Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-25247 against Ivanti Connect Secure deployments. The initial access vector involves spear-phishing emails from finance@account-update.xyz delivering Hive. Post-compromise, the attackers deploy Play and use BITSAdmin for reconnaissance. C2 infrastructure includes 111.221.129.40 and cache-backup.live. A staging server at http://edge-cloud.club/secure/token hosts additional tooling. 
Key artifact: /home/user/.config/lsass.dmp (SHA1: e4bca234efbc03c03263c4fcbb05b7fe7f7eda10).", "spans": {"ORGANIZATION: CrowdStrike": [[13, 24]], "THREAT_ACTOR: Granite Typhoon": [[35, 50]], "CVE_ID: CVE-2020-25247": [[130, 144]], "SYSTEM: Ivanti Connect Secure": [[153, 174]], "EMAIL: finance@account-update.xyz": [[250, 276]], "MALWARE: Hive": [[288, 292]], "MALWARE: Play": [[332, 336]], "TOOL: BITSAdmin": [[345, 354]], "IP_ADDRESS: 111.221.129.40": [[402, 416]], "DOMAIN: cache-backup.live": [[421, 438]], "URL: http://edge-cloud.club/secure/token": [[460, 495]], "FILEPATH: /home/user/.config/lsass.dmp": [[536, 564]], "HASH: e4bca234efbc03c03263c4fcbb05b7fe7f7eda10": [[572, 612]]}, "info": {"id": "synth_v2_01626", "source": "synthetic_v2"}} +{"text": "Blog Post by ESET Research: Tracking Ember Bear's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2024-25010 against Windows 11 deployments. The initial access vector involves spear-phishing emails from it@login-portal.tech delivering Amadey. Post-compromise, the attackers deploy BumbleBee and use Burp Suite for reconnaissance. C2 infrastructure includes 10.91.229.122 and api-relay.cc. A staging server at https://api-portal.org/login hosts additional tooling. 
Key artifact: C:\\Users\\admin\\Downloads\\ntds.dit (MD5: 7577d9dfef3bb3d3851e96c0e3d3941a).", "spans": {"ORGANIZATION: ESET Research": [[13, 26]], "THREAT_ACTOR: Ember Bear": [[37, 47]], "CVE_ID: CVE-2024-25010": [[127, 141]], "SYSTEM: Windows 11": [[150, 160]], "EMAIL: it@login-portal.tech": [[236, 256]], "MALWARE: Amadey": [[268, 274]], "MALWARE: BumbleBee": [[314, 323]], "TOOL: Burp Suite": [[332, 342]], "IP_ADDRESS: 10.91.229.122": [[390, 403]], "DOMAIN: api-relay.cc": [[408, 420]], "URL: https://api-portal.org/login": [[442, 470]], "FILEPATH: C:\\Users\\admin\\Downloads\\ntds.dit": [[511, 544]], "HASH: 7577d9dfef3bb3d3851e96c0e3d3941a": [[551, 583]]}, "info": {"id": "synth_v2_01627", "source": "synthetic_v2"}} +{"text": "Blog Post by CISA: Tracking Gamaredon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2023-27691 against Juniper SRX deployments. The initial access vector involves spear-phishing emails from security@urgent-notice.online delivering StealC. Post-compromise, the attackers deploy LockBit and use Nmap for reconnaissance. C2 infrastructure includes 192.238.73.102 and proxycache.dev. A staging server at https://node-node.cc/collect hosts additional tooling. 
Key artifact: C:\\Program Files\\Common Files\\sam.hive (SHA256: 0dff9e9fd94081f8a7ce6ecf70e5d0e1f50d86af595957e309b5eff4b58f151d).", "spans": {"ORGANIZATION: CISA": [[13, 17]], "THREAT_ACTOR: Gamaredon": [[28, 37]], "CVE_ID: CVE-2023-27691": [[117, 131]], "SYSTEM: Juniper SRX": [[140, 151]], "EMAIL: security@urgent-notice.online": [[227, 256]], "MALWARE: StealC": [[268, 274]], "MALWARE: LockBit": [[314, 321]], "TOOL: Nmap": [[330, 334]], "IP_ADDRESS: 192.238.73.102": [[382, 396]], "DOMAIN: proxycache.dev": [[401, 415]], "URL: https://node-node.cc/collect": [[437, 465]], "FILEPATH: C:\\Program Files\\Common Files\\sam.hive": [[506, 544]], "HASH: 0dff9e9fd94081f8a7ce6ecf70e5d0e1f50d86af595957e309b5eff4b58f151d": [[554, 618]]}, "info": {"id": "synth_v2_01628", "source": "synthetic_v2"}} +{"text": "Blog Post by Google TAG: Tracking Charming Kitten's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2026-10752 against Barracuda ESG deployments. The initial access vector involves spear-phishing emails from finance@secure-verify.net delivering Qbot. Post-compromise, the attackers deploy Amadey and use Nmap for reconnaissance. C2 infrastructure includes 158.42.26.76 and relay-portal.club. A staging server at http://static-portal.live/secure/token hosts additional tooling. 
Key artifact: /opt/app/bin/beacon.dll (SHA256: 7429ce36fb0bd86693b089fcf4b923f74c7e4a38d5449198d3fce477f50d62ba).", "spans": {"ORGANIZATION: Google TAG": [[13, 23]], "THREAT_ACTOR: Charming Kitten": [[34, 49]], "CVE_ID: CVE-2026-10752": [[129, 143]], "SYSTEM: Barracuda ESG": [[152, 165]], "EMAIL: finance@secure-verify.net": [[241, 266]], "MALWARE: Qbot": [[278, 282]], "MALWARE: Amadey": [[322, 328]], "TOOL: Nmap": [[337, 341]], "IP_ADDRESS: 158.42.26.76": [[389, 401]], "DOMAIN: relay-portal.club": [[406, 423]], "URL: http://static-portal.live/secure/token": [[445, 483]], "FILEPATH: /opt/app/bin/beacon.dll": [[524, 547]], "HASH: 7429ce36fb0bd86693b089fcf4b923f74c7e4a38d5449198d3fce477f50d62ba": [[557, 621]]}, "info": {"id": "synth_v2_01629", "source": "synthetic_v2"}} +{"text": "Blog Post by ESET Research: Tracking Lazarus Group's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-24628 against Apache Struts deployments. The initial access vector involves spear-phishing emails from it@credential-check.site delivering BatLoader. Post-compromise, the attackers deploy QakBot and use CrackMapExec for reconnaissance. C2 infrastructure includes 172.39.4.118 and cache-api.org. A staging server at hxxps://datadata.online/download/update.exe hosts additional tooling. 
Key artifact: C:\\Users\\Public\\Documents\\agent.py (MD5: a1ebfcac112d4eb9c509c4755348418a).", "spans": {"ORGANIZATION: ESET Research": [[13, 26]], "THREAT_ACTOR: Lazarus Group": [[37, 50]], "CVE_ID: CVE-2020-24628": [[130, 144]], "SYSTEM: Apache Struts": [[153, 166]], "EMAIL: it@credential-check.site": [[242, 266]], "MALWARE: BatLoader": [[278, 287]], "MALWARE: QakBot": [[327, 333]], "TOOL: CrackMapExec": [[342, 354]], "IP_ADDRESS: 172.39.4.118": [[402, 414]], "DOMAIN: cache-api.org": [[419, 432]], "URL: hxxps://datadata.online/download/update.exe": [[454, 497]], "FILEPATH: C:\\Users\\Public\\Documents\\agent.py": [[538, 572]], "HASH: a1ebfcac112d4eb9c509c4755348418a": [[579, 611]]}, "info": {"id": "synth_v2_01630", "source": "synthetic_v2"}} +{"text": "Blog Post by INTERPOL: Tracking Volt Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-45741 against Ubuntu 22.04 deployments. The initial access vector involves spear-phishing emails from info@login-portal.tech delivering Play. Post-compromise, the attackers deploy AgentTesla and use Hashcat for reconnaissance. C2 infrastructure includes 172.107.32.170 and update-auth.club. A staging server at http://nodebackup.tech/gate.php hosts additional tooling. 
Key artifact: /dev/shm/update.dll (SHA256: 81ab3f6274a20195597a8884d8247b0a76d782999465bb16a413f3d332bf513a).", "spans": {"ORGANIZATION: INTERPOL": [[13, 21]], "THREAT_ACTOR: Volt Typhoon": [[32, 44]], "CVE_ID: CVE-2020-45741": [[124, 138]], "SYSTEM: Ubuntu 22.04": [[147, 159]], "EMAIL: info@login-portal.tech": [[235, 257]], "MALWARE: Play": [[269, 273]], "MALWARE: AgentTesla": [[313, 323]], "TOOL: Hashcat": [[332, 339]], "IP_ADDRESS: 172.107.32.170": [[387, 401]], "DOMAIN: update-auth.club": [[406, 422]], "URL: http://nodebackup.tech/gate.php": [[444, 475]], "FILEPATH: /dev/shm/update.dll": [[516, 535]], "HASH: 81ab3f6274a20195597a8884d8247b0a76d782999465bb16a413f3d332bf513a": [[545, 609]]}, "info": {"id": "synth_v2_01631", "source": "synthetic_v2"}} +{"text": "Blog Post by Secureworks: Tracking APT29's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2022-15164 against Ubuntu 22.04 deployments. The initial access vector involves spear-phishing emails from verify@phishing-domain.com delivering IcedID. Post-compromise, the attackers deploy ShadowPad and use Nmap for reconnaissance. C2 infrastructure includes 93.212.14.206 and dataupdate.org. A staging server at hxxp://relay-cloud.online/wp-content/uploads/doc.php hosts additional tooling. 
Key artifact: C:\\ProgramData\\svchost.exe (SHA1: 30ea025d606091cac5172d89f3ddecf655013635).", "spans": {"ORGANIZATION: Secureworks": [[13, 24]], "THREAT_ACTOR: APT29": [[35, 40]], "CVE_ID: CVE-2022-15164": [[120, 134]], "SYSTEM: Ubuntu 22.04": [[143, 155]], "EMAIL: verify@phishing-domain.com": [[231, 257]], "MALWARE: IcedID": [[269, 275]], "MALWARE: ShadowPad": [[315, 324]], "TOOL: Nmap": [[333, 337]], "IP_ADDRESS: 93.212.14.206": [[385, 398]], "DOMAIN: dataupdate.org": [[403, 417]], "URL: hxxp://relay-cloud.online/wp-content/uploads/doc.php": [[439, 491]], "FILEPATH: C:\\ProgramData\\svchost.exe": [[532, 558]], "HASH: 30ea025d606091cac5172d89f3ddecf655013635": [[566, 606]]}, "info": {"id": "synth_v2_01632", "source": "synthetic_v2"}} +{"text": "Blog Post by Palo Alto Unit 42: Tracking Star Blizzard's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2025-48242 against Fortinet FortiGate deployments. The initial access vector involves spear-phishing emails from notification@identity-verify.cc delivering Gootloader. Post-compromise, the attackers deploy DanaBot and use Rubeus for reconnaissance. C2 infrastructure includes 192.80.81.244 and updateupdate.site. A staging server at https://cloud-node.site/portal/verify hosts additional tooling. 
Key artifact: C:\\Users\\admin\\Desktop\\update.dll (SHA1: bf22362ee422b99f1c0a39a8a385755a8d66c6ac).", "spans": {"ORGANIZATION: Palo Alto Unit 42": [[13, 30]], "THREAT_ACTOR: Star Blizzard": [[41, 54]], "CVE_ID: CVE-2025-48242": [[134, 148]], "SYSTEM: Fortinet FortiGate": [[157, 175]], "EMAIL: notification@identity-verify.cc": [[251, 282]], "MALWARE: Gootloader": [[294, 304]], "MALWARE: DanaBot": [[344, 351]], "TOOL: Rubeus": [[360, 366]], "IP_ADDRESS: 192.80.81.244": [[414, 427]], "DOMAIN: updateupdate.site": [[432, 449]], "URL: https://cloud-node.site/portal/verify": [[471, 508]], "FILEPATH: C:\\Users\\admin\\Desktop\\update.dll": [[549, 582]], "HASH: bf22362ee422b99f1c0a39a8a385755a8d66c6ac": [[590, 630]]}, "info": {"id": "synth_v2_01633", "source": "synthetic_v2"}} +{"text": "Blog Post by Google TAG: Tracking Diamond Sleet's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2023-39714 against Atlassian Confluence deployments. The initial access vector involves spear-phishing emails from alert@document-share.link delivering RemcosRAT. Post-compromise, the attackers deploy Dridex and use Nmap for reconnaissance. C2 infrastructure includes 172.241.42.17 and cdn-backup.tech. A staging server at hxxp://api-storage.club/api/v2/auth hosts additional tooling. 
Key artifact: /opt/app/bin/implant.so (SHA1: acfae72999fd8451e4e3fb038e884698cd8a4107).", "spans": {"ORGANIZATION: Google TAG": [[13, 23]], "THREAT_ACTOR: Diamond Sleet": [[34, 47]], "CVE_ID: CVE-2023-39714": [[127, 141]], "SYSTEM: Atlassian Confluence": [[150, 170]], "EMAIL: alert@document-share.link": [[246, 271]], "MALWARE: RemcosRAT": [[283, 292]], "MALWARE: Dridex": [[332, 338]], "TOOL: Nmap": [[347, 351]], "IP_ADDRESS: 172.241.42.17": [[399, 412]], "DOMAIN: cdn-backup.tech": [[417, 432]], "URL: hxxp://api-storage.club/api/v2/auth": [[454, 489]], "FILEPATH: /opt/app/bin/implant.so": [[530, 553]], "HASH: acfae72999fd8451e4e3fb038e884698cd8a4107": [[561, 601]]}, "info": {"id": "synth_v2_01634", "source": "synthetic_v2"}} +{"text": "Blog Post by FireEye: Tracking Silk Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2021-16338 against F5 BIG-IP deployments. The initial access vector involves spear-phishing emails from ceo@credential-check.site delivering FormBook. Post-compromise, the attackers deploy QakBot and use Covenant for reconnaissance. C2 infrastructure includes 154.97.140.204 and proxystatic.site. A staging server at https://cdnstorage.info/callback hosts additional tooling. 
Key artifact: /etc/cron.d/svchost.exe (SHA256: 97c6265d2d62d922824ca22c70e17801806ce1664ae9728f25497e1c0068c1e4).", "spans": {"ORGANIZATION: FireEye": [[13, 20]], "THREAT_ACTOR: Silk Typhoon": [[31, 43]], "CVE_ID: CVE-2021-16338": [[123, 137]], "SYSTEM: F5 BIG-IP": [[146, 155]], "EMAIL: ceo@credential-check.site": [[231, 256]], "MALWARE: FormBook": [[268, 276]], "MALWARE: QakBot": [[316, 322]], "TOOL: Covenant": [[331, 339]], "IP_ADDRESS: 154.97.140.204": [[387, 401]], "DOMAIN: proxystatic.site": [[406, 422]], "URL: https://cdnstorage.info/callback": [[444, 476]], "FILEPATH: /etc/cron.d/svchost.exe": [[517, 540]], "HASH: 97c6265d2d62d922824ca22c70e17801806ce1664ae9728f25497e1c0068c1e4": [[550, 614]]}, "info": {"id": "synth_v2_01635", "source": "synthetic_v2"}} +{"text": "Blog Post by Tenable: Tracking FIN11's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2025-27219 against Active Directory deployments. The initial access vector involves spear-phishing emails from alert@mail-service.info delivering REvil. Post-compromise, the attackers deploy DarkSide and use Burp Suite for reconnaissance. C2 infrastructure includes 172.134.212.194 and proxy-storage.live. A staging server at http://authnode.org/gate.php hosts additional tooling. 
Key artifact: C:\\Users\\Public\\Documents\\lsass.dmp (SHA256: 2b538183d300a85f00ba385c4965ee7bb5229b45d2ffc820a5c31b9994fb5899).", "spans": {"ORGANIZATION: Tenable": [[13, 20]], "THREAT_ACTOR: FIN11": [[31, 36]], "CVE_ID: CVE-2025-27219": [[116, 130]], "SYSTEM: Active Directory": [[139, 155]], "EMAIL: alert@mail-service.info": [[231, 254]], "MALWARE: REvil": [[266, 271]], "MALWARE: DarkSide": [[311, 319]], "TOOL: Burp Suite": [[328, 338]], "IP_ADDRESS: 172.134.212.194": [[386, 401]], "DOMAIN: proxy-storage.live": [[406, 424]], "URL: http://authnode.org/gate.php": [[446, 474]], "FILEPATH: C:\\Users\\Public\\Documents\\lsass.dmp": [[515, 550]], "HASH: 2b538183d300a85f00ba385c4965ee7bb5229b45d2ffc820a5c31b9994fb5899": [[560, 624]]}, "info": {"id": "synth_v2_01636", "source": "synthetic_v2"}} +{"text": "Blog Post by Mandiant: Tracking BlackTech's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2026-10752 against Atlassian Confluence deployments. The initial access vector involves spear-phishing emails from hr@account-update.xyz delivering Latrodectus. Post-compromise, the attackers deploy TrickBot and use Impacket for reconnaissance. C2 infrastructure includes 126.21.87.103 and edgeportal.live. A staging server at https://cdnsync.info/api/v2/auth hosts additional tooling. 
Key artifact: /usr/local/bin/payload.bin (MD5: ccab949c2f8d2f57b2e0033abed3fd1e).", "spans": {"ORGANIZATION: Mandiant": [[13, 21]], "THREAT_ACTOR: BlackTech": [[32, 41]], "CVE_ID: CVE-2026-10752": [[121, 135]], "SYSTEM: Atlassian Confluence": [[144, 164]], "EMAIL: hr@account-update.xyz": [[240, 261]], "MALWARE: Latrodectus": [[273, 284]], "MALWARE: TrickBot": [[324, 332]], "TOOL: Impacket": [[341, 349]], "IP_ADDRESS: 126.21.87.103": [[397, 410]], "DOMAIN: edgeportal.live": [[415, 430]], "URL: https://cdnsync.info/api/v2/auth": [[452, 484]], "FILEPATH: /usr/local/bin/payload.bin": [[525, 551]], "HASH: ccab949c2f8d2f57b2e0033abed3fd1e": [[558, 590]]}, "info": {"id": "synth_v2_01637", "source": "synthetic_v2"}} +{"text": "Blog Post by Volexity: Tracking Volt Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2026-10212 against Windows 11 deployments. The initial access vector involves spear-phishing emails from support@mail-service.info delivering Qbot. Post-compromise, the attackers deploy TrickBot and use LaZagne for reconnaissance. C2 infrastructure includes 218.22.33.85 and data-relay.top. A staging server at https://securegateway.io/collect hosts additional tooling. 
Key artifact: C:\\Windows\\System32\\backdoor.elf (MD5: 61cf8b20b132216a0308d730d389c1f1).", "spans": {"ORGANIZATION: Volexity": [[13, 21]], "THREAT_ACTOR: Volt Typhoon": [[32, 44]], "CVE_ID: CVE-2026-10212": [[124, 138]], "SYSTEM: Windows 11": [[147, 157]], "EMAIL: support@mail-service.info": [[233, 258]], "MALWARE: Qbot": [[270, 274]], "MALWARE: TrickBot": [[314, 322]], "TOOL: LaZagne": [[331, 338]], "IP_ADDRESS: 218.22.33.85": [[386, 398]], "DOMAIN: data-relay.top": [[403, 417]], "URL: https://securegateway.io/collect": [[439, 471]], "FILEPATH: C:\\Windows\\System32\\backdoor.elf": [[512, 544]], "HASH: 61cf8b20b132216a0308d730d389c1f1": [[551, 583]]}, "info": {"id": "synth_v2_01638", "source": "synthetic_v2"}} +{"text": "Blog Post by Recorded Future: Tracking Storm-0558's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2023-20708 against Citrix NetScaler deployments. The initial access vector involves spear-phishing emails from noreply@login-portal.tech delivering DanaBot. Post-compromise, the attackers deploy BatLoader and use Metasploit for reconnaissance. C2 infrastructure includes 172.195.40.113 and cdn-gateway.io. A staging server at https://sync-data.site/collect hosts additional tooling. 
Key artifact: C:\\Windows\\Tasks\\lsass.dmp (MD5: 16a0ae8147d399ce869e098442d6b37a).", "spans": {"ORGANIZATION: Recorded Future": [[13, 28]], "THREAT_ACTOR: Storm-0558": [[39, 49]], "CVE_ID: CVE-2023-20708": [[129, 143]], "SYSTEM: Citrix NetScaler": [[152, 168]], "EMAIL: noreply@login-portal.tech": [[244, 269]], "MALWARE: DanaBot": [[281, 288]], "MALWARE: BatLoader": [[328, 337]], "TOOL: Metasploit": [[346, 356]], "IP_ADDRESS: 172.195.40.113": [[404, 418]], "DOMAIN: cdn-gateway.io": [[423, 437]], "URL: https://sync-data.site/collect": [[459, 489]], "FILEPATH: C:\\Windows\\Tasks\\lsass.dmp": [[530, 556]], "HASH: 16a0ae8147d399ce869e098442d6b37a": [[563, 595]]}, "info": {"id": "synth_v2_01639", "source": "synthetic_v2"}} +{"text": "Blog Post by Dragos: Tracking Aqua Blizzard's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2023-33909 against VMware ESXi deployments. The initial access vector involves spear-phishing emails from confirm@phishing-domain.com delivering Ryuk. Post-compromise, the attackers deploy QakBot and use Hashcat for reconnaissance. C2 infrastructure includes 201.42.165.10 and proxy-gateway.com. A staging server at hxxps://relay-mail.link/assets/js/payload.js hosts additional tooling. 
Key artifact: C:\\Windows\\Temp\\sam.hive (SHA1: 0fb3f0602c4bc7c46714c894a273176327abb8f3).", "spans": {"ORGANIZATION: Dragos": [[13, 19]], "THREAT_ACTOR: Aqua Blizzard": [[30, 43]], "CVE_ID: CVE-2023-33909": [[123, 137]], "SYSTEM: VMware ESXi": [[146, 157]], "EMAIL: confirm@phishing-domain.com": [[233, 260]], "MALWARE: Ryuk": [[272, 276]], "MALWARE: QakBot": [[316, 322]], "TOOL: Hashcat": [[331, 338]], "IP_ADDRESS: 201.42.165.10": [[386, 399]], "DOMAIN: proxy-gateway.com": [[404, 421]], "URL: hxxps://relay-mail.link/assets/js/payload.js": [[443, 487]], "FILEPATH: C:\\Windows\\Temp\\sam.hive": [[528, 552]], "HASH: 0fb3f0602c4bc7c46714c894a273176327abb8f3": [[560, 600]]}, "info": {"id": "synth_v2_01640", "source": "synthetic_v2"}} +{"text": "Blog Post by FireEye: Tracking Ember Bear's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2026-45190 against Apache Struts deployments. The initial access vector involves spear-phishing emails from report@account-update.xyz delivering Latrodectus. Post-compromise, the attackers deploy SmokeLoader and use Rubeus for reconnaissance. C2 infrastructure includes 93.233.223.27 and proxyproxy.link. A staging server at hxxp://gateway-gateway.online/assets/js/payload.js hosts additional tooling. 
Key artifact: C:\\Users\\admin\\Downloads\\dropper.ps1 (SHA256: 0bc0c53828ef61a17d910939e551c74a2f0ac05e124be24f88a7c8840ff91efe).", "spans": {"ORGANIZATION: FireEye": [[13, 20]], "THREAT_ACTOR: Ember Bear": [[31, 41]], "CVE_ID: CVE-2026-45190": [[121, 135]], "SYSTEM: Apache Struts": [[144, 157]], "EMAIL: report@account-update.xyz": [[233, 258]], "MALWARE: Latrodectus": [[270, 281]], "MALWARE: SmokeLoader": [[321, 332]], "TOOL: Rubeus": [[341, 347]], "IP_ADDRESS: 93.233.223.27": [[395, 408]], "DOMAIN: proxyproxy.link": [[413, 428]], "URL: hxxp://gateway-gateway.online/assets/js/payload.js": [[450, 500]], "FILEPATH: C:\\Users\\admin\\Downloads\\dropper.ps1": [[541, 577]], "HASH: 0bc0c53828ef61a17d910939e551c74a2f0ac05e124be24f88a7c8840ff91efe": [[587, 651]]}, "info": {"id": "synth_v2_01641", "source": "synthetic_v2"}} +{"text": "Blog Post by Huntress: Tracking FIN7's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2021-32298 against Active Directory deployments. The initial access vector involves spear-phishing emails from updates@mail-service.info delivering AsyncRAT. Post-compromise, the attackers deploy Lumma Stealer and use Havoc for reconnaissance. C2 infrastructure includes 10.77.56.93 and relay-secure.club. A staging server at hxxp://staticproxy.io/wp-content/uploads/doc.php hosts additional tooling. 
Key artifact: C:\\Users\\admin\\AppData\\Local\\Temp\\loader.exe (MD5: cf95507ae7b49d19f49246869307ed1d).", "spans": {"ORGANIZATION: Huntress": [[13, 21]], "THREAT_ACTOR: FIN7": [[32, 36]], "CVE_ID: CVE-2021-32298": [[116, 130]], "SYSTEM: Active Directory": [[139, 155]], "EMAIL: updates@mail-service.info": [[231, 256]], "MALWARE: AsyncRAT": [[268, 276]], "MALWARE: Lumma Stealer": [[316, 329]], "TOOL: Havoc": [[338, 343]], "IP_ADDRESS: 10.77.56.93": [[391, 402]], "DOMAIN: relay-secure.club": [[407, 424]], "URL: hxxp://staticproxy.io/wp-content/uploads/doc.php": [[446, 494]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\loader.exe": [[535, 579]], "HASH: cf95507ae7b49d19f49246869307ed1d": [[586, 618]]}, "info": {"id": "synth_v2_01642", "source": "synthetic_v2"}} +{"text": "Blog Post by Zscaler ThreatLabz: Tracking OilRig's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-12082 against Ivanti Connect Secure deployments. The initial access vector involves spear-phishing emails from noreply@phishing-domain.com delivering Ryuk. Post-compromise, the attackers deploy REvil and use PowerView for reconnaissance. C2 infrastructure includes 207.146.238.161 and cacheedge.live. A staging server at hxxp://api-secure.top/secure/token hosts additional tooling. 
Key artifact: /tmp/ntds.dit (MD5: 77f8047b4efaf0437a24e23dccfe02b1).", "spans": {"ORGANIZATION: Zscaler ThreatLabz": [[13, 31]], "THREAT_ACTOR: OilRig": [[42, 48]], "CVE_ID: CVE-2020-12082": [[128, 142]], "SYSTEM: Ivanti Connect Secure": [[151, 172]], "EMAIL: noreply@phishing-domain.com": [[248, 275]], "MALWARE: Ryuk": [[287, 291]], "MALWARE: REvil": [[331, 336]], "TOOL: PowerView": [[345, 354]], "IP_ADDRESS: 207.146.238.161": [[402, 417]], "DOMAIN: cacheedge.live": [[422, 436]], "URL: hxxp://api-secure.top/secure/token": [[458, 492]], "FILEPATH: /tmp/ntds.dit": [[533, 546]], "HASH: 77f8047b4efaf0437a24e23dccfe02b1": [[553, 585]]}, "info": {"id": "synth_v2_01643", "source": "synthetic_v2"}} +{"text": "Blog Post by Palo Alto Unit 42: Tracking Aqua Blizzard's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-48698 against Citrix NetScaler deployments. The initial access vector involves spear-phishing emails from report@auth-check.org delivering Emotet. Post-compromise, the attackers deploy Latrodectus and use Certutil for reconnaissance. C2 infrastructure includes 126.19.35.218 and securecdn.club. A staging server at hxxp://datarelay.com/secure/token hosts additional tooling. 
Key artifact: C:\\Users\\Public\\Documents\\winlogon.exe (MD5: e4ab6d844e384d979ee909f3404b2793).", "spans": {"ORGANIZATION: Palo Alto Unit 42": [[13, 30]], "THREAT_ACTOR: Aqua Blizzard": [[41, 54]], "CVE_ID: CVE-2020-48698": [[134, 148]], "SYSTEM: Citrix NetScaler": [[157, 173]], "EMAIL: report@auth-check.org": [[249, 270]], "MALWARE: Emotet": [[282, 288]], "MALWARE: Latrodectus": [[328, 339]], "TOOL: Certutil": [[348, 356]], "IP_ADDRESS: 126.19.35.218": [[404, 417]], "DOMAIN: securecdn.club": [[422, 436]], "URL: hxxp://datarelay.com/secure/token": [[458, 491]], "FILEPATH: C:\\Users\\Public\\Documents\\winlogon.exe": [[532, 570]], "HASH: e4ab6d844e384d979ee909f3404b2793": [[577, 609]]}, "info": {"id": "synth_v2_01644", "source": "synthetic_v2"}} +{"text": "Blog Post by Palo Alto Unit 42: Tracking Volt Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-46781 against SonicWall SMA deployments. The initial access vector involves spear-phishing emails from billing@account-update.xyz delivering PlugX. Post-compromise, the attackers deploy Raccoon Stealer and use Seatbelt for reconnaissance. C2 infrastructure includes 39.207.177.139 and cloudportal.live. A staging server at http://login-mail.xyz/panel/index.html hosts additional tooling. 
Key artifact: C:\\Users\\admin\\AppData\\Local\\Temp\\implant.so (MD5: 171dd901e782e4020d65d365798562b6).", "spans": {"ORGANIZATION: Palo Alto Unit 42": [[13, 30]], "THREAT_ACTOR: Volt Typhoon": [[41, 53]], "CVE_ID: CVE-2020-46781": [[133, 147]], "SYSTEM: SonicWall SMA": [[156, 169]], "EMAIL: billing@account-update.xyz": [[245, 271]], "MALWARE: PlugX": [[283, 288]], "MALWARE: Raccoon Stealer": [[328, 343]], "TOOL: Seatbelt": [[352, 360]], "IP_ADDRESS: 39.207.177.139": [[408, 422]], "DOMAIN: cloudportal.live": [[427, 443]], "URL: http://login-mail.xyz/panel/index.html": [[465, 503]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\implant.so": [[544, 588]], "HASH: 171dd901e782e4020d65d365798562b6": [[595, 627]]}, "info": {"id": "synth_v2_01645", "source": "synthetic_v2"}} +{"text": "Blog Post by Microsoft MSRC: Tracking Turla's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-12082 against Barracuda ESG deployments. The initial access vector involves spear-phishing emails from finance@secure-verify.net delivering RemcosRAT. Post-compromise, the attackers deploy SystemBC and use Chisel for reconnaissance. C2 infrastructure includes 172.137.9.157 and edgerelay.live. A staging server at hxxps://edge-proxy.dev/panel/index.html hosts additional tooling. 
Key artifact: C:\\Users\\admin\\AppData\\Local\\Temp\\update.dll (SHA256: e4ab9121a66e99979e9de02f743313edf9e3d938561aa8f803b4afe58fc0db4a).", "spans": {"ORGANIZATION: Microsoft MSRC": [[13, 27]], "THREAT_ACTOR: Turla": [[38, 43]], "CVE_ID: CVE-2020-12082": [[123, 137]], "SYSTEM: Barracuda ESG": [[146, 159]], "EMAIL: finance@secure-verify.net": [[235, 260]], "MALWARE: RemcosRAT": [[272, 281]], "MALWARE: SystemBC": [[321, 329]], "TOOL: Chisel": [[338, 344]], "IP_ADDRESS: 172.137.9.157": [[392, 405]], "DOMAIN: edgerelay.live": [[410, 424]], "URL: hxxps://edge-proxy.dev/panel/index.html": [[446, 485]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\update.dll": [[526, 570]], "HASH: e4ab9121a66e99979e9de02f743313edf9e3d938561aa8f803b4afe58fc0db4a": [[580, 644]]}, "info": {"id": "synth_v2_01646", "source": "synthetic_v2"}} +{"text": "Blog Post by Check Point Research: Tracking APT28's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2026-27261 against Apache Struts deployments. The initial access vector involves spear-phishing emails from hr@document-share.link delivering XLoader. Post-compromise, the attackers deploy Raccoon Stealer and use Hashcat for reconnaissance. C2 infrastructure includes 62.118.13.194 and sync-gateway.com. A staging server at http://storage-gateway.com/login hosts additional tooling. 
Key artifact: /var/tmp/beacon.dll (MD5: 2e55192c2b35e09859640a224c0eb8da).", "spans": {"ORGANIZATION: Check Point Research": [[13, 33]], "THREAT_ACTOR: APT28": [[44, 49]], "CVE_ID: CVE-2026-27261": [[129, 143]], "SYSTEM: Apache Struts": [[152, 165]], "EMAIL: hr@document-share.link": [[241, 263]], "MALWARE: XLoader": [[275, 282]], "MALWARE: Raccoon Stealer": [[322, 337]], "TOOL: Hashcat": [[346, 353]], "IP_ADDRESS: 62.118.13.194": [[401, 414]], "DOMAIN: sync-gateway.com": [[419, 435]], "URL: http://storage-gateway.com/login": [[457, 489]], "FILEPATH: /var/tmp/beacon.dll": [[530, 549]], "HASH: 2e55192c2b35e09859640a224c0eb8da": [[556, 588]]}, "info": {"id": "synth_v2_01647", "source": "synthetic_v2"}} +{"text": "Blog Post by SentinelOne: Tracking Gamaredon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2025-14163 against Progress Telerik deployments. The initial access vector involves spear-phishing emails from hr@auth-check.org delivering Emotet. Post-compromise, the attackers deploy Gootloader and use Burp Suite for reconnaissance. C2 infrastructure includes 192.161.124.15 and proxyupdate.org. A staging server at hxxp://nodecache.com/gate.php hosts additional tooling. 
Key artifact: C:\\Users\\Public\\Documents\\runtime.dll (MD5: 82cf5d7144770c29843e405e95a25bfb).", "spans": {"ORGANIZATION: SentinelOne": [[13, 24]], "THREAT_ACTOR: Gamaredon": [[35, 44]], "CVE_ID: CVE-2025-14163": [[124, 138]], "SYSTEM: Progress Telerik": [[147, 163]], "EMAIL: hr@auth-check.org": [[239, 256]], "MALWARE: Emotet": [[268, 274]], "MALWARE: Gootloader": [[314, 324]], "TOOL: Burp Suite": [[333, 343]], "IP_ADDRESS: 192.161.124.15": [[391, 405]], "DOMAIN: proxyupdate.org": [[410, 425]], "URL: hxxp://nodecache.com/gate.php": [[447, 476]], "FILEPATH: C:\\Users\\Public\\Documents\\runtime.dll": [[517, 554]], "HASH: 82cf5d7144770c29843e405e95a25bfb": [[561, 593]]}, "info": {"id": "synth_v2_01648", "source": "synthetic_v2"}} +{"text": "Blog Post by CrowdStrike: Tracking Star Blizzard's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-11952 against VMware ESXi deployments. The initial access vector involves spear-phishing emails from service@account-update.xyz delivering QakBot. Post-compromise, the attackers deploy RemcosRAT and use Merlin for reconnaissance. C2 infrastructure includes 126.168.152.124 and edge-node.link. A staging server at http://edge-backup.org/portal/verify hosts additional tooling. 
Key artifact: C:\\Users\\admin\\Downloads\\loader.exe (SHA256: 88b08fc9b39779bd7f7cb378f8b0cf39734f5b1cdea146c6e0d7455d939ccfa2).", "spans": {"ORGANIZATION: CrowdStrike": [[13, 24]], "THREAT_ACTOR: Star Blizzard": [[35, 48]], "CVE_ID: CVE-2020-11952": [[128, 142]], "SYSTEM: VMware ESXi": [[151, 162]], "EMAIL: service@account-update.xyz": [[238, 264]], "MALWARE: QakBot": [[276, 282]], "MALWARE: RemcosRAT": [[322, 331]], "TOOL: Merlin": [[340, 346]], "IP_ADDRESS: 126.168.152.124": [[394, 409]], "DOMAIN: edge-node.link": [[414, 428]], "URL: http://edge-backup.org/portal/verify": [[450, 486]], "FILEPATH: C:\\Users\\admin\\Downloads\\loader.exe": [[527, 562]], "HASH: 88b08fc9b39779bd7f7cb378f8b0cf39734f5b1cdea146c6e0d7455d939ccfa2": [[572, 636]]}, "info": {"id": "synth_v2_01649", "source": "synthetic_v2"}} +{"text": "Blog Post by Sophos X-Ops: Tracking Granite Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2024-14337 against Atlassian Confluence deployments. The initial access vector involves spear-phishing emails from hr@credential-check.site delivering Emotet. Post-compromise, the attackers deploy PlugX and use Rubeus for reconnaissance. C2 infrastructure includes 10.6.189.178 and edge-mail.net. A staging server at hxxp://mailcdn.net/secure/token hosts additional tooling. 
Key artifact: C:\\ProgramData\\chrome_helper.exe (SHA256: 9f3c67e8216e20e5a048e38c4e0cbaf517d8c22dac2e2cb1d9461a05ffb2daf3).", "spans": {"ORGANIZATION: Sophos X-Ops": [[13, 25]], "THREAT_ACTOR: Granite Typhoon": [[36, 51]], "CVE_ID: CVE-2024-14337": [[131, 145]], "SYSTEM: Atlassian Confluence": [[154, 174]], "EMAIL: hr@credential-check.site": [[250, 274]], "MALWARE: Emotet": [[286, 292]], "MALWARE: PlugX": [[332, 337]], "TOOL: Rubeus": [[346, 352]], "IP_ADDRESS: 10.6.189.178": [[400, 412]], "DOMAIN: edge-mail.net": [[417, 430]], "URL: hxxp://mailcdn.net/secure/token": [[452, 483]], "FILEPATH: C:\\ProgramData\\chrome_helper.exe": [[524, 556]], "HASH: 9f3c67e8216e20e5a048e38c4e0cbaf517d8c22dac2e2cb1d9461a05ffb2daf3": [[566, 630]]}, "info": {"id": "synth_v2_01650", "source": "synthetic_v2"}} +{"text": "Blog Post by Rapid7: Tracking Midnight Blizzard's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2024-14337 against Windows Server 2019 deployments. The initial access vector involves spear-phishing emails from admin@credential-check.site delivering Latrodectus. Post-compromise, the attackers deploy BatLoader and use PowerShell Empire for reconnaissance. C2 infrastructure includes 32.106.61.225 and apinode.com. A staging server at hxxp://apibackup.net/login hosts additional tooling. 
Key artifact: /usr/local/bin/update.dll (SHA1: 976318ee97a069a1328559d7aa70f9a09499d155).", "spans": {"ORGANIZATION: Rapid7": [[13, 19]], "THREAT_ACTOR: Midnight Blizzard": [[30, 47]], "CVE_ID: CVE-2024-14337": [[127, 141]], "SYSTEM: Windows Server 2019": [[150, 169]], "EMAIL: admin@credential-check.site": [[245, 272]], "MALWARE: Latrodectus": [[284, 295]], "MALWARE: BatLoader": [[335, 344]], "TOOL: PowerShell Empire": [[353, 370]], "IP_ADDRESS: 32.106.61.225": [[418, 431]], "DOMAIN: apinode.com": [[436, 447]], "URL: hxxp://apibackup.net/login": [[469, 495]], "FILEPATH: /usr/local/bin/update.dll": [[536, 561]], "HASH: 976318ee97a069a1328559d7aa70f9a09499d155": [[569, 609]]}, "info": {"id": "synth_v2_01651", "source": "synthetic_v2"}} +{"text": "Blog Post by Kaspersky GReAT: Tracking Aqua Blizzard's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2025-19065 against MOVEit Transfer deployments. The initial access vector involves spear-phishing emails from support@document-share.link delivering RedLine Stealer. Post-compromise, the attackers deploy IcedID and use Hashcat for reconnaissance. C2 infrastructure includes 10.78.242.105 and portal-edge.cc. A staging server at http://relaydata.io/collect hosts additional tooling. 
Key artifact: C:\\Windows\\System32\\csrss.exe (SHA256: 21b1afd43645efe4e5eb322c5ffe88cc4b18270351ecd47c80f7c75bd84b1c34).", "spans": {"ORGANIZATION: Kaspersky GReAT": [[13, 28]], "THREAT_ACTOR: Aqua Blizzard": [[39, 52]], "CVE_ID: CVE-2025-19065": [[132, 146]], "SYSTEM: MOVEit Transfer": [[155, 170]], "EMAIL: support@document-share.link": [[246, 273]], "MALWARE: RedLine Stealer": [[285, 300]], "MALWARE: IcedID": [[340, 346]], "TOOL: Hashcat": [[355, 362]], "IP_ADDRESS: 10.78.242.105": [[410, 423]], "DOMAIN: portal-edge.cc": [[428, 442]], "URL: http://relaydata.io/collect": [[464, 491]], "FILEPATH: C:\\Windows\\System32\\csrss.exe": [[532, 561]], "HASH: 21b1afd43645efe4e5eb322c5ffe88cc4b18270351ecd47c80f7c75bd84b1c34": [[571, 635]]}, "info": {"id": "synth_v2_01652", "source": "synthetic_v2"}} +{"text": "Blog Post by Google TAG: Tracking Salt Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2024-19363 against Windows 11 deployments. The initial access vector involves spear-phishing emails from report@secure-verify.net delivering Royal. Post-compromise, the attackers deploy StealC and use BloodHound for reconnaissance. C2 infrastructure includes 106.101.210.208 and relay-api.org. A staging server at hxxp://authcloud.online/collect hosts additional tooling. 
Key artifact: C:\\Windows\\System32\\winlogon.exe (MD5: 9640e15acecc0716856a9b2267514350).", "spans": {"ORGANIZATION: Google TAG": [[13, 23]], "THREAT_ACTOR: Salt Typhoon": [[34, 46]], "CVE_ID: CVE-2024-19363": [[126, 140]], "SYSTEM: Windows 11": [[149, 159]], "EMAIL: report@secure-verify.net": [[235, 259]], "MALWARE: Royal": [[271, 276]], "MALWARE: StealC": [[316, 322]], "TOOL: BloodHound": [[331, 341]], "IP_ADDRESS: 106.101.210.208": [[389, 404]], "DOMAIN: relay-api.org": [[409, 422]], "URL: hxxp://authcloud.online/collect": [[444, 475]], "FILEPATH: C:\\Windows\\System32\\winlogon.exe": [[516, 548]], "HASH: 9640e15acecc0716856a9b2267514350": [[555, 587]]}, "info": {"id": "synth_v2_01653", "source": "synthetic_v2"}} +{"text": "Blog Post by NCSC: Tracking Flax Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2025-43392 against Cisco ASA deployments. The initial access vector involves spear-phishing emails from hr@auth-check.org delivering IcedID. Post-compromise, the attackers deploy DanaBot and use PsExec for reconnaissance. C2 infrastructure includes 223.97.220.77 and gateway-mail.top. A staging server at https://api-backup.dev/assets/js/payload.js hosts additional tooling. 
Key artifact: C:\\Program Files\\Common Files\\dropper.ps1 (SHA1: 6a9b2cb15b813f4f2918472338338c180e2cd52d).", "spans": {"ORGANIZATION: NCSC": [[13, 17]], "THREAT_ACTOR: Flax Typhoon": [[28, 40]], "CVE_ID: CVE-2025-43392": [[120, 134]], "SYSTEM: Cisco ASA": [[143, 152]], "EMAIL: hr@auth-check.org": [[228, 245]], "MALWARE: IcedID": [[257, 263]], "MALWARE: DanaBot": [[303, 310]], "TOOL: PsExec": [[319, 325]], "IP_ADDRESS: 223.97.220.77": [[373, 386]], "DOMAIN: gateway-mail.top": [[391, 407]], "URL: https://api-backup.dev/assets/js/payload.js": [[429, 472]], "FILEPATH: C:\\Program Files\\Common Files\\dropper.ps1": [[513, 554]], "HASH: 6a9b2cb15b813f4f2918472338338c180e2cd52d": [[562, 602]]}, "info": {"id": "synth_v2_01654", "source": "synthetic_v2"}} +{"text": "Blog Post by Huntress: Tracking Kimsuky's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2026-42806 against MOVEit Transfer deployments. The initial access vector involves spear-phishing emails from admin@mail-service.info delivering RedLine Stealer. Post-compromise, the attackers deploy Cobalt Strike and use Seatbelt for reconnaissance. C2 infrastructure includes 28.150.195.180 and auth-edge.online. A staging server at hxxps://gatewaydata.xyz/download/update.exe hosts additional tooling. 
Key artifact: C:\\Windows\\System32\\runtime.dll (SHA256: a02415f070c6e8dca82c4410c2377545e5e6d0389d29d1693260631ba1bded96).", "spans": {"ORGANIZATION: Huntress": [[13, 21]], "THREAT_ACTOR: Kimsuky": [[32, 39]], "CVE_ID: CVE-2026-42806": [[119, 133]], "SYSTEM: MOVEit Transfer": [[142, 157]], "EMAIL: admin@mail-service.info": [[233, 256]], "MALWARE: RedLine Stealer": [[268, 283]], "MALWARE: Cobalt Strike": [[323, 336]], "TOOL: Seatbelt": [[345, 353]], "IP_ADDRESS: 28.150.195.180": [[401, 415]], "DOMAIN: auth-edge.online": [[420, 436]], "URL: hxxps://gatewaydata.xyz/download/update.exe": [[458, 501]], "FILEPATH: C:\\Windows\\System32\\runtime.dll": [[542, 573]], "HASH: a02415f070c6e8dca82c4410c2377545e5e6d0389d29d1693260631ba1bded96": [[583, 647]]}, "info": {"id": "synth_v2_01655", "source": "synthetic_v2"}} +{"text": "Blog Post by ESET Research: Tracking Flax Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2023-34911 against VMware ESXi deployments. The initial access vector involves spear-phishing emails from account@mail-service.info delivering Play. Post-compromise, the attackers deploy PikaBot and use LaZagne for reconnaissance. C2 infrastructure includes 2.74.166.7 and proxy-update.info. A staging server at http://update-backup.xyz/callback hosts additional tooling. 
Key artifact: C:\\Windows\\Tasks\\update.dll (MD5: 928d6be78a973cb0b4627fdbb5b14b15).", "spans": {"ORGANIZATION: ESET Research": [[13, 26]], "THREAT_ACTOR: Flax Typhoon": [[37, 49]], "CVE_ID: CVE-2023-34911": [[129, 143]], "SYSTEM: VMware ESXi": [[152, 163]], "EMAIL: account@mail-service.info": [[239, 264]], "MALWARE: Play": [[276, 280]], "MALWARE: PikaBot": [[320, 327]], "TOOL: LaZagne": [[336, 343]], "IP_ADDRESS: 2.74.166.7": [[391, 401]], "DOMAIN: proxy-update.info": [[406, 423]], "URL: http://update-backup.xyz/callback": [[445, 478]], "FILEPATH: C:\\Windows\\Tasks\\update.dll": [[519, 546]], "HASH: 928d6be78a973cb0b4627fdbb5b14b15": [[553, 585]]}, "info": {"id": "synth_v2_01656", "source": "synthetic_v2"}} +{"text": "Blog Post by Rapid7: Tracking Ember Bear's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2022-49565 against Zyxel USG deployments. The initial access vector involves spear-phishing emails from noreply@login-portal.tech delivering LockBit. Post-compromise, the attackers deploy Raccoon Stealer and use BloodHound for reconnaissance. C2 infrastructure includes 123.214.218.52 and nodeupdate.tech. A staging server at hxxps://proxy-cloud.io/panel/index.html hosts additional tooling. 
Key artifact: /tmp/update.dll (SHA1: 3de920d693cac31d9765a7d78b1c0758aeb8d7d2).", "spans": {"ORGANIZATION: Rapid7": [[13, 19]], "THREAT_ACTOR: Ember Bear": [[30, 40]], "CVE_ID: CVE-2022-49565": [[120, 134]], "SYSTEM: Zyxel USG": [[143, 152]], "EMAIL: noreply@login-portal.tech": [[228, 253]], "MALWARE: LockBit": [[265, 272]], "MALWARE: Raccoon Stealer": [[312, 327]], "TOOL: BloodHound": [[336, 346]], "IP_ADDRESS: 123.214.218.52": [[394, 408]], "DOMAIN: nodeupdate.tech": [[413, 428]], "URL: hxxps://proxy-cloud.io/panel/index.html": [[450, 489]], "FILEPATH: /tmp/update.dll": [[530, 545]], "HASH: 3de920d693cac31d9765a7d78b1c0758aeb8d7d2": [[553, 593]]}, "info": {"id": "synth_v2_01657", "source": "synthetic_v2"}} +{"text": "Blog Post by Europol: Tracking Midnight Blizzard's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2026-27261 against Fortinet FortiGate deployments. The initial access vector involves spear-phishing emails from updates@urgent-notice.online delivering TrickBot. Post-compromise, the attackers deploy Dridex and use ADFind for reconnaissance. C2 infrastructure includes 119.255.25.162 and mailauth.io. A staging server at http://loginauth.com/wp-content/uploads/doc.php hosts additional tooling. 
Key artifact: C:\\Users\\admin\\Downloads\\loader.exe (MD5: 0a01b8cdf8a6b9e0b3b5bce0746e6df4).", "spans": {"ORGANIZATION: Europol": [[13, 20]], "THREAT_ACTOR: Midnight Blizzard": [[31, 48]], "CVE_ID: CVE-2026-27261": [[128, 142]], "SYSTEM: Fortinet FortiGate": [[151, 169]], "EMAIL: updates@urgent-notice.online": [[245, 273]], "MALWARE: TrickBot": [[285, 293]], "MALWARE: Dridex": [[333, 339]], "TOOL: ADFind": [[348, 354]], "IP_ADDRESS: 119.255.25.162": [[402, 416]], "DOMAIN: mailauth.io": [[421, 432]], "URL: http://loginauth.com/wp-content/uploads/doc.php": [[454, 501]], "FILEPATH: C:\\Users\\admin\\Downloads\\loader.exe": [[542, 577]], "HASH: 0a01b8cdf8a6b9e0b3b5bce0746e6df4": [[584, 616]]}, "info": {"id": "synth_v2_01658", "source": "synthetic_v2"}} +{"text": "Blog Post by Check Point Research: Tracking UNC2452's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2024-26162 against Windows Server 2019 deployments. The initial access vector involves spear-phishing emails from account@phishing-domain.com delivering IcedID. Post-compromise, the attackers deploy XLoader and use Certutil for reconnaissance. C2 infrastructure includes 172.204.32.225 and proxy-cache.com. A staging server at https://securemail.org/callback hosts additional tooling. 
Key artifact: C:\\Program Files\\Common Files\\dropper.ps1 (MD5: 7dd06682833ede7f4f1b4e2fe2552a80).", "spans": {"ORGANIZATION: Check Point Research": [[13, 33]], "THREAT_ACTOR: UNC2452": [[44, 51]], "CVE_ID: CVE-2024-26162": [[131, 145]], "SYSTEM: Windows Server 2019": [[154, 173]], "EMAIL: account@phishing-domain.com": [[249, 276]], "MALWARE: IcedID": [[288, 294]], "MALWARE: XLoader": [[334, 341]], "TOOL: Certutil": [[350, 358]], "IP_ADDRESS: 172.204.32.225": [[406, 420]], "DOMAIN: proxy-cache.com": [[425, 440]], "URL: https://securemail.org/callback": [[462, 493]], "FILEPATH: C:\\Program Files\\Common Files\\dropper.ps1": [[534, 575]], "HASH: 7dd06682833ede7f4f1b4e2fe2552a80": [[582, 614]]}, "info": {"id": "synth_v2_01659", "source": "synthetic_v2"}} +{"text": "Blog Post by Huntress: Tracking Lazarus Group's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2022-32541 against Apache Struts deployments. The initial access vector involves spear-phishing emails from it@mail-service.info delivering PlugX. Post-compromise, the attackers deploy StealC and use CrackMapExec for reconnaissance. C2 infrastructure includes 192.233.226.3 and auth-cdn.io. A staging server at hxxps://node-cloud.info/collect hosts additional tooling. 
Key artifact: /usr/local/bin/loader.exe (SHA1: bbe8da709c7e8f7d9645102700c38c71222dc623).", "spans": {"ORGANIZATION: Huntress": [[13, 21]], "THREAT_ACTOR: Lazarus Group": [[32, 45]], "CVE_ID: CVE-2022-32541": [[125, 139]], "SYSTEM: Apache Struts": [[148, 161]], "EMAIL: it@mail-service.info": [[237, 257]], "MALWARE: PlugX": [[269, 274]], "MALWARE: StealC": [[314, 320]], "TOOL: CrackMapExec": [[329, 341]], "IP_ADDRESS: 192.233.226.3": [[389, 402]], "DOMAIN: auth-cdn.io": [[407, 418]], "URL: hxxps://node-cloud.info/collect": [[440, 471]], "FILEPATH: /usr/local/bin/loader.exe": [[512, 537]], "HASH: bbe8da709c7e8f7d9645102700c38c71222dc623": [[545, 585]]}, "info": {"id": "synth_v2_01660", "source": "synthetic_v2"}} +{"text": "Blog Post by CISA: Tracking MuddyWater's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2023-27496 against Barracuda ESG deployments. The initial access vector involves spear-phishing emails from info@urgent-notice.online delivering DanaBot. Post-compromise, the attackers deploy Cobalt Strike and use Covenant for reconnaissance. C2 infrastructure includes 10.130.213.231 and edgeportal.dev. A staging server at hxxp://loginportal.com/api/v2/auth hosts additional tooling. 
Key artifact: C:\\Windows\\Temp\\ntds.dit (SHA256: 9b84fa28e6e1933be1c2aa5dd53c75eda6eb351200fe2c6f49d509946b34b00e).", "spans": {"ORGANIZATION: CISA": [[13, 17]], "THREAT_ACTOR: MuddyWater": [[28, 38]], "CVE_ID: CVE-2023-27496": [[118, 132]], "SYSTEM: Barracuda ESG": [[141, 154]], "EMAIL: info@urgent-notice.online": [[230, 255]], "MALWARE: DanaBot": [[267, 274]], "MALWARE: Cobalt Strike": [[314, 327]], "TOOL: Covenant": [[336, 344]], "IP_ADDRESS: 10.130.213.231": [[392, 406]], "DOMAIN: edgeportal.dev": [[411, 425]], "URL: hxxp://loginportal.com/api/v2/auth": [[447, 481]], "FILEPATH: C:\\Windows\\Temp\\ntds.dit": [[522, 546]], "HASH: 9b84fa28e6e1933be1c2aa5dd53c75eda6eb351200fe2c6f49d509946b34b00e": [[556, 620]]}, "info": {"id": "synth_v2_01661", "source": "synthetic_v2"}} +{"text": "Blog Post by Secureworks: Tracking Storm-0558's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2024-31252 against Progress Telerik deployments. The initial access vector involves spear-phishing emails from helpdesk@credential-check.site delivering FormBook. Post-compromise, the attackers deploy AsyncRAT and use BloodHound for reconnaissance. C2 infrastructure includes 163.155.113.164 and node-proxy.club. A staging server at hxxp://cloud-relay.io/admin/config hosts additional tooling. 
Key artifact: C:\\Users\\Public\\Documents\\payload.bin (MD5: 7ae11bd590017511b65fafcfe666864a).", "spans": {"ORGANIZATION: Secureworks": [[13, 24]], "THREAT_ACTOR: Storm-0558": [[35, 45]], "CVE_ID: CVE-2024-31252": [[125, 139]], "SYSTEM: Progress Telerik": [[148, 164]], "EMAIL: helpdesk@credential-check.site": [[240, 270]], "MALWARE: FormBook": [[282, 290]], "MALWARE: AsyncRAT": [[330, 338]], "TOOL: BloodHound": [[347, 357]], "IP_ADDRESS: 163.155.113.164": [[405, 420]], "DOMAIN: node-proxy.club": [[425, 440]], "URL: hxxp://cloud-relay.io/admin/config": [[462, 496]], "FILEPATH: C:\\Users\\Public\\Documents\\payload.bin": [[537, 574]], "HASH: 7ae11bd590017511b65fafcfe666864a": [[581, 613]]}, "info": {"id": "synth_v2_01662", "source": "synthetic_v2"}} +{"text": "Blog Post by Dragos: Tracking Aqua Blizzard's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2023-45005 against Ubuntu 22.04 deployments. The initial access vector involves spear-phishing emails from service@account-update.xyz delivering PikaBot. Post-compromise, the attackers deploy Qbot and use Mimikatz for reconnaissance. C2 infrastructure includes 202.163.249.139 and data-relay.xyz. A staging server at http://backup-secure.net/admin/config hosts additional tooling. 
Key artifact: /usr/local/bin/beacon.dll (MD5: 15cc660ae2c71df3dad5530a440cd9ec).", "spans": {"ORGANIZATION: Dragos": [[13, 19]], "THREAT_ACTOR: Aqua Blizzard": [[30, 43]], "CVE_ID: CVE-2023-45005": [[123, 137]], "SYSTEM: Ubuntu 22.04": [[146, 158]], "EMAIL: service@account-update.xyz": [[234, 260]], "MALWARE: PikaBot": [[272, 279]], "MALWARE: Qbot": [[319, 323]], "TOOL: Mimikatz": [[332, 340]], "IP_ADDRESS: 202.163.249.139": [[388, 403]], "DOMAIN: data-relay.xyz": [[408, 422]], "URL: http://backup-secure.net/admin/config": [[444, 481]], "FILEPATH: /usr/local/bin/beacon.dll": [[522, 547]], "HASH: 15cc660ae2c71df3dad5530a440cd9ec": [[554, 586]]}, "info": {"id": "synth_v2_01663", "source": "synthetic_v2"}} +{"text": "Blog Post by INTERPOL: Tracking Gamaredon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2022-29213 against VMware ESXi deployments. The initial access vector involves spear-phishing emails from account@mail-service.info delivering SystemBC. Post-compromise, the attackers deploy SmokeLoader and use PsExec for reconnaissance. C2 infrastructure includes 140.81.230.58 and mail-static.online. A staging server at https://gatewaylogin.com/login hosts additional tooling. 
Key artifact: C:\\Users\\admin\\Desktop\\backdoor.elf (MD5: aa702e8872edff1b78f3331d13251604).", "spans": {"ORGANIZATION: INTERPOL": [[13, 21]], "THREAT_ACTOR: Gamaredon": [[32, 41]], "CVE_ID: CVE-2022-29213": [[121, 135]], "SYSTEM: VMware ESXi": [[144, 155]], "EMAIL: account@mail-service.info": [[231, 256]], "MALWARE: SystemBC": [[268, 276]], "MALWARE: SmokeLoader": [[316, 327]], "TOOL: PsExec": [[336, 342]], "IP_ADDRESS: 140.81.230.58": [[390, 403]], "DOMAIN: mail-static.online": [[408, 426]], "URL: https://gatewaylogin.com/login": [[448, 478]], "FILEPATH: C:\\Users\\admin\\Desktop\\backdoor.elf": [[519, 554]], "HASH: aa702e8872edff1b78f3331d13251604": [[561, 593]]}, "info": {"id": "synth_v2_01664", "source": "synthetic_v2"}} +{"text": "Blog Post by Symantec: Tracking APT28's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2025-17185 against Apache Struts deployments. The initial access vector involves spear-phishing emails from noreply@mail-service.info delivering Conti. Post-compromise, the attackers deploy NjRAT and use Brute Ratel for reconnaissance. C2 infrastructure includes 99.71.59.154 and nodestorage.live. A staging server at https://storagelogin.tech/admin/config hosts additional tooling. 
Key artifact: /opt/app/bin/dropper.ps1 (MD5: 1545c161fa46dd8181186e0f61b1112d).", "spans": {"ORGANIZATION: Symantec": [[13, 21]], "THREAT_ACTOR: APT28": [[32, 37]], "CVE_ID: CVE-2025-17185": [[117, 131]], "SYSTEM: Apache Struts": [[140, 153]], "EMAIL: noreply@mail-service.info": [[229, 254]], "MALWARE: Conti": [[266, 271]], "MALWARE: NjRAT": [[311, 316]], "TOOL: Brute Ratel": [[325, 336]], "IP_ADDRESS: 99.71.59.154": [[384, 396]], "DOMAIN: nodestorage.live": [[401, 417]], "URL: https://storagelogin.tech/admin/config": [[439, 477]], "FILEPATH: /opt/app/bin/dropper.ps1": [[518, 542]], "HASH: 1545c161fa46dd8181186e0f61b1112d": [[549, 581]]}, "info": {"id": "synth_v2_01665", "source": "synthetic_v2"}} +{"text": "Blog Post by Rapid7: Tracking Storm-0558's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2022-45142 against MOVEit Transfer deployments. The initial access vector involves spear-phishing emails from helpdesk@urgent-notice.online delivering Vidar. Post-compromise, the attackers deploy ShadowPad and use Rubeus for reconnaissance. C2 infrastructure includes 172.82.69.252 and proxystatic.info. A staging server at https://gateway-update.net/portal/verify hosts additional tooling. 
Key artifact: C:\\Users\\admin\\Downloads\\sam.hive (SHA256: 66290d703ce432d8e09127f776785a7b2eef2509eee6571b0eb6de4ca9d860cc).", "spans": {"ORGANIZATION: Rapid7": [[13, 19]], "THREAT_ACTOR: Storm-0558": [[30, 40]], "CVE_ID: CVE-2022-45142": [[120, 134]], "SYSTEM: MOVEit Transfer": [[143, 158]], "EMAIL: helpdesk@urgent-notice.online": [[234, 263]], "MALWARE: Vidar": [[275, 280]], "MALWARE: ShadowPad": [[320, 329]], "TOOL: Rubeus": [[338, 344]], "IP_ADDRESS: 172.82.69.252": [[392, 405]], "DOMAIN: proxystatic.info": [[410, 426]], "URL: https://gateway-update.net/portal/verify": [[448, 488]], "FILEPATH: C:\\Users\\admin\\Downloads\\sam.hive": [[529, 562]], "HASH: 66290d703ce432d8e09127f776785a7b2eef2509eee6571b0eb6de4ca9d860cc": [[572, 636]]}, "info": {"id": "synth_v2_01666", "source": "synthetic_v2"}} +{"text": "Blog Post by Secureworks: Tracking Diamond Sleet's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2026-10212 against Juniper SRX deployments. The initial access vector involves spear-phishing emails from contact@identity-verify.cc delivering Play. Post-compromise, the attackers deploy Latrodectus and use Sliver for reconnaissance. C2 infrastructure includes 10.69.103.214 and loginlogin.tech. A staging server at http://gatewaynode.club/download/update.exe hosts additional tooling. 
Key artifact: C:\\ProgramData\\update.dll (SHA1: ad955bffc3942a45a495a5f120d47cb13ad86d0f).", "spans": {"ORGANIZATION: Secureworks": [[13, 24]], "THREAT_ACTOR: Diamond Sleet": [[35, 48]], "CVE_ID: CVE-2026-10212": [[128, 142]], "SYSTEM: Juniper SRX": [[151, 162]], "EMAIL: contact@identity-verify.cc": [[238, 264]], "MALWARE: Play": [[276, 280]], "MALWARE: Latrodectus": [[320, 331]], "TOOL: Sliver": [[340, 346]], "IP_ADDRESS: 10.69.103.214": [[394, 407]], "DOMAIN: loginlogin.tech": [[412, 427]], "URL: http://gatewaynode.club/download/update.exe": [[449, 492]], "FILEPATH: C:\\ProgramData\\update.dll": [[533, 558]], "HASH: ad955bffc3942a45a495a5f120d47cb13ad86d0f": [[566, 606]]}, "info": {"id": "synth_v2_01667", "source": "synthetic_v2"}} +{"text": "Blog Post by ESET Research: Tracking BlackTech's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2023-23730 against Barracuda ESG deployments. The initial access vector involves spear-phishing emails from service@phishing-domain.com delivering Vidar. Post-compromise, the attackers deploy RedLine Stealer and use PowerShell Empire for reconnaissance. C2 infrastructure includes 192.159.102.126 and backup-cache.org. A staging server at https://loginproxy.xyz/login hosts additional tooling. 
Key artifact: C:\\Users\\admin\\AppData\\Local\\Temp\\chrome_helper.exe (SHA1: fedf31578a8db5a0151d6dcecc2750666288adf5).", "spans": {"ORGANIZATION: ESET Research": [[13, 26]], "THREAT_ACTOR: BlackTech": [[37, 46]], "CVE_ID: CVE-2023-23730": [[126, 140]], "SYSTEM: Barracuda ESG": [[149, 162]], "EMAIL: service@phishing-domain.com": [[238, 265]], "MALWARE: Vidar": [[277, 282]], "MALWARE: RedLine Stealer": [[322, 337]], "TOOL: PowerShell Empire": [[346, 363]], "IP_ADDRESS: 192.159.102.126": [[411, 426]], "DOMAIN: backup-cache.org": [[431, 447]], "URL: https://loginproxy.xyz/login": [[469, 497]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\chrome_helper.exe": [[538, 589]], "HASH: fedf31578a8db5a0151d6dcecc2750666288adf5": [[597, 637]]}, "info": {"id": "synth_v2_01668", "source": "synthetic_v2"}} +{"text": "Blog Post by Microsoft MSRC: Tracking Flax Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2023-45005 against Cisco ASA deployments. The initial access vector involves spear-phishing emails from notification@auth-check.org delivering XLoader. Post-compromise, the attackers deploy FormBook and use Havoc for reconnaissance. C2 infrastructure includes 192.222.38.73 and cache-api.com. A staging server at http://static-auth.site/secure/token hosts additional tooling. 
Key artifact: /home/user/.config/winlogon.exe (SHA1: c8ee49b14aa6babfe4d8798ff8a3f7adb0029989).", "spans": {"ORGANIZATION: Microsoft MSRC": [[13, 27]], "THREAT_ACTOR: Flax Typhoon": [[38, 50]], "CVE_ID: CVE-2023-45005": [[130, 144]], "SYSTEM: Cisco ASA": [[153, 162]], "EMAIL: notification@auth-check.org": [[238, 265]], "MALWARE: XLoader": [[277, 284]], "MALWARE: FormBook": [[324, 332]], "TOOL: Havoc": [[341, 346]], "IP_ADDRESS: 192.222.38.73": [[394, 407]], "DOMAIN: cache-api.com": [[412, 425]], "URL: http://static-auth.site/secure/token": [[447, 483]], "FILEPATH: /home/user/.config/winlogon.exe": [[524, 555]], "HASH: c8ee49b14aa6babfe4d8798ff8a3f7adb0029989": [[563, 603]]}, "info": {"id": "synth_v2_01669", "source": "synthetic_v2"}} +{"text": "Blog Post by Trend Micro: Tracking Diamond Sleet's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2021-39439 against F5 BIG-IP deployments. The initial access vector involves spear-phishing emails from confirm@document-share.link delivering BumbleBee. Post-compromise, the attackers deploy Cobalt Strike and use BloodHound for reconnaissance. C2 infrastructure includes 219.204.66.168 and backupsecure.link. A staging server at hxxp://storage-secure.live/secure/token hosts additional tooling. 
Key artifact: C:\\Windows\\Tasks\\runtime.dll (SHA1: ed4c6da0cf4152d9984c870e854a576211a58938).", "spans": {"ORGANIZATION: Trend Micro": [[13, 24]], "THREAT_ACTOR: Diamond Sleet": [[35, 48]], "CVE_ID: CVE-2021-39439": [[128, 142]], "SYSTEM: F5 BIG-IP": [[151, 160]], "EMAIL: confirm@document-share.link": [[236, 263]], "MALWARE: BumbleBee": [[275, 284]], "MALWARE: Cobalt Strike": [[324, 337]], "TOOL: BloodHound": [[346, 356]], "IP_ADDRESS: 219.204.66.168": [[404, 418]], "DOMAIN: backupsecure.link": [[423, 440]], "URL: hxxp://storage-secure.live/secure/token": [[462, 501]], "FILEPATH: C:\\Windows\\Tasks\\runtime.dll": [[542, 570]], "HASH: ed4c6da0cf4152d9984c870e854a576211a58938": [[578, 618]]}, "info": {"id": "synth_v2_01670", "source": "synthetic_v2"}} +{"text": "Blog Post by Mandiant: Tracking Ember Bear's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2025-48242 against Cisco ASA deployments. The initial access vector involves spear-phishing emails from hr@phishing-domain.com delivering Hive. Post-compromise, the attackers deploy REvil and use Metasploit for reconnaissance. C2 infrastructure includes 211.204.54.12 and cdnedge.top. A staging server at http://apiauth.live/api/v2/auth hosts additional tooling. 
Key artifact: C:\\Windows\\System32\\csrss.exe (SHA256: 3c77f5e758d8062eb1157cf5a76ef188c085461c0c1d720767877870c38cbde0).", "spans": {"ORGANIZATION: Mandiant": [[13, 21]], "THREAT_ACTOR: Ember Bear": [[32, 42]], "CVE_ID: CVE-2025-48242": [[122, 136]], "SYSTEM: Cisco ASA": [[145, 154]], "EMAIL: hr@phishing-domain.com": [[230, 252]], "MALWARE: Hive": [[264, 268]], "MALWARE: REvil": [[308, 313]], "TOOL: Metasploit": [[322, 332]], "IP_ADDRESS: 211.204.54.12": [[380, 393]], "DOMAIN: cdnedge.top": [[398, 409]], "URL: http://apiauth.live/api/v2/auth": [[431, 462]], "FILEPATH: C:\\Windows\\System32\\csrss.exe": [[503, 532]], "HASH: 3c77f5e758d8062eb1157cf5a76ef188c085461c0c1d720767877870c38cbde0": [[542, 606]]}, "info": {"id": "synth_v2_01671", "source": "synthetic_v2"}} +{"text": "Blog Post by Mandiant: Tracking APT28's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2021-34898 against Zyxel USG deployments. The initial access vector involves spear-phishing emails from verify@credential-check.site delivering FormBook. Post-compromise, the attackers deploy SystemBC and use Rubeus for reconnaissance. C2 infrastructure includes 202.131.125.80 and gatewaystorage.org. A staging server at https://mailcdn.live/wp-content/uploads/doc.php hosts additional tooling. 
Key artifact: /usr/local/bin/chrome_helper.exe (MD5: f65a6e30cfb9c60f7facb378b0987004).", "spans": {"ORGANIZATION: Mandiant": [[13, 21]], "THREAT_ACTOR: APT28": [[32, 37]], "CVE_ID: CVE-2021-34898": [[117, 131]], "SYSTEM: Zyxel USG": [[140, 149]], "EMAIL: verify@credential-check.site": [[225, 253]], "MALWARE: FormBook": [[265, 273]], "MALWARE: SystemBC": [[313, 321]], "TOOL: Rubeus": [[330, 336]], "IP_ADDRESS: 202.131.125.80": [[384, 398]], "DOMAIN: gatewaystorage.org": [[403, 421]], "URL: https://mailcdn.live/wp-content/uploads/doc.php": [[443, 490]], "FILEPATH: /usr/local/bin/chrome_helper.exe": [[531, 563]], "HASH: f65a6e30cfb9c60f7facb378b0987004": [[570, 602]]}, "info": {"id": "synth_v2_01672", "source": "synthetic_v2"}} +{"text": "Blog Post by Recorded Future: Tracking Storm-0558's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2024-40071 against MOVEit Transfer deployments. The initial access vector involves spear-phishing emails from ceo@account-update.xyz delivering Emotet. Post-compromise, the attackers deploy REvil and use LaZagne for reconnaissance. C2 infrastructure includes 50.255.175.92 and storagecache.dev. A staging server at hxxps://cdn-sync.club/admin/config hosts additional tooling. 
Key artifact: C:\\Users\\admin\\Downloads\\helper.sh (MD5: 65122039aee6350f3fdeea834e0c3fee).", "spans": {"ORGANIZATION: Recorded Future": [[13, 28]], "THREAT_ACTOR: Storm-0558": [[39, 49]], "CVE_ID: CVE-2024-40071": [[129, 143]], "SYSTEM: MOVEit Transfer": [[152, 167]], "EMAIL: ceo@account-update.xyz": [[243, 265]], "MALWARE: Emotet": [[277, 283]], "MALWARE: REvil": [[323, 328]], "TOOL: LaZagne": [[337, 344]], "IP_ADDRESS: 50.255.175.92": [[392, 405]], "DOMAIN: storagecache.dev": [[410, 426]], "URL: hxxps://cdn-sync.club/admin/config": [[448, 482]], "FILEPATH: C:\\Users\\admin\\Downloads\\helper.sh": [[523, 557]], "HASH: 65122039aee6350f3fdeea834e0c3fee": [[564, 596]]}, "info": {"id": "synth_v2_01673", "source": "synthetic_v2"}} +{"text": "Blog Post by Mandiant: Tracking Granite Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2023-14679 against Microsoft Exchange deployments. The initial access vector involves spear-phishing emails from finance@auth-check.org delivering Ryuk. Post-compromise, the attackers deploy Vidar and use Merlin for reconnaissance. C2 infrastructure includes 192.126.68.155 and relaysync.info. A staging server at hxxp://datadata.link/collect hosts additional tooling. 
Key artifact: C:\\Windows\\Tasks\\loader.exe (SHA1: f69f98fb65d36fd0522ccb3423b014eadd93443f).", "spans": {"ORGANIZATION: Mandiant": [[13, 21]], "THREAT_ACTOR: Granite Typhoon": [[32, 47]], "CVE_ID: CVE-2023-14679": [[127, 141]], "SYSTEM: Microsoft Exchange": [[150, 168]], "EMAIL: finance@auth-check.org": [[244, 266]], "MALWARE: Ryuk": [[278, 282]], "MALWARE: Vidar": [[322, 327]], "TOOL: Merlin": [[336, 342]], "IP_ADDRESS: 192.126.68.155": [[390, 404]], "DOMAIN: relaysync.info": [[409, 423]], "URL: hxxp://datadata.link/collect": [[445, 473]], "FILEPATH: C:\\Windows\\Tasks\\loader.exe": [[514, 541]], "HASH: f69f98fb65d36fd0522ccb3423b014eadd93443f": [[549, 589]]}, "info": {"id": "synth_v2_01674", "source": "synthetic_v2"}} +{"text": "Blog Post by Dragos: Tracking Diamond Sleet's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-16140 against Apache Struts deployments. The initial access vector involves spear-phishing emails from admin@identity-verify.cc delivering Qbot. Post-compromise, the attackers deploy Gootloader and use Mythic for reconnaissance. C2 infrastructure includes 117.66.134.163 and syncstatic.online. A staging server at https://node-cloud.top/api/v2/auth hosts additional tooling. 
Key artifact: C:\\Windows\\Tasks\\chrome_helper.exe (SHA1: fc50811066b2f355af4c6ae549069673388a2a44).", "spans": {"ORGANIZATION: Dragos": [[13, 19]], "THREAT_ACTOR: Diamond Sleet": [[30, 43]], "CVE_ID: CVE-2020-16140": [[123, 137]], "SYSTEM: Apache Struts": [[146, 159]], "EMAIL: admin@identity-verify.cc": [[235, 259]], "MALWARE: Qbot": [[271, 275]], "MALWARE: Gootloader": [[315, 325]], "TOOL: Mythic": [[334, 340]], "IP_ADDRESS: 117.66.134.163": [[388, 402]], "DOMAIN: syncstatic.online": [[407, 424]], "URL: https://node-cloud.top/api/v2/auth": [[446, 480]], "FILEPATH: C:\\Windows\\Tasks\\chrome_helper.exe": [[521, 555]], "HASH: fc50811066b2f355af4c6ae549069673388a2a44": [[563, 603]]}, "info": {"id": "synth_v2_01675", "source": "synthetic_v2"}} +{"text": "Blog Post by CrowdStrike: Tracking APT29's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2023-26043 against Apache Struts deployments. The initial access vector involves spear-phishing emails from report@credential-check.site delivering StealC. Post-compromise, the attackers deploy DanaBot and use Brute Ratel for reconnaissance. C2 infrastructure includes 192.84.126.17 and synclogin.net. A staging server at https://node-login.site/panel/index.html hosts additional tooling. 
Key artifact: C:\\Users\\admin\\AppData\\Local\\Temp\\config.dat (MD5: 3d37895893ef3073f50b7b10cf034470).", "spans": {"ORGANIZATION: CrowdStrike": [[13, 24]], "THREAT_ACTOR: APT29": [[35, 40]], "CVE_ID: CVE-2023-26043": [[120, 134]], "SYSTEM: Apache Struts": [[143, 156]], "EMAIL: report@credential-check.site": [[232, 260]], "MALWARE: StealC": [[272, 278]], "MALWARE: DanaBot": [[318, 325]], "TOOL: Brute Ratel": [[334, 345]], "IP_ADDRESS: 192.84.126.17": [[393, 406]], "DOMAIN: synclogin.net": [[411, 424]], "URL: https://node-login.site/panel/index.html": [[446, 486]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\config.dat": [[527, 571]], "HASH: 3d37895893ef3073f50b7b10cf034470": [[578, 610]]}, "info": {"id": "synth_v2_01676", "source": "synthetic_v2"}} +{"text": "Blog Post by Trend Micro: Tracking Charming Kitten's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2024-27546 against Ivanti Connect Secure deployments. The initial access vector involves spear-phishing emails from billing@mail-service.info delivering Lumma Stealer. Post-compromise, the attackers deploy IcedID and use Mimikatz for reconnaissance. C2 infrastructure includes 145.45.185.197 and datasync.top. A staging server at hxxp://portalmail.net/wp-content/uploads/doc.php hosts additional tooling. 
Key artifact: /usr/local/bin/update.dll (MD5: 74c2735811bcfaee412e6e4287e94239).", "spans": {"ORGANIZATION: Trend Micro": [[13, 24]], "THREAT_ACTOR: Charming Kitten": [[35, 50]], "CVE_ID: CVE-2024-27546": [[130, 144]], "SYSTEM: Ivanti Connect Secure": [[153, 174]], "EMAIL: billing@mail-service.info": [[250, 275]], "MALWARE: Lumma Stealer": [[287, 300]], "MALWARE: IcedID": [[340, 346]], "TOOL: Mimikatz": [[355, 363]], "IP_ADDRESS: 145.45.185.197": [[411, 425]], "DOMAIN: datasync.top": [[430, 442]], "URL: hxxp://portalmail.net/wp-content/uploads/doc.php": [[464, 512]], "FILEPATH: /usr/local/bin/update.dll": [[553, 578]], "HASH: 74c2735811bcfaee412e6e4287e94239": [[585, 617]]}, "info": {"id": "synth_v2_01677", "source": "synthetic_v2"}} +{"text": "Blog Post by Secureworks: Tracking Salt Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-19144 against SonicWall SMA deployments. The initial access vector involves spear-phishing emails from verify@login-portal.tech delivering ShadowPad. Post-compromise, the attackers deploy TrickBot and use LaZagne for reconnaissance. C2 infrastructure includes 10.122.168.157 and datastorage.dev. A staging server at https://edgesync.live/collect hosts additional tooling. 
Key artifact: C:\\Users\\Public\\Documents\\payload.bin (SHA256: f21e2efc94a9585f7160f4482c09ad8392a664e33b64dc12abf13035cbd7be85).", "spans": {"ORGANIZATION: Secureworks": [[13, 24]], "THREAT_ACTOR: Salt Typhoon": [[35, 47]], "CVE_ID: CVE-2020-19144": [[127, 141]], "SYSTEM: SonicWall SMA": [[150, 163]], "EMAIL: verify@login-portal.tech": [[239, 263]], "MALWARE: ShadowPad": [[275, 284]], "MALWARE: TrickBot": [[324, 332]], "TOOL: LaZagne": [[341, 348]], "IP_ADDRESS: 10.122.168.157": [[396, 410]], "DOMAIN: datastorage.dev": [[415, 430]], "URL: https://edgesync.live/collect": [[452, 481]], "FILEPATH: C:\\Users\\Public\\Documents\\payload.bin": [[522, 559]], "HASH: f21e2efc94a9585f7160f4482c09ad8392a664e33b64dc12abf13035cbd7be85": [[569, 633]]}, "info": {"id": "synth_v2_01678", "source": "synthetic_v2"}} +{"text": "Blog Post by NSA: Tracking Turla's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-11739 against Fortinet FortiGate deployments. The initial access vector involves spear-phishing emails from updates@phishing-domain.com delivering IcedID. Post-compromise, the attackers deploy Ryuk and use GhostPack for reconnaissance. C2 infrastructure includes 79.77.48.249 and storage-sync.info. A staging server at hxxp://edgenode.cc/gate.php hosts additional tooling. 
Key artifact: /dev/shm/update.dll (SHA1: b6072cb9c6ef921e4560795c34f2bd35ef7ae5ab).", "spans": {"ORGANIZATION: NSA": [[13, 16]], "THREAT_ACTOR: Turla": [[27, 32]], "CVE_ID: CVE-2020-11739": [[112, 126]], "SYSTEM: Fortinet FortiGate": [[135, 153]], "EMAIL: updates@phishing-domain.com": [[229, 256]], "MALWARE: IcedID": [[268, 274]], "MALWARE: Ryuk": [[314, 318]], "TOOL: GhostPack": [[327, 336]], "IP_ADDRESS: 79.77.48.249": [[384, 396]], "DOMAIN: storage-sync.info": [[401, 418]], "URL: hxxp://edgenode.cc/gate.php": [[440, 467]], "FILEPATH: /dev/shm/update.dll": [[508, 527]], "HASH: b6072cb9c6ef921e4560795c34f2bd35ef7ae5ab": [[535, 575]]}, "info": {"id": "synth_v2_01679", "source": "synthetic_v2"}} +{"text": "Blog Post by SentinelOne: Tracking Salt Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2024-35928 against Windows Server 2019 deployments. The initial access vector involves spear-phishing emails from admin@credential-check.site delivering TrickBot. Post-compromise, the attackers deploy PlugX and use Mimikatz for reconnaissance. C2 infrastructure includes 34.197.111.48 and portalsecure.dev. A staging server at https://cloudlogin.site/gate.php hosts additional tooling. 
Key artifact: C:\\Users\\admin\\AppData\\Local\\Temp\\backdoor.elf (SHA256: 21c6009812e29c0115d91c20b55be492cab84bd4484dd4a121ea75b03b1f8563).", "spans": {"ORGANIZATION: SentinelOne": [[13, 24]], "THREAT_ACTOR: Salt Typhoon": [[35, 47]], "CVE_ID: CVE-2024-35928": [[127, 141]], "SYSTEM: Windows Server 2019": [[150, 169]], "EMAIL: admin@credential-check.site": [[245, 272]], "MALWARE: TrickBot": [[284, 292]], "MALWARE: PlugX": [[332, 337]], "TOOL: Mimikatz": [[346, 354]], "IP_ADDRESS: 34.197.111.48": [[402, 415]], "DOMAIN: portalsecure.dev": [[420, 436]], "URL: https://cloudlogin.site/gate.php": [[458, 490]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\backdoor.elf": [[531, 577]], "HASH: 21c6009812e29c0115d91c20b55be492cab84bd4484dd4a121ea75b03b1f8563": [[587, 651]]}, "info": {"id": "synth_v2_01680", "source": "synthetic_v2"}} +{"text": "Blog Post by Volexity: Tracking Ember Bear's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2023-34911 against Zyxel USG deployments. The initial access vector involves spear-phishing emails from it@mail-service.info delivering Cobalt Strike. Post-compromise, the attackers deploy Amadey and use LaZagne for reconnaissance. C2 infrastructure includes 127.168.83.180 and static-cache.cc. A staging server at hxxps://cloudportal.cc/panel/index.html hosts additional tooling. 
Key artifact: /usr/local/bin/taskhost.exe (MD5: a7f5198a88f102acbd79016294f39965).", "spans": {"ORGANIZATION: Volexity": [[13, 21]], "THREAT_ACTOR: Ember Bear": [[32, 42]], "CVE_ID: CVE-2023-34911": [[122, 136]], "SYSTEM: Zyxel USG": [[145, 154]], "EMAIL: it@mail-service.info": [[230, 250]], "MALWARE: Cobalt Strike": [[262, 275]], "MALWARE: Amadey": [[315, 321]], "TOOL: LaZagne": [[330, 337]], "IP_ADDRESS: 127.168.83.180": [[385, 399]], "DOMAIN: static-cache.cc": [[404, 419]], "URL: hxxps://cloudportal.cc/panel/index.html": [[441, 480]], "FILEPATH: /usr/local/bin/taskhost.exe": [[521, 548]], "HASH: a7f5198a88f102acbd79016294f39965": [[555, 587]]}, "info": {"id": "synth_v2_01681", "source": "synthetic_v2"}} +{"text": "Blog Post by Qualys: Tracking Star Blizzard's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2022-28965 against Juniper SRX deployments. The initial access vector involves spear-phishing emails from finance@credential-check.site delivering Lumma Stealer. Post-compromise, the attackers deploy WarmCookie and use PowerView for reconnaissance. C2 infrastructure includes 116.78.84.103 and static-update.net. A staging server at https://mailauth.tech/download/update.exe hosts additional tooling. 
Key artifact: /dev/shm/taskhost.exe (MD5: 70dd20910ea8ca618bbab1a21f2bfc6b).", "spans": {"ORGANIZATION: Qualys": [[13, 19]], "THREAT_ACTOR: Star Blizzard": [[30, 43]], "CVE_ID: CVE-2022-28965": [[123, 137]], "SYSTEM: Juniper SRX": [[146, 157]], "EMAIL: finance@credential-check.site": [[233, 262]], "MALWARE: Lumma Stealer": [[274, 287]], "MALWARE: WarmCookie": [[327, 337]], "TOOL: PowerView": [[346, 355]], "IP_ADDRESS: 116.78.84.103": [[403, 416]], "DOMAIN: static-update.net": [[421, 438]], "URL: https://mailauth.tech/download/update.exe": [[460, 501]], "FILEPATH: /dev/shm/taskhost.exe": [[542, 563]], "HASH: 70dd20910ea8ca618bbab1a21f2bfc6b": [[570, 602]]}, "info": {"id": "synth_v2_01682", "source": "synthetic_v2"}} +{"text": "Blog Post by SentinelOne: Tracking UNC2452's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2022-47837 against Ubuntu 22.04 deployments. The initial access vector involves spear-phishing emails from updates@identity-verify.cc delivering NjRAT. Post-compromise, the attackers deploy Play and use SharpHound for reconnaissance. C2 infrastructure includes 147.116.36.204 and backup-proxy.tech. A staging server at http://apistatic.live/assets/js/payload.js hosts additional tooling. 
Key artifact: /etc/cron.d/update.dll (SHA256: e73933255becf68ad00ae575b3d1faca7fd7cee34dce962e9599d2116ca8af14).", "spans": {"ORGANIZATION: SentinelOne": [[13, 24]], "THREAT_ACTOR: UNC2452": [[35, 42]], "CVE_ID: CVE-2022-47837": [[122, 136]], "SYSTEM: Ubuntu 22.04": [[145, 157]], "EMAIL: updates@identity-verify.cc": [[233, 259]], "MALWARE: NjRAT": [[271, 276]], "MALWARE: Play": [[316, 320]], "TOOL: SharpHound": [[329, 339]], "IP_ADDRESS: 147.116.36.204": [[387, 401]], "DOMAIN: backup-proxy.tech": [[406, 423]], "URL: http://apistatic.live/assets/js/payload.js": [[445, 487]], "FILEPATH: /etc/cron.d/update.dll": [[528, 550]], "HASH: e73933255becf68ad00ae575b3d1faca7fd7cee34dce962e9599d2116ca8af14": [[560, 624]]}, "info": {"id": "synth_v2_01683", "source": "synthetic_v2"}} +{"text": "Blog Post by Microsoft MSRC: Tracking Kimsuky's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2026-10752 against Juniper SRX deployments. The initial access vector involves spear-phishing emails from billing@secure-verify.net delivering TrickBot. Post-compromise, the attackers deploy Cobalt Strike and use Rubeus for reconnaissance. C2 infrastructure includes 79.182.237.15 and mail-auth.top. A staging server at hxxps://storage-data.io/admin/config hosts additional tooling. 
Key artifact: C:\\Windows\\Temp\\winlogon.exe (MD5: 27afbab1489189858e21ef5430071707).", "spans": {"ORGANIZATION: Microsoft MSRC": [[13, 27]], "THREAT_ACTOR: Kimsuky": [[38, 45]], "CVE_ID: CVE-2026-10752": [[125, 139]], "SYSTEM: Juniper SRX": [[148, 159]], "EMAIL: billing@secure-verify.net": [[235, 260]], "MALWARE: TrickBot": [[272, 280]], "MALWARE: Cobalt Strike": [[320, 333]], "TOOL: Rubeus": [[342, 348]], "IP_ADDRESS: 79.182.237.15": [[396, 409]], "DOMAIN: mail-auth.top": [[414, 427]], "URL: hxxps://storage-data.io/admin/config": [[449, 485]], "FILEPATH: C:\\Windows\\Temp\\winlogon.exe": [[526, 554]], "HASH: 27afbab1489189858e21ef5430071707": [[561, 593]]}, "info": {"id": "synth_v2_01684", "source": "synthetic_v2"}} +{"text": "Blog Post by Symantec: Tracking Sandworm's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2022-22601 against Fortinet FortiGate deployments. The initial access vector involves spear-phishing emails from security@mail-service.info delivering Qbot. Post-compromise, the attackers deploy Raccoon Stealer and use ADFind for reconnaissance. C2 infrastructure includes 163.85.254.74 and securesecure.site. A staging server at hxxps://storagecloud.net/assets/js/payload.js hosts additional tooling. 
Key artifact: /tmp/dropper.ps1 (MD5: 3e8d2c9daa7ba7756b00bb39e9ef4793).", "spans": {"ORGANIZATION: Symantec": [[13, 21]], "THREAT_ACTOR: Sandworm": [[32, 40]], "CVE_ID: CVE-2022-22601": [[120, 134]], "SYSTEM: Fortinet FortiGate": [[143, 161]], "EMAIL: security@mail-service.info": [[237, 263]], "MALWARE: Qbot": [[275, 279]], "MALWARE: Raccoon Stealer": [[319, 334]], "TOOL: ADFind": [[343, 349]], "IP_ADDRESS: 163.85.254.74": [[397, 410]], "DOMAIN: securesecure.site": [[415, 432]], "URL: hxxps://storagecloud.net/assets/js/payload.js": [[454, 499]], "FILEPATH: /tmp/dropper.ps1": [[540, 556]], "HASH: 3e8d2c9daa7ba7756b00bb39e9ef4793": [[563, 595]]}, "info": {"id": "synth_v2_01685", "source": "synthetic_v2"}} +{"text": "Blog Post by FBI: Tracking Mustang Panda's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2025-17185 against Progress Telerik deployments. The initial access vector involves spear-phishing emails from notification@identity-verify.cc delivering TrickBot. Post-compromise, the attackers deploy PlugX and use Hashcat for reconnaissance. C2 infrastructure includes 192.49.158.221 and syncstatic.info. A staging server at https://cache-cache.site/secure/token hosts additional tooling. 
Key artifact: C:\\Users\\admin\\Downloads\\backdoor.elf (SHA1: b8dff9a2b96073d6395542613017755c30e37bc6).", "spans": {"ORGANIZATION: FBI": [[13, 16]], "THREAT_ACTOR: Mustang Panda": [[27, 40]], "CVE_ID: CVE-2025-17185": [[120, 134]], "SYSTEM: Progress Telerik": [[143, 159]], "EMAIL: notification@identity-verify.cc": [[235, 266]], "MALWARE: TrickBot": [[278, 286]], "MALWARE: PlugX": [[326, 331]], "TOOL: Hashcat": [[340, 347]], "IP_ADDRESS: 192.49.158.221": [[395, 409]], "DOMAIN: syncstatic.info": [[414, 429]], "URL: https://cache-cache.site/secure/token": [[451, 488]], "FILEPATH: C:\\Users\\admin\\Downloads\\backdoor.elf": [[529, 566]], "HASH: b8dff9a2b96073d6395542613017755c30e37bc6": [[574, 614]]}, "info": {"id": "synth_v2_01686", "source": "synthetic_v2"}} +{"text": "Blog Post by Zscaler ThreatLabz: Tracking Sandworm's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2021-16078 against F5 BIG-IP deployments. The initial access vector involves spear-phishing emails from it@secure-verify.net delivering Latrodectus. Post-compromise, the attackers deploy SystemBC and use Mimikatz for reconnaissance. C2 infrastructure includes 171.38.181.116 and gateway-node.tech. A staging server at hxxps://relay-cdn.tech/panel/index.html hosts additional tooling. 
Key artifact: C:\\Users\\Public\\Documents\\svchost.exe (SHA256: bb4efe2e12bf7505f7f91edadc0d27aae5e82ba1d209eba49a4f548545869d2f).", "spans": {"ORGANIZATION: Zscaler ThreatLabz": [[13, 31]], "THREAT_ACTOR: Sandworm": [[42, 50]], "CVE_ID: CVE-2021-16078": [[130, 144]], "SYSTEM: F5 BIG-IP": [[153, 162]], "EMAIL: it@secure-verify.net": [[238, 258]], "MALWARE: Latrodectus": [[270, 281]], "MALWARE: SystemBC": [[321, 329]], "TOOL: Mimikatz": [[338, 346]], "IP_ADDRESS: 171.38.181.116": [[394, 408]], "DOMAIN: gateway-node.tech": [[413, 430]], "URL: hxxps://relay-cdn.tech/panel/index.html": [[452, 491]], "FILEPATH: C:\\Users\\Public\\Documents\\svchost.exe": [[532, 569]], "HASH: bb4efe2e12bf7505f7f91edadc0d27aae5e82ba1d209eba49a4f548545869d2f": [[579, 643]]}, "info": {"id": "synth_v2_01687", "source": "synthetic_v2"}} +{"text": "Blog Post by Cisco Talos: Tracking Lazarus Group's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2021-24110 against Windows Server 2019 deployments. The initial access vector involves spear-phishing emails from service@phishing-domain.com delivering WarmCookie. Post-compromise, the attackers deploy XLoader and use Brute Ratel for reconnaissance. C2 infrastructure includes 91.53.140.72 and gatewaygateway.dev. A staging server at http://static-gateway.link/assets/js/payload.js hosts additional tooling. 
Key artifact: C:\\ProgramData\\winlogon.exe (MD5: b47838070e7f78158b7f031cc072dcdf).", "spans": {"ORGANIZATION: Cisco Talos": [[13, 24]], "THREAT_ACTOR: Lazarus Group": [[35, 48]], "CVE_ID: CVE-2021-24110": [[128, 142]], "SYSTEM: Windows Server 2019": [[151, 170]], "EMAIL: service@phishing-domain.com": [[246, 273]], "MALWARE: WarmCookie": [[285, 295]], "MALWARE: XLoader": [[335, 342]], "TOOL: Brute Ratel": [[351, 362]], "IP_ADDRESS: 91.53.140.72": [[410, 422]], "DOMAIN: gatewaygateway.dev": [[427, 445]], "URL: http://static-gateway.link/assets/js/payload.js": [[467, 514]], "FILEPATH: C:\\ProgramData\\winlogon.exe": [[555, 582]], "HASH: b47838070e7f78158b7f031cc072dcdf": [[589, 621]]}, "info": {"id": "synth_v2_01688", "source": "synthetic_v2"}} +{"text": "Blog Post by Mandiant: Tracking Forest Blizzard's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-17296 against Ubuntu 22.04 deployments. The initial access vector involves spear-phishing emails from noreply@document-share.link delivering SystemBC. Post-compromise, the attackers deploy BumbleBee and use Nmap for reconnaissance. C2 infrastructure includes 10.200.190.88 and portalbackup.online. A staging server at http://gatewayportal.tech/wp-content/uploads/doc.php hosts additional tooling. 
Key artifact: /dev/shm/beacon.dll (SHA1: 846df4951162758077eac1d0119b39dfdb40c0ae).", "spans": {"ORGANIZATION: Mandiant": [[13, 21]], "THREAT_ACTOR: Forest Blizzard": [[32, 47]], "CVE_ID: CVE-2020-17296": [[127, 141]], "SYSTEM: Ubuntu 22.04": [[150, 162]], "EMAIL: noreply@document-share.link": [[238, 265]], "MALWARE: SystemBC": [[277, 285]], "MALWARE: BumbleBee": [[325, 334]], "TOOL: Nmap": [[343, 347]], "IP_ADDRESS: 10.200.190.88": [[395, 408]], "DOMAIN: portalbackup.online": [[413, 432]], "URL: http://gatewayportal.tech/wp-content/uploads/doc.php": [[454, 506]], "FILEPATH: /dev/shm/beacon.dll": [[547, 566]], "HASH: 846df4951162758077eac1d0119b39dfdb40c0ae": [[574, 614]]}, "info": {"id": "synth_v2_01689", "source": "synthetic_v2"}} +{"text": "Blog Post by Trend Micro: Tracking Lazarus Group's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2025-43392 against Juniper SRX deployments. The initial access vector involves spear-phishing emails from admin@identity-verify.cc delivering QakBot. Post-compromise, the attackers deploy NjRAT and use Mimikatz for reconnaissance. C2 infrastructure includes 158.10.77.62 and cdn-static.link. A staging server at https://gatewaysecure.net/assets/js/payload.js hosts additional tooling. 
Key artifact: C:\\Users\\Public\\Documents\\lsass.dmp (MD5: 0e3aa6691ef076ee77a8deb95b559e6e).", "spans": {"ORGANIZATION: Trend Micro": [[13, 24]], "THREAT_ACTOR: Lazarus Group": [[35, 48]], "CVE_ID: CVE-2025-43392": [[128, 142]], "SYSTEM: Juniper SRX": [[151, 162]], "EMAIL: admin@identity-verify.cc": [[238, 262]], "MALWARE: QakBot": [[274, 280]], "MALWARE: NjRAT": [[320, 325]], "TOOL: Mimikatz": [[334, 342]], "IP_ADDRESS: 158.10.77.62": [[390, 402]], "DOMAIN: cdn-static.link": [[407, 422]], "URL: https://gatewaysecure.net/assets/js/payload.js": [[444, 490]], "FILEPATH: C:\\Users\\Public\\Documents\\lsass.dmp": [[531, 566]], "HASH: 0e3aa6691ef076ee77a8deb95b559e6e": [[573, 605]]}, "info": {"id": "synth_v2_01690", "source": "synthetic_v2"}} +{"text": "Blog Post by Tenable: Tracking Scattered Spider's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-26049 against Atlassian Confluence deployments. The initial access vector involves spear-phishing emails from service@secure-verify.net delivering Play. Post-compromise, the attackers deploy ShadowPad and use PsExec for reconnaissance. C2 infrastructure includes 172.84.0.244 and nodeapi.top. A staging server at hxxps://logincache.xyz/collect hosts additional tooling. 
Key artifact: /etc/cron.d/update.dll (SHA1: 62f7316c6465a4675d457101dd9a70c5db65c6df).", "spans": {"ORGANIZATION: Tenable": [[13, 20]], "THREAT_ACTOR: Scattered Spider": [[31, 47]], "CVE_ID: CVE-2020-26049": [[127, 141]], "SYSTEM: Atlassian Confluence": [[150, 170]], "EMAIL: service@secure-verify.net": [[246, 271]], "MALWARE: Play": [[283, 287]], "MALWARE: ShadowPad": [[327, 336]], "TOOL: PsExec": [[345, 351]], "IP_ADDRESS: 172.84.0.244": [[399, 411]], "DOMAIN: nodeapi.top": [[416, 427]], "URL: hxxps://logincache.xyz/collect": [[449, 479]], "FILEPATH: /etc/cron.d/update.dll": [[520, 542]], "HASH: 62f7316c6465a4675d457101dd9a70c5db65c6df": [[550, 590]]}, "info": {"id": "synth_v2_01691", "source": "synthetic_v2"}} +{"text": "Blog Post by FBI: Tracking Kimsuky's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2021-28210 against Cisco ASA deployments. The initial access vector involves spear-phishing emails from contact@login-portal.tech delivering QakBot. Post-compromise, the attackers deploy XLoader and use Ligolo for reconnaissance. C2 infrastructure includes 10.221.235.15 and cachecdn.info. A staging server at http://auth-relay.top/gate.php hosts additional tooling. 
Key artifact: C:\\Users\\Public\\Documents\\implant.so (SHA1: d13190cb27fde58318b4ccafeae44ea90538f4bc).", "spans": {"ORGANIZATION: FBI": [[13, 16]], "THREAT_ACTOR: Kimsuky": [[27, 34]], "CVE_ID: CVE-2021-28210": [[114, 128]], "SYSTEM: Cisco ASA": [[137, 146]], "EMAIL: contact@login-portal.tech": [[222, 247]], "MALWARE: QakBot": [[259, 265]], "MALWARE: XLoader": [[305, 312]], "TOOL: Ligolo": [[321, 327]], "IP_ADDRESS: 10.221.235.15": [[375, 388]], "DOMAIN: cachecdn.info": [[393, 406]], "URL: http://auth-relay.top/gate.php": [[428, 458]], "FILEPATH: C:\\Users\\Public\\Documents\\implant.so": [[499, 535]], "HASH: d13190cb27fde58318b4ccafeae44ea90538f4bc": [[543, 583]]}, "info": {"id": "synth_v2_01692", "source": "synthetic_v2"}} +{"text": "Blog Post by Europol: Tracking TA505's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2024-26162 against Windows 11 deployments. The initial access vector involves spear-phishing emails from finance@credential-check.site delivering FormBook. Post-compromise, the attackers deploy PlugX and use BloodHound for reconnaissance. C2 infrastructure includes 70.215.35.221 and login-static.live. A staging server at http://update-node.top/panel/index.html hosts additional tooling. 
Key artifact: C:\\Windows\\Tasks\\shell.php (SHA1: 41d31268b85e7e1e9c57dd4dd2f79111ffdc26d4).", "spans": {"ORGANIZATION: Europol": [[13, 20]], "THREAT_ACTOR: TA505": [[31, 36]], "CVE_ID: CVE-2024-26162": [[116, 130]], "SYSTEM: Windows 11": [[139, 149]], "EMAIL: finance@credential-check.site": [[225, 254]], "MALWARE: FormBook": [[266, 274]], "MALWARE: PlugX": [[314, 319]], "TOOL: BloodHound": [[328, 338]], "IP_ADDRESS: 70.215.35.221": [[386, 399]], "DOMAIN: login-static.live": [[404, 421]], "URL: http://update-node.top/panel/index.html": [[443, 482]], "FILEPATH: C:\\Windows\\Tasks\\shell.php": [[523, 549]], "HASH: 41d31268b85e7e1e9c57dd4dd2f79111ffdc26d4": [[557, 597]]}, "info": {"id": "synth_v2_01693", "source": "synthetic_v2"}} +{"text": "Blog Post by NCSC: Tracking Charming Kitten's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2022-13003 against Zyxel USG deployments. The initial access vector involves spear-phishing emails from updates@secure-verify.net delivering BatLoader. Post-compromise, the attackers deploy LockBit and use Nmap for reconnaissance. C2 infrastructure includes 160.206.200.138 and securerelay.info. A staging server at hxxps://data-update.live/collect hosts additional tooling. 
Key artifact: /opt/app/bin/backdoor.elf (SHA1: 315478fbf0054e6539d6286bb4ca81ff0da02243).", "spans": {"ORGANIZATION: NCSC": [[13, 17]], "THREAT_ACTOR: Charming Kitten": [[28, 43]], "CVE_ID: CVE-2022-13003": [[123, 137]], "SYSTEM: Zyxel USG": [[146, 155]], "EMAIL: updates@secure-verify.net": [[231, 256]], "MALWARE: BatLoader": [[268, 277]], "MALWARE: LockBit": [[317, 324]], "TOOL: Nmap": [[333, 337]], "IP_ADDRESS: 160.206.200.138": [[385, 400]], "DOMAIN: securerelay.info": [[405, 421]], "URL: hxxps://data-update.live/collect": [[443, 475]], "FILEPATH: /opt/app/bin/backdoor.elf": [[516, 541]], "HASH: 315478fbf0054e6539d6286bb4ca81ff0da02243": [[549, 589]]}, "info": {"id": "synth_v2_01694", "source": "synthetic_v2"}} +{"text": "Blog Post by FBI: Tracking Flax Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-24628 against VMware ESXi deployments. The initial access vector involves spear-phishing emails from confirm@account-update.xyz delivering NjRAT. Post-compromise, the attackers deploy Lumma Stealer and use Chisel for reconnaissance. C2 infrastructure includes 10.196.231.220 and api-api.live. A staging server at hxxps://portalrelay.link/portal/verify hosts additional tooling. 
Key artifact: C:\\Users\\admin\\Downloads\\agent.py (SHA256: 3c3deb7e338cea435e350ca3325a518989350d5dcba27d6935fdd1b24d499102).", "spans": {"ORGANIZATION: FBI": [[13, 16]], "THREAT_ACTOR: Flax Typhoon": [[27, 39]], "CVE_ID: CVE-2020-24628": [[119, 133]], "SYSTEM: VMware ESXi": [[142, 153]], "EMAIL: confirm@account-update.xyz": [[229, 255]], "MALWARE: NjRAT": [[267, 272]], "MALWARE: Lumma Stealer": [[312, 325]], "TOOL: Chisel": [[334, 340]], "IP_ADDRESS: 10.196.231.220": [[388, 402]], "DOMAIN: api-api.live": [[407, 419]], "URL: hxxps://portalrelay.link/portal/verify": [[441, 479]], "FILEPATH: C:\\Users\\admin\\Downloads\\agent.py": [[520, 553]], "HASH: 3c3deb7e338cea435e350ca3325a518989350d5dcba27d6935fdd1b24d499102": [[563, 627]]}, "info": {"id": "synth_v2_01695", "source": "synthetic_v2"}} +{"text": "Blog Post by Huntress: Tracking Flax Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2021-32298 against Microsoft Exchange deployments. The initial access vector involves spear-phishing emails from info@login-portal.tech delivering Vidar. Post-compromise, the attackers deploy AsyncRAT and use ADFind for reconnaissance. C2 infrastructure includes 21.215.166.15 and securecloud.top. A staging server at hxxp://mail-cache.site/gate.php hosts additional tooling. 
Key artifact: C:\\Users\\Public\\Documents\\implant.so (SHA1: 81030b00adeb025115d1d899224d623d16e4eda8).", "spans": {"ORGANIZATION: Huntress": [[13, 21]], "THREAT_ACTOR: Flax Typhoon": [[32, 44]], "CVE_ID: CVE-2021-32298": [[124, 138]], "SYSTEM: Microsoft Exchange": [[147, 165]], "EMAIL: info@login-portal.tech": [[241, 263]], "MALWARE: Vidar": [[275, 280]], "MALWARE: AsyncRAT": [[320, 328]], "TOOL: ADFind": [[337, 343]], "IP_ADDRESS: 21.215.166.15": [[391, 404]], "DOMAIN: securecloud.top": [[409, 424]], "URL: hxxp://mail-cache.site/gate.php": [[446, 477]], "FILEPATH: C:\\Users\\Public\\Documents\\implant.so": [[518, 554]], "HASH: 81030b00adeb025115d1d899224d623d16e4eda8": [[562, 602]]}, "info": {"id": "synth_v2_01696", "source": "synthetic_v2"}} +{"text": "Blog Post by Recorded Future: Tracking BlackTech's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-46781 against Microsoft Exchange deployments. The initial access vector involves spear-phishing emails from confirm@secure-verify.net delivering Ryuk. Post-compromise, the attackers deploy BatLoader and use LinPEAS for reconnaissance. C2 infrastructure includes 207.11.13.71 and staticcdn.info. A staging server at https://backupbackup.cc/login hosts additional tooling. 
Key artifact: /opt/app/bin/taskhost.exe (MD5: bc3271d17871dbb1587a76ec7ab97d36).", "spans": {"ORGANIZATION: Recorded Future": [[13, 28]], "THREAT_ACTOR: BlackTech": [[39, 48]], "CVE_ID: CVE-2020-46781": [[128, 142]], "SYSTEM: Microsoft Exchange": [[151, 169]], "EMAIL: confirm@secure-verify.net": [[245, 270]], "MALWARE: Ryuk": [[282, 286]], "MALWARE: BatLoader": [[326, 335]], "TOOL: LinPEAS": [[344, 351]], "IP_ADDRESS: 207.11.13.71": [[399, 411]], "DOMAIN: staticcdn.info": [[416, 430]], "URL: https://backupbackup.cc/login": [[452, 481]], "FILEPATH: /opt/app/bin/taskhost.exe": [[522, 547]], "HASH: bc3271d17871dbb1587a76ec7ab97d36": [[554, 586]]}, "info": {"id": "synth_v2_01697", "source": "synthetic_v2"}} +{"text": "Blog Post by INTERPOL: Tracking Velvet Tempest's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2021-33526 against F5 BIG-IP deployments. The initial access vector involves spear-phishing emails from info@identity-verify.cc delivering Play. Post-compromise, the attackers deploy Meduza Stealer and use Nmap for reconnaissance. C2 infrastructure includes 192.37.82.112 and update-static.io. A staging server at hxxps://cdngateway.live/portal/verify hosts additional tooling. 
Key artifact: C:\\Program Files\\Common Files\\lsass.dmp (MD5: c7394f095e8d98f6c5f6dac12a7134a4).", "spans": {"ORGANIZATION: INTERPOL": [[13, 21]], "THREAT_ACTOR: Velvet Tempest": [[32, 46]], "CVE_ID: CVE-2021-33526": [[126, 140]], "SYSTEM: F5 BIG-IP": [[149, 158]], "EMAIL: info@identity-verify.cc": [[234, 257]], "MALWARE: Play": [[269, 273]], "MALWARE: Meduza Stealer": [[313, 327]], "TOOL: Nmap": [[336, 340]], "IP_ADDRESS: 192.37.82.112": [[388, 401]], "DOMAIN: update-static.io": [[406, 422]], "URL: hxxps://cdngateway.live/portal/verify": [[444, 481]], "FILEPATH: C:\\Program Files\\Common Files\\lsass.dmp": [[522, 561]], "HASH: c7394f095e8d98f6c5f6dac12a7134a4": [[568, 600]]}, "info": {"id": "synth_v2_01698", "source": "synthetic_v2"}} +{"text": "Blog Post by Palo Alto Unit 42: Tracking Kimsuky's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2021-16338 against Progress Telerik deployments. The initial access vector involves spear-phishing emails from admin@mail-service.info delivering Amadey. Post-compromise, the attackers deploy ShadowPad and use PowerView for reconnaissance. C2 infrastructure includes 42.1.209.228 and cdnedge.com. A staging server at hxxp://nodemail.io/portal/verify hosts additional tooling. 
Key artifact: /dev/shm/beacon.dll (SHA1: 4f76f72f17af773f611f913c7ebdd606f37363a9).", "spans": {"ORGANIZATION: Palo Alto Unit 42": [[13, 30]], "THREAT_ACTOR: Kimsuky": [[41, 48]], "CVE_ID: CVE-2021-16338": [[128, 142]], "SYSTEM: Progress Telerik": [[151, 167]], "EMAIL: admin@mail-service.info": [[243, 266]], "MALWARE: Amadey": [[278, 284]], "MALWARE: ShadowPad": [[324, 333]], "TOOL: PowerView": [[342, 351]], "IP_ADDRESS: 42.1.209.228": [[399, 411]], "DOMAIN: cdnedge.com": [[416, 427]], "URL: hxxp://nodemail.io/portal/verify": [[449, 481]], "FILEPATH: /dev/shm/beacon.dll": [[522, 541]], "HASH: 4f76f72f17af773f611f913c7ebdd606f37363a9": [[549, 589]]}, "info": {"id": "synth_v2_01699", "source": "synthetic_v2"}} +{"text": "Blog Post by Secureworks: Tracking Star Blizzard's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2026-40674 against Fortinet FortiGate deployments. The initial access vector involves spear-phishing emails from finance@document-share.link delivering Lumma Stealer. Post-compromise, the attackers deploy RemcosRAT and use WinPEAS for reconnaissance. C2 infrastructure includes 2.17.118.16 and api-mail.net. A staging server at http://apirelay.tech/download/update.exe hosts additional tooling. 
Key artifact: /home/user/.config/sam.hive (SHA256: 914fc1ac0b6232ab3a7ab85bb620ac518ad417b057fa6d8cbb753ea5098a57dd).", "spans": {"ORGANIZATION: Secureworks": [[13, 24]], "THREAT_ACTOR: Star Blizzard": [[35, 48]], "CVE_ID: CVE-2026-40674": [[128, 142]], "SYSTEM: Fortinet FortiGate": [[151, 169]], "EMAIL: finance@document-share.link": [[245, 272]], "MALWARE: Lumma Stealer": [[284, 297]], "MALWARE: RemcosRAT": [[337, 346]], "TOOL: WinPEAS": [[355, 362]], "IP_ADDRESS: 2.17.118.16": [[410, 421]], "DOMAIN: api-mail.net": [[426, 438]], "URL: http://apirelay.tech/download/update.exe": [[460, 500]], "FILEPATH: /home/user/.config/sam.hive": [[541, 568]], "HASH: 914fc1ac0b6232ab3a7ab85bb620ac518ad417b057fa6d8cbb753ea5098a57dd": [[578, 642]]}, "info": {"id": "synth_v2_01700", "source": "synthetic_v2"}} +{"text": "Secureworks detected a multi-stage attack chain. The initial phishing email from security@identity-verify.cc contained a link to https://syncauth.cc/collect. This redirected to https://nodecloud.org/api/v2/auth on proxyproxy.com. A secondary email from account@account-update.xyz pointed to http://api-update.org/wp-content/uploads/doc.php which delivered Hive. The final payload callback was hxxp://sync-static.live/download/update.exe resolving to 192.184.189.68 via cachebackup.live.", "spans": {"ORGANIZATION: Secureworks": [[0, 11]], "EMAIL: security@identity-verify.cc": [[81, 108]], "URL: https://syncauth.cc/collect": [[129, 156]], "URL: https://nodecloud.org/api/v2/auth": [[177, 210]], "DOMAIN: proxyproxy.com": [[214, 228]], "EMAIL: account@account-update.xyz": [[253, 279]], "URL: http://api-update.org/wp-content/uploads/doc.php": [[291, 339]], "MALWARE: Hive": [[356, 360]], "URL: hxxp://sync-static.live/download/update.exe": [[393, 436]], "IP_ADDRESS: 192.184.189.68": [[450, 464]], "DOMAIN: cachebackup.live": [[469, 485]]}, "info": {"id": "synth_v2_01701", "source": "synthetic_v2"}} +{"text": "Microsoft MSRC detected a multi-stage attack chain. 
The initial phishing email from billing@document-share.link contained a link to hxxp://syncedge.link/api/v2/auth. This redirected to hxxps://node-update.net/secure/token on secure-cloud.online. A secondary email from verify@login-portal.tech pointed to https://proxyportal.cc/api/v2/auth which delivered RemcosRAT. The final payload callback was https://authcloud.cc/secure/token resolving to 172.163.85.209 via updatenode.link.", "spans": {"ORGANIZATION: Microsoft MSRC": [[0, 14]], "EMAIL: billing@document-share.link": [[84, 111]], "URL: hxxp://syncedge.link/api/v2/auth": [[132, 164]], "URL: hxxps://node-update.net/secure/token": [[185, 221]], "DOMAIN: secure-cloud.online": [[225, 244]], "EMAIL: verify@login-portal.tech": [[269, 293]], "URL: https://proxyportal.cc/api/v2/auth": [[305, 339]], "MALWARE: RemcosRAT": [[356, 365]], "URL: https://authcloud.cc/secure/token": [[398, 431]], "IP_ADDRESS: 172.163.85.209": [[445, 459]], "DOMAIN: updatenode.link": [[464, 479]]}, "info": {"id": "synth_v2_01702", "source": "synthetic_v2"}} +{"text": "Google TAG detected a multi-stage attack chain. The initial phishing email from account@phishing-domain.com contained a link to https://login-sync.xyz/assets/js/payload.js. This redirected to https://auth-cloud.cc/assets/js/payload.js on update-gateway.club. A secondary email from finance@urgent-notice.online pointed to http://cachegateway.tech/download/update.exe which delivered WarmCookie. 
The final payload callback was hxxp://proxy-cloud.dev/secure/token resolving to 192.149.21.122 via storagestorage.club.", "spans": {"ORGANIZATION: Google TAG": [[0, 10]], "EMAIL: account@phishing-domain.com": [[80, 107]], "URL: https://login-sync.xyz/assets/js/payload.js": [[128, 171]], "URL: https://auth-cloud.cc/assets/js/payload.js": [[192, 234]], "DOMAIN: update-gateway.club": [[238, 257]], "EMAIL: finance@urgent-notice.online": [[282, 310]], "URL: http://cachegateway.tech/download/update.exe": [[322, 366]], "MALWARE: WarmCookie": [[383, 393]], "URL: hxxp://proxy-cloud.dev/secure/token": [[426, 461]], "IP_ADDRESS: 192.149.21.122": [[475, 489]], "DOMAIN: storagestorage.club": [[494, 513]]}, "info": {"id": "synth_v2_01703", "source": "synthetic_v2"}} +{"text": "Cisco Talos detected a multi-stage attack chain. The initial phishing email from billing@secure-verify.net contained a link to https://securemail.club/panel/index.html. This redirected to http://securecache.xyz/login on edgelogin.live. A secondary email from contact@credential-check.site pointed to http://securemail.live/assets/js/payload.js which delivered RedLine Stealer. The final payload callback was hxxps://portal-update.io/secure/token resolving to 218.10.32.22 via gateway-login.link.", "spans": {"ORGANIZATION: Cisco Talos": [[0, 11]], "EMAIL: billing@secure-verify.net": [[81, 106]], "URL: https://securemail.club/panel/index.html": [[127, 167]], "URL: http://securecache.xyz/login": [[188, 216]], "DOMAIN: edgelogin.live": [[220, 234]], "EMAIL: contact@credential-check.site": [[259, 288]], "URL: http://securemail.live/assets/js/payload.js": [[300, 343]], "MALWARE: RedLine Stealer": [[360, 375]], "URL: hxxps://portal-update.io/secure/token": [[408, 445]], "IP_ADDRESS: 218.10.32.22": [[459, 471]], "DOMAIN: gateway-login.link": [[476, 494]]}, "info": {"id": "synth_v2_01704", "source": "synthetic_v2"}} +{"text": "Rapid7 detected a multi-stage attack chain. 
The initial phishing email from helpdesk@document-share.link contained a link to hxxp://relay-update.link/portal/verify. This redirected to https://backup-relay.online/callback on edge-cache.io. A secondary email from service@auth-check.org pointed to hxxp://cloudproxy.net/gate.php which delivered Qbot. The final payload callback was https://updatenode.com/wp-content/uploads/doc.php resolving to 177.186.99.195 via secure-login.top.", "spans": {"ORGANIZATION: Rapid7": [[0, 6]], "EMAIL: helpdesk@document-share.link": [[76, 104]], "URL: hxxp://relay-update.link/portal/verify": [[125, 163]], "URL: https://backup-relay.online/callback": [[184, 220]], "DOMAIN: edge-cache.io": [[224, 237]], "EMAIL: service@auth-check.org": [[262, 284]], "URL: hxxp://cloudproxy.net/gate.php": [[296, 326]], "MALWARE: Qbot": [[343, 347]], "URL: https://updatenode.com/wp-content/uploads/doc.php": [[380, 429]], "IP_ADDRESS: 177.186.99.195": [[443, 457]], "DOMAIN: secure-login.top": [[462, 478]]}, "info": {"id": "synth_v2_01705", "source": "synthetic_v2"}} +{"text": "Zscaler ThreatLabz detected a multi-stage attack chain. The initial phishing email from contact@document-share.link contained a link to hxxps://syncbackup.tech/download/update.exe. This redirected to hxxp://portallogin.org/login on node-cdn.online. A secondary email from notification@login-portal.tech pointed to https://sync-gateway.live/admin/config which delivered Raccoon Stealer. 
The final payload callback was http://logincache.cc/api/v2/auth resolving to 88.38.18.244 via edge-portal.com.", "spans": {"ORGANIZATION: Zscaler ThreatLabz": [[0, 18]], "EMAIL: contact@document-share.link": [[88, 115]], "URL: hxxps://syncbackup.tech/download/update.exe": [[136, 179]], "URL: hxxp://portallogin.org/login": [[200, 228]], "DOMAIN: node-cdn.online": [[232, 247]], "EMAIL: notification@login-portal.tech": [[272, 302]], "URL: https://sync-gateway.live/admin/config": [[314, 352]], "MALWARE: Raccoon Stealer": [[369, 384]], "URL: http://logincache.cc/api/v2/auth": [[417, 449]], "IP_ADDRESS: 88.38.18.244": [[463, 475]], "DOMAIN: edge-portal.com": [[480, 495]]}, "info": {"id": "synth_v2_01706", "source": "synthetic_v2"}} +{"text": "NCSC detected a multi-stage attack chain. The initial phishing email from support@document-share.link contained a link to hxxp://node-login.cc/api/v2/auth. This redirected to http://logincache.io/login on update-mail.site. A secondary email from service@document-share.link pointed to https://secureproxy.io/assets/js/payload.js which delivered REvil. The final payload callback was http://authcdn.xyz/admin/config resolving to 19.71.109.82 via gatewaysecure.tech.", "spans": {"ORGANIZATION: NCSC": [[0, 4]], "EMAIL: support@document-share.link": [[74, 101]], "URL: hxxp://node-login.cc/api/v2/auth": [[122, 154]], "URL: http://logincache.io/login": [[175, 201]], "DOMAIN: update-mail.site": [[205, 221]], "EMAIL: service@document-share.link": [[246, 273]], "URL: https://secureproxy.io/assets/js/payload.js": [[285, 328]], "MALWARE: REvil": [[345, 350]], "URL: http://authcdn.xyz/admin/config": [[383, 414]], "IP_ADDRESS: 19.71.109.82": [[428, 440]], "DOMAIN: gatewaysecure.tech": [[445, 463]]}, "info": {"id": "synth_v2_01707", "source": "synthetic_v2"}} +{"text": "ESET Research detected a multi-stage attack chain. The initial phishing email from verify@credential-check.site contained a link to http://edge-node.link/login. 
This redirected to hxxps://api-update.online/portal/verify on cloudproxy.org. A secondary email from contact@login-portal.tech pointed to hxxp://cloud-portal.com/callback which delivered AsyncRAT. The final payload callback was https://node-storage.io/portal/verify resolving to 10.38.28.206 via cloud-secure.site.", "spans": {"ORGANIZATION: ESET Research": [[0, 13]], "EMAIL: verify@credential-check.site": [[83, 111]], "URL: http://edge-node.link/login": [[132, 159]], "URL: hxxps://api-update.online/portal/verify": [[180, 219]], "DOMAIN: cloudproxy.org": [[223, 237]], "EMAIL: contact@login-portal.tech": [[262, 287]], "URL: hxxp://cloud-portal.com/callback": [[299, 331]], "MALWARE: AsyncRAT": [[348, 356]], "URL: https://node-storage.io/portal/verify": [[389, 426]], "IP_ADDRESS: 10.38.28.206": [[440, 452]], "DOMAIN: cloud-secure.site": [[457, 474]]}, "info": {"id": "synth_v2_01708", "source": "synthetic_v2"}} +{"text": "Recorded Future detected a multi-stage attack chain. The initial phishing email from updates@mail-service.info contained a link to http://datacdn.link/collect. This redirected to https://storageportal.io/download/update.exe on auth-auth.org. A secondary email from service@phishing-domain.com pointed to hxxps://edge-auth.io/api/v2/auth which delivered BlackCat. 
The final payload callback was hxxps://syncrelay.org/assets/js/payload.js resolving to 10.67.108.28 via mailstatic.club.", "spans": {"ORGANIZATION: Recorded Future": [[0, 15]], "EMAIL: updates@mail-service.info": [[85, 110]], "URL: http://datacdn.link/collect": [[131, 158]], "URL: https://storageportal.io/download/update.exe": [[179, 223]], "DOMAIN: auth-auth.org": [[227, 240]], "EMAIL: service@phishing-domain.com": [[265, 292]], "URL: hxxps://edge-auth.io/api/v2/auth": [[304, 336]], "MALWARE: BlackCat": [[353, 361]], "URL: hxxps://syncrelay.org/assets/js/payload.js": [[394, 436]], "IP_ADDRESS: 10.67.108.28": [[450, 462]], "DOMAIN: mailstatic.club": [[467, 482]]}, "info": {"id": "synth_v2_01709", "source": "synthetic_v2"}} +{"text": "CISA detected a multi-stage attack chain. The initial phishing email from confirm@document-share.link contained a link to hxxps://nodeauth.online/portal/verify. This redirected to https://data-login.online/panel/index.html on maillogin.live. A secondary email from alert@phishing-domain.com pointed to hxxp://api-edge.tech/login which delivered IcedID. The final payload callback was https://cloudupdate.live/api/v2/auth resolving to 58.49.21.5 via secureportal.net.", "spans": {"ORGANIZATION: CISA": [[0, 4]], "EMAIL: confirm@document-share.link": [[74, 101]], "URL: hxxps://nodeauth.online/portal/verify": [[122, 159]], "URL: https://data-login.online/panel/index.html": [[180, 222]], "DOMAIN: maillogin.live": [[226, 240]], "EMAIL: alert@phishing-domain.com": [[265, 290]], "URL: hxxp://api-edge.tech/login": [[302, 328]], "MALWARE: IcedID": [[345, 351]], "URL: https://cloudupdate.live/api/v2/auth": [[384, 420]], "IP_ADDRESS: 58.49.21.5": [[434, 444]], "DOMAIN: secureportal.net": [[449, 465]]}, "info": {"id": "synth_v2_01710", "source": "synthetic_v2"}} +{"text": "NCSC detected a multi-stage attack chain. The initial phishing email from updates@credential-check.site contained a link to http://storage-api.xyz/admin/config. 
This redirected to hxxps://login-cloud.io/api/v2/auth on staticportal.net. A secondary email from noreply@credential-check.site pointed to hxxps://relay-cdn.org/collect which delivered DanaBot. The final payload callback was hxxps://static-backup.com/portal/verify resolving to 10.144.186.13 via portal-cdn.dev.", "spans": {"ORGANIZATION: NCSC": [[0, 4]], "EMAIL: updates@credential-check.site": [[74, 103]], "URL: http://storage-api.xyz/admin/config": [[124, 159]], "URL: hxxps://login-cloud.io/api/v2/auth": [[180, 214]], "DOMAIN: staticportal.net": [[218, 234]], "EMAIL: noreply@credential-check.site": [[259, 288]], "URL: hxxps://relay-cdn.org/collect": [[300, 329]], "MALWARE: DanaBot": [[346, 353]], "URL: hxxps://static-backup.com/portal/verify": [[386, 425]], "IP_ADDRESS: 10.144.186.13": [[439, 452]], "DOMAIN: portal-cdn.dev": [[457, 471]]}, "info": {"id": "synth_v2_01711", "source": "synthetic_v2"}} +{"text": "Tenable detected a multi-stage attack chain. The initial phishing email from helpdesk@account-update.xyz contained a link to https://gateway-cloud.club/wp-content/uploads/doc.php. This redirected to hxxps://cloud-mail.com/callback on cdn-mail.top. A secondary email from admin@document-share.link pointed to hxxps://gateway-login.tech/login which delivered Lumma Stealer. 
The final payload callback was hxxps://cachesync.site/gate.php resolving to 114.103.28.222 via storage-auth.xyz.", "spans": {"ORGANIZATION: Tenable": [[0, 7]], "EMAIL: helpdesk@account-update.xyz": [[77, 104]], "URL: https://gateway-cloud.club/wp-content/uploads/doc.php": [[125, 178]], "URL: hxxps://cloud-mail.com/callback": [[199, 230]], "DOMAIN: cdn-mail.top": [[234, 246]], "EMAIL: admin@document-share.link": [[271, 296]], "URL: hxxps://gateway-login.tech/login": [[308, 340]], "MALWARE: Lumma Stealer": [[357, 370]], "URL: hxxps://cachesync.site/gate.php": [[403, 434]], "IP_ADDRESS: 114.103.28.222": [[448, 462]], "DOMAIN: storage-auth.xyz": [[467, 483]]}, "info": {"id": "synth_v2_01712", "source": "synthetic_v2"}} +{"text": "Mandiant detected a multi-stage attack chain. The initial phishing email from admin@phishing-domain.com contained a link to https://backup-update.online/api/v2/auth. This redirected to http://storage-cache.top/callback on data-static.net. A secondary email from confirm@mail-service.info pointed to hxxps://datadata.cc/wp-content/uploads/doc.php which delivered RedLine Stealer. The final payload callback was http://datanode.tech/portal/verify resolving to 172.72.193.125 via nodeupdate.club.", "spans": {"ORGANIZATION: Mandiant": [[0, 8]], "EMAIL: admin@phishing-domain.com": [[78, 103]], "URL: https://backup-update.online/api/v2/auth": [[124, 164]], "URL: http://storage-cache.top/callback": [[185, 218]], "DOMAIN: data-static.net": [[222, 237]], "EMAIL: confirm@mail-service.info": [[262, 287]], "URL: hxxps://datadata.cc/wp-content/uploads/doc.php": [[299, 345]], "MALWARE: RedLine Stealer": [[362, 377]], "URL: http://datanode.tech/portal/verify": [[410, 444]], "IP_ADDRESS: 172.72.193.125": [[458, 472]], "DOMAIN: nodeupdate.club": [[477, 492]]}, "info": {"id": "synth_v2_01713", "source": "synthetic_v2"}} +{"text": "Tenable detected a multi-stage attack chain. 
The initial phishing email from admin@secure-verify.net contained a link to hxxp://backup-gateway.io/admin/config. This redirected to hxxps://sync-portal.tech/login on node-auth.link. A secondary email from service@auth-check.org pointed to https://cache-sync.link/secure/token which delivered TrickBot. The final payload callback was hxxp://portalbackup.top/login resolving to 192.3.207.191 via login-cloud.org.", "spans": {"ORGANIZATION: Tenable": [[0, 7]], "EMAIL: admin@secure-verify.net": [[77, 100]], "URL: hxxp://backup-gateway.io/admin/config": [[121, 158]], "URL: hxxps://sync-portal.tech/login": [[179, 209]], "DOMAIN: node-auth.link": [[213, 227]], "EMAIL: service@auth-check.org": [[252, 274]], "URL: https://cache-sync.link/secure/token": [[286, 322]], "MALWARE: TrickBot": [[339, 347]], "URL: hxxp://portalbackup.top/login": [[380, 409]], "IP_ADDRESS: 192.3.207.191": [[423, 436]], "DOMAIN: login-cloud.org": [[441, 456]]}, "info": {"id": "synth_v2_01714", "source": "synthetic_v2"}} +{"text": "ESET Research detected a multi-stage attack chain. The initial phishing email from admin@mail-service.info contained a link to http://proxy-mail.com/secure/token. This redirected to http://cache-secure.site/gate.php on mailgateway.io. A secondary email from confirm@credential-check.site pointed to hxxps://updatesync.site/callback which delivered NjRAT. 
The final payload callback was https://login-node.top/wp-content/uploads/doc.php resolving to 10.116.196.201 via secureupdate.org.", "spans": {"ORGANIZATION: ESET Research": [[0, 13]], "EMAIL: admin@mail-service.info": [[83, 106]], "URL: http://proxy-mail.com/secure/token": [[127, 161]], "URL: http://cache-secure.site/gate.php": [[182, 215]], "DOMAIN: mailgateway.io": [[219, 233]], "EMAIL: confirm@credential-check.site": [[258, 287]], "URL: hxxps://updatesync.site/callback": [[299, 331]], "MALWARE: NjRAT": [[348, 353]], "URL: https://login-node.top/wp-content/uploads/doc.php": [[386, 435]], "IP_ADDRESS: 10.116.196.201": [[449, 463]], "DOMAIN: secureupdate.org": [[468, 484]]}, "info": {"id": "synth_v2_01715", "source": "synthetic_v2"}} +{"text": "Europol detected a multi-stage attack chain. The initial phishing email from finance@credential-check.site contained a link to https://proxyportal.link/api/v2/auth. This redirected to http://backuplogin.club/api/v2/auth on cdn-login.top. A secondary email from billing@auth-check.org pointed to hxxps://backupstorage.xyz/portal/verify which delivered BlackCat. The final payload callback was hxxps://cachemail.tech/panel/index.html resolving to 66.69.229.177 via gateway-cache.tech.", "spans": {"ORGANIZATION: Europol": [[0, 7]], "EMAIL: finance@credential-check.site": [[77, 106]], "URL: https://proxyportal.link/api/v2/auth": [[127, 163]], "URL: http://backuplogin.club/api/v2/auth": [[184, 219]], "DOMAIN: cdn-login.top": [[223, 236]], "EMAIL: billing@auth-check.org": [[261, 283]], "URL: hxxps://backupstorage.xyz/portal/verify": [[295, 334]], "MALWARE: BlackCat": [[351, 359]], "URL: hxxps://cachemail.tech/panel/index.html": [[392, 431]], "IP_ADDRESS: 66.69.229.177": [[445, 458]], "DOMAIN: gateway-cache.tech": [[463, 481]]}, "info": {"id": "synth_v2_01716", "source": "synthetic_v2"}} +{"text": "Volexity detected a multi-stage attack chain. 
The initial phishing email from security@account-update.xyz contained a link to hxxps://cloudgateway.top/login. This redirected to https://cache-node.org/secure/token on relay-backup.net. A secondary email from it@account-update.xyz pointed to http://node-auth.info/admin/config which delivered SmokeLoader. The final payload callback was hxxp://relaycdn.org/callback resolving to 83.103.41.49 via cdngateway.com.", "spans": {"ORGANIZATION: Volexity": [[0, 8]], "EMAIL: security@account-update.xyz": [[78, 105]], "URL: hxxps://cloudgateway.top/login": [[126, 156]], "URL: https://cache-node.org/secure/token": [[177, 212]], "DOMAIN: relay-backup.net": [[216, 232]], "EMAIL: it@account-update.xyz": [[257, 278]], "URL: http://node-auth.info/admin/config": [[290, 324]], "MALWARE: SmokeLoader": [[341, 352]], "URL: hxxp://relaycdn.org/callback": [[385, 413]], "IP_ADDRESS: 83.103.41.49": [[427, 439]], "DOMAIN: cdngateway.com": [[444, 458]]}, "info": {"id": "synth_v2_01717", "source": "synthetic_v2"}} +{"text": "Dragos detected a multi-stage attack chain. The initial phishing email from report@identity-verify.cc contained a link to hxxp://relay-gateway.org/panel/index.html. This redirected to hxxps://cache-mail.info/gate.php on edge-auth.online. A secondary email from report@secure-verify.net pointed to http://synccdn.net/wp-content/uploads/doc.php which delivered AgentTesla. 
The final payload callback was https://staticcdn.tech/panel/index.html resolving to 192.83.216.167 via static-cloud.xyz.", "spans": {"ORGANIZATION: Dragos": [[0, 6]], "EMAIL: report@identity-verify.cc": [[76, 101]], "URL: hxxp://relay-gateway.org/panel/index.html": [[122, 163]], "URL: hxxps://cache-mail.info/gate.php": [[184, 216]], "DOMAIN: edge-auth.online": [[220, 236]], "EMAIL: report@secure-verify.net": [[261, 285]], "URL: http://synccdn.net/wp-content/uploads/doc.php": [[297, 342]], "MALWARE: AgentTesla": [[359, 369]], "URL: https://staticcdn.tech/panel/index.html": [[402, 441]], "IP_ADDRESS: 192.83.216.167": [[455, 469]], "DOMAIN: static-cloud.xyz": [[474, 490]]}, "info": {"id": "synth_v2_01718", "source": "synthetic_v2"}} +{"text": "Check Point Research detected a multi-stage attack chain. The initial phishing email from admin@document-share.link contained a link to http://login-cdn.link/portal/verify. This redirected to http://syncgateway.live/callback on api-backup.xyz. A secondary email from notification@account-update.xyz pointed to https://relayedge.live/callback which delivered AgentTesla. The final payload callback was https://storage-cdn.io/secure/token resolving to 31.4.73.134 via mail-relay.dev.", "spans": {"ORGANIZATION: Check Point Research": [[0, 20]], "EMAIL: admin@document-share.link": [[90, 115]], "URL: http://login-cdn.link/portal/verify": [[136, 171]], "URL: http://syncgateway.live/callback": [[192, 224]], "DOMAIN: api-backup.xyz": [[228, 242]], "EMAIL: notification@account-update.xyz": [[267, 298]], "URL: https://relayedge.live/callback": [[310, 341]], "MALWARE: AgentTesla": [[358, 368]], "URL: https://storage-cdn.io/secure/token": [[401, 436]], "IP_ADDRESS: 31.4.73.134": [[450, 461]], "DOMAIN: mail-relay.dev": [[466, 480]]}, "info": {"id": "synth_v2_01719", "source": "synthetic_v2"}} +{"text": "Check Point Research detected a multi-stage attack chain. 
The initial phishing email from admin@urgent-notice.online contained a link to hxxp://authsync.xyz/secure/token. This redirected to hxxp://loginupdate.xyz/admin/config on storage-cloud.com. A secondary email from helpdesk@phishing-domain.com pointed to hxxps://storagecache.net/collect which delivered XLoader. The final payload callback was hxxp://mail-secure.io/collect resolving to 192.148.9.27 via proxydata.dev.", "spans": {"ORGANIZATION: Check Point Research": [[0, 20]], "EMAIL: admin@urgent-notice.online": [[90, 116]], "URL: hxxp://authsync.xyz/secure/token": [[137, 169]], "URL: hxxp://loginupdate.xyz/admin/config": [[190, 225]], "DOMAIN: storage-cloud.com": [[229, 246]], "EMAIL: helpdesk@phishing-domain.com": [[271, 299]], "URL: hxxps://storagecache.net/collect": [[311, 343]], "MALWARE: XLoader": [[360, 367]], "URL: hxxp://mail-secure.io/collect": [[400, 429]], "IP_ADDRESS: 192.148.9.27": [[443, 455]], "DOMAIN: proxydata.dev": [[460, 473]]}, "info": {"id": "synth_v2_01720", "source": "synthetic_v2"}} +{"text": "Dragos detected a multi-stage attack chain. The initial phishing email from updates@identity-verify.cc contained a link to hxxp://relayportal.cc/assets/js/payload.js. This redirected to hxxps://cache-auth.club/secure/token on updategateway.cc. A secondary email from verify@login-portal.tech pointed to http://proxy-auth.cc/login which delivered RedLine Stealer. 
The final payload callback was https://proxybackup.dev/secure/token resolving to 63.59.162.191 via backup-data.io.", "spans": {"ORGANIZATION: Dragos": [[0, 6]], "EMAIL: updates@identity-verify.cc": [[76, 102]], "URL: hxxp://relayportal.cc/assets/js/payload.js": [[123, 165]], "URL: hxxps://cache-auth.club/secure/token": [[186, 222]], "DOMAIN: updategateway.cc": [[226, 242]], "EMAIL: verify@login-portal.tech": [[267, 291]], "URL: http://proxy-auth.cc/login": [[303, 329]], "MALWARE: RedLine Stealer": [[346, 361]], "URL: https://proxybackup.dev/secure/token": [[394, 430]], "IP_ADDRESS: 63.59.162.191": [[444, 457]], "DOMAIN: backup-data.io": [[462, 476]]}, "info": {"id": "synth_v2_01721", "source": "synthetic_v2"}} +{"text": "Huntress detected a multi-stage attack chain. The initial phishing email from helpdesk@mail-service.info contained a link to http://gatewaystatic.tech/collect. This redirected to http://cache-portal.org/wp-content/uploads/doc.php on storage-gateway.site. A secondary email from billing@phishing-domain.com pointed to https://proxy-cloud.org/wp-content/uploads/doc.php which delivered DanaBot. The final payload callback was hxxps://cdncloud.top/collect resolving to 102.118.76.244 via authsync.net.", "spans": {"ORGANIZATION: Huntress": [[0, 8]], "EMAIL: helpdesk@mail-service.info": [[78, 104]], "URL: http://gatewaystatic.tech/collect": [[125, 158]], "URL: http://cache-portal.org/wp-content/uploads/doc.php": [[179, 229]], "DOMAIN: storage-gateway.site": [[233, 253]], "EMAIL: billing@phishing-domain.com": [[278, 305]], "URL: https://proxy-cloud.org/wp-content/uploads/doc.php": [[317, 367]], "MALWARE: DanaBot": [[384, 391]], "URL: hxxps://cdncloud.top/collect": [[424, 452]], "IP_ADDRESS: 102.118.76.244": [[466, 480]], "DOMAIN: authsync.net": [[485, 497]]}, "info": {"id": "synth_v2_01722", "source": "synthetic_v2"}} +{"text": "Volexity detected a multi-stage attack chain. 
The initial phishing email from billing@mail-service.info contained a link to http://portaledge.net/login. This redirected to http://apicache.net/login on edge-cdn.net. A secondary email from info@login-portal.tech pointed to hxxp://sync-secure.live/callback which delivered XLoader. The final payload callback was hxxp://relay-sync.club/gate.php resolving to 221.246.61.207 via api-node.info.", "spans": {"ORGANIZATION: Volexity": [[0, 8]], "EMAIL: billing@mail-service.info": [[78, 103]], "URL: http://portaledge.net/login": [[124, 151]], "URL: http://apicache.net/login": [[172, 197]], "DOMAIN: edge-cdn.net": [[201, 213]], "EMAIL: info@login-portal.tech": [[238, 260]], "URL: hxxp://sync-secure.live/callback": [[272, 304]], "MALWARE: XLoader": [[321, 328]], "URL: hxxp://relay-sync.club/gate.php": [[361, 392]], "IP_ADDRESS: 221.246.61.207": [[406, 420]], "DOMAIN: api-node.info": [[425, 438]]}, "info": {"id": "synth_v2_01723", "source": "synthetic_v2"}} +{"text": "CrowdStrike detected a multi-stage attack chain. The initial phishing email from service@urgent-notice.online contained a link to hxxps://gateway-auth.net/assets/js/payload.js. This redirected to hxxp://relayportal.dev/login on backuprelay.dev. A secondary email from confirm@auth-check.org pointed to http://cloudsync.online/wp-content/uploads/doc.php which delivered TrickBot. 
The final payload callback was https://backupauth.info/secure/token resolving to 172.206.118.122 via api-auth.link.", "spans": {"ORGANIZATION: CrowdStrike": [[0, 11]], "EMAIL: service@urgent-notice.online": [[81, 109]], "URL: hxxps://gateway-auth.net/assets/js/payload.js": [[130, 175]], "URL: hxxp://relayportal.dev/login": [[196, 224]], "DOMAIN: backuprelay.dev": [[228, 243]], "EMAIL: confirm@auth-check.org": [[268, 290]], "URL: http://cloudsync.online/wp-content/uploads/doc.php": [[302, 352]], "MALWARE: TrickBot": [[369, 377]], "URL: https://backupauth.info/secure/token": [[410, 446]], "IP_ADDRESS: 172.206.118.122": [[460, 475]], "DOMAIN: api-auth.link": [[480, 493]]}, "info": {"id": "synth_v2_01724", "source": "synthetic_v2"}} +{"text": "CISA detected a multi-stage attack chain. The initial phishing email from security@identity-verify.cc contained a link to hxxps://dataedge.xyz/api/v2/auth. This redirected to hxxps://edgemail.online/callback on backup-backup.site. A secondary email from info@credential-check.site pointed to hxxps://gatewayupdate.io/admin/config which delivered WarmCookie. The final payload callback was hxxps://apinode.top/admin/config resolving to 172.193.17.238 via edge-node.link.", "spans": {"ORGANIZATION: CISA": [[0, 4]], "EMAIL: security@identity-verify.cc": [[74, 101]], "URL: hxxps://dataedge.xyz/api/v2/auth": [[122, 154]], "URL: hxxps://edgemail.online/callback": [[175, 207]], "DOMAIN: backup-backup.site": [[211, 229]], "EMAIL: info@credential-check.site": [[254, 280]], "URL: hxxps://gatewayupdate.io/admin/config": [[292, 329]], "MALWARE: WarmCookie": [[346, 356]], "URL: hxxps://apinode.top/admin/config": [[389, 421]], "IP_ADDRESS: 172.193.17.238": [[435, 449]], "DOMAIN: edge-node.link": [[454, 468]]}, "info": {"id": "synth_v2_01725", "source": "synthetic_v2"}} +{"text": "FireEye detected a multi-stage attack chain. The initial phishing email from contact@mail-service.info contained a link to https://gateway-cloud.net/collect. 
This redirected to hxxp://api-node.net/gate.php on sync-cache.net. A secondary email from notification@account-update.xyz pointed to hxxp://login-cache.club/panel/index.html which delivered Play. The final payload callback was hxxp://backup-storage.com/login resolving to 51.208.49.53 via portal-backup.online.", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "EMAIL: contact@mail-service.info": [[77, 102]], "URL: https://gateway-cloud.net/collect": [[123, 156]], "URL: hxxp://api-node.net/gate.php": [[177, 205]], "DOMAIN: sync-cache.net": [[209, 223]], "EMAIL: notification@account-update.xyz": [[248, 279]], "URL: hxxp://login-cache.club/panel/index.html": [[291, 331]], "MALWARE: Play": [[348, 352]], "URL: hxxp://backup-storage.com/login": [[385, 416]], "IP_ADDRESS: 51.208.49.53": [[430, 442]], "DOMAIN: portal-backup.online": [[447, 467]]}, "info": {"id": "synth_v2_01726", "source": "synthetic_v2"}} +{"text": "FBI detected a multi-stage attack chain. The initial phishing email from account@credential-check.site contained a link to http://loginsecure.top/assets/js/payload.js. This redirected to https://edge-api.tech/wp-content/uploads/doc.php on cdndata.xyz. A secondary email from service@phishing-domain.com pointed to hxxp://mail-node.io/login which delivered Emotet. 
The final payload callback was http://api-cloud.site/api/v2/auth resolving to 192.252.158.154 via apiproxy.link.", "spans": {"ORGANIZATION: FBI": [[0, 3]], "EMAIL: account@credential-check.site": [[73, 102]], "URL: http://loginsecure.top/assets/js/payload.js": [[123, 166]], "URL: https://edge-api.tech/wp-content/uploads/doc.php": [[187, 235]], "DOMAIN: cdndata.xyz": [[239, 250]], "EMAIL: service@phishing-domain.com": [[275, 302]], "URL: hxxp://mail-node.io/login": [[314, 339]], "MALWARE: Emotet": [[356, 362]], "URL: http://api-cloud.site/api/v2/auth": [[395, 428]], "IP_ADDRESS: 192.252.158.154": [[442, 457]], "DOMAIN: apiproxy.link": [[462, 475]]}, "info": {"id": "synth_v2_01727", "source": "synthetic_v2"}} +{"text": "Mandiant detected a multi-stage attack chain. The initial phishing email from it@login-portal.tech contained a link to hxxps://gateway-sync.io/login. This redirected to hxxps://updatedata.cc/callback on secure-relay.top. A secondary email from notification@auth-check.org pointed to hxxp://edgeapi.org/gate.php which delivered DarkSide. The final payload callback was hxxp://static-edge.tech/login resolving to 172.76.124.243 via sync-gateway.cc.", "spans": {"ORGANIZATION: Mandiant": [[0, 8]], "EMAIL: it@login-portal.tech": [[78, 98]], "URL: hxxps://gateway-sync.io/login": [[119, 148]], "URL: hxxps://updatedata.cc/callback": [[169, 199]], "DOMAIN: secure-relay.top": [[203, 219]], "EMAIL: notification@auth-check.org": [[244, 271]], "URL: hxxp://edgeapi.org/gate.php": [[283, 310]], "MALWARE: DarkSide": [[327, 335]], "URL: hxxp://static-edge.tech/login": [[368, 397]], "IP_ADDRESS: 172.76.124.243": [[411, 425]], "DOMAIN: sync-gateway.cc": [[430, 445]]}, "info": {"id": "synth_v2_01728", "source": "synthetic_v2"}} +{"text": "Trend Micro detected a multi-stage attack chain. The initial phishing email from alert@account-update.xyz contained a link to http://securebackup.live/api/v2/auth. 
This redirected to hxxp://storage-gateway.link/wp-content/uploads/doc.php on login-edge.dev. A secondary email from support@urgent-notice.online pointed to hxxps://portal-proxy.io/api/v2/auth which delivered PlugX. The final payload callback was hxxps://portalproxy.com/portal/verify resolving to 172.65.145.141 via sync-backup.online.", "spans": {"ORGANIZATION: Trend Micro": [[0, 11]], "EMAIL: alert@account-update.xyz": [[81, 105]], "URL: http://securebackup.live/api/v2/auth": [[126, 162]], "URL: hxxp://storage-gateway.link/wp-content/uploads/doc.php": [[183, 237]], "DOMAIN: login-edge.dev": [[241, 255]], "EMAIL: support@urgent-notice.online": [[280, 308]], "URL: hxxps://portal-proxy.io/api/v2/auth": [[320, 355]], "MALWARE: PlugX": [[372, 377]], "URL: hxxps://portalproxy.com/portal/verify": [[410, 447]], "IP_ADDRESS: 172.65.145.141": [[461, 475]], "DOMAIN: sync-backup.online": [[480, 498]]}, "info": {"id": "synth_v2_01729", "source": "synthetic_v2"}} +{"text": "Symantec detected a multi-stage attack chain. The initial phishing email from helpdesk@identity-verify.cc contained a link to http://portalsecure.xyz/panel/index.html. This redirected to hxxp://apiproxy.dev/download/update.exe on proxybackup.net. A secondary email from service@login-portal.tech pointed to http://relaygateway.com/wp-content/uploads/doc.php which delivered Dridex. 
The final payload callback was hxxps://apidata.site/callback resolving to 172.190.213.200 via cacheedge.info.", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "EMAIL: helpdesk@identity-verify.cc": [[78, 105]], "URL: http://portalsecure.xyz/panel/index.html": [[126, 166]], "URL: hxxp://apiproxy.dev/download/update.exe": [[187, 226]], "DOMAIN: proxybackup.net": [[230, 245]], "EMAIL: service@login-portal.tech": [[270, 295]], "URL: http://relaygateway.com/wp-content/uploads/doc.php": [[307, 357]], "MALWARE: Dridex": [[374, 380]], "URL: hxxps://apidata.site/callback": [[413, 442]], "IP_ADDRESS: 172.190.213.200": [[456, 471]], "DOMAIN: cacheedge.info": [[476, 490]]}, "info": {"id": "synth_v2_01730", "source": "synthetic_v2"}} +{"text": "Google TAG detected a multi-stage attack chain. The initial phishing email from security@auth-check.org contained a link to http://maildata.tech/gate.php. This redirected to hxxp://proxynode.tech/assets/js/payload.js on cdnbackup.org. A secondary email from service@credential-check.site pointed to http://storagenode.xyz/api/v2/auth which delivered PikaBot. The final payload callback was hxxp://relay-backup.info/wp-content/uploads/doc.php resolving to 10.61.245.208 via syncstorage.com.", "spans": {"ORGANIZATION: Google TAG": [[0, 10]], "EMAIL: security@auth-check.org": [[80, 103]], "URL: http://maildata.tech/gate.php": [[124, 153]], "URL: hxxp://proxynode.tech/assets/js/payload.js": [[174, 216]], "DOMAIN: cdnbackup.org": [[220, 233]], "EMAIL: service@credential-check.site": [[258, 287]], "URL: http://storagenode.xyz/api/v2/auth": [[299, 333]], "MALWARE: PikaBot": [[350, 357]], "URL: hxxp://relay-backup.info/wp-content/uploads/doc.php": [[390, 441]], "IP_ADDRESS: 10.61.245.208": [[455, 468]], "DOMAIN: syncstorage.com": [[473, 488]]}, "info": {"id": "synth_v2_01731", "source": "synthetic_v2"}} +{"text": "Qualys detected a multi-stage attack chain. 
The initial phishing email from ceo@secure-verify.net contained a link to hxxps://cacheedge.io/callback. This redirected to http://update-data.online/wp-content/uploads/doc.php on gateway-static.dev. A secondary email from admin@urgent-notice.online pointed to hxxp://cache-backup.com/panel/index.html which delivered Emotet. The final payload callback was https://backup-cloud.online/api/v2/auth resolving to 199.52.236.235 via node-portal.tech.", "spans": {"ORGANIZATION: Qualys": [[0, 6]], "EMAIL: ceo@secure-verify.net": [[76, 97]], "URL: hxxps://cacheedge.io/callback": [[118, 147]], "URL: http://update-data.online/wp-content/uploads/doc.php": [[168, 220]], "DOMAIN: gateway-static.dev": [[224, 242]], "EMAIL: admin@urgent-notice.online": [[267, 293]], "URL: hxxp://cache-backup.com/panel/index.html": [[305, 345]], "MALWARE: Emotet": [[362, 368]], "URL: https://backup-cloud.online/api/v2/auth": [[401, 440]], "IP_ADDRESS: 199.52.236.235": [[454, 468]], "DOMAIN: node-portal.tech": [[473, 489]]}, "info": {"id": "synth_v2_01732", "source": "synthetic_v2"}} +{"text": "Proofpoint detected a multi-stage attack chain. The initial phishing email from billing@account-update.xyz contained a link to hxxp://nodecloud.cc/admin/config. This redirected to https://data-login.cc/login on mailmail.tech. A secondary email from confirm@secure-verify.net pointed to https://proxy-mail.cc/download/update.exe which delivered NjRAT. 
The final payload callback was http://cdnapi.dev/secure/token resolving to 192.253.1.201 via backupnode.site.", "spans": {"ORGANIZATION: Proofpoint": [[0, 10]], "EMAIL: billing@account-update.xyz": [[80, 106]], "URL: hxxp://nodecloud.cc/admin/config": [[127, 159]], "URL: https://data-login.cc/login": [[180, 207]], "DOMAIN: mailmail.tech": [[211, 224]], "EMAIL: confirm@secure-verify.net": [[249, 274]], "URL: https://proxy-mail.cc/download/update.exe": [[286, 327]], "MALWARE: NjRAT": [[344, 349]], "URL: http://cdnapi.dev/secure/token": [[382, 412]], "IP_ADDRESS: 192.253.1.201": [[426, 439]], "DOMAIN: backupnode.site": [[444, 459]]}, "info": {"id": "synth_v2_01733", "source": "synthetic_v2"}} +{"text": "Qualys detected a multi-stage attack chain. The initial phishing email from updates@document-share.link contained a link to hxxp://storage-storage.online/panel/index.html. This redirected to http://authcdn.cc/login on updatesecure.info. A secondary email from info@urgent-notice.online pointed to hxxps://gateway-portal.live/callback which delivered Raccoon Stealer. The final payload callback was http://storage-cloud.net/callback resolving to 172.109.117.195 via mailportal.cc.", "spans": {"ORGANIZATION: Qualys": [[0, 6]], "EMAIL: updates@document-share.link": [[76, 103]], "URL: hxxp://storage-storage.online/panel/index.html": [[124, 170]], "URL: http://authcdn.cc/login": [[191, 214]], "DOMAIN: updatesecure.info": [[218, 235]], "EMAIL: info@urgent-notice.online": [[260, 285]], "URL: hxxps://gateway-portal.live/callback": [[297, 333]], "MALWARE: Raccoon Stealer": [[350, 365]], "URL: http://storage-cloud.net/callback": [[398, 431]], "IP_ADDRESS: 172.109.117.195": [[445, 460]], "DOMAIN: mailportal.cc": [[465, 478]]}, "info": {"id": "synth_v2_01734", "source": "synthetic_v2"}} +{"text": "ESET Research detected a multi-stage attack chain. The initial phishing email from ceo@urgent-notice.online contained a link to https://storagerelay.tech/portal/verify. 
This redirected to hxxp://updateportal.io/portal/verify on portalcdn.io. A secondary email from confirm@phishing-domain.com pointed to hxxp://gateway-update.tech/wp-content/uploads/doc.php which delivered FormBook. The final payload callback was http://backup-static.club/collect resolving to 28.148.10.50 via node-relay.link.", "spans": {"ORGANIZATION: ESET Research": [[0, 13]], "EMAIL: ceo@urgent-notice.online": [[83, 107]], "URL: https://storagerelay.tech/portal/verify": [[128, 167]], "URL: hxxp://updateportal.io/portal/verify": [[188, 224]], "DOMAIN: portalcdn.io": [[228, 240]], "EMAIL: confirm@phishing-domain.com": [[265, 292]], "URL: hxxp://gateway-update.tech/wp-content/uploads/doc.php": [[304, 357]], "MALWARE: FormBook": [[374, 382]], "URL: http://backup-static.club/collect": [[415, 448]], "IP_ADDRESS: 28.148.10.50": [[462, 474]], "DOMAIN: node-relay.link": [[479, 494]]}, "info": {"id": "synth_v2_01735", "source": "synthetic_v2"}} +{"text": "Mandiant detected a multi-stage attack chain. The initial phishing email from admin@phishing-domain.com contained a link to https://noderelay.info/api/v2/auth. This redirected to hxxp://portal-auth.dev/gate.php on sync-storage.tech. A secondary email from verify@account-update.xyz pointed to hxxp://secure-secure.top/login which delivered BumbleBee. 
The final payload callback was hxxp://backupcloud.net/api/v2/auth resolving to 103.198.248.34 via staticstatic.cc.", "spans": {"ORGANIZATION: Mandiant": [[0, 8]], "EMAIL: admin@phishing-domain.com": [[78, 103]], "URL: https://noderelay.info/api/v2/auth": [[124, 158]], "URL: hxxp://portal-auth.dev/gate.php": [[179, 210]], "DOMAIN: sync-storage.tech": [[214, 231]], "EMAIL: verify@account-update.xyz": [[256, 281]], "URL: hxxp://secure-secure.top/login": [[293, 323]], "MALWARE: BumbleBee": [[340, 349]], "URL: hxxp://backupcloud.net/api/v2/auth": [[382, 416]], "IP_ADDRESS: 103.198.248.34": [[430, 444]], "DOMAIN: staticstatic.cc": [[449, 464]]}, "info": {"id": "synth_v2_01736", "source": "synthetic_v2"}} +{"text": "CrowdStrike detected a multi-stage attack chain. The initial phishing email from info@document-share.link contained a link to http://cloudgateway.tech/panel/index.html. This redirected to https://relay-api.top/api/v2/auth on login-login.info. A secondary email from contact@credential-check.site pointed to http://backup-auth.xyz/gate.php which delivered BlackCat. The final payload callback was https://proxyportal.online/collect resolving to 85.231.60.208 via proxycloud.online.", "spans": {"ORGANIZATION: CrowdStrike": [[0, 11]], "EMAIL: info@document-share.link": [[81, 105]], "URL: http://cloudgateway.tech/panel/index.html": [[126, 167]], "URL: https://relay-api.top/api/v2/auth": [[188, 221]], "DOMAIN: login-login.info": [[225, 241]], "EMAIL: contact@credential-check.site": [[266, 295]], "URL: http://backup-auth.xyz/gate.php": [[307, 338]], "MALWARE: BlackCat": [[355, 363]], "URL: https://proxyportal.online/collect": [[396, 430]], "IP_ADDRESS: 85.231.60.208": [[444, 457]], "DOMAIN: proxycloud.online": [[462, 479]]}, "info": {"id": "synth_v2_01737", "source": "synthetic_v2"}} +{"text": "Zscaler ThreatLabz detected a multi-stage attack chain. 
The initial phishing email from notification@secure-verify.net contained a link to hxxps://storagesync.top/download/update.exe. This redirected to hxxp://backupcloud.io/callback on staticupdate.io. A secondary email from finance@secure-verify.net pointed to hxxps://portalcache.info/wp-content/uploads/doc.php which delivered QakBot. The final payload callback was http://portalproxy.info/panel/index.html resolving to 172.19.146.157 via nodegateway.xyz.", "spans": {"ORGANIZATION: Zscaler ThreatLabz": [[0, 18]], "EMAIL: notification@secure-verify.net": [[88, 118]], "URL: hxxps://storagesync.top/download/update.exe": [[139, 182]], "URL: hxxp://backupcloud.io/callback": [[203, 233]], "DOMAIN: staticupdate.io": [[237, 252]], "EMAIL: finance@secure-verify.net": [[277, 302]], "URL: hxxps://portalcache.info/wp-content/uploads/doc.php": [[314, 365]], "MALWARE: QakBot": [[382, 388]], "URL: http://portalproxy.info/panel/index.html": [[421, 461]], "IP_ADDRESS: 172.19.146.157": [[475, 489]], "DOMAIN: nodegateway.xyz": [[494, 509]]}, "info": {"id": "synth_v2_01738", "source": "synthetic_v2"}} +{"text": "Google TAG detected a multi-stage attack chain. The initial phishing email from report@login-portal.tech contained a link to https://backupsync.online/download/update.exe. This redirected to https://cdnrelay.org/portal/verify on edge-proxy.info. A secondary email from report@secure-verify.net pointed to http://storagelogin.online/api/v2/auth which delivered WarmCookie. 
The final payload callback was http://static-storage.info/admin/config resolving to 98.3.122.115 via relay-storage.net.", "spans": {"ORGANIZATION: Google TAG": [[0, 10]], "EMAIL: report@login-portal.tech": [[80, 104]], "URL: https://backupsync.online/download/update.exe": [[125, 170]], "URL: https://cdnrelay.org/portal/verify": [[191, 225]], "DOMAIN: edge-proxy.info": [[229, 244]], "EMAIL: report@secure-verify.net": [[269, 293]], "URL: http://storagelogin.online/api/v2/auth": [[305, 343]], "MALWARE: WarmCookie": [[360, 370]], "URL: http://static-storage.info/admin/config": [[403, 442]], "IP_ADDRESS: 98.3.122.115": [[456, 468]], "DOMAIN: relay-storage.net": [[473, 490]]}, "info": {"id": "synth_v2_01739", "source": "synthetic_v2"}} +{"text": "Volexity detected a multi-stage attack chain. The initial phishing email from helpdesk@secure-verify.net contained a link to hxxps://data-storage.site/admin/config. This redirected to http://edge-mail.io/gate.php on relaystatic.dev. A secondary email from verify@credential-check.site pointed to hxxps://updateproxy.tech/api/v2/auth which delivered FormBook. The final payload callback was hxxp://cache-static.xyz/secure/token resolving to 192.206.92.105 via backupportal.live.", "spans": {"ORGANIZATION: Volexity": [[0, 8]], "EMAIL: helpdesk@secure-verify.net": [[78, 104]], "URL: hxxps://data-storage.site/admin/config": [[125, 163]], "URL: http://edge-mail.io/gate.php": [[184, 212]], "DOMAIN: relaystatic.dev": [[216, 231]], "EMAIL: verify@credential-check.site": [[256, 284]], "URL: hxxps://updateproxy.tech/api/v2/auth": [[296, 332]], "MALWARE: FormBook": [[349, 357]], "URL: hxxp://cache-static.xyz/secure/token": [[390, 426]], "IP_ADDRESS: 192.206.92.105": [[440, 454]], "DOMAIN: backupportal.live": [[459, 476]]}, "info": {"id": "synth_v2_01740", "source": "synthetic_v2"}} +{"text": "Check Point Research detected a multi-stage attack chain. 
The initial phishing email from admin@auth-check.org contained a link to http://nodegateway.net/wp-content/uploads/doc.php. This redirected to hxxps://edge-portal.xyz/wp-content/uploads/doc.php on portalportal.tech. A secondary email from helpdesk@identity-verify.cc pointed to http://cloud-login.club/download/update.exe which delivered DanaBot. The final payload callback was https://staticnode.site/login resolving to 69.127.131.248 via cacheproxy.online.", "spans": {"ORGANIZATION: Check Point Research": [[0, 20]], "EMAIL: admin@auth-check.org": [[90, 110]], "URL: http://nodegateway.net/wp-content/uploads/doc.php": [[131, 180]], "URL: hxxps://edge-portal.xyz/wp-content/uploads/doc.php": [[201, 251]], "DOMAIN: portalportal.tech": [[255, 272]], "EMAIL: helpdesk@identity-verify.cc": [[297, 324]], "URL: http://cloud-login.club/download/update.exe": [[336, 379]], "MALWARE: DanaBot": [[396, 403]], "URL: https://staticnode.site/login": [[436, 465]], "IP_ADDRESS: 69.127.131.248": [[479, 493]], "DOMAIN: cacheproxy.online": [[498, 515]]}, "info": {"id": "synth_v2_01741", "source": "synthetic_v2"}} +{"text": "INTERPOL detected a multi-stage attack chain. The initial phishing email from it@identity-verify.cc contained a link to hxxps://backupauth.org/admin/config. This redirected to hxxps://portalsecure.com/api/v2/auth on update-mail.xyz. A secondary email from account@identity-verify.cc pointed to https://node-static.xyz/panel/index.html which delivered Dridex. 
The final payload callback was hxxps://edge-update.dev/admin/config resolving to 154.20.19.238 via storageupdate.info.", "spans": {"ORGANIZATION: INTERPOL": [[0, 8]], "EMAIL: it@identity-verify.cc": [[78, 99]], "URL: hxxps://backupauth.org/admin/config": [[120, 155]], "URL: hxxps://portalsecure.com/api/v2/auth": [[176, 212]], "DOMAIN: update-mail.xyz": [[216, 231]], "EMAIL: account@identity-verify.cc": [[256, 282]], "URL: https://node-static.xyz/panel/index.html": [[294, 334]], "MALWARE: Dridex": [[351, 357]], "URL: hxxps://edge-update.dev/admin/config": [[390, 426]], "IP_ADDRESS: 154.20.19.238": [[440, 453]], "DOMAIN: storageupdate.info": [[458, 476]]}, "info": {"id": "synth_v2_01742", "source": "synthetic_v2"}} +{"text": "CISA detected a multi-stage attack chain. The initial phishing email from ceo@identity-verify.cc contained a link to https://cloud-cloud.net/download/update.exe. This redirected to hxxps://updatesync.dev/secure/token on proxy-relay.live. A secondary email from report@mail-service.info pointed to https://storagenode.club/assets/js/payload.js which delivered RemcosRAT. The final payload callback was http://relay-gateway.io/api/v2/auth resolving to 10.47.137.66 via data-data.xyz.", "spans": {"ORGANIZATION: CISA": [[0, 4]], "EMAIL: ceo@identity-verify.cc": [[74, 96]], "URL: https://cloud-cloud.net/download/update.exe": [[117, 160]], "URL: hxxps://updatesync.dev/secure/token": [[181, 216]], "DOMAIN: proxy-relay.live": [[220, 236]], "EMAIL: report@mail-service.info": [[261, 285]], "URL: https://storagenode.club/assets/js/payload.js": [[297, 342]], "MALWARE: RemcosRAT": [[359, 368]], "URL: http://relay-gateway.io/api/v2/auth": [[401, 436]], "IP_ADDRESS: 10.47.137.66": [[450, 462]], "DOMAIN: data-data.xyz": [[467, 480]]}, "info": {"id": "synth_v2_01743", "source": "synthetic_v2"}} +{"text": "Dragos detected a multi-stage attack chain. The initial phishing email from contact@secure-verify.net contained a link to hxxp://portalapi.site/collect. 
This redirected to hxxps://cdngateway.info/login on cloud-sync.top. A secondary email from noreply@phishing-domain.com pointed to hxxps://api-edge.info/admin/config which delivered DarkSide. The final payload callback was http://datasecure.top/secure/token resolving to 192.143.210.117 via mailmail.info.", "spans": {"ORGANIZATION: Dragos": [[0, 6]], "EMAIL: contact@secure-verify.net": [[76, 101]], "URL: hxxp://portalapi.site/collect": [[122, 151]], "URL: hxxps://cdngateway.info/login": [[172, 201]], "DOMAIN: cloud-sync.top": [[205, 219]], "EMAIL: noreply@phishing-domain.com": [[244, 271]], "URL: hxxps://api-edge.info/admin/config": [[283, 317]], "MALWARE: DarkSide": [[334, 342]], "URL: http://datasecure.top/secure/token": [[375, 409]], "IP_ADDRESS: 192.143.210.117": [[423, 438]], "DOMAIN: mailmail.info": [[443, 456]]}, "info": {"id": "synth_v2_01744", "source": "synthetic_v2"}} +{"text": "Symantec detected a multi-stage attack chain. The initial phishing email from support@credential-check.site contained a link to hxxp://backupcdn.net/assets/js/payload.js. This redirected to https://backup-cloud.live/wp-content/uploads/doc.php on relaystorage.live. A secondary email from hr@document-share.link pointed to http://syncsecure.tech/download/update.exe which delivered WarmCookie. 
The final payload callback was hxxps://updateproxy.club/wp-content/uploads/doc.php resolving to 192.162.9.96 via data-sync.link.", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "EMAIL: support@credential-check.site": [[78, 107]], "URL: hxxp://backupcdn.net/assets/js/payload.js": [[128, 169]], "URL: https://backup-cloud.live/wp-content/uploads/doc.php": [[190, 242]], "DOMAIN: relaystorage.live": [[246, 263]], "EMAIL: hr@document-share.link": [[288, 310]], "URL: http://syncsecure.tech/download/update.exe": [[322, 364]], "MALWARE: WarmCookie": [[381, 391]], "URL: hxxps://updateproxy.club/wp-content/uploads/doc.php": [[424, 475]], "IP_ADDRESS: 192.162.9.96": [[489, 501]], "DOMAIN: data-sync.link": [[506, 520]]}, "info": {"id": "synth_v2_01745", "source": "synthetic_v2"}} +{"text": "NCSC detected a multi-stage attack chain. The initial phishing email from alert@auth-check.org contained a link to https://sync-cdn.link/admin/config. This redirected to https://syncgateway.club/api/v2/auth on cloudrelay.org. A secondary email from confirm@mail-service.info pointed to hxxps://cdn-portal.cc/admin/config which delivered BlackCat. The final payload callback was https://authauth.cc/collect resolving to 80.116.128.70 via dataupdate.xyz.", "spans": {"ORGANIZATION: NCSC": [[0, 4]], "EMAIL: alert@auth-check.org": [[74, 94]], "URL: https://sync-cdn.link/admin/config": [[115, 149]], "URL: https://syncgateway.club/api/v2/auth": [[170, 206]], "DOMAIN: cloudrelay.org": [[210, 224]], "EMAIL: confirm@mail-service.info": [[249, 274]], "URL: hxxps://cdn-portal.cc/admin/config": [[286, 320]], "MALWARE: BlackCat": [[337, 345]], "URL: https://authauth.cc/collect": [[378, 405]], "IP_ADDRESS: 80.116.128.70": [[419, 432]], "DOMAIN: dataupdate.xyz": [[437, 451]]}, "info": {"id": "synth_v2_01746", "source": "synthetic_v2"}} +{"text": "SentinelOne detected a multi-stage attack chain. The initial phishing email from ceo@auth-check.org contained a link to hxxps://storage-sync.top/login. 
This redirected to https://cloud-auth.cc/login on cloudsecure.club. A secondary email from it@auth-check.org pointed to hxxps://edgeproxy.xyz/secure/token which delivered Qbot. The final payload callback was hxxps://cache-update.live/wp-content/uploads/doc.php resolving to 210.75.154.156 via portal-login.com.", "spans": {"ORGANIZATION: SentinelOne": [[0, 11]], "EMAIL: ceo@auth-check.org": [[81, 99]], "URL: hxxps://storage-sync.top/login": [[120, 150]], "URL: https://cloud-auth.cc/login": [[171, 198]], "DOMAIN: cloudsecure.club": [[202, 218]], "EMAIL: it@auth-check.org": [[243, 260]], "URL: hxxps://edgeproxy.xyz/secure/token": [[272, 306]], "MALWARE: Qbot": [[323, 327]], "URL: hxxps://cache-update.live/wp-content/uploads/doc.php": [[360, 412]], "IP_ADDRESS: 210.75.154.156": [[426, 440]], "DOMAIN: portal-login.com": [[445, 461]]}, "info": {"id": "synth_v2_01747", "source": "synthetic_v2"}} +{"text": "Qualys detected a multi-stage attack chain. The initial phishing email from updates@urgent-notice.online contained a link to hxxp://mailrelay.io/wp-content/uploads/doc.php. This redirected to https://static-cache.link/wp-content/uploads/doc.php on cache-storage.online. A secondary email from billing@phishing-domain.com pointed to https://update-cache.top/api/v2/auth which delivered Lumma Stealer. 
The final payload callback was hxxp://relayedge.online/panel/index.html resolving to 192.221.185.162 via node-data.cc.", "spans": {"ORGANIZATION: Qualys": [[0, 6]], "EMAIL: updates@urgent-notice.online": [[76, 104]], "URL: hxxp://mailrelay.io/wp-content/uploads/doc.php": [[125, 171]], "URL: https://static-cache.link/wp-content/uploads/doc.php": [[192, 244]], "DOMAIN: cache-storage.online": [[248, 268]], "EMAIL: billing@phishing-domain.com": [[293, 320]], "URL: https://update-cache.top/api/v2/auth": [[332, 368]], "MALWARE: Lumma Stealer": [[385, 398]], "URL: hxxp://relayedge.online/panel/index.html": [[431, 471]], "IP_ADDRESS: 192.221.185.162": [[485, 500]], "DOMAIN: node-data.cc": [[505, 517]]}, "info": {"id": "synth_v2_01748", "source": "synthetic_v2"}} +{"text": "Cisco Talos detected a multi-stage attack chain. The initial phishing email from ceo@account-update.xyz contained a link to http://portalupdate.live/portal/verify. This redirected to https://gatewaysecure.top/admin/config on storagecdn.link. A secondary email from support@mail-service.info pointed to hxxp://relayupdate.dev/download/update.exe which delivered Gootloader. The final payload callback was http://authedge.link/secure/token resolving to 204.24.236.252 via login-cdn.online.", "spans": {"ORGANIZATION: Cisco Talos": [[0, 11]], "EMAIL: ceo@account-update.xyz": [[81, 103]], "URL: http://portalupdate.live/portal/verify": [[124, 162]], "URL: https://gatewaysecure.top/admin/config": [[183, 221]], "DOMAIN: storagecdn.link": [[225, 240]], "EMAIL: support@mail-service.info": [[265, 290]], "URL: hxxp://relayupdate.dev/download/update.exe": [[302, 344]], "MALWARE: Gootloader": [[361, 371]], "URL: http://authedge.link/secure/token": [[404, 437]], "IP_ADDRESS: 204.24.236.252": [[451, 465]], "DOMAIN: login-cdn.online": [[470, 486]]}, "info": {"id": "synth_v2_01749", "source": "synthetic_v2"}} +{"text": "Dragos detected a multi-stage attack chain. 
The initial phishing email from security@document-share.link contained a link to https://portal-sync.dev/gate.php. This redirected to hxxps://cloudstatic.org/download/update.exe on secure-cdn.link. A secondary email from info@identity-verify.cc pointed to http://syncsync.com/wp-content/uploads/doc.php which delivered Vidar. The final payload callback was hxxps://cache-proxy.net/api/v2/auth resolving to 33.221.42.251 via portal-proxy.dev.", "spans": {"ORGANIZATION: Dragos": [[0, 6]], "EMAIL: security@document-share.link": [[76, 104]], "URL: https://portal-sync.dev/gate.php": [[125, 157]], "URL: hxxps://cloudstatic.org/download/update.exe": [[178, 221]], "DOMAIN: secure-cdn.link": [[225, 240]], "EMAIL: info@identity-verify.cc": [[265, 288]], "URL: http://syncsync.com/wp-content/uploads/doc.php": [[300, 346]], "MALWARE: Vidar": [[363, 368]], "URL: hxxps://cache-proxy.net/api/v2/auth": [[401, 436]], "IP_ADDRESS: 33.221.42.251": [[450, 463]], "DOMAIN: portal-proxy.dev": [[468, 484]]}, "info": {"id": "synth_v2_01750", "source": "synthetic_v2"}} +{"text": "NCSC detected a multi-stage attack chain. The initial phishing email from verify@mail-service.info contained a link to hxxps://syncproxy.net/gate.php. This redirected to https://mail-secure.online/callback on secure-api.tech. A secondary email from info@identity-verify.cc pointed to hxxp://loginupdate.io/api/v2/auth which delivered Cobalt Strike. 
The final payload callback was http://update-update.net/api/v2/auth resolving to 183.137.107.244 via cache-cdn.com.", "spans": {"ORGANIZATION: NCSC": [[0, 4]], "EMAIL: verify@mail-service.info": [[74, 98]], "URL: hxxps://syncproxy.net/gate.php": [[119, 149]], "URL: https://mail-secure.online/callback": [[170, 205]], "DOMAIN: secure-api.tech": [[209, 224]], "EMAIL: info@identity-verify.cc": [[249, 272]], "URL: hxxp://loginupdate.io/api/v2/auth": [[284, 317]], "MALWARE: Cobalt Strike": [[334, 347]], "URL: http://update-update.net/api/v2/auth": [[380, 416]], "IP_ADDRESS: 183.137.107.244": [[430, 445]], "DOMAIN: cache-cdn.com": [[450, 463]]}, "info": {"id": "synth_v2_01751", "source": "synthetic_v2"}} +{"text": "Rapid7 detected a multi-stage attack chain. The initial phishing email from confirm@secure-verify.net contained a link to hxxp://updatebackup.org/api/v2/auth. This redirected to hxxp://proxylogin.xyz/portal/verify on proxy-relay.io. A secondary email from support@phishing-domain.com pointed to hxxps://syncsync.online/login which delivered Meduza Stealer. The final payload callback was http://cdnportal.com/gate.php resolving to 42.13.131.121 via api-sync.net.", "spans": {"ORGANIZATION: Rapid7": [[0, 6]], "EMAIL: confirm@secure-verify.net": [[76, 101]], "URL: hxxp://updatebackup.org/api/v2/auth": [[122, 157]], "URL: hxxp://proxylogin.xyz/portal/verify": [[178, 213]], "DOMAIN: proxy-relay.io": [[217, 231]], "EMAIL: support@phishing-domain.com": [[256, 283]], "URL: hxxps://syncsync.online/login": [[295, 324]], "MALWARE: Meduza Stealer": [[341, 355]], "URL: http://cdnportal.com/gate.php": [[388, 417]], "IP_ADDRESS: 42.13.131.121": [[431, 444]], "DOMAIN: api-sync.net": [[449, 461]]}, "info": {"id": "synth_v2_01752", "source": "synthetic_v2"}} +{"text": "Sophos X-Ops detected a multi-stage attack chain. The initial phishing email from admin@document-share.link contained a link to hxxps://auth-auth.online/assets/js/payload.js. 
This redirected to http://portalsync.online/assets/js/payload.js on cachesync.link. A secondary email from report@document-share.link pointed to https://edgemail.online/gate.php which delivered Vidar. The final payload callback was http://data-data.site/assets/js/payload.js resolving to 192.247.144.139 via staticapi.live.", "spans": {"ORGANIZATION: Sophos X-Ops": [[0, 12]], "EMAIL: admin@document-share.link": [[82, 107]], "URL: hxxps://auth-auth.online/assets/js/payload.js": [[128, 173]], "URL: http://portalsync.online/assets/js/payload.js": [[194, 239]], "DOMAIN: cachesync.link": [[243, 257]], "EMAIL: report@document-share.link": [[282, 308]], "URL: https://edgemail.online/gate.php": [[320, 352]], "MALWARE: Vidar": [[369, 374]], "URL: http://data-data.site/assets/js/payload.js": [[407, 449]], "IP_ADDRESS: 192.247.144.139": [[463, 478]], "DOMAIN: staticapi.live": [[483, 497]]}, "info": {"id": "synth_v2_01753", "source": "synthetic_v2"}} +{"text": "Tenable detected a multi-stage attack chain. The initial phishing email from finance@secure-verify.net contained a link to hxxps://cloud-cdn.io/portal/verify. This redirected to hxxp://cloudcloud.info/login on storagesync.online. A secondary email from contact@login-portal.tech pointed to hxxps://staticedge.org/gate.php which delivered LockBit. 
The final payload callback was http://update-update.org/gate.php resolving to 172.41.53.121 via cloudstatic.site.", "spans": {"ORGANIZATION: Tenable": [[0, 7]], "EMAIL: finance@secure-verify.net": [[77, 102]], "URL: hxxps://cloud-cdn.io/portal/verify": [[123, 157]], "URL: hxxp://cloudcloud.info/login": [[178, 206]], "DOMAIN: storagesync.online": [[210, 228]], "EMAIL: contact@login-portal.tech": [[253, 278]], "URL: hxxps://staticedge.org/gate.php": [[290, 321]], "MALWARE: LockBit": [[338, 345]], "URL: http://update-update.org/gate.php": [[378, 411]], "IP_ADDRESS: 172.41.53.121": [[425, 438]], "DOMAIN: cloudstatic.site": [[443, 459]]}, "info": {"id": "synth_v2_01754", "source": "synthetic_v2"}} +{"text": "Palo Alto Unit 42 detected a multi-stage attack chain. The initial phishing email from finance@login-portal.tech contained a link to https://cdn-cloud.live/panel/index.html. This redirected to hxxp://api-proxy.link/callback on auth-secure.link. A secondary email from support@identity-verify.cc pointed to hxxps://data-update.io/assets/js/payload.js which delivered Dridex. The final payload callback was http://edgeupdate.io/assets/js/payload.js resolving to 175.237.247.33 via nodeupdate.info.", "spans": {"ORGANIZATION: Palo Alto Unit 42": [[0, 17]], "EMAIL: finance@login-portal.tech": [[87, 112]], "URL: https://cdn-cloud.live/panel/index.html": [[133, 172]], "URL: hxxp://api-proxy.link/callback": [[193, 223]], "DOMAIN: auth-secure.link": [[227, 243]], "EMAIL: support@identity-verify.cc": [[268, 294]], "URL: hxxps://data-update.io/assets/js/payload.js": [[306, 349]], "MALWARE: Dridex": [[366, 372]], "URL: http://edgeupdate.io/assets/js/payload.js": [[405, 446]], "IP_ADDRESS: 175.237.247.33": [[460, 474]], "DOMAIN: nodeupdate.info": [[479, 494]]}, "info": {"id": "synth_v2_01755", "source": "synthetic_v2"}} +{"text": "FBI detected a multi-stage attack chain. 
The initial phishing email from service@urgent-notice.online contained a link to http://relay-auth.club/panel/index.html. This redirected to hxxps://update-cache.io/admin/config on relay-auth.net. A secondary email from contact@urgent-notice.online pointed to https://gatewaygateway.xyz/download/update.exe which delivered Gootloader. The final payload callback was http://storage-login.dev/gate.php resolving to 71.214.157.26 via relay-update.dev.", "spans": {"ORGANIZATION: FBI": [[0, 3]], "EMAIL: service@urgent-notice.online": [[73, 101]], "URL: http://relay-auth.club/panel/index.html": [[122, 161]], "URL: hxxps://update-cache.io/admin/config": [[182, 218]], "DOMAIN: relay-auth.net": [[222, 236]], "EMAIL: contact@urgent-notice.online": [[261, 289]], "URL: https://gatewaygateway.xyz/download/update.exe": [[301, 347]], "MALWARE: Gootloader": [[364, 374]], "URL: http://storage-login.dev/gate.php": [[407, 440]], "IP_ADDRESS: 71.214.157.26": [[454, 467]], "DOMAIN: relay-update.dev": [[472, 488]]}, "info": {"id": "synth_v2_01756", "source": "synthetic_v2"}} +{"text": "SentinelOne detected a multi-stage attack chain. The initial phishing email from admin@secure-verify.net contained a link to https://mail-static.live/callback. This redirected to hxxp://cloudrelay.info/secure/token on portalcdn.xyz. A secondary email from hr@phishing-domain.com pointed to http://storage-relay.online/panel/index.html which delivered IcedID. 
The final payload callback was https://proxydata.top/api/v2/auth resolving to 183.31.225.204 via data-proxy.club.", "spans": {"ORGANIZATION: SentinelOne": [[0, 11]], "EMAIL: admin@secure-verify.net": [[81, 104]], "URL: https://mail-static.live/callback": [[125, 158]], "URL: hxxp://cloudrelay.info/secure/token": [[179, 214]], "DOMAIN: portalcdn.xyz": [[218, 231]], "EMAIL: hr@phishing-domain.com": [[256, 278]], "URL: http://storage-relay.online/panel/index.html": [[290, 334]], "MALWARE: IcedID": [[351, 357]], "URL: https://proxydata.top/api/v2/auth": [[390, 423]], "IP_ADDRESS: 183.31.225.204": [[437, 451]], "DOMAIN: data-proxy.club": [[456, 471]]}, "info": {"id": "synth_v2_01757", "source": "synthetic_v2"}} +{"text": "NCSC detected a multi-stage attack chain. The initial phishing email from account@secure-verify.net contained a link to hxxp://static-static.site/download/update.exe. This redirected to http://cdn-backup.online/download/update.exe on logincache.top. A secondary email from ceo@identity-verify.cc pointed to hxxps://cachegateway.net/secure/token which delivered DanaBot. The final payload callback was https://datadata.link/api/v2/auth resolving to 14.98.13.249 via gateway-secure.io.", "spans": {"ORGANIZATION: NCSC": [[0, 4]], "EMAIL: account@secure-verify.net": [[74, 99]], "URL: hxxp://static-static.site/download/update.exe": [[120, 165]], "URL: http://cdn-backup.online/download/update.exe": [[186, 230]], "DOMAIN: logincache.top": [[234, 248]], "EMAIL: ceo@identity-verify.cc": [[273, 295]], "URL: hxxps://cachegateway.net/secure/token": [[307, 344]], "MALWARE: DanaBot": [[361, 368]], "URL: https://datadata.link/api/v2/auth": [[401, 434]], "IP_ADDRESS: 14.98.13.249": [[448, 460]], "DOMAIN: gateway-secure.io": [[465, 482]]}, "info": {"id": "synth_v2_01758", "source": "synthetic_v2"}} +{"text": "Microsoft MSRC detected a multi-stage attack chain. The initial phishing email from confirm@credential-check.site contained a link to hxxp://mail-api.top/portal/verify. 
This redirected to http://sync-cache.xyz/wp-content/uploads/doc.php on authgateway.online. A secondary email from finance@login-portal.tech pointed to http://gatewaynode.com/gate.php which delivered AsyncRAT. The final payload callback was https://backup-proxy.org/assets/js/payload.js resolving to 192.208.146.128 via loginauth.link.", "spans": {"ORGANIZATION: Microsoft MSRC": [[0, 14]], "EMAIL: confirm@credential-check.site": [[84, 113]], "URL: hxxp://mail-api.top/portal/verify": [[134, 167]], "URL: http://sync-cache.xyz/wp-content/uploads/doc.php": [[188, 236]], "DOMAIN: authgateway.online": [[240, 258]], "EMAIL: finance@login-portal.tech": [[283, 308]], "URL: http://gatewaynode.com/gate.php": [[320, 351]], "MALWARE: AsyncRAT": [[368, 376]], "URL: https://backup-proxy.org/assets/js/payload.js": [[409, 454]], "IP_ADDRESS: 192.208.146.128": [[468, 483]], "DOMAIN: loginauth.link": [[488, 502]]}, "info": {"id": "synth_v2_01759", "source": "synthetic_v2"}} +{"text": "ESET Research detected a multi-stage attack chain. The initial phishing email from security@auth-check.org contained a link to hxxp://login-portal.io/assets/js/payload.js. This redirected to hxxp://nodeproxy.com/collect on portal-login.online. A secondary email from account@secure-verify.net pointed to hxxp://authgateway.top/panel/index.html which delivered Vidar. 
The final payload callback was https://edge-backup.tech/panel/index.html resolving to 192.238.201.252 via clouddata.net.", "spans": {"ORGANIZATION: ESET Research": [[0, 13]], "EMAIL: security@auth-check.org": [[83, 106]], "URL: hxxp://login-portal.io/assets/js/payload.js": [[127, 170]], "URL: hxxp://nodeproxy.com/collect": [[191, 219]], "DOMAIN: portal-login.online": [[223, 242]], "EMAIL: account@secure-verify.net": [[267, 292]], "URL: hxxp://authgateway.top/panel/index.html": [[304, 343]], "MALWARE: Vidar": [[360, 365]], "URL: https://edge-backup.tech/panel/index.html": [[398, 439]], "IP_ADDRESS: 192.238.201.252": [[453, 468]], "DOMAIN: clouddata.net": [[473, 486]]}, "info": {"id": "synth_v2_01760", "source": "synthetic_v2"}} +{"text": "CrowdStrike detected a multi-stage attack chain. The initial phishing email from it@account-update.xyz contained a link to hxxps://updatesync.link/collect. This redirected to http://syncsync.dev/callback on api-proxy.tech. A secondary email from confirm@mail-service.info pointed to http://securelogin.info/collect which delivered RemcosRAT. The final payload callback was hxxps://nodestorage.link/callback resolving to 67.232.14.183 via relay-auth.xyz.", "spans": {"ORGANIZATION: CrowdStrike": [[0, 11]], "EMAIL: it@account-update.xyz": [[81, 102]], "URL: hxxps://updatesync.link/collect": [[123, 154]], "URL: http://syncsync.dev/callback": [[175, 203]], "DOMAIN: api-proxy.tech": [[207, 221]], "EMAIL: confirm@mail-service.info": [[246, 271]], "URL: http://securelogin.info/collect": [[283, 314]], "MALWARE: RemcosRAT": [[331, 340]], "URL: hxxps://nodestorage.link/callback": [[373, 406]], "IP_ADDRESS: 67.232.14.183": [[420, 433]], "DOMAIN: relay-auth.xyz": [[438, 452]]}, "info": {"id": "synth_v2_01761", "source": "synthetic_v2"}} +{"text": "Zscaler ThreatLabz detected a multi-stage attack chain. The initial phishing email from security@account-update.xyz contained a link to https://mail-relay.info/assets/js/payload.js. 
This redirected to https://proxy-gateway.site/panel/index.html on edgedata.xyz. A secondary email from hr@auth-check.org pointed to hxxp://nodebackup.net/panel/index.html which delivered Emotet. The final payload callback was http://auth-secure.online/login resolving to 172.60.198.224 via staticbackup.io.", "spans": {"ORGANIZATION: Zscaler ThreatLabz": [[0, 18]], "EMAIL: security@account-update.xyz": [[88, 115]], "URL: https://mail-relay.info/assets/js/payload.js": [[136, 180]], "URL: https://proxy-gateway.site/panel/index.html": [[201, 244]], "DOMAIN: edgedata.xyz": [[248, 260]], "EMAIL: hr@auth-check.org": [[285, 302]], "URL: hxxp://nodebackup.net/panel/index.html": [[314, 352]], "MALWARE: Emotet": [[369, 375]], "URL: http://auth-secure.online/login": [[408, 439]], "IP_ADDRESS: 172.60.198.224": [[453, 467]], "DOMAIN: staticbackup.io": [[472, 487]]}, "info": {"id": "synth_v2_01762", "source": "synthetic_v2"}} +{"text": "FBI detected a multi-stage attack chain. The initial phishing email from finance@urgent-notice.online contained a link to hxxps://mail-data.info/gate.php. This redirected to hxxps://mailbackup.site/portal/verify on secure-cache.io. A secondary email from admin@secure-verify.net pointed to hxxps://auth-cache.top/login which delivered PlugX. 
The final payload callback was hxxp://backup-relay.live/collect resolving to 172.243.37.35 via storage-node.info.", "spans": {"ORGANIZATION: FBI": [[0, 3]], "EMAIL: finance@urgent-notice.online": [[73, 101]], "URL: hxxps://mail-data.info/gate.php": [[122, 153]], "URL: hxxps://mailbackup.site/portal/verify": [[174, 211]], "DOMAIN: secure-cache.io": [[215, 230]], "EMAIL: admin@secure-verify.net": [[255, 278]], "URL: hxxps://auth-cache.top/login": [[290, 318]], "MALWARE: PlugX": [[335, 340]], "URL: hxxp://backup-relay.live/collect": [[373, 405]], "IP_ADDRESS: 172.243.37.35": [[419, 432]], "DOMAIN: storage-node.info": [[437, 454]]}, "info": {"id": "synth_v2_01763", "source": "synthetic_v2"}} +{"text": "Sophos X-Ops detected a multi-stage attack chain. The initial phishing email from service@auth-check.org contained a link to https://storage-portal.top/wp-content/uploads/doc.php. This redirected to http://cache-auth.top/portal/verify on portal-sync.live. A secondary email from confirm@mail-service.info pointed to https://proxycache.dev/login which delivered SmokeLoader. The final payload callback was hxxp://cloud-update.link/download/update.exe resolving to 10.125.237.108 via static-static.link.", "spans": {"ORGANIZATION: Sophos X-Ops": [[0, 12]], "EMAIL: service@auth-check.org": [[82, 104]], "URL: https://storage-portal.top/wp-content/uploads/doc.php": [[125, 178]], "URL: http://cache-auth.top/portal/verify": [[199, 234]], "DOMAIN: portal-sync.live": [[238, 254]], "EMAIL: confirm@mail-service.info": [[279, 304]], "URL: https://proxycache.dev/login": [[316, 344]], "MALWARE: SmokeLoader": [[361, 372]], "URL: hxxp://cloud-update.link/download/update.exe": [[405, 449]], "IP_ADDRESS: 10.125.237.108": [[463, 477]], "DOMAIN: static-static.link": [[482, 500]]}, "info": {"id": "synth_v2_01764", "source": "synthetic_v2"}} +{"text": "Rapid7 detected a multi-stage attack chain. 
The initial phishing email from admin@auth-check.org contained a link to http://gateway-storage.io/download/update.exe. This redirected to http://secure-data.io/secure/token on node-edge.io. A secondary email from billing@credential-check.site pointed to hxxps://securegateway.com/panel/index.html which delivered REvil. The final payload callback was hxxps://mail-cache.io/admin/config resolving to 192.203.245.162 via update-data.com.", "spans": {"ORGANIZATION: Rapid7": [[0, 6]], "EMAIL: admin@auth-check.org": [[76, 96]], "URL: http://gateway-storage.io/download/update.exe": [[117, 162]], "URL: http://secure-data.io/secure/token": [[183, 217]], "DOMAIN: node-edge.io": [[221, 233]], "EMAIL: billing@credential-check.site": [[258, 287]], "URL: hxxps://securegateway.com/panel/index.html": [[299, 341]], "MALWARE: REvil": [[358, 363]], "URL: hxxps://mail-cache.io/admin/config": [[396, 430]], "IP_ADDRESS: 192.203.245.162": [[444, 459]], "DOMAIN: update-data.com": [[464, 479]]}, "info": {"id": "synth_v2_01765", "source": "synthetic_v2"}} +{"text": "Dragos detected a multi-stage attack chain. The initial phishing email from noreply@credential-check.site contained a link to http://cdn-cloud.com/api/v2/auth. This redirected to http://edge-api.dev/collect on apicache.io. A secondary email from noreply@document-share.link pointed to http://secure-cloud.live/callback which delivered Latrodectus. 
The final payload callback was https://secureauth.tech/api/v2/auth resolving to 192.157.79.170 via relay-update.live.", "spans": {"ORGANIZATION: Dragos": [[0, 6]], "EMAIL: noreply@credential-check.site": [[76, 105]], "URL: http://cdn-cloud.com/api/v2/auth": [[126, 158]], "URL: http://edge-api.dev/collect": [[179, 206]], "DOMAIN: apicache.io": [[210, 221]], "EMAIL: noreply@document-share.link": [[246, 273]], "URL: http://secure-cloud.live/callback": [[285, 318]], "MALWARE: Latrodectus": [[335, 346]], "URL: https://secureauth.tech/api/v2/auth": [[379, 414]], "IP_ADDRESS: 192.157.79.170": [[428, 442]], "DOMAIN: relay-update.live": [[447, 464]]}, "info": {"id": "synth_v2_01766", "source": "synthetic_v2"}} +{"text": "FBI detected a multi-stage attack chain. The initial phishing email from billing@urgent-notice.online contained a link to hxxp://storage-edge.link/portal/verify. This redirected to http://portal-cloud.io/admin/config on relaylogin.dev. A secondary email from report@secure-verify.net pointed to hxxps://staticstorage.tech/login which delivered Latrodectus. The final payload callback was https://data-data.tech/panel/index.html resolving to 21.13.179.83 via sync-portal.top.", "spans": {"ORGANIZATION: FBI": [[0, 3]], "EMAIL: billing@urgent-notice.online": [[73, 101]], "URL: hxxp://storage-edge.link/portal/verify": [[122, 160]], "URL: http://portal-cloud.io/admin/config": [[181, 216]], "DOMAIN: relaylogin.dev": [[220, 234]], "EMAIL: report@secure-verify.net": [[259, 283]], "URL: hxxps://staticstorage.tech/login": [[295, 327]], "MALWARE: Latrodectus": [[344, 355]], "URL: https://data-data.tech/panel/index.html": [[388, 427]], "IP_ADDRESS: 21.13.179.83": [[441, 453]], "DOMAIN: sync-portal.top": [[458, 473]]}, "info": {"id": "synth_v2_01767", "source": "synthetic_v2"}} +{"text": "Kaspersky GReAT detected a multi-stage attack chain. The initial phishing email from verify@account-update.xyz contained a link to hxxp://cloudupdate.club/collect. 
This redirected to hxxps://apisync.club/admin/config on syncedge.net. A secondary email from account@mail-service.info pointed to https://apigateway.online/admin/config which delivered Lumma Stealer. The final payload callback was hxxps://cdn-secure.online/portal/verify resolving to 201.154.247.70 via edge-static.net.", "spans": {"ORGANIZATION: Kaspersky GReAT": [[0, 15]], "EMAIL: verify@account-update.xyz": [[85, 110]], "URL: hxxp://cloudupdate.club/collect": [[131, 162]], "URL: hxxps://apisync.club/admin/config": [[183, 216]], "DOMAIN: syncedge.net": [[220, 232]], "EMAIL: account@mail-service.info": [[257, 282]], "URL: https://apigateway.online/admin/config": [[294, 332]], "MALWARE: Lumma Stealer": [[349, 362]], "URL: hxxps://cdn-secure.online/portal/verify": [[395, 434]], "IP_ADDRESS: 201.154.247.70": [[448, 462]], "DOMAIN: edge-static.net": [[467, 482]]}, "info": {"id": "synth_v2_01768", "source": "synthetic_v2"}} +{"text": "Secureworks detected a multi-stage attack chain. The initial phishing email from noreply@document-share.link contained a link to hxxp://cdn-cache.live/callback. This redirected to https://edge-node.site/assets/js/payload.js on backupcloud.link. A secondary email from noreply@auth-check.org pointed to hxxps://proxy-secure.com/panel/index.html which delivered TrickBot. 
The final payload callback was hxxps://mail-relay.link/api/v2/auth resolving to 210.191.215.129 via relaystorage.top.", "spans": {"ORGANIZATION: Secureworks": [[0, 11]], "EMAIL: noreply@document-share.link": [[81, 108]], "URL: hxxp://cdn-cache.live/callback": [[129, 159]], "URL: https://edge-node.site/assets/js/payload.js": [[180, 223]], "DOMAIN: backupcloud.link": [[227, 243]], "EMAIL: noreply@auth-check.org": [[268, 290]], "URL: hxxps://proxy-secure.com/panel/index.html": [[302, 343]], "MALWARE: TrickBot": [[360, 368]], "URL: hxxps://mail-relay.link/api/v2/auth": [[401, 436]], "IP_ADDRESS: 210.191.215.129": [[450, 465]], "DOMAIN: relaystorage.top": [[470, 486]]}, "info": {"id": "synth_v2_01769", "source": "synthetic_v2"}} +{"text": "Tenable detected a multi-stage attack chain. The initial phishing email from hr@identity-verify.cc contained a link to hxxps://gatewaystatic.club/login. This redirected to hxxp://storage-edge.net/wp-content/uploads/doc.php on cache-cdn.site. A secondary email from support@document-share.link pointed to hxxp://loginsync.club/portal/verify which delivered REvil. The final payload callback was hxxp://proxycdn.com/secure/token resolving to 208.242.248.230 via loginbackup.club.", "spans": {"ORGANIZATION: Tenable": [[0, 7]], "EMAIL: hr@identity-verify.cc": [[77, 98]], "URL: hxxps://gatewaystatic.club/login": [[119, 151]], "URL: hxxp://storage-edge.net/wp-content/uploads/doc.php": [[172, 222]], "DOMAIN: cache-cdn.site": [[226, 240]], "EMAIL: support@document-share.link": [[265, 292]], "URL: hxxp://loginsync.club/portal/verify": [[304, 339]], "MALWARE: REvil": [[356, 361]], "URL: hxxp://proxycdn.com/secure/token": [[394, 426]], "IP_ADDRESS: 208.242.248.230": [[440, 455]], "DOMAIN: loginbackup.club": [[460, 476]]}, "info": {"id": "synth_v2_01770", "source": "synthetic_v2"}} +{"text": "FBI detected a multi-stage attack chain. The initial phishing email from hr@account-update.xyz contained a link to https://edgeproxy.online/gate.php. 
This redirected to hxxp://datacdn.top/secure/token on relaybackup.top. A secondary email from support@account-update.xyz pointed to hxxps://loginedge.cc/collect which delivered DanaBot. The final payload callback was http://cdn-cdn.club/wp-content/uploads/doc.php resolving to 10.7.161.200 via node-update.live.", "spans": {"ORGANIZATION: FBI": [[0, 3]], "EMAIL: hr@account-update.xyz": [[73, 94]], "URL: https://edgeproxy.online/gate.php": [[115, 148]], "URL: hxxp://datacdn.top/secure/token": [[169, 200]], "DOMAIN: relaybackup.top": [[204, 219]], "EMAIL: support@account-update.xyz": [[244, 270]], "URL: hxxps://loginedge.cc/collect": [[282, 310]], "MALWARE: DanaBot": [[327, 334]], "URL: http://cdn-cdn.club/wp-content/uploads/doc.php": [[367, 413]], "IP_ADDRESS: 10.7.161.200": [[427, 439]], "DOMAIN: node-update.live": [[444, 460]]}, "info": {"id": "synth_v2_01771", "source": "synthetic_v2"}} +{"text": "Sophos X-Ops detected a multi-stage attack chain. The initial phishing email from service@mail-service.info contained a link to http://relaydata.xyz/panel/index.html. This redirected to https://node-proxy.site/gate.php on portalsync.io. A secondary email from account@credential-check.site pointed to https://mailmail.org/panel/index.html which delivered DarkSide. 
The final payload callback was https://edgestorage.site/login resolving to 10.23.26.14 via nodesecure.top.", "spans": {"ORGANIZATION: Sophos X-Ops": [[0, 12]], "EMAIL: service@mail-service.info": [[82, 107]], "URL: http://relaydata.xyz/panel/index.html": [[128, 165]], "URL: https://node-proxy.site/gate.php": [[186, 218]], "DOMAIN: portalsync.io": [[222, 235]], "EMAIL: account@credential-check.site": [[260, 289]], "URL: https://mailmail.org/panel/index.html": [[301, 338]], "MALWARE: DarkSide": [[355, 363]], "URL: https://edgestorage.site/login": [[396, 426]], "IP_ADDRESS: 10.23.26.14": [[440, 451]], "DOMAIN: nodesecure.top": [[456, 470]]}, "info": {"id": "synth_v2_01772", "source": "synthetic_v2"}} +{"text": "Check Point Research detected a multi-stage attack chain. The initial phishing email from ceo@secure-verify.net contained a link to https://syncportal.top/secure/token. This redirected to https://data-backup.online/download/update.exe on cloudcloud.online. A secondary email from info@urgent-notice.online pointed to http://nodebackup.info/login which delivered WarmCookie. The final payload callback was hxxps://authbackup.tech/secure/token resolving to 192.201.61.51 via gateway-static.dev.", "spans": {"ORGANIZATION: Check Point Research": [[0, 20]], "EMAIL: ceo@secure-verify.net": [[90, 111]], "URL: https://syncportal.top/secure/token": [[132, 167]], "URL: https://data-backup.online/download/update.exe": [[188, 234]], "DOMAIN: cloudcloud.online": [[238, 255]], "EMAIL: info@urgent-notice.online": [[280, 305]], "URL: http://nodebackup.info/login": [[317, 345]], "MALWARE: WarmCookie": [[362, 372]], "URL: hxxps://authbackup.tech/secure/token": [[405, 441]], "IP_ADDRESS: 192.201.61.51": [[455, 468]], "DOMAIN: gateway-static.dev": [[473, 491]]}, "info": {"id": "synth_v2_01773", "source": "synthetic_v2"}} +{"text": "ESET Research detected a multi-stage attack chain. 
The initial phishing email from hr@urgent-notice.online contained a link to https://mailstatic.tech/collect. This redirected to hxxps://securesecure.cc/admin/config on relayrelay.info. A secondary email from report@phishing-domain.com pointed to hxxps://data-login.info/collect which delivered SmokeLoader. The final payload callback was hxxps://relayapi.net/api/v2/auth resolving to 155.79.224.26 via portal-cdn.live.", "spans": {"ORGANIZATION: ESET Research": [[0, 13]], "EMAIL: hr@urgent-notice.online": [[83, 106]], "URL: https://mailstatic.tech/collect": [[127, 158]], "URL: hxxps://securesecure.cc/admin/config": [[179, 215]], "DOMAIN: relayrelay.info": [[219, 234]], "EMAIL: report@phishing-domain.com": [[259, 285]], "URL: hxxps://data-login.info/collect": [[297, 328]], "MALWARE: SmokeLoader": [[345, 356]], "URL: hxxps://relayapi.net/api/v2/auth": [[389, 421]], "IP_ADDRESS: 155.79.224.26": [[435, 448]], "DOMAIN: portal-cdn.live": [[453, 468]]}, "info": {"id": "synth_v2_01774", "source": "synthetic_v2"}} +{"text": "Microsoft MSRC detected a multi-stage attack chain. The initial phishing email from ceo@account-update.xyz contained a link to https://cachesync.online/collect. This redirected to hxxp://backup-proxy.site/assets/js/payload.js on edge-backup.xyz. A secondary email from info@credential-check.site pointed to hxxps://apiportal.top/assets/js/payload.js which delivered IcedID. 
The final payload callback was https://relayportal.info/panel/index.html resolving to 192.14.164.50 via static-gateway.top.", "spans": {"ORGANIZATION: Microsoft MSRC": [[0, 14]], "EMAIL: ceo@account-update.xyz": [[84, 106]], "URL: https://cachesync.online/collect": [[127, 159]], "URL: hxxp://backup-proxy.site/assets/js/payload.js": [[180, 225]], "DOMAIN: edge-backup.xyz": [[229, 244]], "EMAIL: info@credential-check.site": [[269, 295]], "URL: hxxps://apiportal.top/assets/js/payload.js": [[307, 349]], "MALWARE: IcedID": [[366, 372]], "URL: https://relayportal.info/panel/index.html": [[405, 446]], "IP_ADDRESS: 192.14.164.50": [[460, 473]], "DOMAIN: static-gateway.top": [[478, 496]]}, "info": {"id": "synth_v2_01775", "source": "synthetic_v2"}} +{"text": "Sophos X-Ops detected a multi-stage attack chain. The initial phishing email from account@login-portal.tech contained a link to http://updatemail.tech/portal/verify. This redirected to https://login-edge.link/secure/token on proxy-node.xyz. A secondary email from it@document-share.link pointed to https://edgerelay.site/secure/token which delivered SmokeLoader. The final payload callback was hxxps://secure-gateway.io/wp-content/uploads/doc.php resolving to 28.87.120.196 via cloudauth.link.", "spans": {"ORGANIZATION: Sophos X-Ops": [[0, 12]], "EMAIL: account@login-portal.tech": [[82, 107]], "URL: http://updatemail.tech/portal/verify": [[128, 164]], "URL: https://login-edge.link/secure/token": [[185, 221]], "DOMAIN: proxy-node.xyz": [[225, 239]], "EMAIL: it@document-share.link": [[264, 286]], "URL: https://edgerelay.site/secure/token": [[298, 333]], "MALWARE: SmokeLoader": [[350, 361]], "URL: hxxps://secure-gateway.io/wp-content/uploads/doc.php": [[394, 446]], "IP_ADDRESS: 28.87.120.196": [[460, 473]], "DOMAIN: cloudauth.link": [[478, 492]]}, "info": {"id": "synth_v2_01776", "source": "synthetic_v2"}} +{"text": "CrowdStrike detected a multi-stage attack chain. 
The initial phishing email from billing@secure-verify.net contained a link to https://cloud-secure.link/assets/js/payload.js. This redirected to https://secure-backup.tech/gate.php on node-gateway.xyz. A secondary email from updates@mail-service.info pointed to http://auth-portal.org/portal/verify which delivered Raccoon Stealer. The final payload callback was https://storage-auth.dev/collect resolving to 10.38.22.247 via proxy-cdn.org.", "spans": {"ORGANIZATION: CrowdStrike": [[0, 11]], "EMAIL: billing@secure-verify.net": [[81, 106]], "URL: https://cloud-secure.link/assets/js/payload.js": [[127, 173]], "URL: https://secure-backup.tech/gate.php": [[194, 229]], "DOMAIN: node-gateway.xyz": [[233, 249]], "EMAIL: updates@mail-service.info": [[274, 299]], "URL: http://auth-portal.org/portal/verify": [[311, 347]], "MALWARE: Raccoon Stealer": [[364, 379]], "URL: https://storage-auth.dev/collect": [[412, 444]], "IP_ADDRESS: 10.38.22.247": [[458, 470]], "DOMAIN: proxy-cdn.org": [[475, 488]]}, "info": {"id": "synth_v2_01777", "source": "synthetic_v2"}} +{"text": "FireEye detected a multi-stage attack chain. The initial phishing email from info@mail-service.info contained a link to https://portaldata.live/portal/verify. This redirected to http://cloud-sync.top/login on cdnsecure.tech. A secondary email from helpdesk@auth-check.org pointed to https://portal-cloud.xyz/callback which delivered Raccoon Stealer. 
The final payload callback was hxxp://apiportal.top/collect resolving to 172.66.101.172 via auth-mail.club.", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "EMAIL: info@mail-service.info": [[77, 99]], "URL: https://portaldata.live/portal/verify": [[120, 157]], "URL: http://cloud-sync.top/login": [[178, 205]], "DOMAIN: cdnsecure.tech": [[209, 223]], "EMAIL: helpdesk@auth-check.org": [[248, 271]], "URL: https://portal-cloud.xyz/callback": [[283, 316]], "MALWARE: Raccoon Stealer": [[333, 348]], "URL: hxxp://apiportal.top/collect": [[381, 409]], "IP_ADDRESS: 172.66.101.172": [[423, 437]], "DOMAIN: auth-mail.club": [[442, 456]]}, "info": {"id": "synth_v2_01778", "source": "synthetic_v2"}} +{"text": "Cisco Talos detected a multi-stage attack chain. The initial phishing email from report@phishing-domain.com contained a link to https://cdnsync.club/panel/index.html. This redirected to hxxp://secureportal.com/assets/js/payload.js on datacdn.link. A secondary email from admin@mail-service.info pointed to http://storage-backup.top/download/update.exe which delivered REvil. The final payload callback was https://sync-cdn.dev/assets/js/payload.js resolving to 168.69.242.94 via apiauth.xyz.", "spans": {"ORGANIZATION: Cisco Talos": [[0, 11]], "EMAIL: report@phishing-domain.com": [[81, 107]], "URL: https://cdnsync.club/panel/index.html": [[128, 165]], "URL: hxxp://secureportal.com/assets/js/payload.js": [[186, 230]], "DOMAIN: datacdn.link": [[234, 246]], "EMAIL: admin@mail-service.info": [[271, 294]], "URL: http://storage-backup.top/download/update.exe": [[306, 351]], "MALWARE: REvil": [[368, 373]], "URL: https://sync-cdn.dev/assets/js/payload.js": [[406, 447]], "IP_ADDRESS: 168.69.242.94": [[461, 474]], "DOMAIN: apiauth.xyz": [[479, 490]]}, "info": {"id": "synth_v2_01779", "source": "synthetic_v2"}} +{"text": "Proofpoint detected a multi-stage attack chain. The initial phishing email from support@auth-check.org contained a link to hxxps://cdnnode.online/secure/token. 
This redirected to https://edgedata.xyz/secure/token on backupnode.link. A secondary email from it@credential-check.site pointed to https://portaldata.io/collect which delivered BlackCat. The final payload callback was https://node-login.io/wp-content/uploads/doc.php resolving to 10.1.235.160 via cacheedge.com.", "spans": {"ORGANIZATION: Proofpoint": [[0, 10]], "EMAIL: support@auth-check.org": [[80, 102]], "URL: hxxps://cdnnode.online/secure/token": [[123, 158]], "URL: https://edgedata.xyz/secure/token": [[179, 212]], "DOMAIN: backupnode.link": [[216, 231]], "EMAIL: it@credential-check.site": [[256, 280]], "URL: https://portaldata.io/collect": [[292, 321]], "MALWARE: BlackCat": [[338, 346]], "URL: https://node-login.io/wp-content/uploads/doc.php": [[379, 427]], "IP_ADDRESS: 10.1.235.160": [[441, 453]], "DOMAIN: cacheedge.com": [[458, 471]]}, "info": {"id": "synth_v2_01780", "source": "synthetic_v2"}} +{"text": "Mandiant detected a multi-stage attack chain. The initial phishing email from noreply@account-update.xyz contained a link to https://updatecache.top/login. This redirected to https://syncrelay.dev/login on storageedge.dev. A secondary email from billing@account-update.xyz pointed to https://relay-storage.com/callback which delivered TrickBot. 
The final payload callback was hxxps://mailstorage.io/admin/config resolving to 47.21.129.62 via cacheproxy.live.", "spans": {"ORGANIZATION: Mandiant": [[0, 8]], "EMAIL: noreply@account-update.xyz": [[78, 104]], "URL: https://updatecache.top/login": [[125, 154]], "URL: https://syncrelay.dev/login": [[175, 202]], "DOMAIN: storageedge.dev": [[206, 221]], "EMAIL: billing@account-update.xyz": [[246, 272]], "URL: https://relay-storage.com/callback": [[284, 318]], "MALWARE: TrickBot": [[335, 343]], "URL: hxxps://mailstorage.io/admin/config": [[376, 411]], "IP_ADDRESS: 47.21.129.62": [[425, 437]], "DOMAIN: cacheproxy.live": [[442, 457]]}, "info": {"id": "synth_v2_01781", "source": "synthetic_v2"}} +{"text": "Microsoft MSRC detected a multi-stage attack chain. The initial phishing email from contact@secure-verify.net contained a link to hxxps://dataapi.cc/login. This redirected to hxxps://cacheproxy.live/assets/js/payload.js on authlogin.live. A secondary email from hr@phishing-domain.com pointed to hxxps://portal-data.tech/admin/config which delivered BlackCat. The final payload callback was hxxps://backup-login.live/download/update.exe resolving to 192.147.168.77 via cloud-secure.io.", "spans": {"ORGANIZATION: Microsoft MSRC": [[0, 14]], "EMAIL: contact@secure-verify.net": [[84, 109]], "URL: hxxps://dataapi.cc/login": [[130, 154]], "URL: hxxps://cacheproxy.live/assets/js/payload.js": [[175, 219]], "DOMAIN: authlogin.live": [[223, 237]], "EMAIL: hr@phishing-domain.com": [[262, 284]], "URL: hxxps://portal-data.tech/admin/config": [[296, 333]], "MALWARE: BlackCat": [[350, 358]], "URL: hxxps://backup-login.live/download/update.exe": [[391, 436]], "IP_ADDRESS: 192.147.168.77": [[450, 464]], "DOMAIN: cloud-secure.io": [[469, 484]]}, "info": {"id": "synth_v2_01782", "source": "synthetic_v2"}} +{"text": "Europol detected a multi-stage attack chain. The initial phishing email from helpdesk@auth-check.org contained a link to https://staticlogin.org/wp-content/uploads/doc.php. 
This redirected to hxxp://login-data.club/assets/js/payload.js on storage-cdn.top. A secondary email from helpdesk@account-update.xyz pointed to hxxp://update-update.net/download/update.exe which delivered DarkSide. The final payload callback was hxxp://nodestatic.org/portal/verify resolving to 98.59.248.106 via cacheauth.club.", "spans": {"ORGANIZATION: Europol": [[0, 7]], "EMAIL: helpdesk@auth-check.org": [[77, 100]], "URL: https://staticlogin.org/wp-content/uploads/doc.php": [[121, 171]], "URL: hxxp://login-data.club/assets/js/payload.js": [[192, 235]], "DOMAIN: storage-cdn.top": [[239, 254]], "EMAIL: helpdesk@account-update.xyz": [[279, 306]], "URL: hxxp://update-update.net/download/update.exe": [[318, 362]], "MALWARE: DarkSide": [[379, 387]], "URL: hxxp://nodestatic.org/portal/verify": [[420, 455]], "IP_ADDRESS: 98.59.248.106": [[469, 482]], "DOMAIN: cacheauth.club": [[487, 501]]}, "info": {"id": "synth_v2_01783", "source": "synthetic_v2"}} +{"text": "Dragos detected a multi-stage attack chain. The initial phishing email from alert@auth-check.org contained a link to http://nodesync.site/callback. This redirected to http://cdnedge.link/gate.php on data-portal.com. A secondary email from contact@credential-check.site pointed to https://cloudportal.net/login which delivered Hive. 
The final payload callback was hxxps://update-relay.com/callback resolving to 172.35.250.191 via proxy-cloud.dev.", "spans": {"ORGANIZATION: Dragos": [[0, 6]], "EMAIL: alert@auth-check.org": [[76, 96]], "URL: http://nodesync.site/callback": [[117, 146]], "URL: http://cdnedge.link/gate.php": [[167, 195]], "DOMAIN: data-portal.com": [[199, 214]], "EMAIL: contact@credential-check.site": [[239, 268]], "URL: https://cloudportal.net/login": [[280, 309]], "MALWARE: Hive": [[326, 330]], "URL: hxxps://update-relay.com/callback": [[363, 396]], "IP_ADDRESS: 172.35.250.191": [[410, 424]], "DOMAIN: proxy-cloud.dev": [[429, 444]]}, "info": {"id": "synth_v2_01784", "source": "synthetic_v2"}} +{"text": "Zscaler ThreatLabz detected a multi-stage attack chain. The initial phishing email from ceo@account-update.xyz contained a link to https://cache-login.info/collect. This redirected to hxxp://relayrelay.xyz/assets/js/payload.js on node-data.xyz. A secondary email from security@login-portal.tech pointed to hxxps://cloudnode.org/portal/verify which delivered Qbot. The final payload callback was hxxp://securestatic.org/download/update.exe resolving to 154.14.197.38 via cloud-node.dev.", "spans": {"ORGANIZATION: Zscaler ThreatLabz": [[0, 18]], "EMAIL: ceo@account-update.xyz": [[88, 110]], "URL: https://cache-login.info/collect": [[131, 163]], "URL: hxxp://relayrelay.xyz/assets/js/payload.js": [[184, 226]], "DOMAIN: node-data.xyz": [[230, 243]], "EMAIL: security@login-portal.tech": [[268, 294]], "URL: hxxps://cloudnode.org/portal/verify": [[306, 341]], "MALWARE: Qbot": [[358, 362]], "URL: hxxp://securestatic.org/download/update.exe": [[395, 438]], "IP_ADDRESS: 154.14.197.38": [[452, 465]], "DOMAIN: cloud-node.dev": [[470, 484]]}, "info": {"id": "synth_v2_01785", "source": "synthetic_v2"}} +{"text": "Qualys detected a multi-stage attack chain. The initial phishing email from security@document-share.link contained a link to hxxps://cache-backup.dev/assets/js/payload.js. 
This redirected to hxxp://sync-backup.net/portal/verify on cache-data.dev. A secondary email from billing@login-portal.tech pointed to hxxp://securesecure.cc/portal/verify which delivered Hive. The final payload callback was hxxps://portalrelay.top/panel/index.html resolving to 72.57.180.237 via cdnsync.site.", "spans": {"ORGANIZATION: Qualys": [[0, 6]], "EMAIL: security@document-share.link": [[76, 104]], "URL: hxxps://cache-backup.dev/assets/js/payload.js": [[125, 170]], "URL: hxxp://sync-backup.net/portal/verify": [[191, 227]], "DOMAIN: cache-data.dev": [[231, 245]], "EMAIL: billing@login-portal.tech": [[270, 295]], "URL: hxxp://securesecure.cc/portal/verify": [[307, 343]], "MALWARE: Hive": [[360, 364]], "URL: hxxps://portalrelay.top/panel/index.html": [[397, 437]], "IP_ADDRESS: 72.57.180.237": [[451, 464]], "DOMAIN: cdnsync.site": [[469, 481]]}, "info": {"id": "synth_v2_01786", "source": "synthetic_v2"}} +{"text": "Proofpoint detected a multi-stage attack chain. The initial phishing email from admin@credential-check.site contained a link to http://edgedata.xyz/panel/index.html. This redirected to hxxps://staticapi.club/secure/token on mail-proxy.org. A secondary email from admin@urgent-notice.online pointed to https://cdn-cache.top/secure/token which delivered AsyncRAT. 
The final payload callback was hxxps://mailcache.tech/panel/index.html resolving to 18.223.155.129 via secure-cloud.com.", "spans": {"ORGANIZATION: Proofpoint": [[0, 10]], "EMAIL: admin@credential-check.site": [[80, 107]], "URL: http://edgedata.xyz/panel/index.html": [[128, 164]], "URL: hxxps://staticapi.club/secure/token": [[185, 220]], "DOMAIN: mail-proxy.org": [[224, 238]], "EMAIL: admin@urgent-notice.online": [[263, 289]], "URL: https://cdn-cache.top/secure/token": [[301, 335]], "MALWARE: AsyncRAT": [[352, 360]], "URL: hxxps://mailcache.tech/panel/index.html": [[393, 432]], "IP_ADDRESS: 18.223.155.129": [[446, 460]], "DOMAIN: secure-cloud.com": [[465, 481]]}, "info": {"id": "synth_v2_01787", "source": "synthetic_v2"}} +{"text": "Zscaler ThreatLabz detected a multi-stage attack chain. The initial phishing email from alert@phishing-domain.com contained a link to https://backuprelay.club/download/update.exe. This redirected to https://sync-edge.xyz/admin/config on storage-login.top. A secondary email from it@auth-check.org pointed to http://mailcdn.io/collect which delivered XLoader. The final payload callback was hxxps://login-relay.live/assets/js/payload.js resolving to 46.155.36.37 via syncauth.link.", "spans": {"ORGANIZATION: Zscaler ThreatLabz": [[0, 18]], "EMAIL: alert@phishing-domain.com": [[88, 113]], "URL: https://backuprelay.club/download/update.exe": [[134, 178]], "URL: https://sync-edge.xyz/admin/config": [[199, 233]], "DOMAIN: storage-login.top": [[237, 254]], "EMAIL: it@auth-check.org": [[279, 296]], "URL: http://mailcdn.io/collect": [[308, 333]], "MALWARE: XLoader": [[350, 357]], "URL: hxxps://login-relay.live/assets/js/payload.js": [[390, 435]], "IP_ADDRESS: 46.155.36.37": [[449, 461]], "DOMAIN: syncauth.link": [[466, 479]]}, "info": {"id": "synth_v2_01788", "source": "synthetic_v2"}} +{"text": "Microsoft MSRC detected a multi-stage attack chain. 
The initial phishing email from info@mail-service.info contained a link to hxxps://relaygateway.dev/admin/config. This redirected to http://cdnstorage.cc/portal/verify on update-gateway.tech. A secondary email from helpdesk@mail-service.info pointed to http://cdndata.xyz/portal/verify which delivered AgentTesla. The final payload callback was hxxp://backup-storage.link/assets/js/payload.js resolving to 192.106.244.19 via datalogin.site.", "spans": {"ORGANIZATION: Microsoft MSRC": [[0, 14]], "EMAIL: info@mail-service.info": [[84, 106]], "URL: hxxps://relaygateway.dev/admin/config": [[127, 164]], "URL: http://cdnstorage.cc/portal/verify": [[185, 219]], "DOMAIN: update-gateway.tech": [[223, 242]], "EMAIL: helpdesk@mail-service.info": [[267, 293]], "URL: http://cdndata.xyz/portal/verify": [[305, 337]], "MALWARE: AgentTesla": [[354, 364]], "URL: hxxp://backup-storage.link/assets/js/payload.js": [[397, 444]], "IP_ADDRESS: 192.106.244.19": [[458, 472]], "DOMAIN: datalogin.site": [[477, 491]]}, "info": {"id": "synth_v2_01789", "source": "synthetic_v2"}} +{"text": "Recorded Future detected a multi-stage attack chain. The initial phishing email from finance@account-update.xyz contained a link to hxxps://cloudauth.com/secure/token. This redirected to hxxps://edgedata.top/collect on edgerelay.com. A secondary email from account@identity-verify.cc pointed to hxxp://dataapi.club/download/update.exe which delivered PikaBot. 
The final payload callback was http://secureportal.info/portal/verify resolving to 10.238.15.118 via relayportal.info.", "spans": {"ORGANIZATION: Recorded Future": [[0, 15]], "EMAIL: finance@account-update.xyz": [[85, 111]], "URL: hxxps://cloudauth.com/secure/token": [[132, 166]], "URL: hxxps://edgedata.top/collect": [[187, 215]], "DOMAIN: edgerelay.com": [[219, 232]], "EMAIL: account@identity-verify.cc": [[257, 283]], "URL: hxxp://dataapi.club/download/update.exe": [[295, 334]], "MALWARE: PikaBot": [[351, 358]], "URL: http://secureportal.info/portal/verify": [[391, 429]], "IP_ADDRESS: 10.238.15.118": [[443, 456]], "DOMAIN: relayportal.info": [[461, 477]]}, "info": {"id": "synth_v2_01790", "source": "synthetic_v2"}} +{"text": "Recorded Future detected a multi-stage attack chain. The initial phishing email from notification@account-update.xyz contained a link to hxxp://api-cdn.net/portal/verify. This redirected to http://nodeupdate.tech/collect on relay-secure.club. A secondary email from admin@mail-service.info pointed to http://loginauth.net/portal/verify which delivered SmokeLoader. The final payload callback was hxxps://update-sync.info/login resolving to 10.212.148.15 via api-backup.dev.", "spans": {"ORGANIZATION: Recorded Future": [[0, 15]], "EMAIL: notification@account-update.xyz": [[85, 116]], "URL: hxxp://api-cdn.net/portal/verify": [[137, 169]], "URL: http://nodeupdate.tech/collect": [[190, 220]], "DOMAIN: relay-secure.club": [[224, 241]], "EMAIL: admin@mail-service.info": [[266, 289]], "URL: http://loginauth.net/portal/verify": [[301, 335]], "MALWARE: SmokeLoader": [[352, 363]], "URL: hxxps://update-sync.info/login": [[396, 426]], "IP_ADDRESS: 10.212.148.15": [[440, 453]], "DOMAIN: api-backup.dev": [[458, 472]]}, "info": {"id": "synth_v2_01791", "source": "synthetic_v2"}} +{"text": "FireEye detected a multi-stage attack chain. The initial phishing email from it@secure-verify.net contained a link to hxxps://api-cdn.online/admin/config. 
This redirected to https://cloudapi.com/secure/token on mailauth.info. A secondary email from ceo@identity-verify.cc pointed to http://cloud-api.tech/panel/index.html which delivered BlackCat. The final payload callback was hxxps://cdnportal.site/callback resolving to 192.179.61.69 via sync-node.xyz.", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "EMAIL: it@secure-verify.net": [[77, 97]], "URL: hxxps://api-cdn.online/admin/config": [[118, 153]], "URL: https://cloudapi.com/secure/token": [[174, 207]], "DOMAIN: mailauth.info": [[211, 224]], "EMAIL: ceo@identity-verify.cc": [[249, 271]], "URL: http://cloud-api.tech/panel/index.html": [[283, 321]], "MALWARE: BlackCat": [[338, 346]], "URL: hxxps://cdnportal.site/callback": [[379, 410]], "IP_ADDRESS: 192.179.61.69": [[424, 437]], "DOMAIN: sync-node.xyz": [[442, 455]]}, "info": {"id": "synth_v2_01792", "source": "synthetic_v2"}} +{"text": "FBI detected a multi-stage attack chain. The initial phishing email from admin@mail-service.info contained a link to hxxp://proxycdn.top/api/v2/auth. This redirected to hxxps://dataedge.site/api/v2/auth on sync-auth.com. A secondary email from verify@account-update.xyz pointed to http://authauth.net/download/update.exe which delivered Cobalt Strike. 
The final payload callback was https://authsync.xyz/collect resolving to 90.110.62.218 via authgateway.tech.", "spans": {"ORGANIZATION: FBI": [[0, 3]], "EMAIL: admin@mail-service.info": [[73, 96]], "URL: hxxp://proxycdn.top/api/v2/auth": [[117, 148]], "URL: hxxps://dataedge.site/api/v2/auth": [[169, 202]], "DOMAIN: sync-auth.com": [[206, 219]], "EMAIL: verify@account-update.xyz": [[244, 269]], "URL: http://authauth.net/download/update.exe": [[281, 320]], "MALWARE: Cobalt Strike": [[337, 350]], "URL: https://authsync.xyz/collect": [[383, 411]], "IP_ADDRESS: 90.110.62.218": [[425, 438]], "DOMAIN: authgateway.tech": [[443, 459]]}, "info": {"id": "synth_v2_01793", "source": "synthetic_v2"}} +{"text": "INTERPOL detected a multi-stage attack chain. The initial phishing email from report@document-share.link contained a link to hxxp://proxy-api.org/login. This redirected to hxxps://loginstorage.club/panel/index.html on data-gateway.com. A secondary email from helpdesk@secure-verify.net pointed to hxxps://storagesecure.info/panel/index.html which delivered StealC. The final payload callback was hxxp://cdnstatic.site/secure/token resolving to 192.137.30.7 via update-cache.club.", "spans": {"ORGANIZATION: INTERPOL": [[0, 8]], "EMAIL: report@document-share.link": [[78, 104]], "URL: hxxp://proxy-api.org/login": [[125, 151]], "URL: hxxps://loginstorage.club/panel/index.html": [[172, 214]], "DOMAIN: data-gateway.com": [[218, 234]], "EMAIL: helpdesk@secure-verify.net": [[259, 285]], "URL: hxxps://storagesecure.info/panel/index.html": [[297, 340]], "MALWARE: StealC": [[357, 363]], "URL: hxxp://cdnstatic.site/secure/token": [[396, 430]], "IP_ADDRESS: 192.137.30.7": [[444, 456]], "DOMAIN: update-cache.club": [[461, 478]]}, "info": {"id": "synth_v2_01794", "source": "synthetic_v2"}} +{"text": "Symantec detected a multi-stage attack chain. The initial phishing email from helpdesk@urgent-notice.online contained a link to hxxps://secure-static.online/collect. 
This redirected to http://secure-node.io/portal/verify on cdnlogin.site. A secondary email from contact@document-share.link pointed to https://storage-cache.live/collect which delivered IcedID. The final payload callback was hxxp://mail-sync.top/portal/verify resolving to 216.223.142.141 via syncsecure.online.", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "EMAIL: helpdesk@urgent-notice.online": [[78, 107]], "URL: hxxps://secure-static.online/collect": [[128, 164]], "URL: http://secure-node.io/portal/verify": [[185, 220]], "DOMAIN: cdnlogin.site": [[224, 237]], "EMAIL: contact@document-share.link": [[262, 289]], "URL: https://storage-cache.live/collect": [[301, 335]], "MALWARE: IcedID": [[352, 358]], "URL: hxxp://mail-sync.top/portal/verify": [[391, 425]], "IP_ADDRESS: 216.223.142.141": [[439, 454]], "DOMAIN: syncsecure.online": [[459, 476]]}, "info": {"id": "synth_v2_01795", "source": "synthetic_v2"}} +{"text": "Google TAG detected a multi-stage attack chain. The initial phishing email from report@login-portal.tech contained a link to hxxp://cdn-storage.net/collect. This redirected to https://relay-login.live/wp-content/uploads/doc.php on updatenode.club. A secondary email from it@secure-verify.net pointed to http://gateway-proxy.online/collect which delivered DanaBot. 
The final payload callback was hxxps://portal-relay.online/login resolving to 10.49.181.117 via sync-cdn.io.", "spans": {"ORGANIZATION: Google TAG": [[0, 10]], "EMAIL: report@login-portal.tech": [[80, 104]], "URL: hxxp://cdn-storage.net/collect": [[125, 155]], "URL: https://relay-login.live/wp-content/uploads/doc.php": [[176, 227]], "DOMAIN: updatenode.club": [[231, 246]], "EMAIL: it@secure-verify.net": [[271, 291]], "URL: http://gateway-proxy.online/collect": [[303, 338]], "MALWARE: DanaBot": [[355, 362]], "URL: hxxps://portal-relay.online/login": [[395, 428]], "IP_ADDRESS: 10.49.181.117": [[442, 455]], "DOMAIN: sync-cdn.io": [[460, 471]]}, "info": {"id": "synth_v2_01796", "source": "synthetic_v2"}} +{"text": "Cisco Talos detected a multi-stage attack chain. The initial phishing email from hr@phishing-domain.com contained a link to hxxp://edge-secure.top/callback. This redirected to hxxp://apiportal.top/login on cachegateway.link. A secondary email from helpdesk@document-share.link pointed to https://relay-login.cc/assets/js/payload.js which delivered Amadey. The final payload callback was http://login-portal.top/login resolving to 192.92.244.101 via api-update.io.", "spans": {"ORGANIZATION: Cisco Talos": [[0, 11]], "EMAIL: hr@phishing-domain.com": [[81, 103]], "URL: hxxp://edge-secure.top/callback": [[124, 155]], "URL: hxxp://apiportal.top/login": [[176, 202]], "DOMAIN: cachegateway.link": [[206, 223]], "EMAIL: helpdesk@document-share.link": [[248, 276]], "URL: https://relay-login.cc/assets/js/payload.js": [[288, 331]], "MALWARE: Amadey": [[348, 354]], "URL: http://login-portal.top/login": [[387, 416]], "IP_ADDRESS: 192.92.244.101": [[430, 444]], "DOMAIN: api-update.io": [[449, 462]]}, "info": {"id": "synth_v2_01797", "source": "synthetic_v2"}} +{"text": "Symantec detected a multi-stage attack chain. The initial phishing email from contact@document-share.link contained a link to hxxp://updatenode.site/wp-content/uploads/doc.php. 
This redirected to https://cache-static.top/login on storage-cdn.top. A secondary email from security@auth-check.org pointed to http://portalportal.top/callback which delivered RedLine Stealer. The final payload callback was hxxps://storage-mail.com/admin/config resolving to 192.18.179.252 via edge-cloud.com.", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "EMAIL: contact@document-share.link": [[78, 105]], "URL: hxxp://updatenode.site/wp-content/uploads/doc.php": [[126, 175]], "URL: https://cache-static.top/login": [[196, 226]], "DOMAIN: storage-cdn.top": [[230, 245]], "EMAIL: security@auth-check.org": [[270, 293]], "URL: http://portalportal.top/callback": [[305, 337]], "MALWARE: RedLine Stealer": [[354, 369]], "URL: hxxps://storage-mail.com/admin/config": [[402, 439]], "IP_ADDRESS: 192.18.179.252": [[453, 467]], "DOMAIN: edge-cloud.com": [[472, 486]]}, "info": {"id": "synth_v2_01798", "source": "synthetic_v2"}} +{"text": "CISA detected a multi-stage attack chain. The initial phishing email from confirm@login-portal.tech contained a link to hxxps://backupbackup.link/collect. This redirected to hxxp://apilogin.info/callback on apicache.net. A secondary email from contact@credential-check.site pointed to hxxps://portal-cdn.tech/assets/js/payload.js which delivered Dridex. 
The final payload callback was hxxps://static-cache.cc/gate.php resolving to 157.7.121.35 via backup-static.dev.", "spans": {"ORGANIZATION: CISA": [[0, 4]], "EMAIL: confirm@login-portal.tech": [[74, 99]], "URL: hxxps://backupbackup.link/collect": [[120, 153]], "URL: hxxp://apilogin.info/callback": [[174, 203]], "DOMAIN: apicache.net": [[207, 219]], "EMAIL: contact@credential-check.site": [[244, 273]], "URL: hxxps://portal-cdn.tech/assets/js/payload.js": [[285, 329]], "MALWARE: Dridex": [[346, 352]], "URL: hxxps://static-cache.cc/gate.php": [[385, 417]], "IP_ADDRESS: 157.7.121.35": [[431, 443]], "DOMAIN: backup-static.dev": [[448, 465]]}, "info": {"id": "synth_v2_01799", "source": "synthetic_v2"}} +{"text": "Dragos detected a multi-stage attack chain. The initial phishing email from confirm@identity-verify.cc contained a link to hxxps://synccache.live/api/v2/auth. This redirected to https://gatewayrelay.tech/login on secure-static.tech. A secondary email from support@login-portal.tech pointed to http://sync-cloud.live/secure/token which delivered Latrodectus. The final payload callback was http://auth-storage.live/secure/token resolving to 10.217.253.75 via edge-data.live.", "spans": {"ORGANIZATION: Dragos": [[0, 6]], "EMAIL: confirm@identity-verify.cc": [[76, 102]], "URL: hxxps://synccache.live/api/v2/auth": [[123, 157]], "URL: https://gatewayrelay.tech/login": [[178, 209]], "DOMAIN: secure-static.tech": [[213, 231]], "EMAIL: support@login-portal.tech": [[256, 281]], "URL: http://sync-cloud.live/secure/token": [[293, 328]], "MALWARE: Latrodectus": [[345, 356]], "URL: http://auth-storage.live/secure/token": [[389, 426]], "IP_ADDRESS: 10.217.253.75": [[440, 453]], "DOMAIN: edge-data.live": [[458, 472]]}, "info": {"id": "synth_v2_01800", "source": "synthetic_v2"}} +{"text": "CrowdStrike detected a multi-stage attack chain. The initial phishing email from helpdesk@account-update.xyz contained a link to https://mailportal.online/wp-content/uploads/doc.php. 
This redirected to https://apistorage.xyz/admin/config on update-cloud.online. A secondary email from admin@urgent-notice.online pointed to hxxp://backupcloud.cc/gate.php which delivered Vidar. The final payload callback was hxxps://node-auth.org/gate.php resolving to 10.131.49.209 via update-auth.com.", "spans": {"ORGANIZATION: CrowdStrike": [[0, 11]], "EMAIL: helpdesk@account-update.xyz": [[81, 108]], "URL: https://mailportal.online/wp-content/uploads/doc.php": [[129, 181]], "URL: https://apistorage.xyz/admin/config": [[202, 237]], "DOMAIN: update-cloud.online": [[241, 260]], "EMAIL: admin@urgent-notice.online": [[285, 311]], "URL: hxxp://backupcloud.cc/gate.php": [[323, 353]], "MALWARE: Vidar": [[370, 375]], "URL: hxxps://node-auth.org/gate.php": [[408, 438]], "IP_ADDRESS: 10.131.49.209": [[452, 465]], "DOMAIN: update-auth.com": [[470, 485]]}, "info": {"id": "synth_v2_01801", "source": "synthetic_v2"}} +{"text": "CrowdStrike detected a multi-stage attack chain. The initial phishing email from updates@account-update.xyz contained a link to http://cache-relay.tech/assets/js/payload.js. This redirected to hxxps://authportal.site/collect on apigateway.top. A secondary email from contact@secure-verify.net pointed to https://proxy-portal.info/portal/verify which delivered Raccoon Stealer. 
The final payload callback was https://sync-data.link/assets/js/payload.js resolving to 172.137.19.44 via login-secure.online.", "spans": {"ORGANIZATION: CrowdStrike": [[0, 11]], "EMAIL: updates@account-update.xyz": [[81, 107]], "URL: http://cache-relay.tech/assets/js/payload.js": [[128, 172]], "URL: hxxps://authportal.site/collect": [[193, 224]], "DOMAIN: apigateway.top": [[228, 242]], "EMAIL: contact@secure-verify.net": [[267, 292]], "URL: https://proxy-portal.info/portal/verify": [[304, 343]], "MALWARE: Raccoon Stealer": [[360, 375]], "URL: https://sync-data.link/assets/js/payload.js": [[408, 451]], "IP_ADDRESS: 172.137.19.44": [[465, 478]], "DOMAIN: login-secure.online": [[483, 502]]}, "info": {"id": "synth_v2_01802", "source": "synthetic_v2"}} +{"text": "Volexity detected a multi-stage attack chain. The initial phishing email from finance@urgent-notice.online contained a link to http://node-backup.live/secure/token. This redirected to hxxps://cachelogin.dev/assets/js/payload.js on static-api.io. A secondary email from updates@identity-verify.cc pointed to http://portaledge.io/portal/verify which delivered Play. The final payload callback was https://cloud-cache.online/secure/token resolving to 192.155.155.66 via secure-data.io.", "spans": {"ORGANIZATION: Volexity": [[0, 8]], "EMAIL: finance@urgent-notice.online": [[78, 106]], "URL: http://node-backup.live/secure/token": [[127, 163]], "URL: hxxps://cachelogin.dev/assets/js/payload.js": [[184, 227]], "DOMAIN: static-api.io": [[231, 244]], "EMAIL: updates@identity-verify.cc": [[269, 295]], "URL: http://portaledge.io/portal/verify": [[307, 341]], "MALWARE: Play": [[358, 362]], "URL: https://cloud-cache.online/secure/token": [[395, 434]], "IP_ADDRESS: 192.155.155.66": [[448, 462]], "DOMAIN: secure-data.io": [[467, 481]]}, "info": {"id": "synth_v2_01803", "source": "synthetic_v2"}} +{"text": "Palo Alto Unit 42 detected a multi-stage attack chain. 
The initial phishing email from ceo@account-update.xyz contained a link to hxxps://relay-data.site/collect. This redirected to https://node-storage.online/wp-content/uploads/doc.php on update-secure.info. A secondary email from billing@mail-service.info pointed to http://staticbackup.online/wp-content/uploads/doc.php which delivered REvil. The final payload callback was https://node-cloud.top/download/update.exe resolving to 186.40.162.18 via proxy-edge.dev.", "spans": {"ORGANIZATION: Palo Alto Unit 42": [[0, 17]], "EMAIL: ceo@account-update.xyz": [[87, 109]], "URL: hxxps://relay-data.site/collect": [[130, 161]], "URL: https://node-storage.online/wp-content/uploads/doc.php": [[182, 236]], "DOMAIN: update-secure.info": [[240, 258]], "EMAIL: billing@mail-service.info": [[283, 308]], "URL: http://staticbackup.online/wp-content/uploads/doc.php": [[320, 373]], "MALWARE: REvil": [[390, 395]], "URL: https://node-cloud.top/download/update.exe": [[428, 470]], "IP_ADDRESS: 186.40.162.18": [[484, 497]], "DOMAIN: proxy-edge.dev": [[502, 516]]}, "info": {"id": "synth_v2_01804", "source": "synthetic_v2"}} +{"text": "Volexity detected a multi-stage attack chain. The initial phishing email from finance@mail-service.info contained a link to hxxps://proxyportal.club/panel/index.html. This redirected to http://cdnapi.com/callback on cache-cloud.io. A secondary email from ceo@phishing-domain.com pointed to hxxp://nodestatic.online/assets/js/payload.js which delivered Hive. 
The final payload callback was http://loginmail.live/secure/token resolving to 192.204.99.135 via synccdn.top.", "spans": {"ORGANIZATION: Volexity": [[0, 8]], "EMAIL: finance@mail-service.info": [[78, 103]], "URL: hxxps://proxyportal.club/panel/index.html": [[124, 165]], "URL: http://cdnapi.com/callback": [[186, 212]], "DOMAIN: cache-cloud.io": [[216, 230]], "EMAIL: ceo@phishing-domain.com": [[255, 278]], "URL: hxxp://nodestatic.online/assets/js/payload.js": [[290, 335]], "MALWARE: Hive": [[352, 356]], "URL: http://loginmail.live/secure/token": [[389, 423]], "IP_ADDRESS: 192.204.99.135": [[437, 451]], "DOMAIN: synccdn.top": [[456, 467]]}, "info": {"id": "synth_v2_01805", "source": "synthetic_v2"}} +{"text": "Secureworks detected a multi-stage attack chain. The initial phishing email from support@mail-service.info contained a link to hxxps://portalportal.cc/panel/index.html. This redirected to http://sync-backup.cc/login on update-proxy.com. A secondary email from account@credential-check.site pointed to https://static-portal.link/wp-content/uploads/doc.php which delivered BatLoader. The final payload callback was hxxps://edge-data.live/secure/token resolving to 6.38.183.16 via staticauth.cc.", "spans": {"ORGANIZATION: Secureworks": [[0, 11]], "EMAIL: support@mail-service.info": [[81, 106]], "URL: hxxps://portalportal.cc/panel/index.html": [[127, 167]], "URL: http://sync-backup.cc/login": [[188, 215]], "DOMAIN: update-proxy.com": [[219, 235]], "EMAIL: account@credential-check.site": [[260, 289]], "URL: https://static-portal.link/wp-content/uploads/doc.php": [[301, 354]], "MALWARE: BatLoader": [[371, 380]], "URL: hxxps://edge-data.live/secure/token": [[413, 448]], "IP_ADDRESS: 6.38.183.16": [[462, 473]], "DOMAIN: staticauth.cc": [[478, 491]]}, "info": {"id": "synth_v2_01806", "source": "synthetic_v2"}} +{"text": "Dragos detected a multi-stage attack chain. 
The initial phishing email from noreply@phishing-domain.com contained a link to https://data-sync.link/api/v2/auth. This redirected to https://static-node.org/secure/token on updaterelay.link. A secondary email from billing@document-share.link pointed to hxxp://apinode.xyz/gate.php which delivered BatLoader. The final payload callback was https://backup-proxy.link/download/update.exe resolving to 212.30.28.114 via datanode.live.", "spans": {"ORGANIZATION: Dragos": [[0, 6]], "EMAIL: noreply@phishing-domain.com": [[76, 103]], "URL: https://data-sync.link/api/v2/auth": [[124, 158]], "URL: https://static-node.org/secure/token": [[179, 215]], "DOMAIN: updaterelay.link": [[219, 235]], "EMAIL: billing@document-share.link": [[260, 287]], "URL: hxxp://apinode.xyz/gate.php": [[299, 326]], "MALWARE: BatLoader": [[343, 352]], "URL: https://backup-proxy.link/download/update.exe": [[385, 430]], "IP_ADDRESS: 212.30.28.114": [[444, 457]], "DOMAIN: datanode.live": [[462, 475]]}, "info": {"id": "synth_v2_01807", "source": "synthetic_v2"}} +{"text": "Check Point Research detected a multi-stage attack chain. The initial phishing email from report@auth-check.org contained a link to hxxps://relaystorage.tech/login. This redirected to http://cloudstorage.online/assets/js/payload.js on syncapi.tech. A secondary email from contact@identity-verify.cc pointed to http://data-portal.live/wp-content/uploads/doc.php which delivered SmokeLoader. 
The final payload callback was hxxp://portal-api.info/portal/verify resolving to 192.140.80.246 via gateway-data.org.", "spans": {"ORGANIZATION: Check Point Research": [[0, 20]], "EMAIL: report@auth-check.org": [[90, 111]], "URL: hxxps://relaystorage.tech/login": [[132, 163]], "URL: http://cloudstorage.online/assets/js/payload.js": [[184, 231]], "DOMAIN: syncapi.tech": [[235, 247]], "EMAIL: contact@identity-verify.cc": [[272, 298]], "URL: http://data-portal.live/wp-content/uploads/doc.php": [[310, 360]], "MALWARE: SmokeLoader": [[377, 388]], "URL: hxxp://portal-api.info/portal/verify": [[421, 457]], "IP_ADDRESS: 192.140.80.246": [[471, 485]], "DOMAIN: gateway-data.org": [[490, 506]]}, "info": {"id": "synth_v2_01808", "source": "synthetic_v2"}} +{"text": "CISA detected a multi-stage attack chain. The initial phishing email from notification@account-update.xyz contained a link to https://gateway-backup.io/api/v2/auth. This redirected to http://nodesecure.club/admin/config on apistatic.site. A secondary email from ceo@identity-verify.cc pointed to hxxps://proxyproxy.xyz/callback which delivered BlackCat. The final payload callback was hxxps://sync-portal.com/gate.php resolving to 192.168.218.213 via updatecdn.com.", "spans": {"ORGANIZATION: CISA": [[0, 4]], "EMAIL: notification@account-update.xyz": [[74, 105]], "URL: https://gateway-backup.io/api/v2/auth": [[126, 163]], "URL: http://nodesecure.club/admin/config": [[184, 219]], "DOMAIN: apistatic.site": [[223, 237]], "EMAIL: ceo@identity-verify.cc": [[262, 284]], "URL: hxxps://proxyproxy.xyz/callback": [[296, 327]], "MALWARE: BlackCat": [[344, 352]], "URL: hxxps://sync-portal.com/gate.php": [[385, 417]], "IP_ADDRESS: 192.168.218.213": [[431, 446]], "DOMAIN: updatecdn.com": [[451, 464]]}, "info": {"id": "synth_v2_01809", "source": "synthetic_v2"}} +{"text": "Sophos X-Ops detected a multi-stage attack chain. The initial phishing email from helpdesk@identity-verify.cc contained a link to http://edge-proxy.online/callback. 
This redirected to hxxp://syncupdate.org/portal/verify on gateway-mail.link. A secondary email from verify@auth-check.org pointed to hxxps://authbackup.tech/wp-content/uploads/doc.php which delivered SmokeLoader. The final payload callback was hxxp://syncupdate.link/panel/index.html resolving to 46.232.189.195 via storagesecure.cc.", "spans": {"ORGANIZATION: Sophos X-Ops": [[0, 12]], "EMAIL: helpdesk@identity-verify.cc": [[82, 109]], "URL: http://edge-proxy.online/callback": [[130, 163]], "URL: hxxp://syncupdate.org/portal/verify": [[184, 219]], "DOMAIN: gateway-mail.link": [[223, 240]], "EMAIL: verify@auth-check.org": [[265, 286]], "URL: hxxps://authbackup.tech/wp-content/uploads/doc.php": [[298, 348]], "MALWARE: SmokeLoader": [[365, 376]], "URL: hxxp://syncupdate.link/panel/index.html": [[409, 448]], "IP_ADDRESS: 46.232.189.195": [[462, 476]], "DOMAIN: storagesecure.cc": [[481, 497]]}, "info": {"id": "synth_v2_01810", "source": "synthetic_v2"}} +{"text": "Qualys detected a multi-stage attack chain. The initial phishing email from billing@document-share.link contained a link to https://updatedata.link/collect. This redirected to https://static-relay.tech/secure/token on syncproxy.live. A secondary email from admin@secure-verify.net pointed to hxxp://portal-backup.top/download/update.exe which delivered SystemBC. 
The final payload callback was hxxps://cache-sync.online/secure/token resolving to 99.84.228.16 via mailnode.dev.", "spans": {"ORGANIZATION: Qualys": [[0, 6]], "EMAIL: billing@document-share.link": [[76, 103]], "URL: https://updatedata.link/collect": [[124, 155]], "URL: https://static-relay.tech/secure/token": [[176, 214]], "DOMAIN: syncproxy.live": [[218, 232]], "EMAIL: admin@secure-verify.net": [[257, 280]], "URL: hxxp://portal-backup.top/download/update.exe": [[292, 336]], "MALWARE: SystemBC": [[353, 361]], "URL: hxxps://cache-sync.online/secure/token": [[394, 432]], "IP_ADDRESS: 99.84.228.16": [[446, 458]], "DOMAIN: mailnode.dev": [[463, 475]]}, "info": {"id": "synth_v2_01811", "source": "synthetic_v2"}} +{"text": "Zscaler ThreatLabz detected a multi-stage attack chain. The initial phishing email from contact@urgent-notice.online contained a link to hxxp://node-edge.tech/panel/index.html. This redirected to hxxp://apimail.link/portal/verify on cdnlogin.cc. A secondary email from account@identity-verify.cc pointed to http://dataupdate.org/assets/js/payload.js which delivered SmokeLoader. The final payload callback was https://edge-storage.info/download/update.exe resolving to 192.231.205.52 via edgeupdate.info.", "spans": {"ORGANIZATION: Zscaler ThreatLabz": [[0, 18]], "EMAIL: contact@urgent-notice.online": [[88, 116]], "URL: hxxp://node-edge.tech/panel/index.html": [[137, 175]], "URL: hxxp://apimail.link/portal/verify": [[196, 229]], "DOMAIN: cdnlogin.cc": [[233, 244]], "EMAIL: account@identity-verify.cc": [[269, 295]], "URL: http://dataupdate.org/assets/js/payload.js": [[307, 349]], "MALWARE: SmokeLoader": [[366, 377]], "URL: https://edge-storage.info/download/update.exe": [[410, 455]], "IP_ADDRESS: 192.231.205.52": [[469, 483]], "DOMAIN: edgeupdate.info": [[488, 503]]}, "info": {"id": "synth_v2_01812", "source": "synthetic_v2"}} +{"text": "Dragos detected a multi-stage attack chain. 
The initial phishing email from admin@login-portal.tech contained a link to http://proxy-secure.info/gate.php. This redirected to http://auth-mail.online/wp-content/uploads/doc.php on proxyapi.xyz. A secondary email from info@document-share.link pointed to http://edgeapi.tech/api/v2/auth which delivered Conti. The final payload callback was http://secureapi.club/wp-content/uploads/doc.php resolving to 172.217.212.222 via cloudapi.info.", "spans": {"ORGANIZATION: Dragos": [[0, 6]], "EMAIL: admin@login-portal.tech": [[76, 99]], "URL: http://proxy-secure.info/gate.php": [[120, 153]], "URL: http://auth-mail.online/wp-content/uploads/doc.php": [[174, 224]], "DOMAIN: proxyapi.xyz": [[228, 240]], "EMAIL: info@document-share.link": [[265, 289]], "URL: http://edgeapi.tech/api/v2/auth": [[301, 332]], "MALWARE: Conti": [[349, 354]], "URL: http://secureapi.club/wp-content/uploads/doc.php": [[387, 435]], "IP_ADDRESS: 172.217.212.222": [[449, 464]], "DOMAIN: cloudapi.info": [[469, 482]]}, "info": {"id": "synth_v2_01813", "source": "synthetic_v2"}} +{"text": "Cisco Talos detected a multi-stage attack chain. The initial phishing email from notification@auth-check.org contained a link to http://backup-portal.cc/gate.php. This redirected to hxxp://secureapi.io/download/update.exe on relay-auth.site. A secondary email from updates@document-share.link pointed to hxxp://relaycache.top/download/update.exe which delivered DarkSide. 
The final payload callback was http://proxyportal.top/gate.php resolving to 172.233.189.178 via apisync.io.", "spans": {"ORGANIZATION: Cisco Talos": [[0, 11]], "EMAIL: notification@auth-check.org": [[81, 108]], "URL: http://backup-portal.cc/gate.php": [[129, 161]], "URL: hxxp://secureapi.io/download/update.exe": [[182, 221]], "DOMAIN: relay-auth.site": [[225, 240]], "EMAIL: updates@document-share.link": [[265, 292]], "URL: hxxp://relaycache.top/download/update.exe": [[304, 345]], "MALWARE: DarkSide": [[362, 370]], "URL: http://proxyportal.top/gate.php": [[403, 434]], "IP_ADDRESS: 172.233.189.178": [[448, 463]], "DOMAIN: apisync.io": [[468, 478]]}, "info": {"id": "synth_v2_01814", "source": "synthetic_v2"}} +{"text": "Check Point Research detected a multi-stage attack chain. The initial phishing email from updates@secure-verify.net contained a link to hxxps://loginstatic.io/login. This redirected to http://backup-api.xyz/wp-content/uploads/doc.php on secure-api.io. A secondary email from report@phishing-domain.com pointed to https://storagesync.org/gate.php which delivered Amadey. The final payload callback was https://api-mail.dev/panel/index.html resolving to 211.13.222.117 via cache-storage.net.", "spans": {"ORGANIZATION: Check Point Research": [[0, 20]], "EMAIL: updates@secure-verify.net": [[90, 115]], "URL: hxxps://loginstatic.io/login": [[136, 164]], "URL: http://backup-api.xyz/wp-content/uploads/doc.php": [[185, 233]], "DOMAIN: secure-api.io": [[237, 250]], "EMAIL: report@phishing-domain.com": [[275, 301]], "URL: https://storagesync.org/gate.php": [[313, 345]], "MALWARE: Amadey": [[362, 368]], "URL: https://api-mail.dev/panel/index.html": [[401, 438]], "IP_ADDRESS: 211.13.222.117": [[452, 466]], "DOMAIN: cache-storage.net": [[471, 488]]}, "info": {"id": "synth_v2_01815", "source": "synthetic_v2"}} +{"text": "Zscaler ThreatLabz detected a multi-stage attack chain. 
The initial phishing email from ceo@mail-service.info contained a link to hxxps://staticcloud.live/wp-content/uploads/doc.php. This redirected to hxxp://portal-backup.tech/panel/index.html on data-secure.live. A secondary email from service@credential-check.site pointed to https://cloud-portal.dev/download/update.exe which delivered Lumma Stealer. The final payload callback was hxxp://storageupdate.live/secure/token resolving to 197.35.149.149 via cdn-auth.org.", "spans": {"ORGANIZATION: Zscaler ThreatLabz": [[0, 18]], "EMAIL: ceo@mail-service.info": [[88, 109]], "URL: hxxps://staticcloud.live/wp-content/uploads/doc.php": [[130, 181]], "URL: hxxp://portal-backup.tech/panel/index.html": [[202, 244]], "DOMAIN: data-secure.live": [[248, 264]], "EMAIL: service@credential-check.site": [[289, 318]], "URL: https://cloud-portal.dev/download/update.exe": [[330, 374]], "MALWARE: Lumma Stealer": [[391, 404]], "URL: hxxp://storageupdate.live/secure/token": [[437, 475]], "IP_ADDRESS: 197.35.149.149": [[489, 503]], "DOMAIN: cdn-auth.org": [[508, 520]]}, "info": {"id": "synth_v2_01816", "source": "synthetic_v2"}} +{"text": "Symantec detected a multi-stage attack chain. The initial phishing email from helpdesk@identity-verify.cc contained a link to hxxps://cacherelay.online/wp-content/uploads/doc.php. This redirected to http://proxy-update.tech/panel/index.html on cloudportal.live. A secondary email from account@identity-verify.cc pointed to hxxp://mail-edge.xyz/login which delivered AsyncRAT. 
The final payload callback was https://sync-cloud.tech/secure/token resolving to 172.153.159.185 via staticnode.io.", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "EMAIL: helpdesk@identity-verify.cc": [[78, 105]], "URL: hxxps://cacherelay.online/wp-content/uploads/doc.php": [[126, 178]], "URL: http://proxy-update.tech/panel/index.html": [[199, 240]], "DOMAIN: cloudportal.live": [[244, 260]], "EMAIL: account@identity-verify.cc": [[285, 311]], "URL: hxxp://mail-edge.xyz/login": [[323, 349]], "MALWARE: AsyncRAT": [[366, 374]], "URL: https://sync-cloud.tech/secure/token": [[407, 443]], "IP_ADDRESS: 172.153.159.185": [[457, 472]], "DOMAIN: staticnode.io": [[477, 490]]}, "info": {"id": "synth_v2_01817", "source": "synthetic_v2"}} +{"text": "Volexity detected a multi-stage attack chain. The initial phishing email from ceo@phishing-domain.com contained a link to hxxp://update-portal.dev/download/update.exe. This redirected to hxxp://relaycloud.cc/admin/config on static-secure.info. A secondary email from contact@document-share.link pointed to hxxp://portal-update.info/collect which delivered Lumma Stealer. The final payload callback was hxxp://loginstatic.cc/api/v2/auth resolving to 139.86.30.148 via synccloud.top.", "spans": {"ORGANIZATION: Volexity": [[0, 8]], "EMAIL: ceo@phishing-domain.com": [[78, 101]], "URL: hxxp://update-portal.dev/download/update.exe": [[122, 166]], "URL: hxxp://relaycloud.cc/admin/config": [[187, 220]], "DOMAIN: static-secure.info": [[224, 242]], "EMAIL: contact@document-share.link": [[267, 294]], "URL: hxxp://portal-update.info/collect": [[306, 339]], "MALWARE: Lumma Stealer": [[356, 369]], "URL: hxxp://loginstatic.cc/api/v2/auth": [[402, 435]], "IP_ADDRESS: 139.86.30.148": [[449, 462]], "DOMAIN: synccloud.top": [[467, 480]]}, "info": {"id": "synth_v2_01818", "source": "synthetic_v2"}} +{"text": "Recorded Future detected a multi-stage attack chain. 
The initial phishing email from helpdesk@phishing-domain.com contained a link to hxxps://node-proxy.org/api/v2/auth. This redirected to hxxp://update-cloud.io/assets/js/payload.js on gatewayapi.site. A secondary email from finance@phishing-domain.com pointed to hxxps://cache-static.dev/api/v2/auth which delivered TrickBot. The final payload callback was https://updatemail.cc/portal/verify resolving to 172.138.215.134 via portal-node.com.", "spans": {"ORGANIZATION: Recorded Future": [[0, 15]], "EMAIL: helpdesk@phishing-domain.com": [[85, 113]], "URL: hxxps://node-proxy.org/api/v2/auth": [[134, 168]], "URL: hxxp://update-cloud.io/assets/js/payload.js": [[189, 232]], "DOMAIN: gatewayapi.site": [[236, 251]], "EMAIL: finance@phishing-domain.com": [[276, 303]], "URL: hxxps://cache-static.dev/api/v2/auth": [[315, 351]], "MALWARE: TrickBot": [[368, 376]], "URL: https://updatemail.cc/portal/verify": [[409, 444]], "IP_ADDRESS: 172.138.215.134": [[458, 473]], "DOMAIN: portal-node.com": [[478, 493]]}, "info": {"id": "synth_v2_01819", "source": "synthetic_v2"}} +{"text": "Microsoft MSRC detected a multi-stage attack chain. The initial phishing email from info@login-portal.tech contained a link to hxxp://auth-sync.xyz/callback. This redirected to hxxp://mail-proxy.info/download/update.exe on staticauth.cc. A secondary email from service@mail-service.info pointed to https://auth-auth.dev/portal/verify which delivered DanaBot. 
The final payload callback was hxxps://staticstatic.org/admin/config resolving to 172.213.162.245 via staticcdn.cc.", "spans": {"ORGANIZATION: Microsoft MSRC": [[0, 14]], "EMAIL: info@login-portal.tech": [[84, 106]], "URL: hxxp://auth-sync.xyz/callback": [[127, 156]], "URL: hxxp://mail-proxy.info/download/update.exe": [[177, 219]], "DOMAIN: staticauth.cc": [[223, 236]], "EMAIL: service@mail-service.info": [[261, 286]], "URL: https://auth-auth.dev/portal/verify": [[298, 333]], "MALWARE: DanaBot": [[350, 357]], "URL: hxxps://staticstatic.org/admin/config": [[390, 427]], "IP_ADDRESS: 172.213.162.245": [[441, 456]], "DOMAIN: staticcdn.cc": [[461, 473]]}, "info": {"id": "synth_v2_01820", "source": "synthetic_v2"}} +{"text": "Cisco Talos detected a multi-stage attack chain. The initial phishing email from noreply@phishing-domain.com contained a link to hxxp://mail-cache.info/callback. This redirected to hxxps://cache-update.dev/callback on mailcloud.top. A secondary email from admin@document-share.link pointed to hxxp://auth-api.tech/assets/js/payload.js which delivered NjRAT. The final payload callback was https://updatestatic.site/wp-content/uploads/doc.php resolving to 9.59.190.51 via staticproxy.xyz.", "spans": {"ORGANIZATION: Cisco Talos": [[0, 11]], "EMAIL: noreply@phishing-domain.com": [[81, 108]], "URL: hxxp://mail-cache.info/callback": [[129, 160]], "URL: hxxps://cache-update.dev/callback": [[181, 214]], "DOMAIN: mailcloud.top": [[218, 231]], "EMAIL: admin@document-share.link": [[256, 281]], "URL: hxxp://auth-api.tech/assets/js/payload.js": [[293, 334]], "MALWARE: NjRAT": [[351, 356]], "URL: https://updatestatic.site/wp-content/uploads/doc.php": [[389, 441]], "IP_ADDRESS: 9.59.190.51": [[455, 466]], "DOMAIN: staticproxy.xyz": [[471, 486]]}, "info": {"id": "synth_v2_01821", "source": "synthetic_v2"}} +{"text": "Check Point Research detected a multi-stage attack chain. 
The initial phishing email from info@document-share.link contained a link to https://mail-data.org/callback. This redirected to hxxps://backup-edge.io/portal/verify on secure-backup.com. A secondary email from billing@auth-check.org pointed to https://cdnsync.site/panel/index.html which delivered BatLoader. The final payload callback was http://storagemail.net/collect resolving to 192.50.0.61 via relaybackup.net.", "spans": {"ORGANIZATION: Check Point Research": [[0, 20]], "EMAIL: info@document-share.link": [[90, 114]], "URL: https://mail-data.org/callback": [[135, 165]], "URL: hxxps://backup-edge.io/portal/verify": [[186, 222]], "DOMAIN: secure-backup.com": [[226, 243]], "EMAIL: billing@auth-check.org": [[268, 290]], "URL: https://cdnsync.site/panel/index.html": [[302, 339]], "MALWARE: BatLoader": [[356, 365]], "URL: http://storagemail.net/collect": [[398, 428]], "IP_ADDRESS: 192.50.0.61": [[442, 453]], "DOMAIN: relaybackup.net": [[458, 473]]}, "info": {"id": "synth_v2_01822", "source": "synthetic_v2"}} +{"text": "Cisco Talos detected a multi-stage attack chain. The initial phishing email from billing@document-share.link contained a link to http://portal-portal.online/admin/config. This redirected to hxxps://static-mail.org/panel/index.html on storage-edge.live. A secondary email from confirm@phishing-domain.com pointed to hxxps://nodeportal.io/portal/verify which delivered Amadey. 
The final payload callback was hxxps://static-sync.org/login resolving to 172.12.109.116 via proxynode.link.", "spans": {"ORGANIZATION: Cisco Talos": [[0, 11]], "EMAIL: billing@document-share.link": [[81, 108]], "URL: http://portal-portal.online/admin/config": [[129, 169]], "URL: hxxps://static-mail.org/panel/index.html": [[190, 230]], "DOMAIN: storage-edge.live": [[234, 251]], "EMAIL: confirm@phishing-domain.com": [[276, 303]], "URL: hxxps://nodeportal.io/portal/verify": [[315, 350]], "MALWARE: Amadey": [[367, 373]], "URL: hxxps://static-sync.org/login": [[406, 435]], "IP_ADDRESS: 172.12.109.116": [[449, 463]], "DOMAIN: proxynode.link": [[468, 482]]}, "info": {"id": "synth_v2_01823", "source": "synthetic_v2"}} +{"text": "Volexity detected a multi-stage attack chain. The initial phishing email from service@secure-verify.net contained a link to http://login-cdn.tech/collect. This redirected to hxxps://nodemail.xyz/gate.php on storage-cdn.club. A secondary email from verify@phishing-domain.com pointed to hxxps://noderelay.io/wp-content/uploads/doc.php which delivered Ryuk. The final payload callback was hxxps://updatecache.tech/portal/verify resolving to 10.141.183.78 via edge-auth.xyz.", "spans": {"ORGANIZATION: Volexity": [[0, 8]], "EMAIL: service@secure-verify.net": [[78, 103]], "URL: http://login-cdn.tech/collect": [[124, 153]], "URL: hxxps://nodemail.xyz/gate.php": [[174, 203]], "DOMAIN: storage-cdn.club": [[207, 223]], "EMAIL: verify@phishing-domain.com": [[248, 274]], "URL: hxxps://noderelay.io/wp-content/uploads/doc.php": [[286, 333]], "MALWARE: Ryuk": [[350, 354]], "URL: hxxps://updatecache.tech/portal/verify": [[387, 425]], "IP_ADDRESS: 10.141.183.78": [[439, 452]], "DOMAIN: edge-auth.xyz": [[457, 470]]}, "info": {"id": "synth_v2_01824", "source": "synthetic_v2"}} +{"text": "Palo Alto Unit 42 detected a multi-stage attack chain. The initial phishing email from noreply@secure-verify.net contained a link to hxxps://cloud-sync.io/login. 
This redirected to https://storagesecure.tech/wp-content/uploads/doc.php on cdnapi.dev. A secondary email from ceo@account-update.xyz pointed to https://loginstorage.live/callback which delivered Conti. The final payload callback was hxxp://sync-sync.net/admin/config resolving to 28.254.220.29 via static-cloud.top.", "spans": {"ORGANIZATION: Palo Alto Unit 42": [[0, 17]], "EMAIL: noreply@secure-verify.net": [[87, 112]], "URL: hxxps://cloud-sync.io/login": [[133, 160]], "URL: https://storagesecure.tech/wp-content/uploads/doc.php": [[181, 234]], "DOMAIN: cdnapi.dev": [[238, 248]], "EMAIL: ceo@account-update.xyz": [[273, 295]], "URL: https://loginstorage.live/callback": [[307, 341]], "MALWARE: Conti": [[358, 363]], "URL: hxxp://sync-sync.net/admin/config": [[396, 429]], "IP_ADDRESS: 28.254.220.29": [[443, 456]], "DOMAIN: static-cloud.top": [[461, 477]]}, "info": {"id": "synth_v2_01825", "source": "synthetic_v2"}} +{"text": "Google TAG detected a multi-stage attack chain. The initial phishing email from contact@credential-check.site contained a link to https://nodedata.org/assets/js/payload.js. This redirected to https://static-portal.club/download/update.exe on api-secure.club. A secondary email from notification@identity-verify.cc pointed to http://apilogin.net/callback which delivered BumbleBee. 
The final payload callback was hxxps://nodeapi.dev/login resolving to 95.199.237.232 via data-update.net.", "spans": {"ORGANIZATION: Google TAG": [[0, 10]], "EMAIL: contact@credential-check.site": [[80, 109]], "URL: https://nodedata.org/assets/js/payload.js": [[130, 171]], "URL: https://static-portal.club/download/update.exe": [[192, 238]], "DOMAIN: api-secure.club": [[242, 257]], "EMAIL: notification@identity-verify.cc": [[282, 313]], "URL: http://apilogin.net/callback": [[325, 353]], "MALWARE: BumbleBee": [[370, 379]], "URL: hxxps://nodeapi.dev/login": [[412, 437]], "IP_ADDRESS: 95.199.237.232": [[451, 465]], "DOMAIN: data-update.net": [[470, 485]]}, "info": {"id": "synth_v2_01826", "source": "synthetic_v2"}} +{"text": "Recorded Future detected a multi-stage attack chain. The initial phishing email from info@identity-verify.cc contained a link to https://edge-cloud.site/api/v2/auth. This redirected to http://databackup.info/download/update.exe on updatestatic.link. A secondary email from confirm@login-portal.tech pointed to http://node-update.club/portal/verify which delivered DarkSide. The final payload callback was hxxps://storage-cloud.io/secure/token resolving to 40.169.228.126 via securenode.top.", "spans": {"ORGANIZATION: Recorded Future": [[0, 15]], "EMAIL: info@identity-verify.cc": [[85, 108]], "URL: https://edge-cloud.site/api/v2/auth": [[129, 164]], "URL: http://databackup.info/download/update.exe": [[185, 227]], "DOMAIN: updatestatic.link": [[231, 248]], "EMAIL: confirm@login-portal.tech": [[273, 298]], "URL: http://node-update.club/portal/verify": [[310, 347]], "MALWARE: DarkSide": [[364, 372]], "URL: hxxps://storage-cloud.io/secure/token": [[405, 442]], "IP_ADDRESS: 40.169.228.126": [[456, 470]], "DOMAIN: securenode.top": [[475, 489]]}, "info": {"id": "synth_v2_01827", "source": "synthetic_v2"}} +{"text": "Huntress detected a multi-stage attack chain. 
The initial phishing email from ceo@account-update.xyz contained a link to http://node-proxy.org/portal/verify. This redirected to hxxps://cdn-mail.cc/secure/token on mailsecure.cc. A secondary email from noreply@secure-verify.net pointed to hxxps://cachenode.club/secure/token which delivered SmokeLoader. The final payload callback was https://storageapi.io/collect resolving to 51.65.156.37 via syncdata.top.", "spans": {"ORGANIZATION: Huntress": [[0, 8]], "EMAIL: ceo@account-update.xyz": [[78, 100]], "URL: http://node-proxy.org/portal/verify": [[121, 156]], "URL: hxxps://cdn-mail.cc/secure/token": [[177, 209]], "DOMAIN: mailsecure.cc": [[213, 226]], "EMAIL: noreply@secure-verify.net": [[251, 276]], "URL: hxxps://cachenode.club/secure/token": [[288, 323]], "MALWARE: SmokeLoader": [[340, 351]], "URL: https://storageapi.io/collect": [[384, 413]], "IP_ADDRESS: 51.65.156.37": [[427, 439]], "DOMAIN: syncdata.top": [[444, 456]]}, "info": {"id": "synth_v2_01828", "source": "synthetic_v2"}} +{"text": "Kaspersky GReAT detected a multi-stage attack chain. The initial phishing email from it@identity-verify.cc contained a link to hxxps://securecache.io/admin/config. This redirected to hxxps://update-login.cc/admin/config on proxynode.link. A secondary email from noreply@auth-check.org pointed to hxxps://secureportal.tech/admin/config which delivered BlackCat. 
The final payload callback was https://sync-login.com/admin/config resolving to 10.111.30.227 via data-auth.info.", "spans": {"ORGANIZATION: Kaspersky GReAT": [[0, 15]], "EMAIL: it@identity-verify.cc": [[85, 106]], "URL: hxxps://securecache.io/admin/config": [[127, 162]], "URL: hxxps://update-login.cc/admin/config": [[183, 219]], "DOMAIN: proxynode.link": [[223, 237]], "EMAIL: noreply@auth-check.org": [[262, 284]], "URL: hxxps://secureportal.tech/admin/config": [[296, 334]], "MALWARE: BlackCat": [[351, 359]], "URL: https://sync-login.com/admin/config": [[392, 427]], "IP_ADDRESS: 10.111.30.227": [[441, 454]], "DOMAIN: data-auth.info": [[459, 473]]}, "info": {"id": "synth_v2_01829", "source": "synthetic_v2"}} +{"text": "Zscaler ThreatLabz detected a multi-stage attack chain. The initial phishing email from finance@document-share.link contained a link to hxxps://data-update.com/api/v2/auth. This redirected to https://api-backup.site/portal/verify on login-proxy.online. A secondary email from updates@identity-verify.cc pointed to http://api-backup.xyz/admin/config which delivered Vidar. The final payload callback was https://nodeupdate.live/secure/token resolving to 157.230.94.90 via login-gateway.com.", "spans": {"ORGANIZATION: Zscaler ThreatLabz": [[0, 18]], "EMAIL: finance@document-share.link": [[88, 115]], "URL: hxxps://data-update.com/api/v2/auth": [[136, 171]], "URL: https://api-backup.site/portal/verify": [[192, 229]], "DOMAIN: login-proxy.online": [[233, 251]], "EMAIL: updates@identity-verify.cc": [[276, 302]], "URL: http://api-backup.xyz/admin/config": [[314, 348]], "MALWARE: Vidar": [[365, 370]], "URL: https://nodeupdate.live/secure/token": [[403, 439]], "IP_ADDRESS: 157.230.94.90": [[453, 466]], "DOMAIN: login-gateway.com": [[471, 488]]}, "info": {"id": "synth_v2_01830", "source": "synthetic_v2"}} +{"text": "Tenable detected a multi-stage attack chain. 
The initial phishing email from ceo@phishing-domain.com contained a link to hxxp://backupapi.net/secure/token. This redirected to https://relay-gateway.link/collect on cdn-relay.net. A secondary email from it@account-update.xyz pointed to http://relaysecure.club/assets/js/payload.js which delivered Amadey. The final payload callback was http://cloudcloud.cc/panel/index.html resolving to 10.48.33.37 via static-backup.online.", "spans": {"ORGANIZATION: Tenable": [[0, 7]], "EMAIL: ceo@phishing-domain.com": [[77, 100]], "URL: hxxp://backupapi.net/secure/token": [[121, 154]], "URL: https://relay-gateway.link/collect": [[175, 209]], "DOMAIN: cdn-relay.net": [[213, 226]], "EMAIL: it@account-update.xyz": [[251, 272]], "URL: http://relaysecure.club/assets/js/payload.js": [[284, 328]], "MALWARE: Amadey": [[345, 351]], "URL: http://cloudcloud.cc/panel/index.html": [[384, 421]], "IP_ADDRESS: 10.48.33.37": [[435, 446]], "DOMAIN: static-backup.online": [[451, 471]]}, "info": {"id": "synth_v2_01831", "source": "synthetic_v2"}} +{"text": "Europol detected a multi-stage attack chain. The initial phishing email from notification@auth-check.org contained a link to https://backup-login.org/collect. This redirected to hxxps://data-login.xyz/portal/verify on cdnproxy.net. A secondary email from info@secure-verify.net pointed to hxxps://cloud-auth.site/callback which delivered BumbleBee. 
The final payload callback was https://staticproxy.info/callback resolving to 172.252.232.33 via static-node.link.", "spans": {"ORGANIZATION: Europol": [[0, 7]], "EMAIL: notification@auth-check.org": [[77, 104]], "URL: https://backup-login.org/collect": [[125, 157]], "URL: hxxps://data-login.xyz/portal/verify": [[178, 214]], "DOMAIN: cdnproxy.net": [[218, 230]], "EMAIL: info@secure-verify.net": [[255, 277]], "URL: hxxps://cloud-auth.site/callback": [[289, 321]], "MALWARE: BumbleBee": [[338, 347]], "URL: https://staticproxy.info/callback": [[380, 413]], "IP_ADDRESS: 172.252.232.33": [[427, 441]], "DOMAIN: static-node.link": [[446, 462]]}, "info": {"id": "synth_v2_01832", "source": "synthetic_v2"}} +{"text": "NSA detected a multi-stage attack chain. The initial phishing email from confirm@credential-check.site contained a link to https://cloud-proxy.net/admin/config. This redirected to hxxp://nodeportal.com/callback on cachecloud.online. A secondary email from it@phishing-domain.com pointed to hxxp://logincloud.site/assets/js/payload.js which delivered Qbot. The final payload callback was https://storagenode.io/assets/js/payload.js resolving to 172.235.33.18 via sync-relay.top.", "spans": {"ORGANIZATION: NSA": [[0, 3]], "EMAIL: confirm@credential-check.site": [[73, 102]], "URL: https://cloud-proxy.net/admin/config": [[123, 159]], "URL: hxxp://nodeportal.com/callback": [[180, 210]], "DOMAIN: cachecloud.online": [[214, 231]], "EMAIL: it@phishing-domain.com": [[256, 278]], "URL: hxxp://logincloud.site/assets/js/payload.js": [[290, 333]], "MALWARE: Qbot": [[350, 354]], "URL: https://storagenode.io/assets/js/payload.js": [[387, 430]], "IP_ADDRESS: 172.235.33.18": [[444, 457]], "DOMAIN: sync-relay.top": [[462, 476]]}, "info": {"id": "synth_v2_01833", "source": "synthetic_v2"}} +{"text": "Dragos detected a multi-stage attack chain. The initial phishing email from security@credential-check.site contained a link to hxxps://backupsync.com/download/update.exe. 
This redirected to https://syncnode.cc/download/update.exe on relayauth.net. A secondary email from updates@login-portal.tech pointed to hxxp://backupdata.online/callback which delivered Lumma Stealer. The final payload callback was https://gatewaycdn.info/panel/index.html resolving to 211.228.237.74 via gateway-api.io.", "spans": {"ORGANIZATION: Dragos": [[0, 6]], "EMAIL: security@credential-check.site": [[76, 106]], "URL: hxxps://backupsync.com/download/update.exe": [[127, 169]], "URL: https://syncnode.cc/download/update.exe": [[190, 229]], "DOMAIN: relayauth.net": [[233, 246]], "EMAIL: updates@login-portal.tech": [[271, 296]], "URL: hxxp://backupdata.online/callback": [[308, 341]], "MALWARE: Lumma Stealer": [[358, 371]], "URL: https://gatewaycdn.info/panel/index.html": [[404, 444]], "IP_ADDRESS: 211.228.237.74": [[458, 472]], "DOMAIN: gateway-api.io": [[477, 491]]}, "info": {"id": "synth_v2_01834", "source": "synthetic_v2"}} +{"text": "CrowdStrike detected a multi-stage attack chain. The initial phishing email from support@credential-check.site contained a link to hxxp://nodebackup.tech/gate.php. This redirected to hxxps://data-auth.top/secure/token on staticrelay.top. A secondary email from updates@phishing-domain.com pointed to https://proxystorage.live/api/v2/auth which delivered Royal. 
The final payload callback was https://storage-sync.top/secure/token resolving to 162.191.172.248 via relay-static.link.", "spans": {"ORGANIZATION: CrowdStrike": [[0, 11]], "EMAIL: support@credential-check.site": [[81, 110]], "URL: hxxp://nodebackup.tech/gate.php": [[131, 162]], "URL: hxxps://data-auth.top/secure/token": [[183, 217]], "DOMAIN: staticrelay.top": [[221, 236]], "EMAIL: updates@phishing-domain.com": [[261, 288]], "URL: https://proxystorage.live/api/v2/auth": [[300, 337]], "MALWARE: Royal": [[354, 359]], "URL: https://storage-sync.top/secure/token": [[392, 429]], "IP_ADDRESS: 162.191.172.248": [[443, 458]], "DOMAIN: relay-static.link": [[463, 480]]}, "info": {"id": "synth_v2_01835", "source": "synthetic_v2"}} +{"text": "Huntress detected a multi-stage attack chain. The initial phishing email from confirm@auth-check.org contained a link to hxxps://api-proxy.xyz/portal/verify. This redirected to https://login-proxy.org/collect on securestorage.live. A secondary email from contact@auth-check.org pointed to https://auth-secure.cc/callback which delivered LockBit. The final payload callback was https://loginsync.com/secure/token resolving to 192.206.157.234 via proxy-proxy.info.", "spans": {"ORGANIZATION: Huntress": [[0, 8]], "EMAIL: confirm@auth-check.org": [[78, 100]], "URL: hxxps://api-proxy.xyz/portal/verify": [[121, 156]], "URL: https://login-proxy.org/collect": [[177, 208]], "DOMAIN: securestorage.live": [[212, 230]], "EMAIL: contact@auth-check.org": [[255, 277]], "URL: https://auth-secure.cc/callback": [[289, 320]], "MALWARE: LockBit": [[337, 344]], "URL: https://loginsync.com/secure/token": [[377, 411]], "IP_ADDRESS: 192.206.157.234": [[425, 440]], "DOMAIN: proxy-proxy.info": [[445, 461]]}, "info": {"id": "synth_v2_01836", "source": "synthetic_v2"}} +{"text": "Europol detected a multi-stage attack chain. The initial phishing email from support@document-share.link contained a link to hxxp://cloudrelay.info/panel/index.html. 
This redirected to hxxp://login-update.org/login on cdn-auth.club. A secondary email from contact@credential-check.site pointed to https://apiupdate.site/collect which delivered QakBot. The final payload callback was http://cdnrelay.org/secure/token resolving to 172.87.191.9 via noderelay.site.", "spans": {"ORGANIZATION: Europol": [[0, 7]], "EMAIL: support@document-share.link": [[77, 104]], "URL: hxxp://cloudrelay.info/panel/index.html": [[125, 164]], "URL: hxxp://login-update.org/login": [[185, 214]], "DOMAIN: cdn-auth.club": [[218, 231]], "EMAIL: contact@credential-check.site": [[256, 285]], "URL: https://apiupdate.site/collect": [[297, 327]], "MALWARE: QakBot": [[344, 350]], "URL: http://cdnrelay.org/secure/token": [[383, 415]], "IP_ADDRESS: 172.87.191.9": [[429, 441]], "DOMAIN: noderelay.site": [[446, 460]]}, "info": {"id": "synth_v2_01837", "source": "synthetic_v2"}} +{"text": "Trend Micro detected a multi-stage attack chain. The initial phishing email from alert@phishing-domain.com contained a link to https://secure-auth.club/callback. This redirected to hxxps://secure-cdn.tech/callback on logincloud.site. A secondary email from support@account-update.xyz pointed to http://cdnportal.dev/admin/config which delivered Cobalt Strike. 
The final payload callback was https://storage-edge.io/portal/verify resolving to 192.192.251.104 via cachesync.net.", "spans": {"ORGANIZATION: Trend Micro": [[0, 11]], "EMAIL: alert@phishing-domain.com": [[81, 106]], "URL: https://secure-auth.club/callback": [[127, 160]], "URL: hxxps://secure-cdn.tech/callback": [[181, 213]], "DOMAIN: logincloud.site": [[217, 232]], "EMAIL: support@account-update.xyz": [[257, 283]], "URL: http://cdnportal.dev/admin/config": [[295, 328]], "MALWARE: Cobalt Strike": [[345, 358]], "URL: https://storage-edge.io/portal/verify": [[391, 428]], "IP_ADDRESS: 192.192.251.104": [[442, 457]], "DOMAIN: cachesync.net": [[462, 475]]}, "info": {"id": "synth_v2_01838", "source": "synthetic_v2"}} +{"text": "Google TAG detected a multi-stage attack chain. The initial phishing email from support@credential-check.site contained a link to hxxp://gateway-login.xyz/api/v2/auth. This redirected to hxxps://authrelay.tech/collect on api-sync.top. A secondary email from support@mail-service.info pointed to hxxp://proxycache.link/collect which delivered REvil. The final payload callback was http://updatestorage.io/secure/token resolving to 10.23.233.118 via sync-secure.org.", "spans": {"ORGANIZATION: Google TAG": [[0, 10]], "EMAIL: support@credential-check.site": [[80, 109]], "URL: hxxp://gateway-login.xyz/api/v2/auth": [[130, 166]], "URL: hxxps://authrelay.tech/collect": [[187, 217]], "DOMAIN: api-sync.top": [[221, 233]], "EMAIL: support@mail-service.info": [[258, 283]], "URL: hxxp://proxycache.link/collect": [[295, 325]], "MALWARE: REvil": [[342, 347]], "URL: http://updatestorage.io/secure/token": [[380, 416]], "IP_ADDRESS: 10.23.233.118": [[430, 443]], "DOMAIN: sync-secure.org": [[448, 463]]}, "info": {"id": "synth_v2_01839", "source": "synthetic_v2"}} +{"text": "Mandiant detected a multi-stage attack chain. The initial phishing email from billing@urgent-notice.online contained a link to https://edge-relay.info/panel/index.html. 
This redirected to https://portal-proxy.dev/download/update.exe on api-cloud.com. A secondary email from helpdesk@auth-check.org pointed to http://cdnapi.online/assets/js/payload.js which delivered NjRAT. The final payload callback was hxxps://noderelay.xyz/api/v2/auth resolving to 10.107.238.127 via securecache.org.", "spans": {"ORGANIZATION: Mandiant": [[0, 8]], "EMAIL: billing@urgent-notice.online": [[78, 106]], "URL: https://edge-relay.info/panel/index.html": [[127, 167]], "URL: https://portal-proxy.dev/download/update.exe": [[188, 232]], "DOMAIN: api-cloud.com": [[236, 249]], "EMAIL: helpdesk@auth-check.org": [[274, 297]], "URL: http://cdnapi.online/assets/js/payload.js": [[309, 350]], "MALWARE: NjRAT": [[367, 372]], "URL: hxxps://noderelay.xyz/api/v2/auth": [[405, 438]], "IP_ADDRESS: 10.107.238.127": [[452, 466]], "DOMAIN: securecache.org": [[471, 486]]}, "info": {"id": "synth_v2_01840", "source": "synthetic_v2"}} +{"text": "INTERPOL detected a multi-stage attack chain. The initial phishing email from verify@phishing-domain.com contained a link to hxxps://backupnode.link/callback. This redirected to http://secure-sync.info/panel/index.html on loginrelay.cc. A secondary email from noreply@secure-verify.net pointed to hxxps://gatewaycdn.info/assets/js/payload.js which delivered Raccoon Stealer. 
The final payload callback was https://gateway-auth.site/secure/token resolving to 172.195.39.190 via cloud-cache.cc.", "spans": {"ORGANIZATION: INTERPOL": [[0, 8]], "EMAIL: verify@phishing-domain.com": [[78, 104]], "URL: hxxps://backupnode.link/callback": [[125, 157]], "URL: http://secure-sync.info/panel/index.html": [[178, 218]], "DOMAIN: loginrelay.cc": [[222, 235]], "EMAIL: noreply@secure-verify.net": [[260, 285]], "URL: hxxps://gatewaycdn.info/assets/js/payload.js": [[297, 341]], "MALWARE: Raccoon Stealer": [[358, 373]], "URL: https://gateway-auth.site/secure/token": [[406, 444]], "IP_ADDRESS: 172.195.39.190": [[458, 472]], "DOMAIN: cloud-cache.cc": [[477, 491]]}, "info": {"id": "synth_v2_01841", "source": "synthetic_v2"}} +{"text": "CrowdStrike detected a multi-stage attack chain. The initial phishing email from security@login-portal.tech contained a link to http://backup-proxy.top/api/v2/auth. This redirected to http://login-static.live/admin/config on relaycdn.tech. A secondary email from updates@account-update.xyz pointed to hxxps://syncbackup.net/portal/verify which delivered Vidar. The final payload callback was hxxps://proxy-relay.live/download/update.exe resolving to 102.137.166.252 via cloud-storage.site.", "spans": {"ORGANIZATION: CrowdStrike": [[0, 11]], "EMAIL: security@login-portal.tech": [[81, 107]], "URL: http://backup-proxy.top/api/v2/auth": [[128, 163]], "URL: http://login-static.live/admin/config": [[184, 221]], "DOMAIN: relaycdn.tech": [[225, 238]], "EMAIL: updates@account-update.xyz": [[263, 289]], "URL: hxxps://syncbackup.net/portal/verify": [[301, 337]], "MALWARE: Vidar": [[354, 359]], "URL: hxxps://proxy-relay.live/download/update.exe": [[392, 436]], "IP_ADDRESS: 102.137.166.252": [[450, 465]], "DOMAIN: cloud-storage.site": [[470, 488]]}, "info": {"id": "synth_v2_01842", "source": "synthetic_v2"}} +{"text": "Microsoft MSRC detected a multi-stage attack chain. 
The initial phishing email from notification@secure-verify.net contained a link to hxxps://edgemail.live/api/v2/auth. This redirected to http://portal-storage.link/assets/js/payload.js on authsecure.tech. A secondary email from service@document-share.link pointed to http://secure-secure.top/gate.php which delivered StealC. The final payload callback was http://auth-api.live/panel/index.html resolving to 36.74.66.226 via relay-secure.link.", "spans": {"ORGANIZATION: Microsoft MSRC": [[0, 14]], "EMAIL: notification@secure-verify.net": [[84, 114]], "URL: hxxps://edgemail.live/api/v2/auth": [[135, 168]], "URL: http://portal-storage.link/assets/js/payload.js": [[189, 236]], "DOMAIN: authsecure.tech": [[240, 255]], "EMAIL: service@document-share.link": [[280, 307]], "URL: http://secure-secure.top/gate.php": [[319, 352]], "MALWARE: StealC": [[369, 375]], "URL: http://auth-api.live/panel/index.html": [[408, 445]], "IP_ADDRESS: 36.74.66.226": [[459, 471]], "DOMAIN: relay-secure.link": [[476, 493]]}, "info": {"id": "synth_v2_01843", "source": "synthetic_v2"}} +{"text": "Google TAG detected a multi-stage attack chain. The initial phishing email from account@login-portal.tech contained a link to hxxps://dataedge.info/panel/index.html. This redirected to http://storageproxy.dev/api/v2/auth on updateproxy.cc. A secondary email from billing@credential-check.site pointed to http://portalmail.top/download/update.exe which delivered DanaBot. 
The final payload callback was hxxp://sync-mail.live/callback resolving to 172.57.180.214 via data-backup.com.", "spans": {"ORGANIZATION: Google TAG": [[0, 10]], "EMAIL: account@login-portal.tech": [[80, 105]], "URL: hxxps://dataedge.info/panel/index.html": [[126, 164]], "URL: http://storageproxy.dev/api/v2/auth": [[185, 220]], "DOMAIN: updateproxy.cc": [[224, 238]], "EMAIL: billing@credential-check.site": [[263, 292]], "URL: http://portalmail.top/download/update.exe": [[304, 345]], "MALWARE: DanaBot": [[362, 369]], "URL: hxxp://sync-mail.live/callback": [[402, 432]], "IP_ADDRESS: 172.57.180.214": [[446, 460]], "DOMAIN: data-backup.com": [[465, 480]]}, "info": {"id": "synth_v2_01844", "source": "synthetic_v2"}} +{"text": "Trend Micro detected a multi-stage attack chain. The initial phishing email from support@login-portal.tech contained a link to http://gatewaynode.site/admin/config. This redirected to https://edge-update.online/callback on updatesync.online. A secondary email from helpdesk@credential-check.site pointed to hxxps://datacdn.com/download/update.exe which delivered Amadey. The final payload callback was hxxp://proxy-mail.com/assets/js/payload.js resolving to 172.72.57.56 via static-login.io.", "spans": {"ORGANIZATION: Trend Micro": [[0, 11]], "EMAIL: support@login-portal.tech": [[81, 106]], "URL: http://gatewaynode.site/admin/config": [[127, 163]], "URL: https://edge-update.online/callback": [[184, 219]], "DOMAIN: updatesync.online": [[223, 240]], "EMAIL: helpdesk@credential-check.site": [[265, 295]], "URL: hxxps://datacdn.com/download/update.exe": [[307, 346]], "MALWARE: Amadey": [[363, 369]], "URL: hxxp://proxy-mail.com/assets/js/payload.js": [[402, 444]], "IP_ADDRESS: 172.72.57.56": [[458, 470]], "DOMAIN: static-login.io": [[475, 490]]}, "info": {"id": "synth_v2_01845", "source": "synthetic_v2"}} +{"text": "CrowdStrike detected a multi-stage attack chain. 
The initial phishing email from report@auth-check.org contained a link to hxxp://secureproxy.live/collect. This redirected to https://login-gateway.club/collect on login-backup.com. A secondary email from report@urgent-notice.online pointed to http://syncsecure.online/assets/js/payload.js which delivered BatLoader. The final payload callback was hxxp://static-data.club/callback resolving to 192.213.38.171 via securenode.net.", "spans": {"ORGANIZATION: CrowdStrike": [[0, 11]], "EMAIL: report@auth-check.org": [[81, 102]], "URL: hxxp://secureproxy.live/collect": [[123, 154]], "URL: https://login-gateway.club/collect": [[175, 209]], "DOMAIN: login-backup.com": [[213, 229]], "EMAIL: report@urgent-notice.online": [[254, 281]], "URL: http://syncsecure.online/assets/js/payload.js": [[293, 338]], "MALWARE: BatLoader": [[355, 364]], "URL: hxxp://static-data.club/callback": [[397, 429]], "IP_ADDRESS: 192.213.38.171": [[443, 457]], "DOMAIN: securenode.net": [[462, 476]]}, "info": {"id": "synth_v2_01846", "source": "synthetic_v2"}} +{"text": "Proofpoint detected a multi-stage attack chain. The initial phishing email from noreply@secure-verify.net contained a link to hxxps://static-edge.io/portal/verify. This redirected to http://static-cloud.xyz/assets/js/payload.js on proxydata.link. A secondary email from ceo@auth-check.org pointed to https://relay-login.info/secure/token which delivered Ryuk. 
The final payload callback was https://secure-proxy.tech/download/update.exe resolving to 10.163.25.199 via proxy-secure.org.", "spans": {"ORGANIZATION: Proofpoint": [[0, 10]], "EMAIL: noreply@secure-verify.net": [[80, 105]], "URL: hxxps://static-edge.io/portal/verify": [[126, 162]], "URL: http://static-cloud.xyz/assets/js/payload.js": [[183, 227]], "DOMAIN: proxydata.link": [[231, 245]], "EMAIL: ceo@auth-check.org": [[270, 288]], "URL: https://relay-login.info/secure/token": [[300, 337]], "MALWARE: Ryuk": [[354, 358]], "URL: https://secure-proxy.tech/download/update.exe": [[391, 436]], "IP_ADDRESS: 10.163.25.199": [[450, 463]], "DOMAIN: proxy-secure.org": [[468, 484]]}, "info": {"id": "synth_v2_01847", "source": "synthetic_v2"}} +{"text": "Cisco Talos detected a multi-stage attack chain. The initial phishing email from noreply@document-share.link contained a link to http://secure-cache.dev/portal/verify. This redirected to http://authapi.club/secure/token on cache-gateway.site. A secondary email from service@identity-verify.cc pointed to http://gateway-update.io/download/update.exe which delivered Dridex. The final payload callback was hxxps://cachestorage.dev/wp-content/uploads/doc.php resolving to 123.33.47.132 via storage-relay.tech.", "spans": {"ORGANIZATION: Cisco Talos": [[0, 11]], "EMAIL: noreply@document-share.link": [[81, 108]], "URL: http://secure-cache.dev/portal/verify": [[129, 166]], "URL: http://authapi.club/secure/token": [[187, 219]], "DOMAIN: cache-gateway.site": [[223, 241]], "EMAIL: service@identity-verify.cc": [[266, 292]], "URL: http://gateway-update.io/download/update.exe": [[304, 348]], "MALWARE: Dridex": [[365, 371]], "URL: hxxps://cachestorage.dev/wp-content/uploads/doc.php": [[404, 455]], "IP_ADDRESS: 123.33.47.132": [[469, 482]], "DOMAIN: storage-relay.tech": [[487, 505]]}, "info": {"id": "synth_v2_01848", "source": "synthetic_v2"}} +{"text": "Kaspersky GReAT detected a multi-stage attack chain. 
The initial phishing email from contact@document-share.link contained a link to hxxp://update-relay.org/assets/js/payload.js. This redirected to https://cache-api.io/callback on gatewaymail.tech. A secondary email from updates@identity-verify.cc pointed to http://mailcdn.link/wp-content/uploads/doc.php which delivered Raccoon Stealer. The final payload callback was hxxps://cachenode.tech/callback resolving to 192.94.70.51 via static-portal.live.", "spans": {"ORGANIZATION: Kaspersky GReAT": [[0, 15]], "EMAIL: contact@document-share.link": [[85, 112]], "URL: hxxp://update-relay.org/assets/js/payload.js": [[133, 177]], "URL: https://cache-api.io/callback": [[198, 227]], "DOMAIN: gatewaymail.tech": [[231, 247]], "EMAIL: updates@identity-verify.cc": [[272, 298]], "URL: http://mailcdn.link/wp-content/uploads/doc.php": [[310, 356]], "MALWARE: Raccoon Stealer": [[373, 388]], "URL: hxxps://cachenode.tech/callback": [[421, 452]], "IP_ADDRESS: 192.94.70.51": [[466, 478]], "DOMAIN: static-portal.live": [[483, 501]]}, "info": {"id": "synth_v2_01849", "source": "synthetic_v2"}} +{"text": "Recorded Future detected a multi-stage attack chain. The initial phishing email from noreply@secure-verify.net contained a link to https://cachecache.link/admin/config. This redirected to hxxps://backup-data.online/assets/js/payload.js on relayproxy.link. A secondary email from security@mail-service.info pointed to https://cloudsync.org/collect which delivered BatLoader. 
The final payload callback was hxxp://gateway-login.site/api/v2/auth resolving to 192.55.245.50 via synclogin.org.", "spans": {"ORGANIZATION: Recorded Future": [[0, 15]], "EMAIL: noreply@secure-verify.net": [[85, 110]], "URL: https://cachecache.link/admin/config": [[131, 167]], "URL: hxxps://backup-data.online/assets/js/payload.js": [[188, 235]], "DOMAIN: relayproxy.link": [[239, 254]], "EMAIL: security@mail-service.info": [[279, 305]], "URL: https://cloudsync.org/collect": [[317, 346]], "MALWARE: BatLoader": [[363, 372]], "URL: hxxp://gateway-login.site/api/v2/auth": [[405, 442]], "IP_ADDRESS: 192.55.245.50": [[456, 469]], "DOMAIN: synclogin.org": [[474, 487]]}, "info": {"id": "synth_v2_01850", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for ShadowPad campaign:\nStage 1 dropper at C:\\Windows\\Temp\\helper.sh - SHA1: 272c1b843d42e539f6af76eda593374382c3d589\nStage 2 loader at /usr/local/bin/sam.hive - SHA1: 4b41b04068834d1f736cfa20a0e979ed4f6168ff\nFinal payload at /tmp/taskhost.exe - SHA1: f12b7f9289afc5413a1ab5765c58e13b75519a12\nExfiltration module - SHA1: e5d32333d56c7c5a1358a29ef01a7676aa96bd71\nAll stages communicated with 10.90.187.139. 
Hashcat signatures detected in Stage 2.", "spans": {"MALWARE: ShadowPad": [[22, 31]], "FILEPATH: C:\\Windows\\Temp\\helper.sh": [[61, 86]], "FILEPATH: /usr/local/bin/sam.hive": [[154, 177]], "FILEPATH: /tmp/taskhost.exe": [[244, 261]], "HASH: 272c1b843d42e539f6af76eda593374382c3d589": [[95, 135]], "HASH: 4b41b04068834d1f736cfa20a0e979ed4f6168ff": [[186, 226]], "HASH: f12b7f9289afc5413a1ab5765c58e13b75519a12": [[270, 310]], "HASH: e5d32333d56c7c5a1358a29ef01a7676aa96bd71": [[339, 379]], "IP_ADDRESS: 10.90.187.139": [[409, 422]], "TOOL: Hashcat": [[424, 431]]}, "info": {"id": "synth_v2_01851", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Ryuk campaign:\nStage 1 dropper at C:\\Windows\\Temp\\loader.exe - SHA256: 3e4b4e871c332f852f679b8a2aac07fad976230f18ca3cdf9b8c314d53cd2674\nStage 2 loader at /tmp/helper.sh - SHA1: 745e9c0d27c0f5ea9ed39665df87e879b3846777\nFinal payload at C:\\Users\\admin\\Downloads\\beacon.dll - SHA1: 821b4432c61940a5a1c749ba569cca79bacc61e9\nExfiltration module - MD5: fd068f387d77bd4582b4e903fddcfe05\nAll stages communicated with 81.106.165.23. 
Mimikatz signatures detected in Stage 2.", "spans": {"MALWARE: Ryuk": [[22, 26]], "FILEPATH: C:\\Windows\\Temp\\loader.exe": [[56, 82]], "FILEPATH: /tmp/helper.sh": [[176, 190]], "FILEPATH: C:\\Users\\admin\\Downloads\\beacon.dll": [[257, 292]], "HASH: 3e4b4e871c332f852f679b8a2aac07fad976230f18ca3cdf9b8c314d53cd2674": [[93, 157]], "HASH: 745e9c0d27c0f5ea9ed39665df87e879b3846777": [[199, 239]], "HASH: 821b4432c61940a5a1c749ba569cca79bacc61e9": [[301, 341]], "HASH: fd068f387d77bd4582b4e903fddcfe05": [[369, 401]], "IP_ADDRESS: 81.106.165.23": [[431, 444]], "TOOL: Mimikatz": [[446, 454]]}, "info": {"id": "synth_v2_01852", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for StealC campaign:\nStage 1 dropper at /tmp/agent.py - SHA256: 4ea669fb144df7473a408069ea867cc7c1718b1bfe26238c124e41170d9b87a7\nStage 2 loader at /var/tmp/chrome_helper.exe - MD5: c09ff5a36af50f9dce849ceeae5d1038\nFinal payload at C:\\Windows\\Tasks\\chrome_helper.exe - SHA1: 4a63695b55720cb782cdb44b09c2dadafbe3a74a\nExfiltration module - MD5: df8d3f26abfb9ab5f6f14160108bfd7e\nAll stages communicated with 172.117.100.195. 
PowerView signatures detected in Stage 2.", "spans": {"MALWARE: StealC": [[22, 28]], "FILEPATH: /tmp/agent.py": [[58, 71]], "FILEPATH: /var/tmp/chrome_helper.exe": [[165, 191]], "FILEPATH: C:\\Windows\\Tasks\\chrome_helper.exe": [[249, 283]], "HASH: 4ea669fb144df7473a408069ea867cc7c1718b1bfe26238c124e41170d9b87a7": [[82, 146]], "HASH: c09ff5a36af50f9dce849ceeae5d1038": [[199, 231]], "HASH: 4a63695b55720cb782cdb44b09c2dadafbe3a74a": [[292, 332]], "HASH: df8d3f26abfb9ab5f6f14160108bfd7e": [[360, 392]], "IP_ADDRESS: 172.117.100.195": [[422, 437]], "TOOL: PowerView": [[439, 448]]}, "info": {"id": "synth_v2_01853", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for REvil campaign:\nStage 1 dropper at C:\\ProgramData\\csrss.exe - MD5: 501b52d42f7e469c628c50d392e5d0ca\nStage 2 loader at /usr/local/bin/runtime.dll - MD5: 43c043dbddfaa045ce7451865ed3659d\nFinal payload at /var/tmp/loader.exe - MD5: 3b6ad6390a47d951f441d2b4025b530b\nExfiltration module - SHA1: 605c41fcfc943c32094c5a727a66d1e43f593960\nAll stages communicated with 28.248.210.140. 
Hashcat signatures detected in Stage 2.", "spans": {"MALWARE: REvil": [[22, 27]], "FILEPATH: C:\\ProgramData\\csrss.exe": [[57, 81]], "FILEPATH: /usr/local/bin/runtime.dll": [[140, 166]], "FILEPATH: /var/tmp/loader.exe": [[224, 243]], "HASH: 501b52d42f7e469c628c50d392e5d0ca": [[89, 121]], "HASH: 43c043dbddfaa045ce7451865ed3659d": [[174, 206]], "HASH: 3b6ad6390a47d951f441d2b4025b530b": [[251, 283]], "HASH: 605c41fcfc943c32094c5a727a66d1e43f593960": [[312, 352]], "IP_ADDRESS: 28.248.210.140": [[382, 396]], "TOOL: Hashcat": [[398, 405]]}, "info": {"id": "synth_v2_01854", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Lumma Stealer campaign:\nStage 1 dropper at C:\\Windows\\System32\\update.dll - SHA1: 8bbb74922c4ac80bb9548a9ca50a0cf07773f406\nStage 2 loader at C:\\Users\\admin\\Desktop\\dropper.ps1 - SHA256: 19549578513cec2aef4c23c919224015c87e850eab68f36d646b1f7a69bd56c1\nFinal payload at C:\\Windows\\System32\\shell.php - SHA1: 1aef6245b355faa7477201663bf9fae816bdc935\nExfiltration module - SHA1: 4cab829dd8d16c3f9e61f4599232857f479198c8\nAll stages communicated with 88.21.88.238. 
Mythic signatures detected in Stage 2.", "spans": {"MALWARE: Lumma Stealer": [[22, 35]], "FILEPATH: C:\\Windows\\System32\\update.dll": [[65, 95]], "FILEPATH: C:\\Users\\admin\\Desktop\\dropper.ps1": [[163, 197]], "FILEPATH: C:\\Windows\\System32\\shell.php": [[290, 319]], "HASH: 8bbb74922c4ac80bb9548a9ca50a0cf07773f406": [[104, 144]], "HASH: 19549578513cec2aef4c23c919224015c87e850eab68f36d646b1f7a69bd56c1": [[208, 272]], "HASH: 1aef6245b355faa7477201663bf9fae816bdc935": [[328, 368]], "HASH: 4cab829dd8d16c3f9e61f4599232857f479198c8": [[397, 437]], "IP_ADDRESS: 88.21.88.238": [[467, 479]], "TOOL: Mythic": [[481, 487]]}, "info": {"id": "synth_v2_01855", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for BatLoader campaign:\nStage 1 dropper at C:\\Users\\Public\\Documents\\dropper.ps1 - SHA1: 241950aedc9dd4bd71af0af08bff44092836ff84\nStage 2 loader at C:\\Program Files\\Common Files\\shell.php - MD5: ee004920e8e9996ae72a66bedffabcd6\nFinal payload at C:\\Users\\Public\\Documents\\shell.php - MD5: 648e9f0529fa90be928c3e94b02959bd\nExfiltration module - MD5: 8744a009f7948abd4c3bd6a47f164621\nAll stages communicated with 191.90.189.242. 
Impacket signatures detected in Stage 2.", "spans": {"MALWARE: BatLoader": [[22, 31]], "FILEPATH: C:\\Users\\Public\\Documents\\dropper.ps1": [[61, 98]], "FILEPATH: C:\\Program Files\\Common Files\\shell.php": [[166, 205]], "FILEPATH: C:\\Users\\Public\\Documents\\shell.php": [[263, 298]], "HASH: 241950aedc9dd4bd71af0af08bff44092836ff84": [[107, 147]], "HASH: ee004920e8e9996ae72a66bedffabcd6": [[213, 245]], "HASH: 648e9f0529fa90be928c3e94b02959bd": [[306, 338]], "HASH: 8744a009f7948abd4c3bd6a47f164621": [[366, 398]], "IP_ADDRESS: 191.90.189.242": [[428, 442]], "TOOL: Impacket": [[444, 452]]}, "info": {"id": "synth_v2_01856", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Ryuk campaign:\nStage 1 dropper at C:\\Users\\Public\\Documents\\agent.py - MD5: 2f3c1066ad9a07b70e011f90f0f0e47a\nStage 2 loader at /opt/app/bin/helper.sh - SHA1: 946ecc612283d0f3975ffc9d8ecdc00418ca8015\nFinal payload at C:\\Program Files\\Common Files\\winlogon.exe - SHA1: a49470535c33d622dbec2347bb30fba35d41669e\nExfiltration module - SHA256: e9c00aa817b82ee85effeab488ce7d240b7308462ede24d9b49ee1a85bba1eb5\nAll stages communicated with 192.222.56.202. 
SharpHound signatures detected in Stage 2.", "spans": {"MALWARE: Ryuk": [[22, 26]], "FILEPATH: C:\\Users\\Public\\Documents\\agent.py": [[56, 90]], "FILEPATH: /opt/app/bin/helper.sh": [[149, 171]], "FILEPATH: C:\\Program Files\\Common Files\\winlogon.exe": [[238, 280]], "HASH: 2f3c1066ad9a07b70e011f90f0f0e47a": [[98, 130]], "HASH: 946ecc612283d0f3975ffc9d8ecdc00418ca8015": [[180, 220]], "HASH: a49470535c33d622dbec2347bb30fba35d41669e": [[289, 329]], "HASH: e9c00aa817b82ee85effeab488ce7d240b7308462ede24d9b49ee1a85bba1eb5": [[360, 424]], "IP_ADDRESS: 192.222.56.202": [[454, 468]], "TOOL: SharpHound": [[470, 480]]}, "info": {"id": "synth_v2_01857", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Emotet campaign:\nStage 1 dropper at /home/user/.config/lsass.dmp - SHA256: 666beef6d9e182a1d1c7b879fc56cd42d051ad874471ce11f48d28c039da9c0e\nStage 2 loader at C:\\ProgramData\\ntds.dit - MD5: d5b376ff10c217969633ce129769ef0e\nFinal payload at C:\\Users\\Public\\Documents\\ntds.dit - MD5: fe78fbb537bb40134a3cce4bd7f0c956\nExfiltration module - SHA1: cc439d14fe07333bde59ffff44e8c5536eaea54f\nAll stages communicated with 62.115.231.175. 
Hashcat signatures detected in Stage 2.", "spans": {"MALWARE: Emotet": [[22, 28]], "FILEPATH: /home/user/.config/lsass.dmp": [[58, 86]], "FILEPATH: C:\\ProgramData\\ntds.dit": [[180, 203]], "FILEPATH: C:\\Users\\Public\\Documents\\ntds.dit": [[261, 295]], "HASH: 666beef6d9e182a1d1c7b879fc56cd42d051ad874471ce11f48d28c039da9c0e": [[97, 161]], "HASH: d5b376ff10c217969633ce129769ef0e": [[211, 243]], "HASH: fe78fbb537bb40134a3cce4bd7f0c956": [[303, 335]], "HASH: cc439d14fe07333bde59ffff44e8c5536eaea54f": [[364, 404]], "IP_ADDRESS: 62.115.231.175": [[434, 448]], "TOOL: Hashcat": [[450, 457]]}, "info": {"id": "synth_v2_01858", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for SmokeLoader campaign:\nStage 1 dropper at /var/tmp/lsass.dmp - SHA256: dd110048ef9419163dc69e9dc432d275f0b926c8ea7988ca75db5891bfa0ae0a\nStage 2 loader at /dev/shm/chrome_helper.exe - MD5: 1d17fc0bddb5ac8b8c8c53795e3a01a6\nFinal payload at C:\\Windows\\System32\\beacon.dll - SHA1: 99623582c761b5e04daf5360e988b0e439d76447\nExfiltration module - SHA1: 5d05abac4c723bf07e842ee6988fe6ed9397d354\nAll stages communicated with 172.191.122.206. 
PowerShell Empire signatures detected in Stage 2.", "spans": {"MALWARE: SmokeLoader": [[22, 33]], "FILEPATH: /var/tmp/lsass.dmp": [[63, 81]], "FILEPATH: /dev/shm/chrome_helper.exe": [[175, 201]], "FILEPATH: C:\\Windows\\System32\\beacon.dll": [[259, 289]], "HASH: dd110048ef9419163dc69e9dc432d275f0b926c8ea7988ca75db5891bfa0ae0a": [[92, 156]], "HASH: 1d17fc0bddb5ac8b8c8c53795e3a01a6": [[209, 241]], "HASH: 99623582c761b5e04daf5360e988b0e439d76447": [[298, 338]], "HASH: 5d05abac4c723bf07e842ee6988fe6ed9397d354": [[367, 407]], "IP_ADDRESS: 172.191.122.206": [[437, 452]], "TOOL: PowerShell Empire": [[454, 471]]}, "info": {"id": "synth_v2_01859", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for StealC campaign:\nStage 1 dropper at /home/user/.config/svchost.exe - SHA256: f644804e1e60c32e51753cf2cfa7b1059a6b28bd405590f2e65403adc42580fd\nStage 2 loader at C:\\Users\\admin\\Desktop\\implant.so - SHA256: 4ecedfae86bb0a46f37f1f7c16c7014e765959d7f22092afc2334f87bc7366b8\nFinal payload at C:\\Windows\\Tasks\\payload.bin - SHA256: 1a664bc85dc06b214abc90a0997c93614a1a555b725564bfca97ccb4ff667779\nExfiltration module - MD5: da0899795eb7b25c7ccd91482608b933\nAll stages communicated with 37.26.139.23. 
Sliver signatures detected in Stage 2.", "spans": {"MALWARE: StealC": [[22, 28]], "FILEPATH: /home/user/.config/svchost.exe": [[58, 88]], "FILEPATH: C:\\Users\\admin\\Desktop\\implant.so": [[182, 215]], "FILEPATH: C:\\Windows\\Tasks\\payload.bin": [[308, 336]], "HASH: f644804e1e60c32e51753cf2cfa7b1059a6b28bd405590f2e65403adc42580fd": [[99, 163]], "HASH: 4ecedfae86bb0a46f37f1f7c16c7014e765959d7f22092afc2334f87bc7366b8": [[226, 290]], "HASH: 1a664bc85dc06b214abc90a0997c93614a1a555b725564bfca97ccb4ff667779": [[347, 411]], "HASH: da0899795eb7b25c7ccd91482608b933": [[439, 471]], "IP_ADDRESS: 37.26.139.23": [[501, 513]], "TOOL: Sliver": [[515, 521]]}, "info": {"id": "synth_v2_01860", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for PlugX campaign:\nStage 1 dropper at /tmp/chrome_helper.exe - SHA1: bd9d7a7a023daf746f8d8ccaa73c3d1745465262\nStage 2 loader at C:\\Users\\Public\\Documents\\lsass.dmp - MD5: 42f2591e90e344a6e679591b9c93dc15\nFinal payload at C:\\Windows\\Tasks\\dropper.ps1 - SHA256: fc7b058f1f894eef7d63102b5ae90cee1392668e5499644f357878e6f546c97d\nExfiltration module - SHA1: f03a1d06db7b999dd9bd9cbc7badf8d6b8d12092\nAll stages communicated with 177.132.251.247. 
Hashcat signatures detected in Stage 2.", "spans": {"MALWARE: PlugX": [[22, 27]], "FILEPATH: /tmp/chrome_helper.exe": [[57, 79]], "FILEPATH: C:\\Users\\Public\\Documents\\lsass.dmp": [[147, 182]], "FILEPATH: C:\\Windows\\Tasks\\dropper.ps1": [[240, 268]], "HASH: bd9d7a7a023daf746f8d8ccaa73c3d1745465262": [[88, 128]], "HASH: 42f2591e90e344a6e679591b9c93dc15": [[190, 222]], "HASH: fc7b058f1f894eef7d63102b5ae90cee1392668e5499644f357878e6f546c97d": [[279, 343]], "HASH: f03a1d06db7b999dd9bd9cbc7badf8d6b8d12092": [[372, 412]], "IP_ADDRESS: 177.132.251.247": [[442, 457]], "TOOL: Hashcat": [[459, 466]]}, "info": {"id": "synth_v2_01861", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for NjRAT campaign:\nStage 1 dropper at C:\\Windows\\System32\\csrss.exe - MD5: 1fec74d50de58bdaa03b28a52d7b29b3\nStage 2 loader at /etc/cron.d/helper.sh - SHA256: 0a94b8cce0388d2ba2832a83b87e5e694628c8d1d2c7e888cb31d64203d59abb\nFinal payload at C:\\Users\\Public\\Documents\\sam.hive - SHA256: e880b0d1e76974085e371144c48e8030f93198e391eea4cb6265e0664a0690bf\nExfiltration module - SHA1: b3a25cf49a4e4549f624c6671e3edc3eb6eda6ef\nAll stages communicated with 172.200.52.112. 
Hashcat signatures detected in Stage 2.", "spans": {"MALWARE: NjRAT": [[22, 27]], "FILEPATH: C:\\Windows\\System32\\csrss.exe": [[57, 86]], "FILEPATH: /etc/cron.d/helper.sh": [[145, 166]], "FILEPATH: C:\\Users\\Public\\Documents\\sam.hive": [[259, 293]], "HASH: 1fec74d50de58bdaa03b28a52d7b29b3": [[94, 126]], "HASH: 0a94b8cce0388d2ba2832a83b87e5e694628c8d1d2c7e888cb31d64203d59abb": [[177, 241]], "HASH: e880b0d1e76974085e371144c48e8030f93198e391eea4cb6265e0664a0690bf": [[304, 368]], "HASH: b3a25cf49a4e4549f624c6671e3edc3eb6eda6ef": [[397, 437]], "IP_ADDRESS: 172.200.52.112": [[467, 481]], "TOOL: Hashcat": [[483, 490]]}, "info": {"id": "synth_v2_01862", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Raccoon Stealer campaign:\nStage 1 dropper at /usr/local/bin/update.dll - SHA256: 17db5279b4a743ca3329249ca51ff781b4c431cd99315ceb658244eafd81d99e\nStage 2 loader at /var/tmp/implant.so - MD5: e22d329db3c4b612314db72e9de4b37e\nFinal payload at C:\\Windows\\Tasks\\payload.bin - SHA1: f18e6118efac43cfa7fd3476b4d0e5367af10849\nExfiltration module - SHA256: 23807456de6f7fa6220c0f0ac155c3545c775e332318f125bdc2e41e04407f7e\nAll stages communicated with 73.176.225.108. 
PowerShell Empire signatures detected in Stage 2.", "spans": {"MALWARE: Raccoon Stealer": [[22, 37]], "FILEPATH: /usr/local/bin/update.dll": [[67, 92]], "FILEPATH: /var/tmp/implant.so": [[186, 205]], "FILEPATH: C:\\Windows\\Tasks\\payload.bin": [[263, 291]], "HASH: 17db5279b4a743ca3329249ca51ff781b4c431cd99315ceb658244eafd81d99e": [[103, 167]], "HASH: e22d329db3c4b612314db72e9de4b37e": [[213, 245]], "HASH: f18e6118efac43cfa7fd3476b4d0e5367af10849": [[300, 340]], "HASH: 23807456de6f7fa6220c0f0ac155c3545c775e332318f125bdc2e41e04407f7e": [[371, 435]], "IP_ADDRESS: 73.176.225.108": [[465, 479]], "TOOL: PowerShell Empire": [[481, 498]]}, "info": {"id": "synth_v2_01863", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Meduza Stealer campaign:\nStage 1 dropper at /home/user/.config/chrome_helper.exe - SHA1: 5d34bbbd6b1f6467554a41388b3b2a7797716f96\nStage 2 loader at /usr/local/bin/payload.bin - SHA1: 8cb87f022d27f2f8603143c5d4a44c47fda70dc5\nFinal payload at /etc/cron.d/update.dll - SHA256: 622586a1e42103851378c2b0c7b985cb88f0db80f4a7b8646087898aa07a28f6\nExfiltration module - SHA1: 422af7f79137d5857ee02d0d1a41c274b6a711c5\nAll stages communicated with 51.209.28.56. 
Chisel signatures detected in Stage 2.", "spans": {"MALWARE: Meduza Stealer": [[22, 36]], "FILEPATH: /home/user/.config/chrome_helper.exe": [[66, 102]], "FILEPATH: /usr/local/bin/payload.bin": [[170, 196]], "FILEPATH: /etc/cron.d/update.dll": [[263, 285]], "HASH: 5d34bbbd6b1f6467554a41388b3b2a7797716f96": [[111, 151]], "HASH: 8cb87f022d27f2f8603143c5d4a44c47fda70dc5": [[205, 245]], "HASH: 622586a1e42103851378c2b0c7b985cb88f0db80f4a7b8646087898aa07a28f6": [[296, 360]], "HASH: 422af7f79137d5857ee02d0d1a41c274b6a711c5": [[389, 429]], "IP_ADDRESS: 51.209.28.56": [[459, 471]], "TOOL: Chisel": [[473, 479]]}, "info": {"id": "synth_v2_01864", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for LockBit campaign:\nStage 1 dropper at C:\\Users\\admin\\Downloads\\loader.exe - SHA1: b752d0e06981d57894538524c075b6a307d2bb98\nStage 2 loader at C:\\Users\\admin\\Downloads\\runtime.dll - MD5: d249d09e3bff46ed55f184db2e9d833e\nFinal payload at C:\\Users\\Public\\Documents\\runtime.dll - SHA1: b149c519a368780d5d408a66a4de1727c8f5897f\nExfiltration module - MD5: 74be058a36fa89b5dadd522a09c97e85\nAll stages communicated with 125.110.158.52. 
ADFind signatures detected in Stage 2.", "spans": {"MALWARE: LockBit": [[22, 29]], "FILEPATH: C:\\Users\\admin\\Downloads\\loader.exe": [[59, 94]], "FILEPATH: C:\\Users\\admin\\Downloads\\runtime.dll": [[162, 198]], "FILEPATH: C:\\Users\\Public\\Documents\\runtime.dll": [[256, 293]], "HASH: b752d0e06981d57894538524c075b6a307d2bb98": [[103, 143]], "HASH: d249d09e3bff46ed55f184db2e9d833e": [[206, 238]], "HASH: b149c519a368780d5d408a66a4de1727c8f5897f": [[302, 342]], "HASH: 74be058a36fa89b5dadd522a09c97e85": [[370, 402]], "IP_ADDRESS: 125.110.158.52": [[432, 446]], "TOOL: ADFind": [[448, 454]]}, "info": {"id": "synth_v2_01865", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for FormBook campaign:\nStage 1 dropper at /etc/cron.d/implant.so - MD5: b9c2686f83914ab92da6ccff2228766e\nStage 2 loader at C:\\Users\\Public\\Documents\\implant.so - SHA1: 1fca76898877faeab8ef4aec4396c97d9d1201cb\nFinal payload at C:\\Windows\\Tasks\\sam.hive - SHA1: cd7dfb73500706e2c848d00a0702043eb20a63ee\nExfiltration module - SHA1: 6e525d8c0eb8044d3210e34de1c29590c9bc4b2e\nAll stages communicated with 132.200.75.37. 
PsExec signatures detected in Stage 2.", "spans": {"MALWARE: FormBook": [[22, 30]], "FILEPATH: /etc/cron.d/implant.so": [[60, 82]], "FILEPATH: C:\\Users\\Public\\Documents\\implant.so": [[141, 177]], "FILEPATH: C:\\Windows\\Tasks\\sam.hive": [[244, 269]], "HASH: b9c2686f83914ab92da6ccff2228766e": [[90, 122]], "HASH: 1fca76898877faeab8ef4aec4396c97d9d1201cb": [[186, 226]], "HASH: cd7dfb73500706e2c848d00a0702043eb20a63ee": [[278, 318]], "HASH: 6e525d8c0eb8044d3210e34de1c29590c9bc4b2e": [[347, 387]], "IP_ADDRESS: 132.200.75.37": [[417, 430]], "TOOL: PsExec": [[432, 438]]}, "info": {"id": "synth_v2_01866", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Vidar campaign:\nStage 1 dropper at /usr/local/bin/helper.sh - MD5: 07f736a1593ac1ad8eb9c3ce52fb15de\nStage 2 loader at /dev/shm/ntds.dit - SHA1: c3cddbb88cd35ac6f32ca267d773962a262bc475\nFinal payload at /tmp/ntds.dit - SHA1: 0a9336c606e9a3158a2bd171c55682923ea825ba\nExfiltration module - SHA1: 0a82c2bda4cb8dba6d94974fb7370f24e5412951\nAll stages communicated with 25.39.236.208. 
Rubeus signatures detected in Stage 2.", "spans": {"MALWARE: Vidar": [[22, 27]], "FILEPATH: /usr/local/bin/helper.sh": [[57, 81]], "FILEPATH: /dev/shm/ntds.dit": [[140, 157]], "FILEPATH: /tmp/ntds.dit": [[224, 237]], "HASH: 07f736a1593ac1ad8eb9c3ce52fb15de": [[89, 121]], "HASH: c3cddbb88cd35ac6f32ca267d773962a262bc475": [[166, 206]], "HASH: 0a9336c606e9a3158a2bd171c55682923ea825ba": [[246, 286]], "HASH: 0a82c2bda4cb8dba6d94974fb7370f24e5412951": [[315, 355]], "IP_ADDRESS: 25.39.236.208": [[385, 398]], "TOOL: Rubeus": [[400, 406]]}, "info": {"id": "synth_v2_01867", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for SystemBC campaign:\nStage 1 dropper at /opt/app/bin/implant.so - SHA256: 4c8fd61872c2862d64277d4510888e60ad10bf761eb9bcaad2846dc6cb04a5c5\nStage 2 loader at /opt/app/bin/csrss.exe - MD5: 3c8b5d862509979e929c30f916a1247e\nFinal payload at /tmp/implant.so - MD5: 752b9e94ea3eee372c583ef5b940c35b\nExfiltration module - SHA256: 9729b4329dfe7ee02ea75932b534c9d8fd5bf1185bb5f9de34a2b70ff59e9859\nAll stages communicated with 207.24.217.171. 
Merlin signatures detected in Stage 2.", "spans": {"MALWARE: SystemBC": [[22, 30]], "FILEPATH: /opt/app/bin/implant.so": [[60, 83]], "FILEPATH: /opt/app/bin/csrss.exe": [[177, 199]], "FILEPATH: /tmp/implant.so": [[257, 272]], "HASH: 4c8fd61872c2862d64277d4510888e60ad10bf761eb9bcaad2846dc6cb04a5c5": [[94, 158]], "HASH: 3c8b5d862509979e929c30f916a1247e": [[207, 239]], "HASH: 752b9e94ea3eee372c583ef5b940c35b": [[280, 312]], "HASH: 9729b4329dfe7ee02ea75932b534c9d8fd5bf1185bb5f9de34a2b70ff59e9859": [[343, 407]], "IP_ADDRESS: 207.24.217.171": [[437, 451]], "TOOL: Merlin": [[453, 459]]}, "info": {"id": "synth_v2_01868", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for QakBot campaign:\nStage 1 dropper at C:\\Windows\\System32\\implant.so - SHA1: f0448a8c14a431e5151a2ace44a1d8c8941f106d\nStage 2 loader at /usr/local/bin/dropper.ps1 - SHA1: ef123a867a02fd32adb962792e6edf672efa2497\nFinal payload at C:\\Program Files\\Common Files\\helper.sh - SHA1: 53e68a8c6eb41ef8a90107dcce55d3e5d6bec2a5\nExfiltration module - MD5: 0fdbf1ed925aaf75a35815d7a3a060df\nAll stages communicated with 181.77.170.84. 
ADFind signatures detected in Stage 2.", "spans": {"MALWARE: QakBot": [[22, 28]], "FILEPATH: C:\\Windows\\System32\\implant.so": [[58, 88]], "FILEPATH: /usr/local/bin/dropper.ps1": [[156, 182]], "FILEPATH: C:\\Program Files\\Common Files\\helper.sh": [[249, 288]], "HASH: f0448a8c14a431e5151a2ace44a1d8c8941f106d": [[97, 137]], "HASH: ef123a867a02fd32adb962792e6edf672efa2497": [[191, 231]], "HASH: 53e68a8c6eb41ef8a90107dcce55d3e5d6bec2a5": [[297, 337]], "HASH: 0fdbf1ed925aaf75a35815d7a3a060df": [[365, 397]], "IP_ADDRESS: 181.77.170.84": [[427, 440]], "TOOL: ADFind": [[442, 448]]}, "info": {"id": "synth_v2_01869", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Dridex campaign:\nStage 1 dropper at C:\\Windows\\Tasks\\shell.php - SHA1: ba4a697129fe0a157e80462ed3bd2916fd333014\nStage 2 loader at /tmp/implant.so - SHA1: 67f93cd86492d0b5f5dc4287b06703f010e7fb66\nFinal payload at /home/user/.config/helper.sh - MD5: 6b36d9ab6a185c99cb7fbacd3f75f406\nExfiltration module - SHA256: a8a886bf32d7f7476559d79d9cb660c10c9d08977fa2d59ee92d7fd4394568d2\nAll stages communicated with 172.81.36.92. 
Burp Suite signatures detected in Stage 2.", "spans": {"MALWARE: Dridex": [[22, 28]], "FILEPATH: C:\\Windows\\Tasks\\shell.php": [[58, 84]], "FILEPATH: /tmp/implant.so": [[152, 167]], "FILEPATH: /home/user/.config/helper.sh": [[234, 262]], "HASH: ba4a697129fe0a157e80462ed3bd2916fd333014": [[93, 133]], "HASH: 67f93cd86492d0b5f5dc4287b06703f010e7fb66": [[176, 216]], "HASH: 6b36d9ab6a185c99cb7fbacd3f75f406": [[270, 302]], "HASH: a8a886bf32d7f7476559d79d9cb660c10c9d08977fa2d59ee92d7fd4394568d2": [[333, 397]], "IP_ADDRESS: 172.81.36.92": [[427, 439]], "TOOL: Burp Suite": [[441, 451]]}, "info": {"id": "synth_v2_01870", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Latrodectus campaign:\nStage 1 dropper at C:\\Users\\admin\\Desktop\\sam.hive - MD5: c5541733709ef2df6e6fed4ccfde18da\nStage 2 loader at C:\\Users\\admin\\Desktop\\payload.bin - MD5: 5913d38534c58ea1afe36f951c688d58\nFinal payload at /home/user/.config/payload.bin - SHA1: a61dda965395a88b4404bc984e842bc0544e8ce2\nExfiltration module - SHA256: eeebefb06e47e58bd6df32bb8759b17b8cd7dda6c8c9e7f7fa2ca1c0840a2973\nAll stages communicated with 67.16.158.6. 
Chisel signatures detected in Stage 2.", "spans": {"MALWARE: Latrodectus": [[22, 33]], "FILEPATH: C:\\Users\\admin\\Desktop\\sam.hive": [[63, 94]], "FILEPATH: C:\\Users\\admin\\Desktop\\payload.bin": [[153, 187]], "FILEPATH: /home/user/.config/payload.bin": [[245, 275]], "HASH: c5541733709ef2df6e6fed4ccfde18da": [[102, 134]], "HASH: 5913d38534c58ea1afe36f951c688d58": [[195, 227]], "HASH: a61dda965395a88b4404bc984e842bc0544e8ce2": [[284, 324]], "HASH: eeebefb06e47e58bd6df32bb8759b17b8cd7dda6c8c9e7f7fa2ca1c0840a2973": [[355, 419]], "IP_ADDRESS: 67.16.158.6": [[449, 460]], "TOOL: Chisel": [[462, 468]]}, "info": {"id": "synth_v2_01871", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for ShadowPad campaign:\nStage 1 dropper at /dev/shm/sam.hive - MD5: 884ca3356a527fb2fa1eb0e6e6be2762\nStage 2 loader at C:\\Windows\\Temp\\runtime.dll - SHA256: 65564bea2ac080c8721f175a4d10054d08e9d5512f3338d310a9b5295c5cf225\nFinal payload at /etc/cron.d/backdoor.elf - SHA1: ca44f8038e546ce2608513c72fd95e6b525c8147\nExfiltration module - SHA1: 8b5adf9ff370d0d952f2e75fafbf47812317378a\nAll stages communicated with 209.118.25.247. 
Sliver signatures detected in Stage 2.", "spans": {"MALWARE: ShadowPad": [[22, 31]], "FILEPATH: /dev/shm/sam.hive": [[61, 78]], "FILEPATH: C:\\Windows\\Temp\\runtime.dll": [[137, 164]], "FILEPATH: /etc/cron.d/backdoor.elf": [[257, 281]], "HASH: 884ca3356a527fb2fa1eb0e6e6be2762": [[86, 118]], "HASH: 65564bea2ac080c8721f175a4d10054d08e9d5512f3338d310a9b5295c5cf225": [[175, 239]], "HASH: ca44f8038e546ce2608513c72fd95e6b525c8147": [[290, 330]], "HASH: 8b5adf9ff370d0d952f2e75fafbf47812317378a": [[359, 399]], "IP_ADDRESS: 209.118.25.247": [[429, 443]], "TOOL: Sliver": [[445, 451]]}, "info": {"id": "synth_v2_01872", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for AgentTesla campaign:\nStage 1 dropper at /dev/shm/winlogon.exe - MD5: a4b121f3b8cf053d265109dc5636a78d\nStage 2 loader at C:\\ProgramData\\svchost.exe - SHA1: ee4a34e575e4d9aadb3a24692cc5fab8ee057cb8\nFinal payload at C:\\Windows\\Temp\\lsass.dmp - MD5: 6fb923ca07edf4385756e54bcdd5f870\nExfiltration module - SHA1: 788ae2fb1d60ef9a39531b35335b895c0515807c\nAll stages communicated with 192.144.11.125. 
Seatbelt signatures detected in Stage 2.", "spans": {"MALWARE: AgentTesla": [[22, 32]], "FILEPATH: /dev/shm/winlogon.exe": [[62, 83]], "FILEPATH: C:\\ProgramData\\svchost.exe": [[142, 168]], "FILEPATH: C:\\Windows\\Temp\\lsass.dmp": [[235, 260]], "HASH: a4b121f3b8cf053d265109dc5636a78d": [[91, 123]], "HASH: ee4a34e575e4d9aadb3a24692cc5fab8ee057cb8": [[177, 217]], "HASH: 6fb923ca07edf4385756e54bcdd5f870": [[268, 300]], "HASH: 788ae2fb1d60ef9a39531b35335b895c0515807c": [[329, 369]], "IP_ADDRESS: 192.144.11.125": [[399, 413]], "TOOL: Seatbelt": [[415, 423]]}, "info": {"id": "synth_v2_01873", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Qbot campaign:\nStage 1 dropper at C:\\Users\\Public\\Documents\\csrss.exe - SHA256: 77289f13c9feb06f40792f3245b5d8f5188d264eb7a65c616473d4f4308c1df9\nStage 2 loader at C:\\Users\\admin\\AppData\\Local\\Temp\\backdoor.elf - SHA256: 5c03dfd0628aa5f48aa5fee1c09d93e765da96a27b6e7d0848696679cb635da7\nFinal payload at C:\\Users\\Public\\Documents\\chrome_helper.exe - MD5: b1e428d4b2db8baaf9e016c7155edae3\nExfiltration module - MD5: b437c5c828d8540289bc021546b2474f\nAll stages communicated with 192.77.71.14. 
BloodHound signatures detected in Stage 2.", "spans": {"MALWARE: Qbot": [[22, 26]], "FILEPATH: C:\\Users\\Public\\Documents\\csrss.exe": [[56, 91]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\backdoor.elf": [[185, 231]], "FILEPATH: C:\\Users\\Public\\Documents\\chrome_helper.exe": [[324, 367]], "HASH: 77289f13c9feb06f40792f3245b5d8f5188d264eb7a65c616473d4f4308c1df9": [[102, 166]], "HASH: 5c03dfd0628aa5f48aa5fee1c09d93e765da96a27b6e7d0848696679cb635da7": [[242, 306]], "HASH: b1e428d4b2db8baaf9e016c7155edae3": [[375, 407]], "HASH: b437c5c828d8540289bc021546b2474f": [[435, 467]], "IP_ADDRESS: 192.77.71.14": [[497, 509]], "TOOL: BloodHound": [[511, 521]]}, "info": {"id": "synth_v2_01874", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for AgentTesla campaign:\nStage 1 dropper at /tmp/implant.so - SHA1: 63003d9ce6c2659944e5c4b91949d4ff1c8d819e\nStage 2 loader at C:\\Windows\\Temp\\svchost.exe - SHA256: 24e1e25faa27a77018ab33668640f88d320e1c74a66a671349d7bc0e5bf628b1\nFinal payload at C:\\Users\\admin\\Downloads\\shell.php - MD5: 0c8c269bbe812eb666b6636b23719126\nExfiltration module - SHA256: bbb29f766be1866ea88fdab89ec02d6a288fa6353ed489923a9f300b859e70c0\nAll stages communicated with 192.47.155.113. 
BloodHound signatures detected in Stage 2.", "spans": {"MALWARE: AgentTesla": [[22, 32]], "FILEPATH: /tmp/implant.so": [[62, 77]], "FILEPATH: C:\\Windows\\Temp\\svchost.exe": [[145, 172]], "FILEPATH: C:\\Users\\admin\\Downloads\\shell.php": [[265, 299]], "HASH: 63003d9ce6c2659944e5c4b91949d4ff1c8d819e": [[86, 126]], "HASH: 24e1e25faa27a77018ab33668640f88d320e1c74a66a671349d7bc0e5bf628b1": [[183, 247]], "HASH: 0c8c269bbe812eb666b6636b23719126": [[307, 339]], "HASH: bbb29f766be1866ea88fdab89ec02d6a288fa6353ed489923a9f300b859e70c0": [[370, 434]], "IP_ADDRESS: 192.47.155.113": [[464, 478]], "TOOL: BloodHound": [[480, 490]]}, "info": {"id": "synth_v2_01875", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Amadey campaign:\nStage 1 dropper at C:\\Users\\admin\\AppData\\Local\\Temp\\csrss.exe - MD5: 1cf4586d3b17db7d689b88566bec53be\nStage 2 loader at /etc/cron.d/winlogon.exe - SHA1: f1b8e36ff716aacc7abb74781d6da61887e30059\nFinal payload at C:\\Windows\\System32\\helper.sh - MD5: 48a44aa6a2673b6f6cdaf5f2643c2670\nExfiltration module - SHA256: 4db01633d044213f192fc19799b0b82927aa4fdd0c93117d32de69b668c114df\nAll stages communicated with 192.14.129.157. 
LaZagne signatures detected in Stage 2.", "spans": {"MALWARE: Amadey": [[22, 28]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\csrss.exe": [[58, 101]], "FILEPATH: /etc/cron.d/winlogon.exe": [[160, 184]], "FILEPATH: C:\\Windows\\System32\\helper.sh": [[251, 280]], "HASH: 1cf4586d3b17db7d689b88566bec53be": [[109, 141]], "HASH: f1b8e36ff716aacc7abb74781d6da61887e30059": [[193, 233]], "HASH: 48a44aa6a2673b6f6cdaf5f2643c2670": [[288, 320]], "HASH: 4db01633d044213f192fc19799b0b82927aa4fdd0c93117d32de69b668c114df": [[351, 415]], "IP_ADDRESS: 192.14.129.157": [[445, 459]], "TOOL: LaZagne": [[461, 468]]}, "info": {"id": "synth_v2_01876", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for BlackCat campaign:\nStage 1 dropper at /home/user/.config/winlogon.exe - MD5: ad2253dd51db543d594e713e75cedeee\nStage 2 loader at C:\\Users\\admin\\Desktop\\dropper.ps1 - MD5: 7ed5841f11f87eed42aaf9f108a3ac3b\nFinal payload at /home/user/.config/agent.py - MD5: 06f949d97f49cf09adccd55b5df69fa4\nExfiltration module - SHA1: d02e72587a62f6b7bccc22985ae5833cb917ddea\nAll stages communicated with 60.100.107.211. 
Covenant signatures detected in Stage 2.", "spans": {"MALWARE: BlackCat": [[22, 30]], "FILEPATH: /home/user/.config/winlogon.exe": [[60, 91]], "FILEPATH: C:\\Users\\admin\\Desktop\\dropper.ps1": [[150, 184]], "FILEPATH: /home/user/.config/agent.py": [[242, 269]], "HASH: ad2253dd51db543d594e713e75cedeee": [[99, 131]], "HASH: 7ed5841f11f87eed42aaf9f108a3ac3b": [[192, 224]], "HASH: 06f949d97f49cf09adccd55b5df69fa4": [[277, 309]], "HASH: d02e72587a62f6b7bccc22985ae5833cb917ddea": [[338, 378]], "IP_ADDRESS: 60.100.107.211": [[408, 422]], "TOOL: Covenant": [[424, 432]]}, "info": {"id": "synth_v2_01877", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Gootloader campaign:\nStage 1 dropper at /home/user/.config/ntds.dit - SHA256: eb04273bb24b8b6f3a7cad6c3f1b6be66c4b120eaf11f6a2b19f2fc78e1c09c2\nStage 2 loader at /opt/app/bin/chrome_helper.exe - SHA1: 47044f5fbfa47a02d2b519907948086fdee0c8ad\nFinal payload at C:\\Users\\admin\\AppData\\Local\\Temp\\runtime.dll - SHA1: 78d87995bcbe3dc0b4878cabcde7dee9f7fc9773\nExfiltration module - SHA1: 30241c274b04dbf8e895ba42dfb799c0b4033895\nAll stages communicated with 10.70.150.23. 
Certutil signatures detected in Stage 2.", "spans": {"MALWARE: Gootloader": [[22, 32]], "FILEPATH: /home/user/.config/ntds.dit": [[62, 89]], "FILEPATH: /opt/app/bin/chrome_helper.exe": [[183, 213]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\runtime.dll": [[280, 325]], "HASH: eb04273bb24b8b6f3a7cad6c3f1b6be66c4b120eaf11f6a2b19f2fc78e1c09c2": [[100, 164]], "HASH: 47044f5fbfa47a02d2b519907948086fdee0c8ad": [[222, 262]], "HASH: 78d87995bcbe3dc0b4878cabcde7dee9f7fc9773": [[334, 374]], "HASH: 30241c274b04dbf8e895ba42dfb799c0b4033895": [[403, 443]], "IP_ADDRESS: 10.70.150.23": [[473, 485]], "TOOL: Certutil": [[487, 495]]}, "info": {"id": "synth_v2_01878", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for RedLine Stealer campaign:\nStage 1 dropper at C:\\Users\\admin\\AppData\\Local\\Temp\\lsass.dmp - SHA256: 29441fac67f23ef63db5cb9fca03065622c6e1abb61914ba2819fdd6e9d32c3e\nStage 2 loader at /usr/local/bin/backdoor.elf - SHA256: 173ad87fcfe5cc7fe02caf47ac495b57d3694a2d7a44c77498226b9eabb3f0d8\nFinal payload at C:\\Users\\admin\\AppData\\Local\\Temp\\runtime.dll - SHA256: 75c4f216ecbf68c7be3f08a83580150038dd55104694241ad7f67ff6b49a4dba\nExfiltration module - MD5: 02993c2548c5bafe781977e0073bda38\nAll stages communicated with 172.60.248.175. 
Sharphound signatures detected in Stage 2.", "spans": {"MALWARE: RedLine Stealer": [[22, 37]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\lsass.dmp": [[67, 110]], "FILEPATH: /usr/local/bin/backdoor.elf": [[204, 231]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\runtime.dll": [[324, 369]], "HASH: 29441fac67f23ef63db5cb9fca03065622c6e1abb61914ba2819fdd6e9d32c3e": [[121, 185]], "HASH: 173ad87fcfe5cc7fe02caf47ac495b57d3694a2d7a44c77498226b9eabb3f0d8": [[242, 306]], "HASH: 75c4f216ecbf68c7be3f08a83580150038dd55104694241ad7f67ff6b49a4dba": [[380, 444]], "HASH: 02993c2548c5bafe781977e0073bda38": [[472, 504]], "IP_ADDRESS: 172.60.248.175": [[534, 548]], "TOOL: Sharphound": [[550, 560]]}, "info": {"id": "synth_v2_01879", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Latrodectus campaign:\nStage 1 dropper at /tmp/agent.py - MD5: 4095e2193c4521d09b05e8b60d1d779d\nStage 2 loader at /var/tmp/update.dll - SHA1: 8b8fb6d27c8ba372c3b345762612c32c0deb7613\nFinal payload at C:\\Windows\\Tasks\\taskhost.exe - SHA1: 2e9c8670abda459583f7abfd1038d61f1711aa5b\nExfiltration module - SHA256: 39d2239e3a9de21eb3275a76e625f7d2f1417fe1c7eb9979d1cd61be2e28053d\nAll stages communicated with 10.81.47.206. 
LinPEAS signatures detected in Stage 2.", "spans": {"MALWARE: Latrodectus": [[22, 33]], "FILEPATH: /tmp/agent.py": [[63, 76]], "FILEPATH: /var/tmp/update.dll": [[135, 154]], "FILEPATH: C:\\Windows\\Tasks\\taskhost.exe": [[221, 250]], "HASH: 4095e2193c4521d09b05e8b60d1d779d": [[84, 116]], "HASH: 8b8fb6d27c8ba372c3b345762612c32c0deb7613": [[163, 203]], "HASH: 2e9c8670abda459583f7abfd1038d61f1711aa5b": [[259, 299]], "HASH: 39d2239e3a9de21eb3275a76e625f7d2f1417fe1c7eb9979d1cd61be2e28053d": [[330, 394]], "IP_ADDRESS: 10.81.47.206": [[424, 436]], "TOOL: LinPEAS": [[438, 445]]}, "info": {"id": "synth_v2_01880", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Raccoon Stealer campaign:\nStage 1 dropper at /tmp/shell.php - MD5: 6810d117f26a0e06ab15cd907e92f29b\nStage 2 loader at C:\\Users\\admin\\Downloads\\helper.sh - SHA1: a481a934c600bf7e95fbc6a1d4336fe03a6da4fc\nFinal payload at C:\\ProgramData\\loader.exe - SHA256: a7b61940ecb64720bb7c3d786d5f589a429a5792dcd6ef3cb171392161e11587\nExfiltration module - MD5: ee6b0481fbd5374be860c7f5598ed0e4\nAll stages communicated with 192.43.13.140. 
Brute Ratel signatures detected in Stage 2.", "spans": {"MALWARE: Raccoon Stealer": [[22, 37]], "FILEPATH: /tmp/shell.php": [[67, 81]], "FILEPATH: C:\\Users\\admin\\Downloads\\helper.sh": [[140, 174]], "FILEPATH: C:\\ProgramData\\loader.exe": [[241, 266]], "HASH: 6810d117f26a0e06ab15cd907e92f29b": [[89, 121]], "HASH: a481a934c600bf7e95fbc6a1d4336fe03a6da4fc": [[183, 223]], "HASH: a7b61940ecb64720bb7c3d786d5f589a429a5792dcd6ef3cb171392161e11587": [[277, 341]], "HASH: ee6b0481fbd5374be860c7f5598ed0e4": [[369, 401]], "IP_ADDRESS: 192.43.13.140": [[431, 444]], "TOOL: Brute Ratel": [[446, 457]]}, "info": {"id": "synth_v2_01881", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for PlugX campaign:\nStage 1 dropper at /var/tmp/lsass.dmp - SHA256: 493e23b09eda2d014d0270603464352c7f65e3efca2a79d821c24913708ef46f\nStage 2 loader at /dev/shm/svchost.exe - SHA256: 5c6c5597ac07668747d2f0fec19dc15e64555eff07bee99496522fc3aaff8d7a\nFinal payload at C:\\Windows\\System32\\csrss.exe - SHA256: 6b458fc681b2cbe36d04cb12b9f01ed546c2dc41cc028ef3249fd94399589ec4\nExfiltration module - SHA1: 497a7d649f9271293f0b354b2277c0a814a5d71c\nAll stages communicated with 62.183.216.80. 
ADFind signatures detected in Stage 2.", "spans": {"MALWARE: PlugX": [[22, 27]], "FILEPATH: /var/tmp/lsass.dmp": [[57, 75]], "FILEPATH: /dev/shm/svchost.exe": [[169, 189]], "FILEPATH: C:\\Windows\\System32\\csrss.exe": [[282, 311]], "HASH: 493e23b09eda2d014d0270603464352c7f65e3efca2a79d821c24913708ef46f": [[86, 150]], "HASH: 5c6c5597ac07668747d2f0fec19dc15e64555eff07bee99496522fc3aaff8d7a": [[200, 264]], "HASH: 6b458fc681b2cbe36d04cb12b9f01ed546c2dc41cc028ef3249fd94399589ec4": [[322, 386]], "HASH: 497a7d649f9271293f0b354b2277c0a814a5d71c": [[415, 455]], "IP_ADDRESS: 62.183.216.80": [[485, 498]], "TOOL: ADFind": [[500, 506]]}, "info": {"id": "synth_v2_01882", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Vidar campaign:\nStage 1 dropper at /tmp/csrss.exe - MD5: 2914e439c22d9e6a46f0a424d09258f6\nStage 2 loader at /home/user/.config/sam.hive - SHA1: 70d43b0cffc16534c3af3e2b0eda3b165a98afbe\nFinal payload at C:\\Users\\admin\\Downloads\\loader.exe - SHA256: d6e18226d460d2adf10d8c2310fd7a9ea4c37c0d5090e3ea4a5833186989a378\nExfiltration module - SHA256: 5fd43635ebed7a265f45cf9313aeb1e69210db242ccf85d2c68895e23ccd93be\nAll stages communicated with 42.156.8.170. 
PsExec signatures detected in Stage 2.", "spans": {"MALWARE: Vidar": [[22, 27]], "FILEPATH: /tmp/csrss.exe": [[57, 71]], "FILEPATH: /home/user/.config/sam.hive": [[130, 157]], "FILEPATH: C:\\Users\\admin\\Downloads\\loader.exe": [[224, 259]], "HASH: 2914e439c22d9e6a46f0a424d09258f6": [[79, 111]], "HASH: 70d43b0cffc16534c3af3e2b0eda3b165a98afbe": [[166, 206]], "HASH: d6e18226d460d2adf10d8c2310fd7a9ea4c37c0d5090e3ea4a5833186989a378": [[270, 334]], "HASH: 5fd43635ebed7a265f45cf9313aeb1e69210db242ccf85d2c68895e23ccd93be": [[365, 429]], "IP_ADDRESS: 42.156.8.170": [[459, 471]], "TOOL: PsExec": [[473, 479]]}, "info": {"id": "synth_v2_01883", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Amadey campaign:\nStage 1 dropper at /usr/local/bin/implant.so - SHA256: de057d68246f523c1ff3e66d44d618af9492c810ae4181b5f26881c8f0799a0d\nStage 2 loader at C:\\Windows\\System32\\update.dll - SHA256: 2a42deb924c0be162cc2397500e482d0a2157c6ab98d13ff81684dfa8dc28670\nFinal payload at /var/tmp/chrome_helper.exe - SHA1: 38f6aaf8e40ffc00f3379c73b95104b281faf48b\nExfiltration module - SHA1: 68c02776f593fc98b823d43a065e9fe30a1a8d44\nAll stages communicated with 160.38.133.83. 
Sharphound signatures detected in Stage 2.", "spans": {"MALWARE: Amadey": [[22, 28]], "FILEPATH: /usr/local/bin/implant.so": [[58, 83]], "FILEPATH: C:\\Windows\\System32\\update.dll": [[177, 207]], "FILEPATH: /var/tmp/chrome_helper.exe": [[300, 326]], "HASH: de057d68246f523c1ff3e66d44d618af9492c810ae4181b5f26881c8f0799a0d": [[94, 158]], "HASH: 2a42deb924c0be162cc2397500e482d0a2157c6ab98d13ff81684dfa8dc28670": [[218, 282]], "HASH: 38f6aaf8e40ffc00f3379c73b95104b281faf48b": [[335, 375]], "HASH: 68c02776f593fc98b823d43a065e9fe30a1a8d44": [[404, 444]], "IP_ADDRESS: 160.38.133.83": [[474, 487]], "TOOL: Sharphound": [[489, 499]]}, "info": {"id": "synth_v2_01884", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Raccoon Stealer campaign:\nStage 1 dropper at C:\\Windows\\Temp\\runtime.dll - SHA256: 348b6282a569fe2cb03baad99aa588440b9160fefce5e614587a3230f16b6e96\nStage 2 loader at /etc/cron.d/beacon.dll - SHA1: cee609a11b2fc5234161d06b375713e3ba40f31e\nFinal payload at C:\\Windows\\System32\\loader.exe - SHA256: e39c2e8a74bde4f26ef02b189b6a9c18eaaa537b525f7e20f5aa55238c3ddc12\nExfiltration module - SHA1: 0b494327a72c3b2474a078cf7e32a0d3ef3c6354\nAll stages communicated with 192.174.120.148. 
ADFind signatures detected in Stage 2.", "spans": {"MALWARE: Raccoon Stealer": [[22, 37]], "FILEPATH: C:\\Windows\\Temp\\runtime.dll": [[67, 94]], "FILEPATH: /etc/cron.d/beacon.dll": [[188, 210]], "FILEPATH: C:\\Windows\\System32\\loader.exe": [[277, 307]], "HASH: 348b6282a569fe2cb03baad99aa588440b9160fefce5e614587a3230f16b6e96": [[105, 169]], "HASH: cee609a11b2fc5234161d06b375713e3ba40f31e": [[219, 259]], "HASH: e39c2e8a74bde4f26ef02b189b6a9c18eaaa537b525f7e20f5aa55238c3ddc12": [[318, 382]], "HASH: 0b494327a72c3b2474a078cf7e32a0d3ef3c6354": [[411, 451]], "IP_ADDRESS: 192.174.120.148": [[481, 496]], "TOOL: ADFind": [[498, 504]]}, "info": {"id": "synth_v2_01885", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Raccoon Stealer campaign:\nStage 1 dropper at /dev/shm/helper.sh - SHA1: 9f543ccbf240d4a4985c4fcc62225cde7b1efa23\nStage 2 loader at /var/tmp/runtime.dll - SHA256: c6ce6b39d8a2ce20bab2476fd6bbd1c3c49be1eb67037ded12f61d73bbae6768\nFinal payload at C:\\Users\\admin\\Downloads\\sam.hive - SHA256: 512a7dbe6ebd97461f218f33cac7b869ff4dfc91524f355b10bed63f9d433911\nExfiltration module - MD5: 3c6ed6a5c6d6ff15a0dceaa422acb733\nAll stages communicated with 172.26.91.178. 
Hashcat signatures detected in Stage 2.", "spans": {"MALWARE: Raccoon Stealer": [[22, 37]], "FILEPATH: /dev/shm/helper.sh": [[67, 85]], "FILEPATH: /var/tmp/runtime.dll": [[153, 173]], "FILEPATH: C:\\Users\\admin\\Downloads\\sam.hive": [[266, 299]], "HASH: 9f543ccbf240d4a4985c4fcc62225cde7b1efa23": [[94, 134]], "HASH: c6ce6b39d8a2ce20bab2476fd6bbd1c3c49be1eb67037ded12f61d73bbae6768": [[184, 248]], "HASH: 512a7dbe6ebd97461f218f33cac7b869ff4dfc91524f355b10bed63f9d433911": [[310, 374]], "HASH: 3c6ed6a5c6d6ff15a0dceaa422acb733": [[402, 434]], "IP_ADDRESS: 172.26.91.178": [[464, 477]], "TOOL: Hashcat": [[479, 486]]}, "info": {"id": "synth_v2_01886", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for DarkSide campaign:\nStage 1 dropper at C:\\Users\\admin\\Downloads\\helper.sh - MD5: ea1b5f3afbad94ab343ba9eaa0be235a\nStage 2 loader at /etc/cron.d/dropper.ps1 - SHA1: eaf10105057a10d9bcea0bfc26a1ef3ed2b4ea78\nFinal payload at /etc/cron.d/winlogon.exe - MD5: 4be786c4dc2cc636ff77d9a670aa8a9e\nExfiltration module - MD5: bc8146ba403fd8a74e0cf77927a62354\nAll stages communicated with 10.57.186.174. 
Mimikatz signatures detected in Stage 2.", "spans": {"MALWARE: DarkSide": [[22, 30]], "FILEPATH: C:\\Users\\admin\\Downloads\\helper.sh": [[60, 94]], "FILEPATH: /etc/cron.d/dropper.ps1": [[153, 176]], "FILEPATH: /etc/cron.d/winlogon.exe": [[243, 267]], "HASH: ea1b5f3afbad94ab343ba9eaa0be235a": [[102, 134]], "HASH: eaf10105057a10d9bcea0bfc26a1ef3ed2b4ea78": [[185, 225]], "HASH: 4be786c4dc2cc636ff77d9a670aa8a9e": [[275, 307]], "HASH: bc8146ba403fd8a74e0cf77927a62354": [[335, 367]], "IP_ADDRESS: 10.57.186.174": [[397, 410]], "TOOL: Mimikatz": [[412, 420]]}, "info": {"id": "synth_v2_01887", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for QakBot campaign:\nStage 1 dropper at /home/user/.config/beacon.dll - MD5: 6daa627c2fdb6c723244bef0e878187c\nStage 2 loader at C:\\Windows\\System32\\svchost.exe - MD5: 4bf89171efa86969272b2700a121a3be\nFinal payload at C:\\Windows\\Tasks\\backdoor.elf - MD5: 50e89edbd76c34954c9cb7bdc76b09c9\nExfiltration module - SHA1: b35455fb6907ba4f69d044a07c0d190528c97d02\nAll stages communicated with 192.238.7.250. 
Chisel signatures detected in Stage 2.", "spans": {"MALWARE: QakBot": [[22, 28]], "FILEPATH: /home/user/.config/beacon.dll": [[58, 87]], "FILEPATH: C:\\Windows\\System32\\svchost.exe": [[146, 177]], "FILEPATH: C:\\Windows\\Tasks\\backdoor.elf": [[235, 264]], "HASH: 6daa627c2fdb6c723244bef0e878187c": [[95, 127]], "HASH: 4bf89171efa86969272b2700a121a3be": [[185, 217]], "HASH: 50e89edbd76c34954c9cb7bdc76b09c9": [[272, 304]], "HASH: b35455fb6907ba4f69d044a07c0d190528c97d02": [[333, 373]], "IP_ADDRESS: 192.238.7.250": [[403, 416]], "TOOL: Chisel": [[418, 424]]}, "info": {"id": "synth_v2_01888", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for AgentTesla campaign:\nStage 1 dropper at C:\\Users\\Public\\Documents\\sam.hive - SHA256: 95bde637f970990e30466499fe4e5efaf6d207d3e51ede1553c8f9de94a14590\nStage 2 loader at C:\\Windows\\Tasks\\winlogon.exe - SHA1: 715e1b17851f8999d6b54ac73d455d81e2f83059\nFinal payload at C:\\Users\\admin\\AppData\\Local\\Temp\\payload.bin - SHA256: 9ed0bc055f087ced9f1b1f3a616989dbf0e9f3606280588f7325a2ffb3f297ba\nExfiltration module - SHA256: 8d3e7325b5bdf39997cfc3dd2332c84b7a0f435a4f284cea3d961f6b4c784ff5\nAll stages communicated with 192.123.38.7. 
Seatbelt signatures detected in Stage 2.", "spans": {"MALWARE: AgentTesla": [[22, 32]], "FILEPATH: C:\\Users\\Public\\Documents\\sam.hive": [[62, 96]], "FILEPATH: C:\\Windows\\Tasks\\winlogon.exe": [[190, 219]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\payload.bin": [[286, 331]], "HASH: 95bde637f970990e30466499fe4e5efaf6d207d3e51ede1553c8f9de94a14590": [[107, 171]], "HASH: 715e1b17851f8999d6b54ac73d455d81e2f83059": [[228, 268]], "HASH: 9ed0bc055f087ced9f1b1f3a616989dbf0e9f3606280588f7325a2ffb3f297ba": [[342, 406]], "HASH: 8d3e7325b5bdf39997cfc3dd2332c84b7a0f435a4f284cea3d961f6b4c784ff5": [[437, 501]], "IP_ADDRESS: 192.123.38.7": [[531, 543]], "TOOL: Seatbelt": [[545, 553]]}, "info": {"id": "synth_v2_01889", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for BatLoader campaign:\nStage 1 dropper at /usr/local/bin/taskhost.exe - SHA256: 32722c795f43d3e18e722591f1b92e259e5c68acd02d72097f2098d93423996d\nStage 2 loader at C:\\Users\\admin\\AppData\\Local\\Temp\\helper.sh - SHA256: 7f6d7087ebec2ea8e78687d4a6a2ce8cd84a3adf3198a1d0bb1344c00169b35d\nFinal payload at /dev/shm/payload.bin - SHA256: 1eb33e12994d8253bea165d216a236b0d80b27d2a8bd964edebc09c160cb04a0\nExfiltration module - SHA1: 26300ee4dbcd28ba74ccda3a219d64d23fe1bbe8\nAll stages communicated with 10.76.232.45. 
Seatbelt signatures detected in Stage 2.", "spans": {"MALWARE: BatLoader": [[22, 31]], "FILEPATH: /usr/local/bin/taskhost.exe": [[61, 88]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\helper.sh": [[182, 225]], "FILEPATH: /dev/shm/payload.bin": [[318, 338]], "HASH: 32722c795f43d3e18e722591f1b92e259e5c68acd02d72097f2098d93423996d": [[99, 163]], "HASH: 7f6d7087ebec2ea8e78687d4a6a2ce8cd84a3adf3198a1d0bb1344c00169b35d": [[236, 300]], "HASH: 1eb33e12994d8253bea165d216a236b0d80b27d2a8bd964edebc09c160cb04a0": [[349, 413]], "HASH: 26300ee4dbcd28ba74ccda3a219d64d23fe1bbe8": [[442, 482]], "IP_ADDRESS: 10.76.232.45": [[512, 524]], "TOOL: Seatbelt": [[526, 534]]}, "info": {"id": "synth_v2_01890", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for QakBot campaign:\nStage 1 dropper at /etc/cron.d/taskhost.exe - SHA1: e49b5584c9a39e44afa1841fda6c741eaed9de87\nStage 2 loader at C:\\Windows\\System32\\ntds.dit - MD5: 1ac3af41120d8f2cef5b64cb7a44a764\nFinal payload at /tmp/sam.hive - MD5: 259cf8e670d054f2096361eac7f73984\nExfiltration module - MD5: ebf402b23bb74e3da2257acc31c4276f\nAll stages communicated with 172.218.108.54. 
Sharphound signatures detected in Stage 2.", "spans": {"MALWARE: QakBot": [[22, 28]], "FILEPATH: /etc/cron.d/taskhost.exe": [[58, 82]], "FILEPATH: C:\\Windows\\System32\\ntds.dit": [[150, 178]], "FILEPATH: /tmp/sam.hive": [[236, 249]], "HASH: e49b5584c9a39e44afa1841fda6c741eaed9de87": [[91, 131]], "HASH: 1ac3af41120d8f2cef5b64cb7a44a764": [[186, 218]], "HASH: 259cf8e670d054f2096361eac7f73984": [[257, 289]], "HASH: ebf402b23bb74e3da2257acc31c4276f": [[317, 349]], "IP_ADDRESS: 172.218.108.54": [[379, 393]], "TOOL: Sharphound": [[395, 405]]}, "info": {"id": "synth_v2_01891", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for WarmCookie campaign:\nStage 1 dropper at /etc/cron.d/taskhost.exe - SHA1: c2019561ae7f50d89173b77cb6d5ee77bc59bebe\nStage 2 loader at C:\\Windows\\Tasks\\lsass.dmp - SHA256: fbac811db09b7808999ba194b461ce075145ddc6668e640af0fcc461253c89ec\nFinal payload at C:\\Program Files\\Common Files\\ntds.dit - SHA256: 29a71b79596400c2d5191ac5495636a60d35f58ac7cbbed658df24c902b029ff\nExfiltration module - SHA256: cdf2046ed28eb38c8a8bde7570e146e6441b7291f5e49c3281a292697a86f308\nAll stages communicated with 10.84.250.74. 
ADFind signatures detected in Stage 2.", "spans": {"MALWARE: WarmCookie": [[22, 32]], "FILEPATH: /etc/cron.d/taskhost.exe": [[62, 86]], "FILEPATH: C:\\Windows\\Tasks\\lsass.dmp": [[154, 180]], "FILEPATH: C:\\Program Files\\Common Files\\ntds.dit": [[273, 311]], "HASH: c2019561ae7f50d89173b77cb6d5ee77bc59bebe": [[95, 135]], "HASH: fbac811db09b7808999ba194b461ce075145ddc6668e640af0fcc461253c89ec": [[191, 255]], "HASH: 29a71b79596400c2d5191ac5495636a60d35f58ac7cbbed658df24c902b029ff": [[322, 386]], "HASH: cdf2046ed28eb38c8a8bde7570e146e6441b7291f5e49c3281a292697a86f308": [[417, 481]], "IP_ADDRESS: 10.84.250.74": [[511, 523]], "TOOL: ADFind": [[525, 531]]}, "info": {"id": "synth_v2_01892", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for DarkSide campaign:\nStage 1 dropper at /tmp/agent.py - MD5: f0f77ea05d2a1f62324f3887124b3da2\nStage 2 loader at /etc/cron.d/shell.php - SHA256: bc652e95557574acb820d000c13f163fe2d31e3f599f29dcc88035ac59e06df3\nFinal payload at /etc/cron.d/dropper.ps1 - SHA256: cad0ed1f0267d5090a29b1d1a8e4a0bbdd64618c5165113038fe2bfc893d5a12\nExfiltration module - SHA256: 301d396ee37111ccad8d5b5c79ef76603c403e17bd29a0737828ac04af75386c\nAll stages communicated with 102.179.203.41. 
Sharphound signatures detected in Stage 2.", "spans": {"MALWARE: DarkSide": [[22, 30]], "FILEPATH: /tmp/agent.py": [[60, 73]], "FILEPATH: /etc/cron.d/shell.php": [[132, 153]], "FILEPATH: /etc/cron.d/dropper.ps1": [[246, 269]], "HASH: f0f77ea05d2a1f62324f3887124b3da2": [[81, 113]], "HASH: bc652e95557574acb820d000c13f163fe2d31e3f599f29dcc88035ac59e06df3": [[164, 228]], "HASH: cad0ed1f0267d5090a29b1d1a8e4a0bbdd64618c5165113038fe2bfc893d5a12": [[280, 344]], "HASH: 301d396ee37111ccad8d5b5c79ef76603c403e17bd29a0737828ac04af75386c": [[375, 439]], "IP_ADDRESS: 102.179.203.41": [[469, 483]], "TOOL: Sharphound": [[485, 495]]}, "info": {"id": "synth_v2_01893", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for IcedID campaign:\nStage 1 dropper at /opt/app/bin/implant.so - SHA256: 56fe03a871d3cb0e31654b4f5f6542602eeeba4f424cfa551a5cfefd6d5daca9\nStage 2 loader at C:\\Users\\admin\\AppData\\Local\\Temp\\shell.php - SHA1: 82f012690c907bb94428e4bc1749c13800eac800\nFinal payload at /home/user/.config/agent.py - SHA256: 60e8b685d487fcdce89a0ae7d657a6b82993c54a30e324140f96869425c67238\nExfiltration module - SHA1: 72168ffff3422c1bbe9853062e78df236f0527a0\nAll stages communicated with 128.186.106.195. 
Seatbelt signatures detected in Stage 2.", "spans": {"MALWARE: IcedID": [[22, 28]], "FILEPATH: /opt/app/bin/implant.so": [[58, 81]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\shell.php": [[175, 218]], "FILEPATH: /home/user/.config/agent.py": [[285, 312]], "HASH: 56fe03a871d3cb0e31654b4f5f6542602eeeba4f424cfa551a5cfefd6d5daca9": [[92, 156]], "HASH: 82f012690c907bb94428e4bc1749c13800eac800": [[227, 267]], "HASH: 60e8b685d487fcdce89a0ae7d657a6b82993c54a30e324140f96869425c67238": [[323, 387]], "HASH: 72168ffff3422c1bbe9853062e78df236f0527a0": [[416, 456]], "IP_ADDRESS: 128.186.106.195": [[486, 501]], "TOOL: Seatbelt": [[503, 511]]}, "info": {"id": "synth_v2_01894", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for XLoader campaign:\nStage 1 dropper at C:\\Users\\admin\\Downloads\\csrss.exe - MD5: 99e34945c47e2732c84b3a678592e0c2\nStage 2 loader at C:\\Program Files\\Common Files\\agent.py - MD5: 1a26a4c01d068f9c344f0a2b0695bd84\nFinal payload at /etc/cron.d/dropper.ps1 - SHA256: bc7df102d437f968546f0deccad330c7e8ab4a04d89270a1fd44ac9352aad64e\nExfiltration module - MD5: 3286cb3382ee7ca41acd514b249cc814\nAll stages communicated with 128.223.213.150. 
Merlin signatures detected in Stage 2.", "spans": {"MALWARE: XLoader": [[22, 29]], "FILEPATH: C:\\Users\\admin\\Downloads\\csrss.exe": [[59, 93]], "FILEPATH: C:\\Program Files\\Common Files\\agent.py": [[152, 190]], "FILEPATH: /etc/cron.d/dropper.ps1": [[248, 271]], "HASH: 99e34945c47e2732c84b3a678592e0c2": [[101, 133]], "HASH: 1a26a4c01d068f9c344f0a2b0695bd84": [[198, 230]], "HASH: bc7df102d437f968546f0deccad330c7e8ab4a04d89270a1fd44ac9352aad64e": [[282, 346]], "HASH: 3286cb3382ee7ca41acd514b249cc814": [[374, 406]], "IP_ADDRESS: 128.223.213.150": [[436, 451]], "TOOL: Merlin": [[453, 459]]}, "info": {"id": "synth_v2_01895", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for FormBook campaign:\nStage 1 dropper at /dev/shm/beacon.dll - MD5: b6d2017e8d9377ac886aa3084f540079\nStage 2 loader at C:\\Windows\\Temp\\winlogon.exe - SHA1: 8ec5cb8f537604e44c018e5e44a1cea66cd24343\nFinal payload at C:\\Users\\Public\\Documents\\dropper.ps1 - MD5: f35c4aa8df349f978cf493102305dd18\nExfiltration module - SHA1: 2b1708dbba5d0c9d1557a0e24deef7b654f54108\nAll stages communicated with 213.26.202.119. 
Havoc signatures detected in Stage 2.", "spans": {"MALWARE: FormBook": [[22, 30]], "FILEPATH: /dev/shm/beacon.dll": [[60, 79]], "FILEPATH: C:\\Windows\\Temp\\winlogon.exe": [[138, 166]], "FILEPATH: C:\\Users\\Public\\Documents\\dropper.ps1": [[233, 270]], "HASH: b6d2017e8d9377ac886aa3084f540079": [[87, 119]], "HASH: 8ec5cb8f537604e44c018e5e44a1cea66cd24343": [[175, 215]], "HASH: f35c4aa8df349f978cf493102305dd18": [[278, 310]], "HASH: 2b1708dbba5d0c9d1557a0e24deef7b654f54108": [[339, 379]], "IP_ADDRESS: 213.26.202.119": [[409, 423]], "TOOL: Havoc": [[425, 430]]}, "info": {"id": "synth_v2_01896", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Emotet campaign:\nStage 1 dropper at /usr/local/bin/winlogon.exe - SHA1: c617f5b66b8cb27f811c87cd8cb6d7cf14d49c1d\nStage 2 loader at C:\\ProgramData\\taskhost.exe - SHA1: 36fb2b9f8743d6ab9a4c7a96f5c7007c04bae23d\nFinal payload at /etc/cron.d/shell.php - SHA1: 5c88785e18698adad9f6544de0c8ae80342fccdd\nExfiltration module - MD5: d3b984434da5a85c7d4fe72b130a7802\nAll stages communicated with 172.211.233.1. 
Hashcat signatures detected in Stage 2.", "spans": {"MALWARE: Emotet": [[22, 28]], "FILEPATH: /usr/local/bin/winlogon.exe": [[58, 85]], "FILEPATH: C:\\ProgramData\\taskhost.exe": [[153, 180]], "FILEPATH: /etc/cron.d/shell.php": [[247, 268]], "HASH: c617f5b66b8cb27f811c87cd8cb6d7cf14d49c1d": [[94, 134]], "HASH: 36fb2b9f8743d6ab9a4c7a96f5c7007c04bae23d": [[189, 229]], "HASH: 5c88785e18698adad9f6544de0c8ae80342fccdd": [[277, 317]], "HASH: d3b984434da5a85c7d4fe72b130a7802": [[345, 377]], "IP_ADDRESS: 172.211.233.1": [[407, 420]], "TOOL: Hashcat": [[422, 429]]}, "info": {"id": "synth_v2_01897", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for WarmCookie campaign:\nStage 1 dropper at C:\\Users\\admin\\Desktop\\implant.so - MD5: 7c3e542708b6d48c04704591862c8a33\nStage 2 loader at /dev/shm/implant.so - SHA256: aed800f7ed075cd08b9e43acf068c924492fe1bfd60195e7a7e01fc7b5c2ffb2\nFinal payload at /etc/cron.d/update.dll - MD5: c5225fc5dc3cf6ae4dba0157013f0920\nExfiltration module - MD5: 396bede1e1c13c1c1763962f1e74784d\nAll stages communicated with 177.203.208.215. 
BloodHound signatures detected in Stage 2.", "spans": {"MALWARE: WarmCookie": [[22, 32]], "FILEPATH: C:\\Users\\admin\\Desktop\\implant.so": [[62, 95]], "FILEPATH: /dev/shm/implant.so": [[154, 173]], "FILEPATH: /etc/cron.d/update.dll": [[266, 288]], "HASH: 7c3e542708b6d48c04704591862c8a33": [[103, 135]], "HASH: aed800f7ed075cd08b9e43acf068c924492fe1bfd60195e7a7e01fc7b5c2ffb2": [[184, 248]], "HASH: c5225fc5dc3cf6ae4dba0157013f0920": [[296, 328]], "HASH: 396bede1e1c13c1c1763962f1e74784d": [[356, 388]], "IP_ADDRESS: 177.203.208.215": [[418, 433]], "TOOL: BloodHound": [[435, 445]]}, "info": {"id": "synth_v2_01898", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Gootloader campaign:\nStage 1 dropper at /var/tmp/loader.exe - SHA256: 0a05928a49b4a37219ddd89de71269ec113beed92be59803be9b5f08fcaccd47\nStage 2 loader at C:\\Users\\admin\\Downloads\\loader.exe - SHA1: 72f3968e91bcc323136dd30d85ae887382c487e2\nFinal payload at /etc/cron.d/update.dll - SHA1: 346f216583a1460bb97ebeee0e67f852d9770a45\nExfiltration module - MD5: f6c75c26890bae32e785b3c16b1dda08\nAll stages communicated with 37.237.169.1. 
Metasploit signatures detected in Stage 2.", "spans": {"MALWARE: Gootloader": [[22, 32]], "FILEPATH: /var/tmp/loader.exe": [[62, 81]], "FILEPATH: C:\\Users\\admin\\Downloads\\loader.exe": [[175, 210]], "FILEPATH: /etc/cron.d/update.dll": [[277, 299]], "HASH: 0a05928a49b4a37219ddd89de71269ec113beed92be59803be9b5f08fcaccd47": [[92, 156]], "HASH: 72f3968e91bcc323136dd30d85ae887382c487e2": [[219, 259]], "HASH: 346f216583a1460bb97ebeee0e67f852d9770a45": [[308, 348]], "HASH: f6c75c26890bae32e785b3c16b1dda08": [[376, 408]], "IP_ADDRESS: 37.237.169.1": [[438, 450]], "TOOL: Metasploit": [[452, 462]]}, "info": {"id": "synth_v2_01899", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Play campaign:\nStage 1 dropper at C:\\Users\\admin\\Downloads\\config.dat - SHA1: dd3d854fc6ca8553e344852cb5694710df520fb6\nStage 2 loader at /opt/app/bin/config.dat - SHA1: b73737f7608c4415b2b6da80e7015b46998b3e12\nFinal payload at C:\\Users\\Public\\Documents\\config.dat - SHA256: e92b239aaa6c105a8157dda645582869bdbdc00a40f6c8f29d0e084f6fbc306b\nExfiltration module - SHA256: 8a8dbc517b02e2ccaca761929a8cee3db48bfff85cd01b560e9838c761d6eedf\nAll stages communicated with 10.144.135.180. 
Certutil signatures detected in Stage 2.", "spans": {"MALWARE: Play": [[22, 26]], "FILEPATH: C:\\Users\\admin\\Downloads\\config.dat": [[56, 91]], "FILEPATH: /opt/app/bin/config.dat": [[159, 182]], "FILEPATH: C:\\Users\\Public\\Documents\\config.dat": [[249, 285]], "HASH: dd3d854fc6ca8553e344852cb5694710df520fb6": [[100, 140]], "HASH: b73737f7608c4415b2b6da80e7015b46998b3e12": [[191, 231]], "HASH: e92b239aaa6c105a8157dda645582869bdbdc00a40f6c8f29d0e084f6fbc306b": [[296, 360]], "HASH: 8a8dbc517b02e2ccaca761929a8cee3db48bfff85cd01b560e9838c761d6eedf": [[391, 455]], "IP_ADDRESS: 10.144.135.180": [[485, 499]], "TOOL: Certutil": [[501, 509]]}, "info": {"id": "synth_v2_01900", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Lumma Stealer campaign:\nStage 1 dropper at /var/tmp/winlogon.exe - MD5: f6545f35d7f122f8470cff90a919612d\nStage 2 loader at C:\\Users\\Public\\Documents\\agent.py - SHA256: 11a21d72c98ca12e4b932b508e023227e894651d901a1c1cd395aa2aada4c81e\nFinal payload at C:\\Windows\\Tasks\\backdoor.elf - MD5: 7fd5727090e186166cd46a3cbd7137d0\nExfiltration module - MD5: 89b158be09a8c233264dceebb828a976\nAll stages communicated with 162.46.161.172. 
Havoc signatures detected in Stage 2.", "spans": {"MALWARE: Lumma Stealer": [[22, 35]], "FILEPATH: /var/tmp/winlogon.exe": [[65, 86]], "FILEPATH: C:\\Users\\Public\\Documents\\agent.py": [[145, 179]], "FILEPATH: C:\\Windows\\Tasks\\backdoor.elf": [[272, 301]], "HASH: f6545f35d7f122f8470cff90a919612d": [[94, 126]], "HASH: 11a21d72c98ca12e4b932b508e023227e894651d901a1c1cd395aa2aada4c81e": [[190, 254]], "HASH: 7fd5727090e186166cd46a3cbd7137d0": [[309, 341]], "HASH: 89b158be09a8c233264dceebb828a976": [[369, 401]], "IP_ADDRESS: 162.46.161.172": [[431, 445]], "TOOL: Havoc": [[447, 452]]}, "info": {"id": "synth_v2_01901", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for RemcosRAT campaign:\nStage 1 dropper at /opt/app/bin/backdoor.elf - SHA256: 5e0baaa874c2fd76ca5ede95db7a7920b52b247563eb9b2a77c29a7f010b2d95\nStage 2 loader at /etc/cron.d/dropper.ps1 - SHA256: 0f06fde8b1fd7e7d92da73b6c17288a489cd6593cba2426c85dfea843f31b60b\nFinal payload at /var/tmp/dropper.ps1 - SHA1: 7936d7f9c2e8f059826b20d41cac45eab600f666\nExfiltration module - SHA1: a50751c6149f58c73ca30509e261470bef39a268\nAll stages communicated with 172.150.34.111. 
PsExec signatures detected in Stage 2.", "spans": {"MALWARE: RemcosRAT": [[22, 31]], "FILEPATH: /opt/app/bin/backdoor.elf": [[61, 86]], "FILEPATH: /etc/cron.d/dropper.ps1": [[180, 203]], "FILEPATH: /var/tmp/dropper.ps1": [[296, 316]], "HASH: 5e0baaa874c2fd76ca5ede95db7a7920b52b247563eb9b2a77c29a7f010b2d95": [[97, 161]], "HASH: 0f06fde8b1fd7e7d92da73b6c17288a489cd6593cba2426c85dfea843f31b60b": [[214, 278]], "HASH: 7936d7f9c2e8f059826b20d41cac45eab600f666": [[325, 365]], "HASH: a50751c6149f58c73ca30509e261470bef39a268": [[394, 434]], "IP_ADDRESS: 172.150.34.111": [[464, 478]], "TOOL: PsExec": [[480, 486]]}, "info": {"id": "synth_v2_01902", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Dridex campaign:\nStage 1 dropper at /opt/app/bin/payload.bin - SHA1: 93d89d0ef31c69e501036864ea06319979fe47a3\nStage 2 loader at C:\\Windows\\System32\\dropper.ps1 - MD5: 6e18e28f8d48549d158068298a4e55c1\nFinal payload at /dev/shm/winlogon.exe - SHA256: 37e1bd86b72b7af020ad5bd14e4ba4d95c499180b22db316318417b8fa32f960\nExfiltration module - MD5: cb7fb5a1a8ce59879f87724224aa763c\nAll stages communicated with 192.22.33.141. 
CrackMapExec signatures detected in Stage 2.", "spans": {"MALWARE: Dridex": [[22, 28]], "FILEPATH: /opt/app/bin/payload.bin": [[58, 82]], "FILEPATH: C:\\Windows\\System32\\dropper.ps1": [[150, 181]], "FILEPATH: /dev/shm/winlogon.exe": [[239, 260]], "HASH: 93d89d0ef31c69e501036864ea06319979fe47a3": [[91, 131]], "HASH: 6e18e28f8d48549d158068298a4e55c1": [[189, 221]], "HASH: 37e1bd86b72b7af020ad5bd14e4ba4d95c499180b22db316318417b8fa32f960": [[271, 335]], "HASH: cb7fb5a1a8ce59879f87724224aa763c": [[363, 395]], "IP_ADDRESS: 192.22.33.141": [[425, 438]], "TOOL: CrackMapExec": [[440, 452]]}, "info": {"id": "synth_v2_01903", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for StealC campaign:\nStage 1 dropper at C:\\Windows\\Tasks\\helper.sh - SHA256: 9e06da8b0b7d7656ffa2d5520a827a9f8cde48a50185db3ffd6294d252375d17\nStage 2 loader at C:\\ProgramData\\taskhost.exe - MD5: 05802df647088a26be34c0c7e439adc0\nFinal payload at C:\\ProgramData\\agent.py - SHA1: 62b45bb44158ac6973c19d777c4d1906cd9884ca\nExfiltration module - MD5: bcc3c902ee9ae1c9ad587be8e089f070\nAll stages communicated with 10.216.13.145. 
Sliver signatures detected in Stage 2.", "spans": {"MALWARE: StealC": [[22, 28]], "FILEPATH: C:\\Windows\\Tasks\\helper.sh": [[58, 84]], "FILEPATH: C:\\ProgramData\\taskhost.exe": [[178, 205]], "FILEPATH: C:\\ProgramData\\agent.py": [[263, 286]], "HASH: 9e06da8b0b7d7656ffa2d5520a827a9f8cde48a50185db3ffd6294d252375d17": [[95, 159]], "HASH: 05802df647088a26be34c0c7e439adc0": [[213, 245]], "HASH: 62b45bb44158ac6973c19d777c4d1906cd9884ca": [[295, 335]], "HASH: bcc3c902ee9ae1c9ad587be8e089f070": [[363, 395]], "IP_ADDRESS: 10.216.13.145": [[425, 438]], "TOOL: Sliver": [[440, 446]]}, "info": {"id": "synth_v2_01904", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Raccoon Stealer campaign:\nStage 1 dropper at C:\\Users\\admin\\AppData\\Local\\Temp\\winlogon.exe - SHA1: f54242483ecf0d90cb58984f1ff274d0f8ca0e28\nStage 2 loader at C:\\Windows\\Temp\\agent.py - SHA1: a7677024098a7ca7ffd46bf9c165b3d18e9c4ca2\nFinal payload at /opt/app/bin/implant.so - SHA1: 6ef4a70b38bc1d9d91df27f9370765a88387fb82\nExfiltration module - SHA256: d274e670c20b6b81f77b79ecf385c9891b9e38b67a03bc1a83f7726d3733a761\nAll stages communicated with 192.231.137.16. 
Sharphound signatures detected in Stage 2.", "spans": {"MALWARE: Raccoon Stealer": [[22, 37]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\winlogon.exe": [[67, 113]], "FILEPATH: C:\\Windows\\Temp\\agent.py": [[181, 205]], "FILEPATH: /opt/app/bin/implant.so": [[272, 295]], "HASH: f54242483ecf0d90cb58984f1ff274d0f8ca0e28": [[122, 162]], "HASH: a7677024098a7ca7ffd46bf9c165b3d18e9c4ca2": [[214, 254]], "HASH: 6ef4a70b38bc1d9d91df27f9370765a88387fb82": [[304, 344]], "HASH: d274e670c20b6b81f77b79ecf385c9891b9e38b67a03bc1a83f7726d3733a761": [[375, 439]], "IP_ADDRESS: 192.231.137.16": [[469, 483]], "TOOL: Sharphound": [[485, 495]]}, "info": {"id": "synth_v2_01905", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for StealC campaign:\nStage 1 dropper at /dev/shm/csrss.exe - SHA256: 6f99f018f08b70b995ddfa85f9a66be0c1f53010e8049744afaecb2d701b13aa\nStage 2 loader at /tmp/backdoor.elf - SHA1: 1a23b098137f62d394c9f440a957bc856ed186c0\nFinal payload at /home/user/.config/csrss.exe - MD5: c42c6d4e8636f75bf93f68f2d4200cda\nExfiltration module - SHA1: 3f1cacfd09fd2d2eee7fc8662935b1ca99dd5ecd\nAll stages communicated with 44.45.8.184. 
LinPEAS signatures detected in Stage 2.", "spans": {"MALWARE: StealC": [[22, 28]], "FILEPATH: /dev/shm/csrss.exe": [[58, 76]], "FILEPATH: /tmp/backdoor.elf": [[170, 187]], "FILEPATH: /home/user/.config/csrss.exe": [[254, 282]], "HASH: 6f99f018f08b70b995ddfa85f9a66be0c1f53010e8049744afaecb2d701b13aa": [[87, 151]], "HASH: 1a23b098137f62d394c9f440a957bc856ed186c0": [[196, 236]], "HASH: c42c6d4e8636f75bf93f68f2d4200cda": [[290, 322]], "HASH: 3f1cacfd09fd2d2eee7fc8662935b1ca99dd5ecd": [[351, 391]], "IP_ADDRESS: 44.45.8.184": [[421, 432]], "TOOL: LinPEAS": [[434, 441]]}, "info": {"id": "synth_v2_01906", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for SystemBC campaign:\nStage 1 dropper at /home/user/.config/chrome_helper.exe - MD5: b7f8fe6f24a5a3d0b6b7bfa4ac9ce81c\nStage 2 loader at C:\\Users\\admin\\Downloads\\dropper.ps1 - SHA256: 217ac5359b7ddcfaf49ee2014f349b2cce60842d0eab4e9ac8643261bb5d6870\nFinal payload at C:\\Program Files\\Common Files\\winlogon.exe - SHA256: 7d173bb4084afbdc792ea4b67ece84c817368b4332d80d5d6a4f1eefa7730444\nExfiltration module - SHA1: 757524de9f379427e5399b11a63ce71a4466516f\nAll stages communicated with 172.226.89.84. 
BITSAdmin signatures detected in Stage 2.", "spans": {"MALWARE: SystemBC": [[22, 30]], "FILEPATH: /home/user/.config/chrome_helper.exe": [[60, 96]], "FILEPATH: C:\\Users\\admin\\Downloads\\dropper.ps1": [[155, 191]], "FILEPATH: C:\\Program Files\\Common Files\\winlogon.exe": [[284, 326]], "HASH: b7f8fe6f24a5a3d0b6b7bfa4ac9ce81c": [[104, 136]], "HASH: 217ac5359b7ddcfaf49ee2014f349b2cce60842d0eab4e9ac8643261bb5d6870": [[202, 266]], "HASH: 7d173bb4084afbdc792ea4b67ece84c817368b4332d80d5d6a4f1eefa7730444": [[337, 401]], "HASH: 757524de9f379427e5399b11a63ce71a4466516f": [[430, 470]], "IP_ADDRESS: 172.226.89.84": [[500, 513]], "TOOL: BITSAdmin": [[515, 524]]}, "info": {"id": "synth_v2_01907", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Royal campaign:\nStage 1 dropper at /home/user/.config/taskhost.exe - MD5: d37fe1bcca86b095ecb6b36a75e1733c\nStage 2 loader at /opt/app/bin/taskhost.exe - SHA256: d9a145c3b79fbe0b26eb833087e5e5da6bb63442eb601b04cdc9086a9507a82b\nFinal payload at C:\\Users\\admin\\AppData\\Local\\Temp\\shell.php - SHA1: a37ed3de0616f563e8e923015eef667cfa415467\nExfiltration module - MD5: 26a8bc215dc0619cebb4d98c0f3dc449\nAll stages communicated with 214.229.238.252. 
Brute Ratel signatures detected in Stage 2.", "spans": {"MALWARE: Royal": [[22, 27]], "FILEPATH: /home/user/.config/taskhost.exe": [[57, 88]], "FILEPATH: /opt/app/bin/taskhost.exe": [[147, 172]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\shell.php": [[265, 308]], "HASH: d37fe1bcca86b095ecb6b36a75e1733c": [[96, 128]], "HASH: d9a145c3b79fbe0b26eb833087e5e5da6bb63442eb601b04cdc9086a9507a82b": [[183, 247]], "HASH: a37ed3de0616f563e8e923015eef667cfa415467": [[317, 357]], "HASH: 26a8bc215dc0619cebb4d98c0f3dc449": [[385, 417]], "IP_ADDRESS: 214.229.238.252": [[447, 462]], "TOOL: Brute Ratel": [[464, 475]]}, "info": {"id": "synth_v2_01908", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Royal campaign:\nStage 1 dropper at C:\\Windows\\Temp\\lsass.dmp - SHA256: 5e9917b349d683815bc88903bbb8cb6952a174112398de139646ae605903330c\nStage 2 loader at C:\\ProgramData\\ntds.dit - MD5: a912a5bd876c7df60be5d49a71405469\nFinal payload at /usr/local/bin/taskhost.exe - SHA1: 598d83992262e8963cc6f411a344e9f590969a44\nExfiltration module - MD5: d2c1bc4ca0b66b66d0af8be99d5c093f\nAll stages communicated with 209.51.87.210. 
Seatbelt signatures detected in Stage 2.", "spans": {"MALWARE: Royal": [[22, 27]], "FILEPATH: C:\\Windows\\Temp\\lsass.dmp": [[57, 82]], "FILEPATH: C:\\ProgramData\\ntds.dit": [[176, 199]], "FILEPATH: /usr/local/bin/taskhost.exe": [[257, 284]], "HASH: 5e9917b349d683815bc88903bbb8cb6952a174112398de139646ae605903330c": [[93, 157]], "HASH: a912a5bd876c7df60be5d49a71405469": [[207, 239]], "HASH: 598d83992262e8963cc6f411a344e9f590969a44": [[293, 333]], "HASH: d2c1bc4ca0b66b66d0af8be99d5c093f": [[361, 393]], "IP_ADDRESS: 209.51.87.210": [[423, 436]], "TOOL: Seatbelt": [[438, 446]]}, "info": {"id": "synth_v2_01909", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for REvil campaign:\nStage 1 dropper at C:\\Users\\admin\\Desktop\\implant.so - SHA1: 33828197a5f18a6b876a7719fcb12b089e57966c\nStage 2 loader at /opt/app/bin/csrss.exe - MD5: 1154f9f6df106a9e720f5d14305dcd5a\nFinal payload at /etc/cron.d/dropper.ps1 - SHA1: d0ee5a7d60db379f8993a022400d4b62c024148b\nExfiltration module - SHA256: 3d025f17b8af2726faf39d39cef1185dc232156c096215e0da2e8af5823c0546\nAll stages communicated with 189.31.209.150. 
PowerShell Empire signatures detected in Stage 2.", "spans": {"MALWARE: REvil": [[22, 27]], "FILEPATH: C:\\Users\\admin\\Desktop\\implant.so": [[57, 90]], "FILEPATH: /opt/app/bin/csrss.exe": [[158, 180]], "FILEPATH: /etc/cron.d/dropper.ps1": [[238, 261]], "HASH: 33828197a5f18a6b876a7719fcb12b089e57966c": [[99, 139]], "HASH: 1154f9f6df106a9e720f5d14305dcd5a": [[188, 220]], "HASH: d0ee5a7d60db379f8993a022400d4b62c024148b": [[270, 310]], "HASH: 3d025f17b8af2726faf39d39cef1185dc232156c096215e0da2e8af5823c0546": [[341, 405]], "IP_ADDRESS: 189.31.209.150": [[435, 449]], "TOOL: PowerShell Empire": [[451, 468]]}, "info": {"id": "synth_v2_01910", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for TrickBot campaign:\nStage 1 dropper at C:\\Users\\Public\\Documents\\csrss.exe - SHA1: 0be602b7ace287256732021f987efb76ab89afef\nStage 2 loader at C:\\Users\\admin\\Desktop\\shell.php - SHA256: e88ee190f4ec91746a92fa2fee9572aae5e95c247d017a82ff0a5e9d56359b86\nFinal payload at /usr/local/bin/implant.so - SHA256: 7575767ae1c0bf5386daedfd74a3806dbf491e390db36e366642c1eff658691e\nExfiltration module - MD5: 9db2df171b01dc40e7cf4b36bfc29029\nAll stages communicated with 192.91.254.109. 
Sliver signatures detected in Stage 2.", "spans": {"MALWARE: TrickBot": [[22, 30]], "FILEPATH: C:\\Users\\Public\\Documents\\csrss.exe": [[60, 95]], "FILEPATH: C:\\Users\\admin\\Desktop\\shell.php": [[163, 195]], "FILEPATH: /usr/local/bin/implant.so": [[288, 313]], "HASH: 0be602b7ace287256732021f987efb76ab89afef": [[104, 144]], "HASH: e88ee190f4ec91746a92fa2fee9572aae5e95c247d017a82ff0a5e9d56359b86": [[206, 270]], "HASH: 7575767ae1c0bf5386daedfd74a3806dbf491e390db36e366642c1eff658691e": [[324, 388]], "HASH: 9db2df171b01dc40e7cf4b36bfc29029": [[416, 448]], "IP_ADDRESS: 192.91.254.109": [[478, 492]], "TOOL: Sliver": [[494, 500]]}, "info": {"id": "synth_v2_01911", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for SmokeLoader campaign:\nStage 1 dropper at /var/tmp/csrss.exe - SHA256: af4a7b6fafd1f922f19201a0894a7e4997dcc2688875ef7fe9f422e1f4a62738\nStage 2 loader at C:\\ProgramData\\payload.bin - SHA256: dd5e9a9129f94304e116edc5e39e77db4f002affab48f6ad57e337cab1de7a14\nFinal payload at C:\\Windows\\Temp\\implant.so - SHA256: 7b8a33c4b482e140d952e89870e31451d7e1ca70bf38d3c88d12ccbebe8ad757\nExfiltration module - SHA256: d434772eb248ade072461ae23777c72b0739450f7362e01dda9ac9f7439b70a5\nAll stages communicated with 150.56.171.244. 
Chisel signatures detected in Stage 2.", "spans": {"MALWARE: SmokeLoader": [[22, 33]], "FILEPATH: /var/tmp/csrss.exe": [[63, 81]], "FILEPATH: C:\\ProgramData\\payload.bin": [[175, 201]], "FILEPATH: C:\\Windows\\Temp\\implant.so": [[294, 320]], "HASH: af4a7b6fafd1f922f19201a0894a7e4997dcc2688875ef7fe9f422e1f4a62738": [[92, 156]], "HASH: dd5e9a9129f94304e116edc5e39e77db4f002affab48f6ad57e337cab1de7a14": [[212, 276]], "HASH: 7b8a33c4b482e140d952e89870e31451d7e1ca70bf38d3c88d12ccbebe8ad757": [[331, 395]], "HASH: d434772eb248ade072461ae23777c72b0739450f7362e01dda9ac9f7439b70a5": [[426, 490]], "IP_ADDRESS: 150.56.171.244": [[520, 534]], "TOOL: Chisel": [[536, 542]]}, "info": {"id": "synth_v2_01912", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Amadey campaign:\nStage 1 dropper at /usr/local/bin/runtime.dll - MD5: 5accbf6e241cdb2e8427a7afef730fc1\nStage 2 loader at /etc/cron.d/ntds.dit - SHA256: 51c0a4886999a2bcf0cc017844b996cdb666eb3d69a54709f566ef60160ed6af\nFinal payload at /tmp/runtime.dll - SHA1: d9845ac72966f6cfc937cb89388af51c2712c944\nExfiltration module - MD5: d148c2d45a862c3a6dabee5048770a9c\nAll stages communicated with 152.43.124.188. 
Chisel signatures detected in Stage 2.", "spans": {"MALWARE: Amadey": [[22, 28]], "FILEPATH: /usr/local/bin/runtime.dll": [[58, 84]], "FILEPATH: /etc/cron.d/ntds.dit": [[143, 163]], "FILEPATH: /tmp/runtime.dll": [[256, 272]], "HASH: 5accbf6e241cdb2e8427a7afef730fc1": [[92, 124]], "HASH: 51c0a4886999a2bcf0cc017844b996cdb666eb3d69a54709f566ef60160ed6af": [[174, 238]], "HASH: d9845ac72966f6cfc937cb89388af51c2712c944": [[281, 321]], "HASH: d148c2d45a862c3a6dabee5048770a9c": [[349, 381]], "IP_ADDRESS: 152.43.124.188": [[411, 425]], "TOOL: Chisel": [[427, 433]]}, "info": {"id": "synth_v2_01913", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Conti campaign:\nStage 1 dropper at /dev/shm/svchost.exe - SHA1: b88e0dd1ec5361b5ae981436038808fdbef0c7a8\nStage 2 loader at C:\\Users\\Public\\Documents\\dropper.ps1 - SHA1: d97b0cc3843949b26b23c7d52c4cbf4f34ff8993\nFinal payload at C:\\ProgramData\\chrome_helper.exe - MD5: c3d76aca6e3dda8f68b0d61c73addb78\nExfiltration module - SHA1: 58892a9cab8ed81e14f1d522e752ff069a45f151\nAll stages communicated with 10.242.166.225. 
LinPEAS signatures detected in Stage 2.", "spans": {"MALWARE: Conti": [[22, 27]], "FILEPATH: /dev/shm/svchost.exe": [[57, 77]], "FILEPATH: C:\\Users\\Public\\Documents\\dropper.ps1": [[145, 182]], "FILEPATH: C:\\ProgramData\\chrome_helper.exe": [[249, 281]], "HASH: b88e0dd1ec5361b5ae981436038808fdbef0c7a8": [[86, 126]], "HASH: d97b0cc3843949b26b23c7d52c4cbf4f34ff8993": [[191, 231]], "HASH: c3d76aca6e3dda8f68b0d61c73addb78": [[289, 321]], "HASH: 58892a9cab8ed81e14f1d522e752ff069a45f151": [[350, 390]], "IP_ADDRESS: 10.242.166.225": [[420, 434]], "TOOL: LinPEAS": [[436, 443]]}, "info": {"id": "synth_v2_01914", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for PlugX campaign:\nStage 1 dropper at C:\\Users\\Public\\Documents\\backdoor.elf - SHA1: b278543148358963a4de3d8e7c151b0dbfa30aad\nStage 2 loader at /var/tmp/config.dat - SHA256: dfb1b04b8a545efc84fd575365ebe194ee59b59cc8c5003bf8b9fdb3bc1f7887\nFinal payload at /usr/local/bin/chrome_helper.exe - SHA256: 925e335f6d3dbfbbedead4750177e3ebc57413b81b0358f2e56cca8ef387dded\nExfiltration module - SHA256: af304d186ee6bca6516ae9810c56b3e53ab68595f0ac4e9405ac818dd708bade\nAll stages communicated with 195.50.74.126. 
Mimikatz signatures detected in Stage 2.", "spans": {"MALWARE: PlugX": [[22, 27]], "FILEPATH: C:\\Users\\Public\\Documents\\backdoor.elf": [[57, 95]], "FILEPATH: /var/tmp/config.dat": [[163, 182]], "FILEPATH: /usr/local/bin/chrome_helper.exe": [[275, 307]], "HASH: b278543148358963a4de3d8e7c151b0dbfa30aad": [[104, 144]], "HASH: dfb1b04b8a545efc84fd575365ebe194ee59b59cc8c5003bf8b9fdb3bc1f7887": [[193, 257]], "HASH: 925e335f6d3dbfbbedead4750177e3ebc57413b81b0358f2e56cca8ef387dded": [[318, 382]], "HASH: af304d186ee6bca6516ae9810c56b3e53ab68595f0ac4e9405ac818dd708bade": [[413, 477]], "IP_ADDRESS: 195.50.74.126": [[507, 520]], "TOOL: Mimikatz": [[522, 530]]}, "info": {"id": "synth_v2_01915", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for IcedID campaign:\nStage 1 dropper at /var/tmp/helper.sh - SHA1: ed2cf532bdc138c9609384b19e66f277e05f1845\nStage 2 loader at /dev/shm/implant.so - MD5: aa4e58c5de00993658a1117ed9c18584\nFinal payload at C:\\Users\\admin\\AppData\\Local\\Temp\\loader.exe - SHA1: e8771022c0699c22a89ff65aac462fd34f72f596\nExfiltration module - MD5: 65e9d87306848c943a56c44abd00645e\nAll stages communicated with 10.25.72.47. 
SharpHound signatures detected in Stage 2.", "spans": {"MALWARE: IcedID": [[22, 28]], "FILEPATH: /var/tmp/helper.sh": [[58, 76]], "FILEPATH: /dev/shm/implant.so": [[144, 163]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\loader.exe": [[221, 265]], "HASH: ed2cf532bdc138c9609384b19e66f277e05f1845": [[85, 125]], "HASH: aa4e58c5de00993658a1117ed9c18584": [[171, 203]], "HASH: e8771022c0699c22a89ff65aac462fd34f72f596": [[274, 314]], "HASH: 65e9d87306848c943a56c44abd00645e": [[342, 374]], "IP_ADDRESS: 10.25.72.47": [[404, 415]], "TOOL: SharpHound": [[417, 427]]}, "info": {"id": "synth_v2_01916", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Latrodectus campaign:\nStage 1 dropper at /home/user/.config/helper.sh - SHA256: fcfb26d520354676c22e4d3952337ba654d7c7b0d3c7e4174e449236d3b7b1c3\nStage 2 loader at /opt/app/bin/taskhost.exe - MD5: 203306efc80a92520634bfaa05803c84\nFinal payload at /dev/shm/loader.exe - MD5: 970265e9ff1654b782a45d152032e2da\nExfiltration module - SHA1: de4cdc283e24258a76c88ff929813b9ef27fb1f1\nAll stages communicated with 66.180.243.29. 
Metasploit signatures detected in Stage 2.", "spans": {"MALWARE: Latrodectus": [[22, 33]], "FILEPATH: /home/user/.config/helper.sh": [[63, 91]], "FILEPATH: /opt/app/bin/taskhost.exe": [[185, 210]], "FILEPATH: /dev/shm/loader.exe": [[268, 287]], "HASH: fcfb26d520354676c22e4d3952337ba654d7c7b0d3c7e4174e449236d3b7b1c3": [[102, 166]], "HASH: 203306efc80a92520634bfaa05803c84": [[218, 250]], "HASH: 970265e9ff1654b782a45d152032e2da": [[295, 327]], "HASH: de4cdc283e24258a76c88ff929813b9ef27fb1f1": [[356, 396]], "IP_ADDRESS: 66.180.243.29": [[426, 439]], "TOOL: Metasploit": [[441, 451]]}, "info": {"id": "synth_v2_01917", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Gootloader campaign:\nStage 1 dropper at /opt/app/bin/implant.so - SHA256: 2b83998e725c06241bc4f6728a67c5f877584e19bdae0dfec4809d20ba41c235\nStage 2 loader at C:\\Windows\\Temp\\svchost.exe - MD5: 6b34e45a57c6cae335e65c0df28eaa96\nFinal payload at C:\\Users\\admin\\Downloads\\loader.exe - SHA256: 0a0ff3171997875d2898b344e02fcb698bbca13f4a4986514e65125d6bce5d91\nExfiltration module - SHA1: c5b80e66e103b36a57144e0ccddb929a4f93f7e2\nAll stages communicated with 172.49.255.12. 
Rubeus signatures detected in Stage 2.", "spans": {"MALWARE: Gootloader": [[22, 32]], "FILEPATH: /opt/app/bin/implant.so": [[62, 85]], "FILEPATH: C:\\Windows\\Temp\\svchost.exe": [[179, 206]], "FILEPATH: C:\\Users\\admin\\Downloads\\loader.exe": [[264, 299]], "HASH: 2b83998e725c06241bc4f6728a67c5f877584e19bdae0dfec4809d20ba41c235": [[96, 160]], "HASH: 6b34e45a57c6cae335e65c0df28eaa96": [[214, 246]], "HASH: 0a0ff3171997875d2898b344e02fcb698bbca13f4a4986514e65125d6bce5d91": [[310, 374]], "HASH: c5b80e66e103b36a57144e0ccddb929a4f93f7e2": [[403, 443]], "IP_ADDRESS: 172.49.255.12": [[473, 486]], "TOOL: Rubeus": [[488, 494]]}, "info": {"id": "synth_v2_01918", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Royal campaign:\nStage 1 dropper at /var/tmp/taskhost.exe - SHA1: f8e95e214e3679b5d836b6292ed4f7e3cb9acc91\nStage 2 loader at /var/tmp/beacon.dll - SHA256: 7c812af944df48ca140539c161c7859d9e6133dae2cb848605149fe4122ce059\nFinal payload at /dev/shm/backdoor.elf - SHA1: 6d846d93d899729fe7bbac0619454d9e46234e20\nExfiltration module - SHA1: 63ca06c5b1e4acfdd0266369c4ce0d22318bfff4\nAll stages communicated with 10.30.174.190. 
Nmap signatures detected in Stage 2.", "spans": {"MALWARE: Royal": [[22, 27]], "FILEPATH: /var/tmp/taskhost.exe": [[57, 78]], "FILEPATH: /var/tmp/beacon.dll": [[146, 165]], "FILEPATH: /dev/shm/backdoor.elf": [[258, 279]], "HASH: f8e95e214e3679b5d836b6292ed4f7e3cb9acc91": [[87, 127]], "HASH: 7c812af944df48ca140539c161c7859d9e6133dae2cb848605149fe4122ce059": [[176, 240]], "HASH: 6d846d93d899729fe7bbac0619454d9e46234e20": [[288, 328]], "HASH: 63ca06c5b1e4acfdd0266369c4ce0d22318bfff4": [[357, 397]], "IP_ADDRESS: 10.30.174.190": [[427, 440]], "TOOL: Nmap": [[442, 446]]}, "info": {"id": "synth_v2_01919", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for AgentTesla campaign:\nStage 1 dropper at /opt/app/bin/chrome_helper.exe - SHA1: 049dde5df1eb121eaf6138aa1b6f205165bd52bd\nStage 2 loader at /dev/shm/helper.sh - MD5: c0bfe0bd58818bb7d5ee5046c03b7823\nFinal payload at /var/tmp/helper.sh - SHA1: be03e8366b34d1571bc75d90204aefc766c4b1b2\nExfiltration module - SHA256: 86e245ea637eb30903da074310e1eadd756d21385a37335d93e7cded8a1edc8c\nAll stages communicated with 10.209.83.195. 
LaZagne signatures detected in Stage 2.", "spans": {"MALWARE: AgentTesla": [[22, 32]], "FILEPATH: /opt/app/bin/chrome_helper.exe": [[62, 92]], "FILEPATH: /dev/shm/helper.sh": [[160, 178]], "FILEPATH: /var/tmp/helper.sh": [[236, 254]], "HASH: 049dde5df1eb121eaf6138aa1b6f205165bd52bd": [[101, 141]], "HASH: c0bfe0bd58818bb7d5ee5046c03b7823": [[186, 218]], "HASH: be03e8366b34d1571bc75d90204aefc766c4b1b2": [[263, 303]], "HASH: 86e245ea637eb30903da074310e1eadd756d21385a37335d93e7cded8a1edc8c": [[334, 398]], "IP_ADDRESS: 10.209.83.195": [[428, 441]], "TOOL: LaZagne": [[443, 450]]}, "info": {"id": "synth_v2_01920", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for RedLine Stealer campaign:\nStage 1 dropper at /opt/app/bin/payload.bin - SHA256: 767ffd8a2714241ea98a3a0e20ac3aff5751a570f6255caf4252fbb18d08943d\nStage 2 loader at /dev/shm/implant.so - SHA256: 15bca80cd19dd140c8e72e8b6e7ea5a50ce01706f3a332c7bba0a8c21060668c\nFinal payload at C:\\Program Files\\Common Files\\dropper.ps1 - SHA256: b65fa9bfe173296f2d8276b43d2c710581dd76debeee8f9ddf0c9b44baf43628\nExfiltration module - SHA1: fa0bce7fed6f936f2baaf3ca89e2b9ca1d0fbd6e\nAll stages communicated with 45.41.47.99. 
Burp Suite signatures detected in Stage 2.", "spans": {"MALWARE: RedLine Stealer": [[22, 37]], "FILEPATH: /opt/app/bin/payload.bin": [[67, 91]], "FILEPATH: /dev/shm/implant.so": [[185, 204]], "FILEPATH: C:\\Program Files\\Common Files\\dropper.ps1": [[297, 338]], "HASH: 767ffd8a2714241ea98a3a0e20ac3aff5751a570f6255caf4252fbb18d08943d": [[102, 166]], "HASH: 15bca80cd19dd140c8e72e8b6e7ea5a50ce01706f3a332c7bba0a8c21060668c": [[215, 279]], "HASH: b65fa9bfe173296f2d8276b43d2c710581dd76debeee8f9ddf0c9b44baf43628": [[349, 413]], "HASH: fa0bce7fed6f936f2baaf3ca89e2b9ca1d0fbd6e": [[442, 482]], "IP_ADDRESS: 45.41.47.99": [[512, 523]], "TOOL: Burp Suite": [[525, 535]]}, "info": {"id": "synth_v2_01921", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for BlackCat campaign:\nStage 1 dropper at C:\\Program Files\\Common Files\\config.dat - MD5: 17e9f56ae0f01a50f8c26ab97cfdb254\nStage 2 loader at C:\\Users\\admin\\AppData\\Local\\Temp\\loader.exe - SHA256: 7766c93f15a7093d9d5dd7887e80cc46436cd55ac29d9024dbc454a4f4f34400\nFinal payload at C:\\Windows\\System32\\taskhost.exe - SHA1: 06a023d22fcef9d62b0b45fa7eac2644f71a8ea9\nExfiltration module - SHA256: 804805c96da52d1f40b9bacdd30563ee7276f105f0b931d4a29d4518dfe378ac\nAll stages communicated with 172.193.221.73. 
Nmap signatures detected in Stage 2.", "spans": {"MALWARE: BlackCat": [[22, 30]], "FILEPATH: C:\\Program Files\\Common Files\\config.dat": [[60, 100]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\loader.exe": [[159, 203]], "FILEPATH: C:\\Windows\\System32\\taskhost.exe": [[296, 328]], "HASH: 17e9f56ae0f01a50f8c26ab97cfdb254": [[108, 140]], "HASH: 7766c93f15a7093d9d5dd7887e80cc46436cd55ac29d9024dbc454a4f4f34400": [[214, 278]], "HASH: 06a023d22fcef9d62b0b45fa7eac2644f71a8ea9": [[337, 377]], "HASH: 804805c96da52d1f40b9bacdd30563ee7276f105f0b931d4a29d4518dfe378ac": [[408, 472]], "IP_ADDRESS: 172.193.221.73": [[502, 516]], "TOOL: Nmap": [[518, 522]]}, "info": {"id": "synth_v2_01922", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for BumbleBee campaign:\nStage 1 dropper at /tmp/lsass.dmp - SHA1: 620b36f14e9d9a001084d7969d78c63080b51c34\nStage 2 loader at C:\\Windows\\System32\\shell.php - SHA1: 0b95540e8a705e44f6732fd1e098e6e2a68dd0dd\nFinal payload at C:\\Windows\\System32\\taskhost.exe - SHA1: 275aa648bed4a47a073dbd3094e06a2c372045ad\nExfiltration module - MD5: 2f55e7e50b37cefdb035a2e5ad9d9787\nAll stages communicated with 12.51.53.62. 
Mythic signatures detected in Stage 2.", "spans": {"MALWARE: BumbleBee": [[22, 31]], "FILEPATH: /tmp/lsass.dmp": [[61, 75]], "FILEPATH: C:\\Windows\\System32\\shell.php": [[143, 172]], "FILEPATH: C:\\Windows\\System32\\taskhost.exe": [[239, 271]], "HASH: 620b36f14e9d9a001084d7969d78c63080b51c34": [[84, 124]], "HASH: 0b95540e8a705e44f6732fd1e098e6e2a68dd0dd": [[181, 221]], "HASH: 275aa648bed4a47a073dbd3094e06a2c372045ad": [[280, 320]], "HASH: 2f55e7e50b37cefdb035a2e5ad9d9787": [[348, 380]], "IP_ADDRESS: 12.51.53.62": [[410, 421]], "TOOL: Mythic": [[423, 429]]}, "info": {"id": "synth_v2_01923", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Gootloader campaign:\nStage 1 dropper at /opt/app/bin/svchost.exe - MD5: 9837a11027f52230a8fde1ff46fbb3b5\nStage 2 loader at C:\\Windows\\System32\\shell.php - MD5: 61420328e7056b3ab9e30e18f63b3cd8\nFinal payload at C:\\ProgramData\\loader.exe - SHA1: 7b947bf3dd95bba37ac1129f5492266e928032e0\nExfiltration module - MD5: de6e4e40c77a96aaca9948eeec994fd3\nAll stages communicated with 92.139.142.189. 
LaZagne signatures detected in Stage 2.", "spans": {"MALWARE: Gootloader": [[22, 32]], "FILEPATH: /opt/app/bin/svchost.exe": [[62, 86]], "FILEPATH: C:\\Windows\\System32\\shell.php": [[145, 174]], "FILEPATH: C:\\ProgramData\\loader.exe": [[232, 257]], "HASH: 9837a11027f52230a8fde1ff46fbb3b5": [[94, 126]], "HASH: 61420328e7056b3ab9e30e18f63b3cd8": [[182, 214]], "HASH: 7b947bf3dd95bba37ac1129f5492266e928032e0": [[266, 306]], "HASH: de6e4e40c77a96aaca9948eeec994fd3": [[334, 366]], "IP_ADDRESS: 92.139.142.189": [[396, 410]], "TOOL: LaZagne": [[412, 419]]}, "info": {"id": "synth_v2_01924", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for SmokeLoader campaign:\nStage 1 dropper at /home/user/.config/sam.hive - SHA1: 9214709cfce0ca16583170fa1f57cfa500767357\nStage 2 loader at C:\\Windows\\System32\\update.dll - MD5: 5a2f8b4df2e979dc1de2e0253f6ece3f\nFinal payload at /home/user/.config/beacon.dll - SHA256: 52e2f546e476f83f940339fc046c776be5ae44302a42cf3dd88a240674e30eca\nExfiltration module - MD5: ad3d89c8991e732e1bb62b37b0ca9806\nAll stages communicated with 33.55.229.215. 
GhostPack signatures detected in Stage 2.", "spans": {"MALWARE: SmokeLoader": [[22, 33]], "FILEPATH: /home/user/.config/sam.hive": [[63, 90]], "FILEPATH: C:\\Windows\\System32\\update.dll": [[158, 188]], "FILEPATH: /home/user/.config/beacon.dll": [[246, 275]], "HASH: 9214709cfce0ca16583170fa1f57cfa500767357": [[99, 139]], "HASH: 5a2f8b4df2e979dc1de2e0253f6ece3f": [[196, 228]], "HASH: 52e2f546e476f83f940339fc046c776be5ae44302a42cf3dd88a240674e30eca": [[286, 350]], "HASH: ad3d89c8991e732e1bb62b37b0ca9806": [[378, 410]], "IP_ADDRESS: 33.55.229.215": [[440, 453]], "TOOL: GhostPack": [[455, 464]]}, "info": {"id": "synth_v2_01925", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Ryuk campaign:\nStage 1 dropper at /usr/local/bin/shell.php - MD5: 35b83c721ce9b8ec63ee708c8db4259b\nStage 2 loader at C:\\Windows\\Temp\\backdoor.elf - MD5: 308e847e76d95136e7f77da572e8a822\nFinal payload at C:\\Users\\admin\\Desktop\\winlogon.exe - SHA256: 0b5b036058db0d4f0bf640f33c398de5a20b9cdd055c819e0c7cc972f6c5ba67\nExfiltration module - SHA1: 24a4fe14db31ae6e1a49d3d700faa09673b0f93d\nAll stages communicated with 78.132.156.108. 
Havoc signatures detected in Stage 2.", "spans": {"MALWARE: Ryuk": [[22, 26]], "FILEPATH: /usr/local/bin/shell.php": [[56, 80]], "FILEPATH: C:\\Windows\\Temp\\backdoor.elf": [[139, 167]], "FILEPATH: C:\\Users\\admin\\Desktop\\winlogon.exe": [[225, 260]], "HASH: 35b83c721ce9b8ec63ee708c8db4259b": [[88, 120]], "HASH: 308e847e76d95136e7f77da572e8a822": [[175, 207]], "HASH: 0b5b036058db0d4f0bf640f33c398de5a20b9cdd055c819e0c7cc972f6c5ba67": [[271, 335]], "HASH: 24a4fe14db31ae6e1a49d3d700faa09673b0f93d": [[364, 404]], "IP_ADDRESS: 78.132.156.108": [[434, 448]], "TOOL: Havoc": [[450, 455]]}, "info": {"id": "synth_v2_01926", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for BatLoader campaign:\nStage 1 dropper at C:\\ProgramData\\agent.py - SHA1: f8989b56cc480be9ae80b2fa721e3be19fc95aa4\nStage 2 loader at /opt/app/bin/config.dat - MD5: 53eecbd9df190056a69c90861f6f1112\nFinal payload at /opt/app/bin/payload.bin - MD5: ccb0dd1d4b6b2bf6c52e923b70514a4f\nExfiltration module - MD5: 0eeffd30add4ff0ce1eba5ce0ce31a3e\nAll stages communicated with 77.194.162.222. 
Seatbelt signatures detected in Stage 2.", "spans": {"MALWARE: BatLoader": [[22, 31]], "FILEPATH: C:\\ProgramData\\agent.py": [[61, 84]], "FILEPATH: /opt/app/bin/config.dat": [[152, 175]], "FILEPATH: /opt/app/bin/payload.bin": [[233, 257]], "HASH: f8989b56cc480be9ae80b2fa721e3be19fc95aa4": [[93, 133]], "HASH: 53eecbd9df190056a69c90861f6f1112": [[183, 215]], "HASH: ccb0dd1d4b6b2bf6c52e923b70514a4f": [[265, 297]], "HASH: 0eeffd30add4ff0ce1eba5ce0ce31a3e": [[325, 357]], "IP_ADDRESS: 77.194.162.222": [[387, 401]], "TOOL: Seatbelt": [[403, 411]]}, "info": {"id": "synth_v2_01927", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Gootloader campaign:\nStage 1 dropper at C:\\Windows\\Temp\\backdoor.elf - SHA256: c8681ef6dec549bdaee3fa06b8950419507529ed032ad06082553aed550c08af\nStage 2 loader at /var/tmp/chrome_helper.exe - SHA1: ea0fdba952f559f0ff3dfff4f6fd4f9311bfa1fd\nFinal payload at /dev/shm/dropper.ps1 - SHA1: 35aec5b1c69bf2a59ea7982f14c40fed313e1e48\nExfiltration module - SHA256: 7247041adadb50a0bd5e0d05f734bdc4e2e816ccbb4701a046b0dc92a3273b96\nAll stages communicated with 10.50.114.199. 
CrackMapExec signatures detected in Stage 2.", "spans": {"MALWARE: Gootloader": [[22, 32]], "FILEPATH: C:\\Windows\\Temp\\backdoor.elf": [[62, 90]], "FILEPATH: /var/tmp/chrome_helper.exe": [[184, 210]], "FILEPATH: /dev/shm/dropper.ps1": [[277, 297]], "HASH: c8681ef6dec549bdaee3fa06b8950419507529ed032ad06082553aed550c08af": [[101, 165]], "HASH: ea0fdba952f559f0ff3dfff4f6fd4f9311bfa1fd": [[219, 259]], "HASH: 35aec5b1c69bf2a59ea7982f14c40fed313e1e48": [[306, 346]], "HASH: 7247041adadb50a0bd5e0d05f734bdc4e2e816ccbb4701a046b0dc92a3273b96": [[377, 441]], "IP_ADDRESS: 10.50.114.199": [[471, 484]], "TOOL: CrackMapExec": [[486, 498]]}, "info": {"id": "synth_v2_01928", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Royal campaign:\nStage 1 dropper at /dev/shm/winlogon.exe - MD5: 044bd431ea8e7afd6fb8d8d4fb7085b4\nStage 2 loader at /usr/local/bin/loader.exe - SHA1: 7c3cce49d758619b8e05a053713c5f3954d5a393\nFinal payload at /var/tmp/implant.so - SHA1: 507860f7aa59b4bcb03f053b3bd74e02e6599155\nExfiltration module - SHA1: 5fd8043623225118dddf98e0abc5ba2b6aff3438\nAll stages communicated with 124.67.225.189. 
PowerShell Empire signatures detected in Stage 2.", "spans": {"MALWARE: Royal": [[22, 27]], "FILEPATH: /dev/shm/winlogon.exe": [[57, 78]], "FILEPATH: /usr/local/bin/loader.exe": [[137, 162]], "FILEPATH: /var/tmp/implant.so": [[229, 248]], "HASH: 044bd431ea8e7afd6fb8d8d4fb7085b4": [[86, 118]], "HASH: 7c3cce49d758619b8e05a053713c5f3954d5a393": [[171, 211]], "HASH: 507860f7aa59b4bcb03f053b3bd74e02e6599155": [[257, 297]], "HASH: 5fd8043623225118dddf98e0abc5ba2b6aff3438": [[326, 366]], "IP_ADDRESS: 124.67.225.189": [[396, 410]], "TOOL: PowerShell Empire": [[412, 429]]}, "info": {"id": "synth_v2_01929", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Royal campaign:\nStage 1 dropper at C:\\Users\\admin\\Downloads\\backdoor.elf - SHA256: e922b64d2d3d59e459edab60119c23e657fb99742f868d178a517c261a71a129\nStage 2 loader at C:\\Users\\Public\\Documents\\config.dat - MD5: c876898d6af88cd7d48c3048f01ab6ad\nFinal payload at /opt/app/bin/svchost.exe - MD5: 329ea69a32e112827912b477a0dd77e0\nExfiltration module - SHA256: b165e9278845df9d891bfecc5b5534b3d8a72811cde6594dc7e406bab40a8dd5\nAll stages communicated with 172.50.95.74. 
Havoc signatures detected in Stage 2.", "spans": {"MALWARE: Royal": [[22, 27]], "FILEPATH: C:\\Users\\admin\\Downloads\\backdoor.elf": [[57, 94]], "FILEPATH: C:\\Users\\Public\\Documents\\config.dat": [[188, 224]], "FILEPATH: /opt/app/bin/svchost.exe": [[282, 306]], "HASH: e922b64d2d3d59e459edab60119c23e657fb99742f868d178a517c261a71a129": [[105, 169]], "HASH: c876898d6af88cd7d48c3048f01ab6ad": [[232, 264]], "HASH: 329ea69a32e112827912b477a0dd77e0": [[314, 346]], "HASH: b165e9278845df9d891bfecc5b5534b3d8a72811cde6594dc7e406bab40a8dd5": [[377, 441]], "IP_ADDRESS: 172.50.95.74": [[471, 483]], "TOOL: Havoc": [[485, 490]]}, "info": {"id": "synth_v2_01930", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for StealC campaign:\nStage 1 dropper at C:\\Windows\\Tasks\\payload.bin - MD5: 0c7c14a5a6c4fa603c4a8f1b24db09c2\nStage 2 loader at C:\\Users\\admin\\AppData\\Local\\Temp\\sam.hive - SHA256: 0c44c651b481b3f2094a0e066ea6f274fa99be82235a944aa247f8d86927fe49\nFinal payload at /home/user/.config/chrome_helper.exe - SHA256: 988f361295b6c849bf478e26cd64f752b9a1a4fd7d8fe249bd8228e2145768bd\nExfiltration module - SHA256: 138418c77d26a48d6b3da213e52b9119e096659c22d4db8707c543135bf01b24\nAll stages communicated with 56.244.25.242. 
PowerShell Empire signatures detected in Stage 2.", "spans": {"MALWARE: StealC": [[22, 28]], "FILEPATH: C:\\Windows\\Tasks\\payload.bin": [[58, 86]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\sam.hive": [[145, 187]], "FILEPATH: /home/user/.config/chrome_helper.exe": [[280, 316]], "HASH: 0c7c14a5a6c4fa603c4a8f1b24db09c2": [[94, 126]], "HASH: 0c44c651b481b3f2094a0e066ea6f274fa99be82235a944aa247f8d86927fe49": [[198, 262]], "HASH: 988f361295b6c849bf478e26cd64f752b9a1a4fd7d8fe249bd8228e2145768bd": [[327, 391]], "HASH: 138418c77d26a48d6b3da213e52b9119e096659c22d4db8707c543135bf01b24": [[422, 486]], "IP_ADDRESS: 56.244.25.242": [[516, 529]], "TOOL: PowerShell Empire": [[531, 548]]}, "info": {"id": "synth_v2_01931", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for RedLine Stealer campaign:\nStage 1 dropper at C:\\Users\\admin\\Downloads\\helper.sh - SHA1: afbf4afad2e0896a7a492e61c56d5297f2c63845\nStage 2 loader at /dev/shm/sam.hive - SHA256: e84a3b7ceea13a82300c89cba3314bea18626113e959556ab27b5b64a287255b\nFinal payload at /tmp/helper.sh - MD5: 31ca3b8e0d1dd4218c4bdde7b6a65c8a\nExfiltration module - SHA256: 838b706f2a80971e26961eef2a91eefa4d90434c49f2a8c970f70809b552ae93\nAll stages communicated with 10.174.96.248. 
Rubeus signatures detected in Stage 2.", "spans": {"MALWARE: RedLine Stealer": [[22, 37]], "FILEPATH: C:\\Users\\admin\\Downloads\\helper.sh": [[67, 101]], "FILEPATH: /dev/shm/sam.hive": [[169, 186]], "FILEPATH: /tmp/helper.sh": [[279, 293]], "HASH: afbf4afad2e0896a7a492e61c56d5297f2c63845": [[110, 150]], "HASH: e84a3b7ceea13a82300c89cba3314bea18626113e959556ab27b5b64a287255b": [[197, 261]], "HASH: 31ca3b8e0d1dd4218c4bdde7b6a65c8a": [[301, 333]], "HASH: 838b706f2a80971e26961eef2a91eefa4d90434c49f2a8c970f70809b552ae93": [[364, 428]], "IP_ADDRESS: 10.174.96.248": [[458, 471]], "TOOL: Rubeus": [[473, 479]]}, "info": {"id": "synth_v2_01932", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for StealC campaign:\nStage 1 dropper at C:\\Users\\admin\\Downloads\\ntds.dit - SHA1: dd6808993c5c589f57a878f242e4525f93705d98\nStage 2 loader at /var/tmp/config.dat - MD5: a4b2192dfdce0207a01ff7433ab99424\nFinal payload at C:\\ProgramData\\loader.exe - MD5: 400c4608aa1abfa7cd3a44d46bfb4d23\nExfiltration module - MD5: 13c0df09d121beb4784e0c67b79284bc\nAll stages communicated with 26.31.177.196. 
Nmap signatures detected in Stage 2.", "spans": {"MALWARE: StealC": [[22, 28]], "FILEPATH: C:\\Users\\admin\\Downloads\\ntds.dit": [[58, 91]], "FILEPATH: /var/tmp/config.dat": [[159, 178]], "FILEPATH: C:\\ProgramData\\loader.exe": [[236, 261]], "HASH: dd6808993c5c589f57a878f242e4525f93705d98": [[100, 140]], "HASH: a4b2192dfdce0207a01ff7433ab99424": [[186, 218]], "HASH: 400c4608aa1abfa7cd3a44d46bfb4d23": [[269, 301]], "HASH: 13c0df09d121beb4784e0c67b79284bc": [[329, 361]], "IP_ADDRESS: 26.31.177.196": [[391, 404]], "TOOL: Nmap": [[406, 410]]}, "info": {"id": "synth_v2_01933", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Latrodectus campaign:\nStage 1 dropper at C:\\ProgramData\\loader.exe - SHA1: 25db062c1e7b9c28c8bcb8ec225f0803aa957d10\nStage 2 loader at C:\\Users\\Public\\Documents\\taskhost.exe - SHA1: 40881c94c725d45fc443989b84b0c3cc0c65494f\nFinal payload at /usr/local/bin/config.dat - SHA1: b9fa96dd2163f841673480b704208ccdef1b49bd\nExfiltration module - SHA1: 31d70025f98071398781e3638835e829a8fc2096\nAll stages communicated with 210.120.146.35. 
Metasploit signatures detected in Stage 2.", "spans": {"MALWARE: Latrodectus": [[22, 33]], "FILEPATH: C:\\ProgramData\\loader.exe": [[63, 88]], "FILEPATH: C:\\Users\\Public\\Documents\\taskhost.exe": [[156, 194]], "FILEPATH: /usr/local/bin/config.dat": [[261, 286]], "HASH: 25db062c1e7b9c28c8bcb8ec225f0803aa957d10": [[97, 137]], "HASH: 40881c94c725d45fc443989b84b0c3cc0c65494f": [[203, 243]], "HASH: b9fa96dd2163f841673480b704208ccdef1b49bd": [[295, 335]], "HASH: 31d70025f98071398781e3638835e829a8fc2096": [[364, 404]], "IP_ADDRESS: 210.120.146.35": [[434, 448]], "TOOL: Metasploit": [[450, 460]]}, "info": {"id": "synth_v2_01934", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Hive campaign:\nStage 1 dropper at /tmp/runtime.dll - SHA1: 76c56c312f132da6c6d2088ef01ec47e83a57522\nStage 2 loader at /opt/app/bin/winlogon.exe - SHA256: 8f0ab0ed11e325b5b0486fca111adedd555e81d7424922c9a17d3ce3440adc3f\nFinal payload at /tmp/agent.py - MD5: 99f0ee29aff2c870a2de8be368460362\nExfiltration module - MD5: d1380bd108ca829f9dbb0e751e4e7832\nAll stages communicated with 145.232.50.197. 
SharpHound signatures detected in Stage 2.", "spans": {"MALWARE: Hive": [[22, 26]], "FILEPATH: /tmp/runtime.dll": [[56, 72]], "FILEPATH: /opt/app/bin/winlogon.exe": [[140, 165]], "FILEPATH: /tmp/agent.py": [[258, 271]], "HASH: 76c56c312f132da6c6d2088ef01ec47e83a57522": [[81, 121]], "HASH: 8f0ab0ed11e325b5b0486fca111adedd555e81d7424922c9a17d3ce3440adc3f": [[176, 240]], "HASH: 99f0ee29aff2c870a2de8be368460362": [[279, 311]], "HASH: d1380bd108ca829f9dbb0e751e4e7832": [[339, 371]], "IP_ADDRESS: 145.232.50.197": [[401, 415]], "TOOL: SharpHound": [[417, 427]]}, "info": {"id": "synth_v2_01935", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Gootloader campaign:\nStage 1 dropper at C:\\Windows\\Temp\\backdoor.elf - SHA1: b036e4dfa947c7efd71baa9cdb299e21d40dec09\nStage 2 loader at C:\\Users\\admin\\AppData\\Local\\Temp\\shell.php - MD5: 5c964309d6994bf1706549281f9a4ac6\nFinal payload at /tmp/config.dat - SHA256: cc01d845df0a969eca9b2adec2c57f2eaa72aaa00f29e5c61f8e630357b2984b\nExfiltration module - SHA1: 4ceeb8ffcdbc2a2a486f6ea63185bf845bfe1325\nAll stages communicated with 199.100.16.222. 
CrackMapExec signatures detected in Stage 2.", "spans": {"MALWARE: Gootloader": [[22, 32]], "FILEPATH: C:\\Windows\\Temp\\backdoor.elf": [[62, 90]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\shell.php": [[158, 201]], "FILEPATH: /tmp/config.dat": [[259, 274]], "HASH: b036e4dfa947c7efd71baa9cdb299e21d40dec09": [[99, 139]], "HASH: 5c964309d6994bf1706549281f9a4ac6": [[209, 241]], "HASH: cc01d845df0a969eca9b2adec2c57f2eaa72aaa00f29e5c61f8e630357b2984b": [[285, 349]], "HASH: 4ceeb8ffcdbc2a2a486f6ea63185bf845bfe1325": [[378, 418]], "IP_ADDRESS: 199.100.16.222": [[448, 462]], "TOOL: CrackMapExec": [[464, 476]]}, "info": {"id": "synth_v2_01936", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for BlackCat campaign:\nStage 1 dropper at C:\\Windows\\Tasks\\helper.sh - SHA256: 640a97f94a3ac1e0811517f9f39a4a12ae08219a956019a463e072ab2e26838f\nStage 2 loader at C:\\Users\\Public\\Documents\\lsass.dmp - SHA1: 587f425dcf610f037b556aafd402842a7712c79d\nFinal payload at /tmp/helper.sh - SHA1: e77ef94cf33dea9f8d97c062da655c970346b606\nExfiltration module - SHA256: 1c13f53bc228670d512451a477167e756f7a3109b010fc97f20317e954756bb7\nAll stages communicated with 10.254.87.79. 
Burp Suite signatures detected in Stage 2.", "spans": {"MALWARE: BlackCat": [[22, 30]], "FILEPATH: C:\\Windows\\Tasks\\helper.sh": [[60, 86]], "FILEPATH: C:\\Users\\Public\\Documents\\lsass.dmp": [[180, 215]], "FILEPATH: /tmp/helper.sh": [[282, 296]], "HASH: 640a97f94a3ac1e0811517f9f39a4a12ae08219a956019a463e072ab2e26838f": [[97, 161]], "HASH: 587f425dcf610f037b556aafd402842a7712c79d": [[224, 264]], "HASH: e77ef94cf33dea9f8d97c062da655c970346b606": [[305, 345]], "HASH: 1c13f53bc228670d512451a477167e756f7a3109b010fc97f20317e954756bb7": [[376, 440]], "IP_ADDRESS: 10.254.87.79": [[470, 482]], "TOOL: Burp Suite": [[484, 494]]}, "info": {"id": "synth_v2_01937", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for RedLine Stealer campaign:\nStage 1 dropper at C:\\Windows\\Temp\\beacon.dll - MD5: 6ec35a241998edbf93b4f18a72c51d17\nStage 2 loader at C:\\Users\\Public\\Documents\\payload.bin - MD5: a24bb5e83fc2c43a1adf388aae6a78f9\nFinal payload at C:\\ProgramData\\config.dat - SHA1: 9103179775827a21f6140add595dda10102f025e\nExfiltration module - SHA256: 0233acfd7efef6e7a997c9a15a4f8eac56edd66f6e11a6ed23361b23e090d4fe\nAll stages communicated with 154.39.25.38. 
PowerShell Empire signatures detected in Stage 2.", "spans": {"MALWARE: RedLine Stealer": [[22, 37]], "FILEPATH: C:\\Windows\\Temp\\beacon.dll": [[67, 93]], "FILEPATH: C:\\Users\\Public\\Documents\\payload.bin": [[152, 189]], "FILEPATH: C:\\ProgramData\\config.dat": [[247, 272]], "HASH: 6ec35a241998edbf93b4f18a72c51d17": [[101, 133]], "HASH: a24bb5e83fc2c43a1adf388aae6a78f9": [[197, 229]], "HASH: 9103179775827a21f6140add595dda10102f025e": [[281, 321]], "HASH: 0233acfd7efef6e7a997c9a15a4f8eac56edd66f6e11a6ed23361b23e090d4fe": [[352, 416]], "IP_ADDRESS: 154.39.25.38": [[446, 458]], "TOOL: PowerShell Empire": [[460, 477]]}, "info": {"id": "synth_v2_01938", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for RedLine Stealer campaign:\nStage 1 dropper at C:\\Users\\admin\\Downloads\\beacon.dll - MD5: 57c3a9d14f88f5ebc0148887e45e0cd2\nStage 2 loader at C:\\Users\\admin\\Downloads\\backdoor.elf - SHA256: 6f3b379ec10f1181a5186e2d1020ab2795296972585d52bfbceffd8c7b2eea8b\nFinal payload at /home/user/.config/implant.so - SHA1: 4f35ecad44a2dbcc59af30eabc86dee0e75ddd01\nExfiltration module - SHA1: c3cd86ed8fa844153f3e32bb7048dca316dcf2a1\nAll stages communicated with 172.196.39.92. 
Rubeus signatures detected in Stage 2.", "spans": {"MALWARE: RedLine Stealer": [[22, 37]], "FILEPATH: C:\\Users\\admin\\Downloads\\beacon.dll": [[67, 102]], "FILEPATH: C:\\Users\\admin\\Downloads\\backdoor.elf": [[161, 198]], "FILEPATH: /home/user/.config/implant.so": [[291, 320]], "HASH: 57c3a9d14f88f5ebc0148887e45e0cd2": [[110, 142]], "HASH: 6f3b379ec10f1181a5186e2d1020ab2795296972585d52bfbceffd8c7b2eea8b": [[209, 273]], "HASH: 4f35ecad44a2dbcc59af30eabc86dee0e75ddd01": [[329, 369]], "HASH: c3cd86ed8fa844153f3e32bb7048dca316dcf2a1": [[398, 438]], "IP_ADDRESS: 172.196.39.92": [[468, 481]], "TOOL: Rubeus": [[483, 489]]}, "info": {"id": "synth_v2_01939", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for XLoader campaign:\nStage 1 dropper at C:\\ProgramData\\shell.php - SHA256: 42452d1853982f86d90650d494b29426bf329f74fde9c167e8698da2d9f01d72\nStage 2 loader at C:\\Windows\\Tasks\\beacon.dll - SHA1: c554bbb6dcb6e78e278419e9951a8b0536baed1c\nFinal payload at /etc/cron.d/taskhost.exe - SHA256: 1abd3090cf962f3dd7f271a5e47ad17fc030de2cff3116bdede55d8336bf9a10\nExfiltration module - SHA256: b0e2acbd1aa5ef721652310b46b5f398fa9f97179fe5b33d05645d1166e0aa06\nAll stages communicated with 219.28.54.226. 
Ligolo signatures detected in Stage 2.", "spans": {"MALWARE: XLoader": [[22, 29]], "FILEPATH: C:\\ProgramData\\shell.php": [[59, 83]], "FILEPATH: C:\\Windows\\Tasks\\beacon.dll": [[177, 204]], "FILEPATH: /etc/cron.d/taskhost.exe": [[271, 295]], "HASH: 42452d1853982f86d90650d494b29426bf329f74fde9c167e8698da2d9f01d72": [[94, 158]], "HASH: c554bbb6dcb6e78e278419e9951a8b0536baed1c": [[213, 253]], "HASH: 1abd3090cf962f3dd7f271a5e47ad17fc030de2cff3116bdede55d8336bf9a10": [[306, 370]], "HASH: b0e2acbd1aa5ef721652310b46b5f398fa9f97179fe5b33d05645d1166e0aa06": [[401, 465]], "IP_ADDRESS: 219.28.54.226": [[495, 508]], "TOOL: Ligolo": [[510, 516]]}, "info": {"id": "synth_v2_01940", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Raccoon Stealer campaign:\nStage 1 dropper at /usr/local/bin/agent.py - SHA1: 6b467b4ae11d5ef7ed08278f952190e7a0744926\nStage 2 loader at C:\\Windows\\Temp\\payload.bin - SHA256: a0f3d7ea67347badc27a07b3773ba60afda1edbd760485153603adce1624026d\nFinal payload at C:\\Windows\\Tasks\\sam.hive - SHA256: a0189a2036d50d39cae32fedf07141f966dfabbe126d8c58d662942a2013d5ce\nExfiltration module - MD5: 7f649dab1c29194f08e683642b0a2b35\nAll stages communicated with 192.64.113.25. 
BloodHound signatures detected in Stage 2.", "spans": {"MALWARE: Raccoon Stealer": [[22, 37]], "FILEPATH: /usr/local/bin/agent.py": [[67, 90]], "FILEPATH: C:\\Windows\\Temp\\payload.bin": [[158, 185]], "FILEPATH: C:\\Windows\\Tasks\\sam.hive": [[278, 303]], "HASH: 6b467b4ae11d5ef7ed08278f952190e7a0744926": [[99, 139]], "HASH: a0f3d7ea67347badc27a07b3773ba60afda1edbd760485153603adce1624026d": [[196, 260]], "HASH: a0189a2036d50d39cae32fedf07141f966dfabbe126d8c58d662942a2013d5ce": [[314, 378]], "HASH: 7f649dab1c29194f08e683642b0a2b35": [[406, 438]], "IP_ADDRESS: 192.64.113.25": [[468, 481]], "TOOL: BloodHound": [[483, 493]]}, "info": {"id": "synth_v2_01941", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Raccoon Stealer campaign:\nStage 1 dropper at /etc/cron.d/chrome_helper.exe - MD5: 16d72cc367a8e8387905b511ded54a54\nStage 2 loader at C:\\Windows\\Temp\\update.dll - SHA256: 48e061b2704b8f717cd35a51d2ee65b0bac76fcd3cd25bbccab8d8821b01163d\nFinal payload at C:\\Windows\\Temp\\runtime.dll - MD5: 735773488a601104cb92bc998550a222\nExfiltration module - MD5: d538e82d3229f7126c8cece075e55916\nAll stages communicated with 193.178.241.221. 
Havoc signatures detected in Stage 2.", "spans": {"MALWARE: Raccoon Stealer": [[22, 37]], "FILEPATH: /etc/cron.d/chrome_helper.exe": [[67, 96]], "FILEPATH: C:\\Windows\\Temp\\update.dll": [[155, 181]], "FILEPATH: C:\\Windows\\Temp\\runtime.dll": [[274, 301]], "HASH: 16d72cc367a8e8387905b511ded54a54": [[104, 136]], "HASH: 48e061b2704b8f717cd35a51d2ee65b0bac76fcd3cd25bbccab8d8821b01163d": [[192, 256]], "HASH: 735773488a601104cb92bc998550a222": [[309, 341]], "HASH: d538e82d3229f7126c8cece075e55916": [[369, 401]], "IP_ADDRESS: 193.178.241.221": [[431, 446]], "TOOL: Havoc": [[448, 453]]}, "info": {"id": "synth_v2_01942", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for SystemBC campaign:\nStage 1 dropper at /var/tmp/dropper.ps1 - MD5: 9ada78a708b4eda87feddaa43692c853\nStage 2 loader at /usr/local/bin/sam.hive - SHA256: 5c26d440cdc8f8a295fa3b216f4953402dc0fcaf3a6e8d6da14961da80d9af5b\nFinal payload at C:\\ProgramData\\dropper.ps1 - SHA1: 410a858bc0b3cb3f702a0c0511868cf595d72119\nExfiltration module - MD5: 4119e4afd96476a952541afd2d06a479\nAll stages communicated with 129.38.198.59. 
GhostPack signatures detected in Stage 2.", "spans": {"MALWARE: SystemBC": [[22, 30]], "FILEPATH: /var/tmp/dropper.ps1": [[60, 80]], "FILEPATH: /usr/local/bin/sam.hive": [[139, 162]], "FILEPATH: C:\\ProgramData\\dropper.ps1": [[255, 281]], "HASH: 9ada78a708b4eda87feddaa43692c853": [[88, 120]], "HASH: 5c26d440cdc8f8a295fa3b216f4953402dc0fcaf3a6e8d6da14961da80d9af5b": [[173, 237]], "HASH: 410a858bc0b3cb3f702a0c0511868cf595d72119": [[290, 330]], "HASH: 4119e4afd96476a952541afd2d06a479": [[358, 390]], "IP_ADDRESS: 129.38.198.59": [[420, 433]], "TOOL: GhostPack": [[435, 444]]}, "info": {"id": "synth_v2_01943", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Amadey campaign:\nStage 1 dropper at C:\\ProgramData\\dropper.ps1 - SHA256: 278c3087646f7f5538c85de2133fa4543e99cc61a4bd6ae10afe9139b1678f56\nStage 2 loader at C:\\Users\\admin\\Downloads\\runtime.dll - SHA256: c7689602ac7bf2fb695108b95d7ff7da0e24c5a8c63040530a0ac0ec627372d3\nFinal payload at C:\\Program Files\\Common Files\\runtime.dll - SHA256: 143ff7982c599d27247cf1982f17097aa5babade2c02b4e2d0a5eb158168e0ee\nExfiltration module - SHA256: fe72ce0eb5a653a546ea123f63278ab27cd240a813219ef6926a30e5731ea1b8\nAll stages communicated with 212.57.47.36. 
CrackMapExec signatures detected in Stage 2.", "spans": {"MALWARE: Amadey": [[22, 28]], "FILEPATH: C:\\ProgramData\\dropper.ps1": [[58, 84]], "FILEPATH: C:\\Users\\admin\\Downloads\\runtime.dll": [[178, 214]], "FILEPATH: C:\\Program Files\\Common Files\\runtime.dll": [[307, 348]], "HASH: 278c3087646f7f5538c85de2133fa4543e99cc61a4bd6ae10afe9139b1678f56": [[95, 159]], "HASH: c7689602ac7bf2fb695108b95d7ff7da0e24c5a8c63040530a0ac0ec627372d3": [[225, 289]], "HASH: 143ff7982c599d27247cf1982f17097aa5babade2c02b4e2d0a5eb158168e0ee": [[359, 423]], "HASH: fe72ce0eb5a653a546ea123f63278ab27cd240a813219ef6926a30e5731ea1b8": [[454, 518]], "IP_ADDRESS: 212.57.47.36": [[548, 560]], "TOOL: CrackMapExec": [[562, 574]]}, "info": {"id": "synth_v2_01944", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Play campaign:\nStage 1 dropper at /tmp/chrome_helper.exe - SHA1: 0a1414cbf2239b8895ec3653601918735a56e926\nStage 2 loader at C:\\Users\\admin\\AppData\\Local\\Temp\\payload.bin - SHA1: d32768fa20784f0fb1df27e63de9e00b6d0ec437\nFinal payload at C:\\Users\\admin\\Desktop\\payload.bin - SHA1: b155f6526835416e130e2680cc97a15603c7d04b\nExfiltration module - SHA256: 9b3f7966855474c01d0e5105e53bd7fcd500cecd817a1f24b1751fc4dca84b41\nAll stages communicated with 172.18.196.201. 
Brute Ratel signatures detected in Stage 2.", "spans": {"MALWARE: Play": [[22, 26]], "FILEPATH: /tmp/chrome_helper.exe": [[56, 78]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\payload.bin": [[146, 191]], "FILEPATH: C:\\Users\\admin\\Desktop\\payload.bin": [[258, 292]], "HASH: 0a1414cbf2239b8895ec3653601918735a56e926": [[87, 127]], "HASH: d32768fa20784f0fb1df27e63de9e00b6d0ec437": [[200, 240]], "HASH: b155f6526835416e130e2680cc97a15603c7d04b": [[301, 341]], "HASH: 9b3f7966855474c01d0e5105e53bd7fcd500cecd817a1f24b1751fc4dca84b41": [[372, 436]], "IP_ADDRESS: 172.18.196.201": [[466, 480]], "TOOL: Brute Ratel": [[482, 493]]}, "info": {"id": "synth_v2_01945", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Gootloader campaign:\nStage 1 dropper at C:\\Users\\admin\\Downloads\\csrss.exe - MD5: 6b8d6e70f6a2283fc7bcb17bfca371d8\nStage 2 loader at C:\\Users\\admin\\Downloads\\payload.bin - SHA1: 9881716b7d79f524c60379231d01b0a4ed5512f5\nFinal payload at C:\\Users\\admin\\Downloads\\winlogon.exe - MD5: 689a8649ed097c1fb10f6f1fbab07817\nExfiltration module - SHA1: 2ebec8343f49a76a00e10bdc7efbe4275a02009e\nAll stages communicated with 87.142.253.97. 
Havoc signatures detected in Stage 2.", "spans": {"MALWARE: Gootloader": [[22, 32]], "FILEPATH: C:\\Users\\admin\\Downloads\\csrss.exe": [[62, 96]], "FILEPATH: C:\\Users\\admin\\Downloads\\payload.bin": [[155, 191]], "FILEPATH: C:\\Users\\admin\\Downloads\\winlogon.exe": [[258, 295]], "HASH: 6b8d6e70f6a2283fc7bcb17bfca371d8": [[104, 136]], "HASH: 9881716b7d79f524c60379231d01b0a4ed5512f5": [[200, 240]], "HASH: 689a8649ed097c1fb10f6f1fbab07817": [[303, 335]], "HASH: 2ebec8343f49a76a00e10bdc7efbe4275a02009e": [[364, 404]], "IP_ADDRESS: 87.142.253.97": [[434, 447]], "TOOL: Havoc": [[449, 454]]}, "info": {"id": "synth_v2_01946", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Raccoon Stealer campaign:\nStage 1 dropper at C:\\ProgramData\\agent.py - SHA256: f828e46eb81da2ea53d9b8bcf0d9398d49f02773b77f44734e268fe17f98c806\nStage 2 loader at /etc/cron.d/csrss.exe - SHA256: 54aac501a17f4c7332b9ef144ecc72e6c71e1930bed9416d112004abde99be84\nFinal payload at C:\\Users\\admin\\AppData\\Local\\Temp\\runtime.dll - MD5: 871567a6e031f380b213c228ffa60956\nExfiltration module - SHA1: 3d14b63672f606f0d956ad9bb2d18677fddae77a\nAll stages communicated with 172.144.81.214. 
Hashcat signatures detected in Stage 2.", "spans": {"MALWARE: Raccoon Stealer": [[22, 37]], "FILEPATH: C:\\ProgramData\\agent.py": [[67, 90]], "FILEPATH: /etc/cron.d/csrss.exe": [[184, 205]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\runtime.dll": [[298, 343]], "HASH: f828e46eb81da2ea53d9b8bcf0d9398d49f02773b77f44734e268fe17f98c806": [[101, 165]], "HASH: 54aac501a17f4c7332b9ef144ecc72e6c71e1930bed9416d112004abde99be84": [[216, 280]], "HASH: 871567a6e031f380b213c228ffa60956": [[351, 383]], "HASH: 3d14b63672f606f0d956ad9bb2d18677fddae77a": [[412, 452]], "IP_ADDRESS: 172.144.81.214": [[482, 496]], "TOOL: Hashcat": [[498, 505]]}, "info": {"id": "synth_v2_01947", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for FormBook campaign:\nStage 1 dropper at C:\\Program Files\\Common Files\\ntds.dit - SHA256: 8f069676fa4eea6856dad09ee2f3325d7193d707b283879c9e9c8a8ec3b06bea\nStage 2 loader at C:\\Windows\\Tasks\\lsass.dmp - MD5: 50958d154cab1e2c13b8a657234227a8\nFinal payload at C:\\Windows\\System32\\config.dat - SHA256: fe2f57354fe041d1a2b3c3399338634a82521eb32adb3a6fc94ccca2fab0c753\nExfiltration module - MD5: 6e6913527d7e4334d2fd296de7e3eb15\nAll stages communicated with 100.37.252.78. 
Merlin signatures detected in Stage 2.", "spans": {"MALWARE: FormBook": [[22, 30]], "FILEPATH: C:\\Program Files\\Common Files\\ntds.dit": [[60, 98]], "FILEPATH: C:\\Windows\\Tasks\\lsass.dmp": [[192, 218]], "FILEPATH: C:\\Windows\\System32\\config.dat": [[276, 306]], "HASH: 8f069676fa4eea6856dad09ee2f3325d7193d707b283879c9e9c8a8ec3b06bea": [[109, 173]], "HASH: 50958d154cab1e2c13b8a657234227a8": [[226, 258]], "HASH: fe2f57354fe041d1a2b3c3399338634a82521eb32adb3a6fc94ccca2fab0c753": [[317, 381]], "HASH: 6e6913527d7e4334d2fd296de7e3eb15": [[409, 441]], "IP_ADDRESS: 100.37.252.78": [[471, 484]], "TOOL: Merlin": [[486, 492]]}, "info": {"id": "synth_v2_01948", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for REvil campaign:\nStage 1 dropper at /usr/local/bin/csrss.exe - SHA1: 9bce4339d067491a841f0135ba3d92d8250e9b72\nStage 2 loader at /opt/app/bin/config.dat - MD5: 6a0dafdf27f441fcc01e1cfe704e3dbb\nFinal payload at C:\\Windows\\System32\\agent.py - SHA1: 8b28d53e519702764d3c5843ad8d893338060757\nExfiltration module - SHA256: cad05140806a618a26008c1aaa36fe0f91eef11e1944b06fee65f75c7e610182\nAll stages communicated with 172.218.133.249. 
WinPEAS signatures detected in Stage 2.", "spans": {"MALWARE: REvil": [[22, 27]], "FILEPATH: /usr/local/bin/csrss.exe": [[57, 81]], "FILEPATH: /opt/app/bin/config.dat": [[149, 172]], "FILEPATH: C:\\Windows\\System32\\agent.py": [[230, 258]], "HASH: 9bce4339d067491a841f0135ba3d92d8250e9b72": [[90, 130]], "HASH: 6a0dafdf27f441fcc01e1cfe704e3dbb": [[180, 212]], "HASH: 8b28d53e519702764d3c5843ad8d893338060757": [[267, 307]], "HASH: cad05140806a618a26008c1aaa36fe0f91eef11e1944b06fee65f75c7e610182": [[338, 402]], "IP_ADDRESS: 172.218.133.249": [[432, 447]], "TOOL: WinPEAS": [[449, 456]]}, "info": {"id": "synth_v2_01949", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Amadey campaign:\nStage 1 dropper at C:\\Windows\\Tasks\\dropper.ps1 - SHA256: 3649bba27289d010dcee3af212ca259e8293f1f410255e4948051013899b1fe6\nStage 2 loader at C:\\Users\\admin\\AppData\\Local\\Temp\\lsass.dmp - MD5: 6094ba8f81897afc9b2d438e0b6775fd\nFinal payload at /usr/local/bin/helper.sh - MD5: 530666eb12579f21057a902649a74985\nExfiltration module - SHA1: f3651936c44203ad97f202251c6771eac9e4cf14\nAll stages communicated with 11.96.148.218. 
Impacket signatures detected in Stage 2.", "spans": {"MALWARE: Amadey": [[22, 28]], "FILEPATH: C:\\Windows\\Tasks\\dropper.ps1": [[58, 86]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\lsass.dmp": [[180, 223]], "FILEPATH: /usr/local/bin/helper.sh": [[281, 305]], "HASH: 3649bba27289d010dcee3af212ca259e8293f1f410255e4948051013899b1fe6": [[97, 161]], "HASH: 6094ba8f81897afc9b2d438e0b6775fd": [[231, 263]], "HASH: 530666eb12579f21057a902649a74985": [[313, 345]], "HASH: f3651936c44203ad97f202251c6771eac9e4cf14": [[374, 414]], "IP_ADDRESS: 11.96.148.218": [[444, 457]], "TOOL: Impacket": [[459, 467]]}, "info": {"id": "synth_v2_01950", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Raccoon Stealer campaign:\nStage 1 dropper at C:\\ProgramData\\taskhost.exe - SHA1: ca7ec44d095c278af6a7e0b7477646b11e9615c1\nStage 2 loader at C:\\Program Files\\Common Files\\update.dll - SHA1: 31fbfbb95f62a932f33026643c437dfd749707c8\nFinal payload at C:\\Users\\Public\\Documents\\csrss.exe - MD5: 38ff55b0a92b142e09a2625a1e16ec2b\nExfiltration module - SHA256: 3e40493656bbbde19c267eae64df54a2c754c835945f7ac23d224bb1c7f163c7\nAll stages communicated with 61.189.94.238. 
Havoc signatures detected in Stage 2.", "spans": {"MALWARE: Raccoon Stealer": [[22, 37]], "FILEPATH: C:\\ProgramData\\taskhost.exe": [[67, 94]], "FILEPATH: C:\\Program Files\\Common Files\\update.dll": [[162, 202]], "FILEPATH: C:\\Users\\Public\\Documents\\csrss.exe": [[269, 304]], "HASH: ca7ec44d095c278af6a7e0b7477646b11e9615c1": [[103, 143]], "HASH: 31fbfbb95f62a932f33026643c437dfd749707c8": [[211, 251]], "HASH: 38ff55b0a92b142e09a2625a1e16ec2b": [[312, 344]], "HASH: 3e40493656bbbde19c267eae64df54a2c754c835945f7ac23d224bb1c7f163c7": [[375, 439]], "IP_ADDRESS: 61.189.94.238": [[469, 482]], "TOOL: Havoc": [[484, 489]]}, "info": {"id": "synth_v2_01951", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for AgentTesla campaign:\nStage 1 dropper at /opt/app/bin/backdoor.elf - SHA256: 9070e50954849e1156e922de89df186c2f895b3d77ab5e6dc4ae16be65b9b49a\nStage 2 loader at C:\\Users\\admin\\Downloads\\backdoor.elf - SHA256: d53bbac182d2253eb94a5cb3e4aed42e03e555d6bddcc19ac5c0947d204dc2f9\nFinal payload at C:\\Windows\\Temp\\chrome_helper.exe - SHA1: 6c7444a18c0dabc5fff540e4e16c0293b36de56d\nExfiltration module - SHA1: e4cbac248c4e11bccd800221c4276b7bba3d79aa\nAll stages communicated with 55.238.31.181. 
Mimikatz signatures detected in Stage 2.", "spans": {"MALWARE: AgentTesla": [[22, 32]], "FILEPATH: /opt/app/bin/backdoor.elf": [[62, 87]], "FILEPATH: C:\\Users\\admin\\Downloads\\backdoor.elf": [[181, 218]], "FILEPATH: C:\\Windows\\Temp\\chrome_helper.exe": [[311, 344]], "HASH: 9070e50954849e1156e922de89df186c2f895b3d77ab5e6dc4ae16be65b9b49a": [[98, 162]], "HASH: d53bbac182d2253eb94a5cb3e4aed42e03e555d6bddcc19ac5c0947d204dc2f9": [[229, 293]], "HASH: 6c7444a18c0dabc5fff540e4e16c0293b36de56d": [[353, 393]], "HASH: e4cbac248c4e11bccd800221c4276b7bba3d79aa": [[422, 462]], "IP_ADDRESS: 55.238.31.181": [[492, 505]], "TOOL: Mimikatz": [[507, 515]]}, "info": {"id": "synth_v2_01952", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for SmokeLoader campaign:\nStage 1 dropper at /var/tmp/winlogon.exe - SHA1: 4f6db7165f884312d44973e0072d5050fcbaf505\nStage 2 loader at /etc/cron.d/csrss.exe - MD5: fd7112457f6e909882ace31e6ec985c6\nFinal payload at /var/tmp/ntds.dit - SHA1: 80d42894a6606617525e69417293083428c479d2\nExfiltration module - SHA256: 9e1564490f28811b107cba26529800f7f9efa31dcfb79f09355441532ba396d4\nAll stages communicated with 163.229.191.196. 
Hashcat signatures detected in Stage 2.", "spans": {"MALWARE: SmokeLoader": [[22, 33]], "FILEPATH: /var/tmp/winlogon.exe": [[63, 84]], "FILEPATH: /etc/cron.d/csrss.exe": [[152, 173]], "FILEPATH: /var/tmp/ntds.dit": [[231, 248]], "HASH: 4f6db7165f884312d44973e0072d5050fcbaf505": [[93, 133]], "HASH: fd7112457f6e909882ace31e6ec985c6": [[181, 213]], "HASH: 80d42894a6606617525e69417293083428c479d2": [[257, 297]], "HASH: 9e1564490f28811b107cba26529800f7f9efa31dcfb79f09355441532ba396d4": [[328, 392]], "IP_ADDRESS: 163.229.191.196": [[422, 437]], "TOOL: Hashcat": [[439, 446]]}, "info": {"id": "synth_v2_01953", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Lumma Stealer campaign:\nStage 1 dropper at /dev/shm/backdoor.elf - SHA1: fa79baa348f5fb335baa0b34c993360b58d60c90\nStage 2 loader at C:\\Windows\\System32\\csrss.exe - MD5: 9c78d6e702c42094807bb8b086ce48b1\nFinal payload at /home/user/.config/config.dat - SHA1: fb3ef401dc6d5194281271f734e42c45273dc989\nExfiltration module - SHA1: 916ebd7a4311f06767066527fcf9ea42190a36f3\nAll stages communicated with 192.155.109.99. 
Sharphound signatures detected in Stage 2.", "spans": {"MALWARE: Lumma Stealer": [[22, 35]], "FILEPATH: /dev/shm/backdoor.elf": [[65, 86]], "FILEPATH: C:\\Windows\\System32\\csrss.exe": [[154, 183]], "FILEPATH: /home/user/.config/config.dat": [[241, 270]], "HASH: fa79baa348f5fb335baa0b34c993360b58d60c90": [[95, 135]], "HASH: 9c78d6e702c42094807bb8b086ce48b1": [[191, 223]], "HASH: fb3ef401dc6d5194281271f734e42c45273dc989": [[279, 319]], "HASH: 916ebd7a4311f06767066527fcf9ea42190a36f3": [[348, 388]], "IP_ADDRESS: 192.155.109.99": [[418, 432]], "TOOL: Sharphound": [[434, 444]]}, "info": {"id": "synth_v2_01954", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for RemcosRAT campaign:\nStage 1 dropper at C:\\Users\\admin\\Desktop\\loader.exe - SHA1: d813f2091cf13106e87326861d69bdeb700c4113\nStage 2 loader at /usr/local/bin/shell.php - SHA256: 02819c5743c9722f0b9ea890257278dcc65f3e98990ce5c5e4b3a28233f86417\nFinal payload at /dev/shm/loader.exe - MD5: fe8a4dc57f6b3399faf6d941445103ae\nExfiltration module - MD5: 65db24bfae2f1e50105784811a7c8b0b\nAll stages communicated with 134.220.246.238. 
BloodHound signatures detected in Stage 2.", "spans": {"MALWARE: RemcosRAT": [[22, 31]], "FILEPATH: C:\\Users\\admin\\Desktop\\loader.exe": [[61, 94]], "FILEPATH: /usr/local/bin/shell.php": [[162, 186]], "FILEPATH: /dev/shm/loader.exe": [[279, 298]], "HASH: d813f2091cf13106e87326861d69bdeb700c4113": [[103, 143]], "HASH: 02819c5743c9722f0b9ea890257278dcc65f3e98990ce5c5e4b3a28233f86417": [[197, 261]], "HASH: fe8a4dc57f6b3399faf6d941445103ae": [[306, 338]], "HASH: 65db24bfae2f1e50105784811a7c8b0b": [[366, 398]], "IP_ADDRESS: 134.220.246.238": [[428, 443]], "TOOL: BloodHound": [[445, 455]]}, "info": {"id": "synth_v2_01955", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for PikaBot campaign:\nStage 1 dropper at C:\\Users\\Public\\Documents\\winlogon.exe - SHA256: 8edc463e72afddca73051c344d7aafeffb6c26bd56aa911a47852508ba214157\nStage 2 loader at C:\\Windows\\Temp\\dropper.ps1 - MD5: a63ebebea0f42b4313b4e0fd94662b0d\nFinal payload at C:\\Users\\admin\\Desktop\\sam.hive - SHA256: 2f4770a2f9bbbef360a31a0cb94cb52f635ad4cdedb06b390ab90b74fb4acb07\nExfiltration module - SHA256: 125d3f689d0ee9617b6cb9e60fe53a87973892fbe5e92e94994990b32fd8b875\nAll stages communicated with 96.55.55.217. 
PowerView signatures detected in Stage 2.", "spans": {"MALWARE: PikaBot": [[22, 29]], "FILEPATH: C:\\Users\\Public\\Documents\\winlogon.exe": [[59, 97]], "FILEPATH: C:\\Windows\\Temp\\dropper.ps1": [[191, 218]], "FILEPATH: C:\\Users\\admin\\Desktop\\sam.hive": [[276, 307]], "HASH: 8edc463e72afddca73051c344d7aafeffb6c26bd56aa911a47852508ba214157": [[108, 172]], "HASH: a63ebebea0f42b4313b4e0fd94662b0d": [[226, 258]], "HASH: 2f4770a2f9bbbef360a31a0cb94cb52f635ad4cdedb06b390ab90b74fb4acb07": [[318, 382]], "HASH: 125d3f689d0ee9617b6cb9e60fe53a87973892fbe5e92e94994990b32fd8b875": [[413, 477]], "IP_ADDRESS: 96.55.55.217": [[507, 519]], "TOOL: PowerView": [[521, 530]]}, "info": {"id": "synth_v2_01956", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for NjRAT campaign:\nStage 1 dropper at /home/user/.config/ntds.dit - SHA1: b80a263fd9f037095230343136aac7e19bb3fb12\nStage 2 loader at /dev/shm/chrome_helper.exe - SHA256: c8c2e1f6b992adc4ea862c7e52875a84fbbf966eec02d5a62ae9b057bd3025de\nFinal payload at C:\\Windows\\System32\\sam.hive - SHA1: e9d5ed616fc3ae5658a23fb99b7c183cd116b80f\nExfiltration module - SHA256: ab7aae150f0c0a60a8944b87f0259bccd705464809b241715c9bbb2319276baa\nAll stages communicated with 172.54.10.225. 
Rubeus signatures detected in Stage 2.", "spans": {"MALWARE: NjRAT": [[22, 27]], "FILEPATH: /home/user/.config/ntds.dit": [[57, 84]], "FILEPATH: /dev/shm/chrome_helper.exe": [[152, 178]], "FILEPATH: C:\\Windows\\System32\\sam.hive": [[271, 299]], "HASH: b80a263fd9f037095230343136aac7e19bb3fb12": [[93, 133]], "HASH: c8c2e1f6b992adc4ea862c7e52875a84fbbf966eec02d5a62ae9b057bd3025de": [[189, 253]], "HASH: e9d5ed616fc3ae5658a23fb99b7c183cd116b80f": [[308, 348]], "HASH: ab7aae150f0c0a60a8944b87f0259bccd705464809b241715c9bbb2319276baa": [[379, 443]], "IP_ADDRESS: 172.54.10.225": [[473, 486]], "TOOL: Rubeus": [[488, 494]]}, "info": {"id": "synth_v2_01957", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Latrodectus campaign:\nStage 1 dropper at /etc/cron.d/implant.so - SHA256: accc7052c902d2b2636309be15d3d4d65bffd2583e1456d80074bea4275ffe18\nStage 2 loader at C:\\Users\\admin\\Desktop\\runtime.dll - SHA1: 40ead3e906eb0e2d3667075fce34060da216fc36\nFinal payload at /opt/app/bin/chrome_helper.exe - SHA256: 9d42da2cf1008f90ad71e252067f2f239638d30efe596392c79306fc20401037\nExfiltration module - SHA1: a4ff088fcaf108d69fa820b8bad648710ffd7e85\nAll stages communicated with 90.231.28.94. 
Havoc signatures detected in Stage 2.", "spans": {"MALWARE: Latrodectus": [[22, 33]], "FILEPATH: /etc/cron.d/implant.so": [[63, 85]], "FILEPATH: C:\\Users\\admin\\Desktop\\runtime.dll": [[179, 213]], "FILEPATH: /opt/app/bin/chrome_helper.exe": [[280, 310]], "HASH: accc7052c902d2b2636309be15d3d4d65bffd2583e1456d80074bea4275ffe18": [[96, 160]], "HASH: 40ead3e906eb0e2d3667075fce34060da216fc36": [[222, 262]], "HASH: 9d42da2cf1008f90ad71e252067f2f239638d30efe596392c79306fc20401037": [[321, 385]], "HASH: a4ff088fcaf108d69fa820b8bad648710ffd7e85": [[414, 454]], "IP_ADDRESS: 90.231.28.94": [[484, 496]], "TOOL: Havoc": [[498, 503]]}, "info": {"id": "synth_v2_01958", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Gootloader campaign:\nStage 1 dropper at /var/tmp/lsass.dmp - SHA256: a6a404e3771fd33d7830cb47b7455502802b681bbd45021791f5ea6f937c54b4\nStage 2 loader at C:\\ProgramData\\helper.sh - SHA256: 533cc53d308ed07bf7cd542aa464f36d7ec9c385c642090a3fc25591e692278e\nFinal payload at C:\\Windows\\Temp\\chrome_helper.exe - SHA256: af96a03902d3eb56d9b0a349c414bdcfe24dc4b9b83df0e5a9b9d85ff41a1ba6\nExfiltration module - SHA1: 77022c34bdbe34e159aa3bf97fcd1495c6c3cbb8\nAll stages communicated with 71.55.246.41. 
Burp Suite signatures detected in Stage 2.", "spans": {"MALWARE: Gootloader": [[22, 32]], "FILEPATH: /var/tmp/lsass.dmp": [[62, 80]], "FILEPATH: C:\\ProgramData\\helper.sh": [[174, 198]], "FILEPATH: C:\\Windows\\Temp\\chrome_helper.exe": [[291, 324]], "HASH: a6a404e3771fd33d7830cb47b7455502802b681bbd45021791f5ea6f937c54b4": [[91, 155]], "HASH: 533cc53d308ed07bf7cd542aa464f36d7ec9c385c642090a3fc25591e692278e": [[209, 273]], "HASH: af96a03902d3eb56d9b0a349c414bdcfe24dc4b9b83df0e5a9b9d85ff41a1ba6": [[335, 399]], "HASH: 77022c34bdbe34e159aa3bf97fcd1495c6c3cbb8": [[428, 468]], "IP_ADDRESS: 71.55.246.41": [[498, 510]], "TOOL: Burp Suite": [[512, 522]]}, "info": {"id": "synth_v2_01959", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for PikaBot campaign:\nStage 1 dropper at C:\\ProgramData\\update.dll - SHA1: 66cc1f8eb7f9eb32df1c007691d84b197c1b8850\nStage 2 loader at /tmp/ntds.dit - SHA1: 9dd53075a431a60689ef393ed6cf3b7c6e203173\nFinal payload at /dev/shm/winlogon.exe - SHA1: ae71dbc6de84be0f98da3fe87d3ef39f0bb16a82\nExfiltration module - MD5: 500a28b53203292393c2f601ae1d3fbd\nAll stages communicated with 146.113.78.182. 
Mimikatz signatures detected in Stage 2.", "spans": {"MALWARE: PikaBot": [[22, 29]], "FILEPATH: C:\\ProgramData\\update.dll": [[59, 84]], "FILEPATH: /tmp/ntds.dit": [[152, 165]], "FILEPATH: /dev/shm/winlogon.exe": [[232, 253]], "HASH: 66cc1f8eb7f9eb32df1c007691d84b197c1b8850": [[93, 133]], "HASH: 9dd53075a431a60689ef393ed6cf3b7c6e203173": [[174, 214]], "HASH: ae71dbc6de84be0f98da3fe87d3ef39f0bb16a82": [[262, 302]], "HASH: 500a28b53203292393c2f601ae1d3fbd": [[330, 362]], "IP_ADDRESS: 146.113.78.182": [[392, 406]], "TOOL: Mimikatz": [[408, 416]]}, "info": {"id": "synth_v2_01960", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Hive campaign:\nStage 1 dropper at /usr/local/bin/update.dll - SHA1: 368feb0c3e00f0552bc6652f78ec7f44aac2619f\nStage 2 loader at C:\\ProgramData\\chrome_helper.exe - SHA1: 4a9d57fd49d24413f34505a67b3f9d98b22703bf\nFinal payload at C:\\Windows\\Tasks\\chrome_helper.exe - SHA1: 8a96d01808177b09353af34d6180bba0e6bed61d\nExfiltration module - SHA1: 90ac8b0187692b6ce2a557a26fab8e5404f73be6\nAll stages communicated with 10.248.14.159. 
Mythic signatures detected in Stage 2.", "spans": {"MALWARE: Hive": [[22, 26]], "FILEPATH: /usr/local/bin/update.dll": [[56, 81]], "FILEPATH: C:\\ProgramData\\chrome_helper.exe": [[149, 181]], "FILEPATH: C:\\Windows\\Tasks\\chrome_helper.exe": [[248, 282]], "HASH: 368feb0c3e00f0552bc6652f78ec7f44aac2619f": [[90, 130]], "HASH: 4a9d57fd49d24413f34505a67b3f9d98b22703bf": [[190, 230]], "HASH: 8a96d01808177b09353af34d6180bba0e6bed61d": [[291, 331]], "HASH: 90ac8b0187692b6ce2a557a26fab8e5404f73be6": [[360, 400]], "IP_ADDRESS: 10.248.14.159": [[430, 443]], "TOOL: Mythic": [[445, 451]]}, "info": {"id": "synth_v2_01961", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Play campaign:\nStage 1 dropper at C:\\Program Files\\Common Files\\sam.hive - MD5: 1d0087910ab4b56ca2d3e24a09f7b532\nStage 2 loader at C:\\Users\\admin\\AppData\\Local\\Temp\\dropper.ps1 - SHA256: eab66ef3e0cd77e3e0b0a38095cdb801c136f572bcceb220e47d6343a799f905\nFinal payload at C:\\Windows\\Tasks\\beacon.dll - SHA1: 34492fdffe0eb2d094fb0a5730ae914b376e4e48\nExfiltration module - MD5: bfedff0d880824b021827ae5e3e2f447\nAll stages communicated with 192.54.213.206. 
PowerShell Empire signatures detected in Stage 2.", "spans": {"MALWARE: Play": [[22, 26]], "FILEPATH: C:\\Program Files\\Common Files\\sam.hive": [[56, 94]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\dropper.ps1": [[153, 198]], "FILEPATH: C:\\Windows\\Tasks\\beacon.dll": [[291, 318]], "HASH: 1d0087910ab4b56ca2d3e24a09f7b532": [[102, 134]], "HASH: eab66ef3e0cd77e3e0b0a38095cdb801c136f572bcceb220e47d6343a799f905": [[209, 273]], "HASH: 34492fdffe0eb2d094fb0a5730ae914b376e4e48": [[327, 367]], "HASH: bfedff0d880824b021827ae5e3e2f447": [[395, 427]], "IP_ADDRESS: 192.54.213.206": [[457, 471]], "TOOL: PowerShell Empire": [[473, 490]]}, "info": {"id": "synth_v2_01962", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Cobalt Strike campaign:\nStage 1 dropper at C:\\Users\\admin\\Downloads\\beacon.dll - SHA1: 5eae7f7fa70041459a5ab944e359b4f1d532126b\nStage 2 loader at /home/user/.config/ntds.dit - SHA256: 0c22ee447d954557ee4040d80c7016cf04fc11251dc5cfdb48536965ee781b9d\nFinal payload at C:\\Users\\admin\\AppData\\Local\\Temp\\chrome_helper.exe - MD5: bb8d8a764e58be68664ad022526d6349\nExfiltration module - MD5: 62e5bc435cba6edf9d66a562923f16cc\nAll stages communicated with 164.226.240.75. 
Mimikatz signatures detected in Stage 2.", "spans": {"MALWARE: Cobalt Strike": [[22, 35]], "FILEPATH: C:\\Users\\admin\\Downloads\\beacon.dll": [[65, 100]], "FILEPATH: /home/user/.config/ntds.dit": [[168, 195]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\chrome_helper.exe": [[288, 339]], "HASH: 5eae7f7fa70041459a5ab944e359b4f1d532126b": [[109, 149]], "HASH: 0c22ee447d954557ee4040d80c7016cf04fc11251dc5cfdb48536965ee781b9d": [[206, 270]], "HASH: bb8d8a764e58be68664ad022526d6349": [[347, 379]], "HASH: 62e5bc435cba6edf9d66a562923f16cc": [[407, 439]], "IP_ADDRESS: 164.226.240.75": [[469, 483]], "TOOL: Mimikatz": [[485, 493]]}, "info": {"id": "synth_v2_01963", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for RedLine Stealer campaign:\nStage 1 dropper at C:\\Windows\\Tasks\\update.dll - SHA256: 5e7fe7ef9a01c4c2987bfef5e8e067988f18d966baa0a26edcf3b90b5df2b6aa\nStage 2 loader at C:\\ProgramData\\loader.exe - SHA256: f89423ae1722d36d8bec508ce1a44418578f4f841ea211435b606d7cc37b2b27\nFinal payload at /tmp/payload.bin - SHA1: 9222c2e74c59f1777dd292643a8a8be72f833dfa\nExfiltration module - SHA1: 498a8d5586553346c7cd3611fcae83c7dc25ba7a\nAll stages communicated with 98.36.4.97. 
Sharphound signatures detected in Stage 2.", "spans": {"MALWARE: RedLine Stealer": [[22, 37]], "FILEPATH: C:\\Windows\\Tasks\\update.dll": [[67, 94]], "FILEPATH: C:\\ProgramData\\loader.exe": [[188, 213]], "FILEPATH: /tmp/payload.bin": [[306, 322]], "HASH: 5e7fe7ef9a01c4c2987bfef5e8e067988f18d966baa0a26edcf3b90b5df2b6aa": [[105, 169]], "HASH: f89423ae1722d36d8bec508ce1a44418578f4f841ea211435b606d7cc37b2b27": [[224, 288]], "HASH: 9222c2e74c59f1777dd292643a8a8be72f833dfa": [[331, 371]], "HASH: 498a8d5586553346c7cd3611fcae83c7dc25ba7a": [[400, 440]], "IP_ADDRESS: 98.36.4.97": [[470, 480]], "TOOL: Sharphound": [[482, 492]]}, "info": {"id": "synth_v2_01964", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for TrickBot campaign:\nStage 1 dropper at /var/tmp/sam.hive - SHA256: 969df54751ae076bed12eee82eb2133ca9770e99d82f6d87f8a7f241b2bbde38\nStage 2 loader at C:\\Users\\admin\\AppData\\Local\\Temp\\svchost.exe - SHA256: d69f6aede50f208f953fa214d1215f105436a531ebcd1461663f3caca7aed8ca\nFinal payload at /dev/shm/update.dll - SHA1: fcd72033da0a4386a5d057ad332feffe3dad3ee7\nExfiltration module - MD5: 9303b0a2c5455bb5441b6ee3c1b2ee78\nAll stages communicated with 10.71.67.186. 
Metasploit signatures detected in Stage 2.", "spans": {"MALWARE: TrickBot": [[22, 30]], "FILEPATH: /var/tmp/sam.hive": [[60, 77]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\svchost.exe": [[171, 216]], "FILEPATH: /dev/shm/update.dll": [[309, 328]], "HASH: 969df54751ae076bed12eee82eb2133ca9770e99d82f6d87f8a7f241b2bbde38": [[88, 152]], "HASH: d69f6aede50f208f953fa214d1215f105436a531ebcd1461663f3caca7aed8ca": [[227, 291]], "HASH: fcd72033da0a4386a5d057ad332feffe3dad3ee7": [[337, 377]], "HASH: 9303b0a2c5455bb5441b6ee3c1b2ee78": [[405, 437]], "IP_ADDRESS: 10.71.67.186": [[467, 479]], "TOOL: Metasploit": [[481, 491]]}, "info": {"id": "synth_v2_01965", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Conti campaign:\nStage 1 dropper at /tmp/implant.so - SHA256: 5c605c2b3dfbb9036119cfb4ae7452eb975712f61b45f839ec2153d7011b0397\nStage 2 loader at C:\\Users\\admin\\AppData\\Local\\Temp\\winlogon.exe - SHA256: 1590230d0dce6bb691bbec1ebe1a0a5d0cc74ccbeb7a5ebb9884bb9d41bd3fca\nFinal payload at C:\\Users\\Public\\Documents\\update.dll - SHA1: d8527fccd9f976e4e393fbb75bd2f3c48e73b9be\nExfiltration module - MD5: ed54456de2cab7d14bf3ba309772e007\nAll stages communicated with 192.34.193.145. 
Merlin signatures detected in Stage 2.", "spans": {"MALWARE: Conti": [[22, 27]], "FILEPATH: /tmp/implant.so": [[57, 72]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\winlogon.exe": [[166, 212]], "FILEPATH: C:\\Users\\Public\\Documents\\update.dll": [[305, 341]], "HASH: 5c605c2b3dfbb9036119cfb4ae7452eb975712f61b45f839ec2153d7011b0397": [[83, 147]], "HASH: 1590230d0dce6bb691bbec1ebe1a0a5d0cc74ccbeb7a5ebb9884bb9d41bd3fca": [[223, 287]], "HASH: d8527fccd9f976e4e393fbb75bd2f3c48e73b9be": [[350, 390]], "HASH: ed54456de2cab7d14bf3ba309772e007": [[418, 450]], "IP_ADDRESS: 192.34.193.145": [[480, 494]], "TOOL: Merlin": [[496, 502]]}, "info": {"id": "synth_v2_01966", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for PikaBot campaign:\nStage 1 dropper at C:\\Users\\Public\\Documents\\svchost.exe - SHA256: ca8f13f631b3f1f228274d188c299c6df957580c7bb17b7a051c9a49eb4dda05\nStage 2 loader at C:\\Users\\admin\\Desktop\\sam.hive - MD5: 1ed7fb9545e840e69e067413fa90514f\nFinal payload at C:\\Program Files\\Common Files\\implant.so - SHA1: 498a2234a7526768417990aeca3f34185a9ada2e\nExfiltration module - SHA1: c4eee474df8877653c85924fec48c78e12d403af\nAll stages communicated with 216.33.20.215. 
Mythic signatures detected in Stage 2.", "spans": {"MALWARE: PikaBot": [[22, 29]], "FILEPATH: C:\\Users\\Public\\Documents\\svchost.exe": [[59, 96]], "FILEPATH: C:\\Users\\admin\\Desktop\\sam.hive": [[190, 221]], "FILEPATH: C:\\Program Files\\Common Files\\implant.so": [[279, 319]], "HASH: ca8f13f631b3f1f228274d188c299c6df957580c7bb17b7a051c9a49eb4dda05": [[107, 171]], "HASH: 1ed7fb9545e840e69e067413fa90514f": [[229, 261]], "HASH: 498a2234a7526768417990aeca3f34185a9ada2e": [[328, 368]], "HASH: c4eee474df8877653c85924fec48c78e12d403af": [[397, 437]], "IP_ADDRESS: 216.33.20.215": [[467, 480]], "TOOL: Mythic": [[482, 488]]}, "info": {"id": "synth_v2_01967", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for LockBit campaign:\nStage 1 dropper at C:\\ProgramData\\chrome_helper.exe - SHA256: 4b470fb6baf78ea21eb9df9fd471012356651922573981ab648bc6e665648d37\nStage 2 loader at C:\\Program Files\\Common Files\\helper.sh - MD5: b4ac4aa6462340e3c6fd4d04a336da2e\nFinal payload at C:\\Users\\admin\\Downloads\\dropper.ps1 - SHA1: 60b666c2373e7b0962c721ba025575037d0d8434\nExfiltration module - MD5: 9e0b7c9dd95280119273c4f9f61178c3\nAll stages communicated with 172.57.195.66. 
LinPEAS signatures detected in Stage 2.", "spans": {"MALWARE: LockBit": [[22, 29]], "FILEPATH: C:\\ProgramData\\chrome_helper.exe": [[59, 91]], "FILEPATH: C:\\Program Files\\Common Files\\helper.sh": [[185, 224]], "FILEPATH: C:\\Users\\admin\\Downloads\\dropper.ps1": [[282, 318]], "HASH: 4b470fb6baf78ea21eb9df9fd471012356651922573981ab648bc6e665648d37": [[102, 166]], "HASH: b4ac4aa6462340e3c6fd4d04a336da2e": [[232, 264]], "HASH: 60b666c2373e7b0962c721ba025575037d0d8434": [[327, 367]], "HASH: 9e0b7c9dd95280119273c4f9f61178c3": [[395, 427]], "IP_ADDRESS: 172.57.195.66": [[457, 470]], "TOOL: LinPEAS": [[472, 479]]}, "info": {"id": "synth_v2_01968", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for IcedID campaign:\nStage 1 dropper at C:\\Users\\admin\\Desktop\\taskhost.exe - SHA256: 0b26bd4ade5a2dff0fce635964c24619088043cc338035d4507bb52fafa3f45e\nStage 2 loader at C:\\Program Files\\Common Files\\sam.hive - SHA1: a0277a419c3506a4dd88b7d481fef7ff69152729\nFinal payload at C:\\Windows\\System32\\taskhost.exe - MD5: a61c92ff7dd78aaab21969665a45a64e\nExfiltration module - SHA1: 150f436789e7d1e87c4448baf3016fd0428f9d1d\nAll stages communicated with 6.79.167.65. 
Mythic signatures detected in Stage 2.", "spans": {"MALWARE: IcedID": [[22, 28]], "FILEPATH: C:\\Users\\admin\\Desktop\\taskhost.exe": [[58, 93]], "FILEPATH: C:\\Program Files\\Common Files\\sam.hive": [[187, 225]], "FILEPATH: C:\\Windows\\System32\\taskhost.exe": [[292, 324]], "HASH: 0b26bd4ade5a2dff0fce635964c24619088043cc338035d4507bb52fafa3f45e": [[104, 168]], "HASH: a0277a419c3506a4dd88b7d481fef7ff69152729": [[234, 274]], "HASH: a61c92ff7dd78aaab21969665a45a64e": [[332, 364]], "HASH: 150f436789e7d1e87c4448baf3016fd0428f9d1d": [[393, 433]], "IP_ADDRESS: 6.79.167.65": [[463, 474]], "TOOL: Mythic": [[476, 482]]}, "info": {"id": "synth_v2_01969", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for PikaBot campaign:\nStage 1 dropper at /opt/app/bin/update.dll - MD5: f5ddbe6ab76e374d4b31c31c5364ba90\nStage 2 loader at C:\\Users\\admin\\Downloads\\backdoor.elf - SHA1: d4ceda6da974bd6b57dbe0d309fc7dcccc18592a\nFinal payload at C:\\Users\\admin\\Downloads\\chrome_helper.exe - MD5: 6c99a1bb936744fef825e6c2dac3b855\nExfiltration module - MD5: e9925a4e70eba82a8d9ce48f235cd096\nAll stages communicated with 172.134.25.85. 
PowerView signatures detected in Stage 2.", "spans": {"MALWARE: PikaBot": [[22, 29]], "FILEPATH: /opt/app/bin/update.dll": [[59, 82]], "FILEPATH: C:\\Users\\admin\\Downloads\\backdoor.elf": [[141, 178]], "FILEPATH: C:\\Users\\admin\\Downloads\\chrome_helper.exe": [[245, 287]], "HASH: f5ddbe6ab76e374d4b31c31c5364ba90": [[90, 122]], "HASH: d4ceda6da974bd6b57dbe0d309fc7dcccc18592a": [[187, 227]], "HASH: 6c99a1bb936744fef825e6c2dac3b855": [[295, 327]], "HASH: e9925a4e70eba82a8d9ce48f235cd096": [[355, 387]], "IP_ADDRESS: 172.134.25.85": [[417, 430]], "TOOL: PowerView": [[432, 441]]}, "info": {"id": "synth_v2_01970", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for BlackCat campaign:\nStage 1 dropper at /opt/app/bin/svchost.exe - SHA1: 8498928683e518848806498c06fd5f219ffa8f29\nStage 2 loader at C:\\Users\\admin\\Downloads\\agent.py - MD5: f777fb8697e4f3b539f80a75c6f3ec77\nFinal payload at C:\\Windows\\System32\\backdoor.elf - MD5: 65cd672c78f04296256846274558684b\nExfiltration module - SHA1: 1f075a3e3de862d313f97963563cf8a5997d98d2\nAll stages communicated with 10.191.91.59. 
Sliver signatures detected in Stage 2.", "spans": {"MALWARE: BlackCat": [[22, 30]], "FILEPATH: /opt/app/bin/svchost.exe": [[60, 84]], "FILEPATH: C:\\Users\\admin\\Downloads\\agent.py": [[152, 185]], "FILEPATH: C:\\Windows\\System32\\backdoor.elf": [[243, 275]], "HASH: 8498928683e518848806498c06fd5f219ffa8f29": [[93, 133]], "HASH: f777fb8697e4f3b539f80a75c6f3ec77": [[193, 225]], "HASH: 65cd672c78f04296256846274558684b": [[283, 315]], "HASH: 1f075a3e3de862d313f97963563cf8a5997d98d2": [[344, 384]], "IP_ADDRESS: 10.191.91.59": [[414, 426]], "TOOL: Sliver": [[428, 434]]}, "info": {"id": "synth_v2_01971", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for LockBit campaign:\nStage 1 dropper at /opt/app/bin/agent.py - SHA256: 41b1aa1216cc9eebe262cd3c5fffd5a7cddbcc80909c543a1add45e2b37c5f55\nStage 2 loader at C:\\Windows\\Tasks\\beacon.dll - SHA1: 8e81e1776ef9a6fa9243acac388ca89691df999b\nFinal payload at C:\\Users\\Public\\Documents\\runtime.dll - MD5: 3dee144ef644abc0e4db8756b1217eea\nExfiltration module - SHA1: 11df3359d0d5b1cdc6e8acbf8ef38eb2797f3d3a\nAll stages communicated with 10.205.46.177. 
Mimikatz signatures detected in Stage 2.", "spans": {"MALWARE: LockBit": [[22, 29]], "FILEPATH: /opt/app/bin/agent.py": [[59, 80]], "FILEPATH: C:\\Windows\\Tasks\\beacon.dll": [[174, 201]], "FILEPATH: C:\\Users\\Public\\Documents\\runtime.dll": [[268, 305]], "HASH: 41b1aa1216cc9eebe262cd3c5fffd5a7cddbcc80909c543a1add45e2b37c5f55": [[91, 155]], "HASH: 8e81e1776ef9a6fa9243acac388ca89691df999b": [[210, 250]], "HASH: 3dee144ef644abc0e4db8756b1217eea": [[313, 345]], "HASH: 11df3359d0d5b1cdc6e8acbf8ef38eb2797f3d3a": [[374, 414]], "IP_ADDRESS: 10.205.46.177": [[444, 457]], "TOOL: Mimikatz": [[459, 467]]}, "info": {"id": "synth_v2_01972", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for XLoader campaign:\nStage 1 dropper at C:\\Windows\\Temp\\helper.sh - SHA256: 5f9b22033f5140321c54e259dfdbb3ddd4b7884286f7f6d2a70ddfb29b2786ed\nStage 2 loader at C:\\Users\\Public\\Documents\\loader.exe - SHA1: 4f014205d7184f5f0e9348086c4c40a50bbdfdfc\nFinal payload at C:\\Program Files\\Common Files\\sam.hive - SHA1: f043cad98cb8c7c61f170ad3817e7362f8e5bac8\nExfiltration module - SHA256: 3afefb949260ce23fcaf6a99c94418d6610f2b386012bdc29b72d29a35cdbb8c\nAll stages communicated with 72.157.85.46. 
Covenant signatures detected in Stage 2.", "spans": {"MALWARE: XLoader": [[22, 29]], "FILEPATH: C:\\Windows\\Temp\\helper.sh": [[59, 84]], "FILEPATH: C:\\Users\\Public\\Documents\\loader.exe": [[178, 214]], "FILEPATH: C:\\Program Files\\Common Files\\sam.hive": [[281, 319]], "HASH: 5f9b22033f5140321c54e259dfdbb3ddd4b7884286f7f6d2a70ddfb29b2786ed": [[95, 159]], "HASH: 4f014205d7184f5f0e9348086c4c40a50bbdfdfc": [[223, 263]], "HASH: f043cad98cb8c7c61f170ad3817e7362f8e5bac8": [[328, 368]], "HASH: 3afefb949260ce23fcaf6a99c94418d6610f2b386012bdc29b72d29a35cdbb8c": [[399, 463]], "IP_ADDRESS: 72.157.85.46": [[493, 505]], "TOOL: Covenant": [[507, 515]]}, "info": {"id": "synth_v2_01973", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for AsyncRAT campaign:\nStage 1 dropper at C:\\Windows\\Temp\\beacon.dll - SHA1: b90b4560c9197981aa5a95c7348d5df888efd628\nStage 2 loader at /tmp/implant.so - SHA1: 1f6b4150b02a63eeff0296edd950b72f5e0ed9f9\nFinal payload at C:\\Users\\admin\\AppData\\Local\\Temp\\update.dll - MD5: 83ed60a4a50bfe7ed5f0897654afd28c\nExfiltration module - SHA1: ba7b284bac5010da8cf97d47200fb08e9d8a705b\nAll stages communicated with 59.16.197.107. 
ADFind signatures detected in Stage 2.", "spans": {"MALWARE: AsyncRAT": [[22, 30]], "FILEPATH: C:\\Windows\\Temp\\beacon.dll": [[60, 86]], "FILEPATH: /tmp/implant.so": [[154, 169]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\update.dll": [[236, 280]], "HASH: b90b4560c9197981aa5a95c7348d5df888efd628": [[95, 135]], "HASH: 1f6b4150b02a63eeff0296edd950b72f5e0ed9f9": [[178, 218]], "HASH: 83ed60a4a50bfe7ed5f0897654afd28c": [[288, 320]], "HASH: ba7b284bac5010da8cf97d47200fb08e9d8a705b": [[349, 389]], "IP_ADDRESS: 59.16.197.107": [[419, 432]], "TOOL: ADFind": [[434, 440]]}, "info": {"id": "synth_v2_01974", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Meduza Stealer campaign:\nStage 1 dropper at C:\\Users\\admin\\Desktop\\update.dll - MD5: 55174984f16dff7dc500a064de99a432\nStage 2 loader at C:\\Users\\admin\\Downloads\\implant.so - MD5: bdb2f246a2e33b2e7c0105aff7bd6d8f\nFinal payload at C:\\Program Files\\Common Files\\agent.py - MD5: 71c8bca68dbd2a556691638fe6ec457a\nExfiltration module - SHA256: 85b41076f8e526bd47edf4a3a5d5c6a0642e1783d834c123ee19d1ba71be4e05\nAll stages communicated with 192.21.131.203. 
ADFind signatures detected in Stage 2.", "spans": {"MALWARE: Meduza Stealer": [[22, 36]], "FILEPATH: C:\\Users\\admin\\Desktop\\update.dll": [[66, 99]], "FILEPATH: C:\\Users\\admin\\Downloads\\implant.so": [[158, 193]], "FILEPATH: C:\\Program Files\\Common Files\\agent.py": [[251, 289]], "HASH: 55174984f16dff7dc500a064de99a432": [[107, 139]], "HASH: bdb2f246a2e33b2e7c0105aff7bd6d8f": [[201, 233]], "HASH: 71c8bca68dbd2a556691638fe6ec457a": [[297, 329]], "HASH: 85b41076f8e526bd47edf4a3a5d5c6a0642e1783d834c123ee19d1ba71be4e05": [[360, 424]], "IP_ADDRESS: 192.21.131.203": [[454, 468]], "TOOL: ADFind": [[470, 476]]}, "info": {"id": "synth_v2_01975", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for SmokeLoader campaign:\nStage 1 dropper at /home/user/.config/implant.so - SHA1: 9bf309e9d308e9f3b06b59b48f0e3c402ee7e972\nStage 2 loader at /opt/app/bin/backdoor.elf - MD5: 611dc0181f4f1035b6296ae029736ab3\nFinal payload at /opt/app/bin/loader.exe - SHA256: cf4f047d3f50369dd0916260fc50bfcc5fa6134fdeaf1875fc33bcf8ec4d1bd6\nExfiltration module - MD5: d12232c7ede33e5e65663bdd6274af5b\nAll stages communicated with 105.176.239.119. 
LinPEAS signatures detected in Stage 2.", "spans": {"MALWARE: SmokeLoader": [[22, 33]], "FILEPATH: /home/user/.config/implant.so": [[63, 92]], "FILEPATH: /opt/app/bin/backdoor.elf": [[160, 185]], "FILEPATH: /opt/app/bin/loader.exe": [[243, 266]], "HASH: 9bf309e9d308e9f3b06b59b48f0e3c402ee7e972": [[101, 141]], "HASH: 611dc0181f4f1035b6296ae029736ab3": [[193, 225]], "HASH: cf4f047d3f50369dd0916260fc50bfcc5fa6134fdeaf1875fc33bcf8ec4d1bd6": [[277, 341]], "HASH: d12232c7ede33e5e65663bdd6274af5b": [[369, 401]], "IP_ADDRESS: 105.176.239.119": [[431, 446]], "TOOL: LinPEAS": [[448, 455]]}, "info": {"id": "synth_v2_01976", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for ShadowPad campaign:\nStage 1 dropper at C:\\Windows\\Tasks\\taskhost.exe - SHA1: 404c11c8a5513c340c0d3fef74a40d1c4eac14ba\nStage 2 loader at /etc/cron.d/runtime.dll - SHA256: 108b8d2d16aa2245253d3c10543774ce38c370589fbc3818a6137cf7d162b825\nFinal payload at /usr/local/bin/config.dat - SHA256: 0ddf3dd5691f6ba2b36bedd64dac60ba8b4c2003c852bf9c4b3dcda648c0bbd3\nExfiltration module - SHA1: 4575a8e18191b195177ee4042949494b43d4a7c8\nAll stages communicated with 192.89.237.198. 
LaZagne signatures detected in Stage 2.", "spans": {"MALWARE: ShadowPad": [[22, 31]], "FILEPATH: C:\\Windows\\Tasks\\taskhost.exe": [[61, 90]], "FILEPATH: /etc/cron.d/runtime.dll": [[158, 181]], "FILEPATH: /usr/local/bin/config.dat": [[274, 299]], "HASH: 404c11c8a5513c340c0d3fef74a40d1c4eac14ba": [[99, 139]], "HASH: 108b8d2d16aa2245253d3c10543774ce38c370589fbc3818a6137cf7d162b825": [[192, 256]], "HASH: 0ddf3dd5691f6ba2b36bedd64dac60ba8b4c2003c852bf9c4b3dcda648c0bbd3": [[310, 374]], "HASH: 4575a8e18191b195177ee4042949494b43d4a7c8": [[403, 443]], "IP_ADDRESS: 192.89.237.198": [[473, 487]], "TOOL: LaZagne": [[489, 496]]}, "info": {"id": "synth_v2_01977", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Qbot campaign:\nStage 1 dropper at C:\\Users\\admin\\Desktop\\ntds.dit - SHA256: 27c6321989e67ca79508f8e56e20efdac3e390fec8a73877b7f8cb1e80ddd8e2\nStage 2 loader at /opt/app/bin/backdoor.elf - SHA256: 5a436011d333cc54a292a8f4a43497a68c776c7838aff4db8591dc200d7cb8b9\nFinal payload at /home/user/.config/payload.bin - SHA256: 8bb08eeb6c994f0cd3ea43ffc45a3fb76e05aea3b1c39abb690f91456fd21f8e\nExfiltration module - MD5: 88a471c230391768d7f8ba8b1790248d\nAll stages communicated with 197.148.219.177. 
Havoc signatures detected in Stage 2.", "spans": {"MALWARE: Qbot": [[22, 26]], "FILEPATH: C:\\Users\\admin\\Desktop\\ntds.dit": [[56, 87]], "FILEPATH: /opt/app/bin/backdoor.elf": [[181, 206]], "FILEPATH: /home/user/.config/payload.bin": [[299, 329]], "HASH: 27c6321989e67ca79508f8e56e20efdac3e390fec8a73877b7f8cb1e80ddd8e2": [[98, 162]], "HASH: 5a436011d333cc54a292a8f4a43497a68c776c7838aff4db8591dc200d7cb8b9": [[217, 281]], "HASH: 8bb08eeb6c994f0cd3ea43ffc45a3fb76e05aea3b1c39abb690f91456fd21f8e": [[340, 404]], "HASH: 88a471c230391768d7f8ba8b1790248d": [[432, 464]], "IP_ADDRESS: 197.148.219.177": [[494, 509]], "TOOL: Havoc": [[511, 516]]}, "info": {"id": "synth_v2_01978", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for AsyncRAT campaign:\nStage 1 dropper at C:\\Users\\admin\\AppData\\Local\\Temp\\runtime.dll - MD5: 4c3c69673167f03276f847009a5ce3bf\nStage 2 loader at C:\\Windows\\Temp\\svchost.exe - MD5: ebc24af121e0690b13319f14f9ad3930\nFinal payload at C:\\Windows\\System32\\taskhost.exe - SHA1: ca3265b2cbe04e531eed166debd7efe42346ed28\nExfiltration module - MD5: 07b6d974738efeb4171809efb4a1a2e3\nAll stages communicated with 107.167.150.92. 
PsExec signatures detected in Stage 2.", "spans": {"MALWARE: AsyncRAT": [[22, 30]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\runtime.dll": [[60, 105]], "FILEPATH: C:\\Windows\\Temp\\svchost.exe": [[164, 191]], "FILEPATH: C:\\Windows\\System32\\taskhost.exe": [[249, 281]], "HASH: 4c3c69673167f03276f847009a5ce3bf": [[113, 145]], "HASH: ebc24af121e0690b13319f14f9ad3930": [[199, 231]], "HASH: ca3265b2cbe04e531eed166debd7efe42346ed28": [[290, 330]], "HASH: 07b6d974738efeb4171809efb4a1a2e3": [[358, 390]], "IP_ADDRESS: 107.167.150.92": [[420, 434]], "TOOL: PsExec": [[436, 442]]}, "info": {"id": "synth_v2_01979", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Royal campaign:\nStage 1 dropper at /tmp/payload.bin - SHA256: b0cfa2721a8b6a7309101bd87646148d837b4d6d6a8de32a78889ded4d9841f1\nStage 2 loader at /var/tmp/agent.py - SHA1: 646c44f1b445e2676eb8121bee8b1240c81ddcf1\nFinal payload at /opt/app/bin/helper.sh - SHA1: c54686ffee846c752987e1eb34720ae0ab396eff\nExfiltration module - SHA256: f7326c08024d3709fd6f6f0bc959382c9ba86fea13d7e4e87b3f634a17e71d31\nAll stages communicated with 107.82.67.199. 
Chisel signatures detected in Stage 2.", "spans": {"MALWARE: Royal": [[22, 27]], "FILEPATH: /tmp/payload.bin": [[57, 73]], "FILEPATH: /var/tmp/agent.py": [[167, 184]], "FILEPATH: /opt/app/bin/helper.sh": [[251, 273]], "HASH: b0cfa2721a8b6a7309101bd87646148d837b4d6d6a8de32a78889ded4d9841f1": [[84, 148]], "HASH: 646c44f1b445e2676eb8121bee8b1240c81ddcf1": [[193, 233]], "HASH: c54686ffee846c752987e1eb34720ae0ab396eff": [[282, 322]], "HASH: f7326c08024d3709fd6f6f0bc959382c9ba86fea13d7e4e87b3f634a17e71d31": [[353, 417]], "IP_ADDRESS: 107.82.67.199": [[447, 460]], "TOOL: Chisel": [[462, 468]]}, "info": {"id": "synth_v2_01980", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Play campaign:\nStage 1 dropper at /etc/cron.d/beacon.dll - SHA1: 6763316e86e659b21d74ad0aae76ba416d485030\nStage 2 loader at /etc/cron.d/agent.py - SHA1: 2b4d42ed33fe458eb4b875a7dff5e080eac8f0cc\nFinal payload at C:\\Windows\\System32\\svchost.exe - SHA1: a70e746d52aba02fceede966c3648c8100ea1f9e\nExfiltration module - MD5: 9d1a2a7d45a014a4252cb1d88f173ef1\nAll stages communicated with 10.103.119.208. 
Covenant signatures detected in Stage 2.", "spans": {"MALWARE: Play": [[22, 26]], "FILEPATH: /etc/cron.d/beacon.dll": [[56, 78]], "FILEPATH: /etc/cron.d/agent.py": [[146, 166]], "FILEPATH: C:\\Windows\\System32\\svchost.exe": [[233, 264]], "HASH: 6763316e86e659b21d74ad0aae76ba416d485030": [[87, 127]], "HASH: 2b4d42ed33fe458eb4b875a7dff5e080eac8f0cc": [[175, 215]], "HASH: a70e746d52aba02fceede966c3648c8100ea1f9e": [[273, 313]], "HASH: 9d1a2a7d45a014a4252cb1d88f173ef1": [[341, 373]], "IP_ADDRESS: 10.103.119.208": [[403, 417]], "TOOL: Covenant": [[419, 427]]}, "info": {"id": "synth_v2_01981", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Emotet campaign:\nStage 1 dropper at C:\\ProgramData\\implant.so - SHA1: ab3dc5201f48ab58c0a05def0e3f02011da1e79c\nStage 2 loader at C:\\ProgramData\\csrss.exe - MD5: 907363e9f86f20c6e9ac7bafa1a3b5a1\nFinal payload at C:\\Windows\\Tasks\\beacon.dll - SHA1: edd5adef8fa71768a84b78d0b28e60a4c84199ef\nExfiltration module - MD5: 98b815f5ed8c317264e1d537ea516758\nAll stages communicated with 23.58.40.92. 
Metasploit signatures detected in Stage 2.", "spans": {"MALWARE: Emotet": [[22, 28]], "FILEPATH: C:\\ProgramData\\implant.so": [[58, 83]], "FILEPATH: C:\\ProgramData\\csrss.exe": [[151, 175]], "FILEPATH: C:\\Windows\\Tasks\\beacon.dll": [[233, 260]], "HASH: ab3dc5201f48ab58c0a05def0e3f02011da1e79c": [[92, 132]], "HASH: 907363e9f86f20c6e9ac7bafa1a3b5a1": [[183, 215]], "HASH: edd5adef8fa71768a84b78d0b28e60a4c84199ef": [[269, 309]], "HASH: 98b815f5ed8c317264e1d537ea516758": [[337, 369]], "IP_ADDRESS: 23.58.40.92": [[399, 410]], "TOOL: Metasploit": [[412, 422]]}, "info": {"id": "synth_v2_01982", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Meduza Stealer campaign:\nStage 1 dropper at C:\\Users\\admin\\Desktop\\payload.bin - SHA1: 93340b9f1e731f93ed5a9cb5f5152f8e364dfb95\nStage 2 loader at /tmp/chrome_helper.exe - SHA1: 37778ccf5b641ba4cfdb0ca5ee3fde52c7e46cf8\nFinal payload at /etc/cron.d/helper.sh - SHA256: 49347bcb845b29752879daf1f5526e2b7395e63e9caadea3544e9a4fe4125c73\nExfiltration module - SHA1: f5d7e7f6f12c13fd250ae24b48c055ae9300fc44\nAll stages communicated with 192.37.57.92. 
Nmap signatures detected in Stage 2.", "spans": {"MALWARE: Meduza Stealer": [[22, 36]], "FILEPATH: C:\\Users\\admin\\Desktop\\payload.bin": [[66, 100]], "FILEPATH: /tmp/chrome_helper.exe": [[168, 190]], "FILEPATH: /etc/cron.d/helper.sh": [[257, 278]], "HASH: 93340b9f1e731f93ed5a9cb5f5152f8e364dfb95": [[109, 149]], "HASH: 37778ccf5b641ba4cfdb0ca5ee3fde52c7e46cf8": [[199, 239]], "HASH: 49347bcb845b29752879daf1f5526e2b7395e63e9caadea3544e9a4fe4125c73": [[289, 353]], "HASH: f5d7e7f6f12c13fd250ae24b48c055ae9300fc44": [[382, 422]], "IP_ADDRESS: 192.37.57.92": [[452, 464]], "TOOL: Nmap": [[466, 470]]}, "info": {"id": "synth_v2_01983", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for PlugX campaign:\nStage 1 dropper at /opt/app/bin/update.dll - SHA1: fa2b5e83a303db43635b96f4db41c77cf73be409\nStage 2 loader at C:\\ProgramData\\lsass.dmp - MD5: e49ef82a2ece08e96884cfa8769fc4b6\nFinal payload at /tmp/implant.so - SHA1: 2f1446ab1e68a193ff560aa3f0b350cd95d1921d\nExfiltration module - MD5: 5e03c45cbf87af540b3f78c7bb168f1f\nAll stages communicated with 6.188.224.210. 
Mythic signatures detected in Stage 2.", "spans": {"MALWARE: PlugX": [[22, 27]], "FILEPATH: /opt/app/bin/update.dll": [[57, 80]], "FILEPATH: C:\\ProgramData\\lsass.dmp": [[148, 172]], "FILEPATH: /tmp/implant.so": [[230, 245]], "HASH: fa2b5e83a303db43635b96f4db41c77cf73be409": [[89, 129]], "HASH: e49ef82a2ece08e96884cfa8769fc4b6": [[180, 212]], "HASH: 2f1446ab1e68a193ff560aa3f0b350cd95d1921d": [[254, 294]], "HASH: 5e03c45cbf87af540b3f78c7bb168f1f": [[322, 354]], "IP_ADDRESS: 6.188.224.210": [[384, 397]], "TOOL: Mythic": [[399, 405]]}, "info": {"id": "synth_v2_01984", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for TrickBot campaign:\nStage 1 dropper at /etc/cron.d/chrome_helper.exe - SHA1: b5beb5635baa396e227fd79331fd3442ad70105b\nStage 2 loader at C:\\Users\\admin\\AppData\\Local\\Temp\\implant.so - SHA1: 281eaefeabb72cf07ab45c7c6af14e11c6e31fd5\nFinal payload at C:\\ProgramData\\update.dll - SHA256: 0a54faf272ad58bf7b7ace7a3b8de248c3a3bfb75c715bbced6b4520a4ba0f0a\nExfiltration module - SHA256: 24df310619e615c0b8148ee3070511cdce287633d9ce73863bf64fa608d2fe7b\nAll stages communicated with 76.113.7.10. 
Sharphound signatures detected in Stage 2.", "spans": {"MALWARE: TrickBot": [[22, 30]], "FILEPATH: /etc/cron.d/chrome_helper.exe": [[60, 89]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\implant.so": [[157, 201]], "FILEPATH: C:\\ProgramData\\update.dll": [[268, 293]], "HASH: b5beb5635baa396e227fd79331fd3442ad70105b": [[98, 138]], "HASH: 281eaefeabb72cf07ab45c7c6af14e11c6e31fd5": [[210, 250]], "HASH: 0a54faf272ad58bf7b7ace7a3b8de248c3a3bfb75c715bbced6b4520a4ba0f0a": [[304, 368]], "HASH: 24df310619e615c0b8148ee3070511cdce287633d9ce73863bf64fa608d2fe7b": [[399, 463]], "IP_ADDRESS: 76.113.7.10": [[493, 504]], "TOOL: Sharphound": [[506, 516]]}, "info": {"id": "synth_v2_01985", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Gootloader campaign:\nStage 1 dropper at C:\\Windows\\System32\\svchost.exe - SHA256: 0be3b838d217897a6578b21470ae6c4635600775b6ce9fe6177dbafbfdac24b2\nStage 2 loader at C:\\Users\\admin\\Desktop\\winlogon.exe - MD5: 5e0a17218d12f86420a812dfbce8d17d\nFinal payload at C:\\Users\\admin\\Desktop\\shell.php - MD5: c8dbea38ec7a86b3140b5c6649dd38ee\nExfiltration module - SHA256: 48f3032b2afa80f2247dbfc4f02de0cd3851114bcceda4977c051b609a56885d\nAll stages communicated with 165.211.96.142. 
CrackMapExec signatures detected in Stage 2.", "spans": {"MALWARE: Gootloader": [[22, 32]], "FILEPATH: C:\\Windows\\System32\\svchost.exe": [[62, 93]], "FILEPATH: C:\\Users\\admin\\Desktop\\winlogon.exe": [[187, 222]], "FILEPATH: C:\\Users\\admin\\Desktop\\shell.php": [[280, 312]], "HASH: 0be3b838d217897a6578b21470ae6c4635600775b6ce9fe6177dbafbfdac24b2": [[104, 168]], "HASH: 5e0a17218d12f86420a812dfbce8d17d": [[230, 262]], "HASH: c8dbea38ec7a86b3140b5c6649dd38ee": [[320, 352]], "HASH: 48f3032b2afa80f2247dbfc4f02de0cd3851114bcceda4977c051b609a56885d": [[383, 447]], "IP_ADDRESS: 165.211.96.142": [[477, 491]], "TOOL: CrackMapExec": [[493, 505]]}, "info": {"id": "synth_v2_01986", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Play campaign:\nStage 1 dropper at C:\\Users\\admin\\Desktop\\runtime.dll - SHA256: b38f5ac30bb8990a0369fb56347aef217e8126ef2bd02ab0c7487ea6a45ab633\nStage 2 loader at C:\\Users\\admin\\Downloads\\lsass.dmp - SHA1: ea97080547fe94f7485c5c8bb0bf3af92c53258a\nFinal payload at C:\\Windows\\Tasks\\ntds.dit - SHA1: 4f406d18f5f1cb656d368b0e1f1398dfa01cd15c\nExfiltration module - SHA256: 0a21ea8262870079d1956ae565349c47664bb3b4ec35cdb65ae2197d7704b1c8\nAll stages communicated with 10.158.126.21. 
WinPEAS signatures detected in Stage 2.", "spans": {"MALWARE: Play": [[22, 26]], "FILEPATH: C:\\Users\\admin\\Desktop\\runtime.dll": [[56, 90]], "FILEPATH: C:\\Users\\admin\\Downloads\\lsass.dmp": [[184, 218]], "FILEPATH: C:\\Windows\\Tasks\\ntds.dit": [[285, 310]], "HASH: b38f5ac30bb8990a0369fb56347aef217e8126ef2bd02ab0c7487ea6a45ab633": [[101, 165]], "HASH: ea97080547fe94f7485c5c8bb0bf3af92c53258a": [[227, 267]], "HASH: 4f406d18f5f1cb656d368b0e1f1398dfa01cd15c": [[319, 359]], "HASH: 0a21ea8262870079d1956ae565349c47664bb3b4ec35cdb65ae2197d7704b1c8": [[390, 454]], "IP_ADDRESS: 10.158.126.21": [[484, 497]], "TOOL: WinPEAS": [[499, 506]]}, "info": {"id": "synth_v2_01987", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for SystemBC campaign:\nStage 1 dropper at /var/tmp/implant.so - SHA1: 4cdae49ff61b0bed3bbb0baf5cd4af97e88e1e45\nStage 2 loader at /dev/shm/chrome_helper.exe - SHA256: e7bff95e155d4c52cc881a267942c99c4c2da45e2651edc648b86af2ff697a38\nFinal payload at /usr/local/bin/taskhost.exe - MD5: 721007c6ff13c76d4a79dd21c2230607\nExfiltration module - MD5: f73248c6ad72af7460580dcf4813103e\nAll stages communicated with 172.149.68.152. 
Havoc signatures detected in Stage 2.", "spans": {"MALWARE: SystemBC": [[22, 30]], "FILEPATH: /var/tmp/implant.so": [[60, 79]], "FILEPATH: /dev/shm/chrome_helper.exe": [[147, 173]], "FILEPATH: /usr/local/bin/taskhost.exe": [[266, 293]], "HASH: 4cdae49ff61b0bed3bbb0baf5cd4af97e88e1e45": [[88, 128]], "HASH: e7bff95e155d4c52cc881a267942c99c4c2da45e2651edc648b86af2ff697a38": [[184, 248]], "HASH: 721007c6ff13c76d4a79dd21c2230607": [[301, 333]], "HASH: f73248c6ad72af7460580dcf4813103e": [[361, 393]], "IP_ADDRESS: 172.149.68.152": [[423, 437]], "TOOL: Havoc": [[439, 444]]}, "info": {"id": "synth_v2_01988", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Hive campaign:\nStage 1 dropper at /usr/local/bin/lsass.dmp - SHA256: 1bcb0a6eed1c296651a768bb74cc64d005c762063547ff12704940f80d60384f\nStage 2 loader at C:\\Users\\Public\\Documents\\agent.py - SHA256: 665e5f2d382cea6d7f9da97bb0d4d87569a997beaee37f85e1ac143aea71c46a\nFinal payload at /tmp/loader.exe - MD5: fceb7b43f0db4102ab6a7afcb092763c\nExfiltration module - SHA1: 8fa3b6f7705cbdcd5780d42a8039942081baad88\nAll stages communicated with 172.254.153.182. 
Covenant signatures detected in Stage 2.", "spans": {"MALWARE: Hive": [[22, 26]], "FILEPATH: /usr/local/bin/lsass.dmp": [[56, 80]], "FILEPATH: C:\\Users\\Public\\Documents\\agent.py": [[174, 208]], "FILEPATH: /tmp/loader.exe": [[301, 316]], "HASH: 1bcb0a6eed1c296651a768bb74cc64d005c762063547ff12704940f80d60384f": [[91, 155]], "HASH: 665e5f2d382cea6d7f9da97bb0d4d87569a997beaee37f85e1ac143aea71c46a": [[219, 283]], "HASH: fceb7b43f0db4102ab6a7afcb092763c": [[324, 356]], "HASH: 8fa3b6f7705cbdcd5780d42a8039942081baad88": [[385, 425]], "IP_ADDRESS: 172.254.153.182": [[455, 470]], "TOOL: Covenant": [[472, 480]]}, "info": {"id": "synth_v2_01989", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for SmokeLoader campaign:\nStage 1 dropper at /opt/app/bin/agent.py - SHA1: bc3596961e3c7d365d3e46e20a52b68e683361f9\nStage 2 loader at C:\\Users\\admin\\AppData\\Local\\Temp\\csrss.exe - SHA256: 839e132455cd1373f93bd1679955b0abdf6de865c08e35fcdaaa35d88ad90ae9\nFinal payload at /home/user/.config/beacon.dll - SHA1: d55c529b6dc988b95797fd47682c851fe2848e32\nExfiltration module - SHA1: b12f52d2d60e711afe4aca818a798910229bcb74\nAll stages communicated with 126.172.68.204. 
PsExec signatures detected in Stage 2.", "spans": {"MALWARE: SmokeLoader": [[22, 33]], "FILEPATH: /opt/app/bin/agent.py": [[63, 84]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\csrss.exe": [[152, 195]], "FILEPATH: /home/user/.config/beacon.dll": [[288, 317]], "HASH: bc3596961e3c7d365d3e46e20a52b68e683361f9": [[93, 133]], "HASH: 839e132455cd1373f93bd1679955b0abdf6de865c08e35fcdaaa35d88ad90ae9": [[206, 270]], "HASH: d55c529b6dc988b95797fd47682c851fe2848e32": [[326, 366]], "HASH: b12f52d2d60e711afe4aca818a798910229bcb74": [[395, 435]], "IP_ADDRESS: 126.172.68.204": [[465, 479]], "TOOL: PsExec": [[481, 487]]}, "info": {"id": "synth_v2_01990", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Gootloader campaign:\nStage 1 dropper at /home/user/.config/winlogon.exe - SHA1: f3d59a7e032067cfe774c2dcfe4e0371c99628f6\nStage 2 loader at C:\\Windows\\Tasks\\shell.php - SHA1: 0ccb754d0163a9d3b147bb32c12117997c42f052\nFinal payload at C:\\Users\\admin\\Downloads\\config.dat - MD5: 954158127a2206e1170710f60467b2a9\nExfiltration module - SHA256: fe5fbaed4f51015f72d170a524582a1d3ed889274ae06e62d270ac82ac268df4\nAll stages communicated with 178.151.13.187. 
Hashcat signatures detected in Stage 2.", "spans": {"MALWARE: Gootloader": [[22, 32]], "FILEPATH: /home/user/.config/winlogon.exe": [[62, 93]], "FILEPATH: C:\\Windows\\Tasks\\shell.php": [[161, 187]], "FILEPATH: C:\\Users\\admin\\Downloads\\config.dat": [[254, 289]], "HASH: f3d59a7e032067cfe774c2dcfe4e0371c99628f6": [[102, 142]], "HASH: 0ccb754d0163a9d3b147bb32c12117997c42f052": [[196, 236]], "HASH: 954158127a2206e1170710f60467b2a9": [[297, 329]], "HASH: fe5fbaed4f51015f72d170a524582a1d3ed889274ae06e62d270ac82ac268df4": [[360, 424]], "IP_ADDRESS: 178.151.13.187": [[454, 468]], "TOOL: Hashcat": [[470, 477]]}, "info": {"id": "synth_v2_01991", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Conti campaign:\nStage 1 dropper at C:\\Windows\\Temp\\svchost.exe - SHA1: 7cca2341bb85488bb380ab1f58d9d61901236c09\nStage 2 loader at C:\\Users\\Public\\Documents\\agent.py - MD5: 0ef0832f8007827bb0e92b82cbfd7d4c\nFinal payload at C:\\Users\\admin\\Desktop\\taskhost.exe - SHA256: 560de4ce64a64fe8161221872335ada988e0e8495a580e5247591b3c6a52e839\nExfiltration module - SHA256: 59b397023dc826d4bd790929c2b6d80b609aba656724c593d579a6fb58ce65d9\nAll stages communicated with 115.164.143.96. 
Seatbelt signatures detected in Stage 2.", "spans": {"MALWARE: Conti": [[22, 27]], "FILEPATH: C:\\Windows\\Temp\\svchost.exe": [[57, 84]], "FILEPATH: C:\\Users\\Public\\Documents\\agent.py": [[152, 186]], "FILEPATH: C:\\Users\\admin\\Desktop\\taskhost.exe": [[244, 279]], "HASH: 7cca2341bb85488bb380ab1f58d9d61901236c09": [[93, 133]], "HASH: 0ef0832f8007827bb0e92b82cbfd7d4c": [[194, 226]], "HASH: 560de4ce64a64fe8161221872335ada988e0e8495a580e5247591b3c6a52e839": [[290, 354]], "HASH: 59b397023dc826d4bd790929c2b6d80b609aba656724c593d579a6fb58ce65d9": [[385, 449]], "IP_ADDRESS: 115.164.143.96": [[479, 493]], "TOOL: Seatbelt": [[495, 503]]}, "info": {"id": "synth_v2_01992", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for BlackCat campaign:\nStage 1 dropper at C:\\Users\\admin\\AppData\\Local\\Temp\\csrss.exe - SHA256: a16a35403663a1262b4080e869303cc5f48c6278af283b0ebb6118822bc25c9f\nStage 2 loader at C:\\Windows\\Tasks\\implant.so - SHA1: c61f85d8f083079b4c2d2f2188786d1c8dc6d201\nFinal payload at C:\\Users\\admin\\Desktop\\lsass.dmp - SHA1: 2d1f09ae91bf2bf9f10c5e61138fdea4d3a2bbcf\nExfiltration module - SHA1: 5fb3b7373a3f44942e0d0dd1b14ab29a34ce1912\nAll stages communicated with 153.90.110.61. 
LinPEAS signatures detected in Stage 2.", "spans": {"MALWARE: BlackCat": [[22, 30]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\csrss.exe": [[60, 103]], "FILEPATH: C:\\Windows\\Tasks\\implant.so": [[197, 224]], "FILEPATH: C:\\Users\\admin\\Desktop\\lsass.dmp": [[291, 323]], "HASH: a16a35403663a1262b4080e869303cc5f48c6278af283b0ebb6118822bc25c9f": [[114, 178]], "HASH: c61f85d8f083079b4c2d2f2188786d1c8dc6d201": [[233, 273]], "HASH: 2d1f09ae91bf2bf9f10c5e61138fdea4d3a2bbcf": [[332, 372]], "HASH: 5fb3b7373a3f44942e0d0dd1b14ab29a34ce1912": [[401, 441]], "IP_ADDRESS: 153.90.110.61": [[471, 484]], "TOOL: LinPEAS": [[486, 493]]}, "info": {"id": "synth_v2_01993", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for StealC campaign:\nStage 1 dropper at C:\\Windows\\Temp\\update.dll - SHA1: e9b797d94ae1178b104797db9bdd56c42eea6d4f\nStage 2 loader at C:\\Windows\\System32\\csrss.exe - MD5: 2a8a5d728d5fb332a7fd50432fc7db4a\nFinal payload at /etc/cron.d/runtime.dll - SHA256: b567e13943128c3d7e0c143b81491b37ae47127ed0a89a38c7837dfce3033336\nExfiltration module - SHA1: 073c9bd061596e02a6a09534583f6fff57512939\nAll stages communicated with 192.189.204.178. 
Hashcat signatures detected in Stage 2.", "spans": {"MALWARE: StealC": [[22, 28]], "FILEPATH: C:\\Windows\\Temp\\update.dll": [[58, 84]], "FILEPATH: C:\\Windows\\System32\\csrss.exe": [[152, 181]], "FILEPATH: /etc/cron.d/runtime.dll": [[239, 262]], "HASH: e9b797d94ae1178b104797db9bdd56c42eea6d4f": [[93, 133]], "HASH: 2a8a5d728d5fb332a7fd50432fc7db4a": [[189, 221]], "HASH: b567e13943128c3d7e0c143b81491b37ae47127ed0a89a38c7837dfce3033336": [[273, 337]], "HASH: 073c9bd061596e02a6a09534583f6fff57512939": [[366, 406]], "IP_ADDRESS: 192.189.204.178": [[436, 451]], "TOOL: Hashcat": [[453, 460]]}, "info": {"id": "synth_v2_01994", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for RedLine Stealer campaign:\nStage 1 dropper at /tmp/taskhost.exe - SHA256: 666b9995b6355c0b8727da604c0bf6fb505fe2e4fb0e6a5ff2b8c9e77eb48ebd\nStage 2 loader at C:\\Users\\admin\\Downloads\\csrss.exe - MD5: 09d8685246bf38b0ecadfff7aa9c1085\nFinal payload at C:\\Users\\admin\\Downloads\\agent.py - MD5: 478844240b8d53ad45ef53af836e004c\nExfiltration module - SHA1: 7cb6d96d5cd6621b9c2ae28c02684b0ed9f96c0c\nAll stages communicated with 207.16.62.57. 
LaZagne signatures detected in Stage 2.", "spans": {"MALWARE: RedLine Stealer": [[22, 37]], "FILEPATH: /tmp/taskhost.exe": [[67, 84]], "FILEPATH: C:\\Users\\admin\\Downloads\\csrss.exe": [[178, 212]], "FILEPATH: C:\\Users\\admin\\Downloads\\agent.py": [[270, 303]], "HASH: 666b9995b6355c0b8727da604c0bf6fb505fe2e4fb0e6a5ff2b8c9e77eb48ebd": [[95, 159]], "HASH: 09d8685246bf38b0ecadfff7aa9c1085": [[220, 252]], "HASH: 478844240b8d53ad45ef53af836e004c": [[311, 343]], "HASH: 7cb6d96d5cd6621b9c2ae28c02684b0ed9f96c0c": [[372, 412]], "IP_ADDRESS: 207.16.62.57": [[442, 454]], "TOOL: LaZagne": [[456, 463]]}, "info": {"id": "synth_v2_01995", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for RedLine Stealer campaign:\nStage 1 dropper at C:\\Windows\\Tasks\\csrss.exe - SHA256: 180ca30c3f8523e518e5d372e7a9cbd25dc71cb1de23d62bb03d73bb9653fb17\nStage 2 loader at C:\\Users\\Public\\Documents\\beacon.dll - SHA1: a1e96c735871a3ec2f2393f7d18bc9a2b827ddbd\nFinal payload at /var/tmp/runtime.dll - SHA256: 105475e8d68bd72b3077a10cf790d0e9a23b30279fb45c3124284b6b5916a667\nExfiltration module - SHA256: c3759e6e61dfe5c49f8816e6faedae49f6756efee1979eb7d3bb139ecd4d992b\nAll stages communicated with 172.72.150.214. 
Certutil signatures detected in Stage 2.", "spans": {"MALWARE: RedLine Stealer": [[22, 37]], "FILEPATH: C:\\Windows\\Tasks\\csrss.exe": [[67, 93]], "FILEPATH: C:\\Users\\Public\\Documents\\beacon.dll": [[187, 223]], "FILEPATH: /var/tmp/runtime.dll": [[290, 310]], "HASH: 180ca30c3f8523e518e5d372e7a9cbd25dc71cb1de23d62bb03d73bb9653fb17": [[104, 168]], "HASH: a1e96c735871a3ec2f2393f7d18bc9a2b827ddbd": [[232, 272]], "HASH: 105475e8d68bd72b3077a10cf790d0e9a23b30279fb45c3124284b6b5916a667": [[321, 385]], "HASH: c3759e6e61dfe5c49f8816e6faedae49f6756efee1979eb7d3bb139ecd4d992b": [[416, 480]], "IP_ADDRESS: 172.72.150.214": [[510, 524]], "TOOL: Certutil": [[526, 534]]}, "info": {"id": "synth_v2_01996", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Play campaign:\nStage 1 dropper at /opt/app/bin/chrome_helper.exe - SHA1: c84efe513c8ec15228d6afa5a20b681c823f9281\nStage 2 loader at /opt/app/bin/ntds.dit - SHA1: 0d548d270f993b66383c81b642299d8850696c7b\nFinal payload at /home/user/.config/agent.py - SHA256: c3ebb4eecf2ff44bf175c33687bd42a9fce23a99d5cd6904ef43597fa6b07f05\nExfiltration module - SHA256: bf9e95ae367322e03813d0996a0d979457881542f1ca66a75018d799cabcc9a9\nAll stages communicated with 141.243.35.118. 
Certutil signatures detected in Stage 2.", "spans": {"MALWARE: Play": [[22, 26]], "FILEPATH: /opt/app/bin/chrome_helper.exe": [[56, 86]], "FILEPATH: /opt/app/bin/ntds.dit": [[154, 175]], "FILEPATH: /home/user/.config/agent.py": [[242, 269]], "HASH: c84efe513c8ec15228d6afa5a20b681c823f9281": [[95, 135]], "HASH: 0d548d270f993b66383c81b642299d8850696c7b": [[184, 224]], "HASH: c3ebb4eecf2ff44bf175c33687bd42a9fce23a99d5cd6904ef43597fa6b07f05": [[280, 344]], "HASH: bf9e95ae367322e03813d0996a0d979457881542f1ca66a75018d799cabcc9a9": [[375, 439]], "IP_ADDRESS: 141.243.35.118": [[469, 483]], "TOOL: Certutil": [[485, 493]]}, "info": {"id": "synth_v2_01997", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for WarmCookie campaign:\nStage 1 dropper at /tmp/csrss.exe - SHA256: 6f87f8c11922a7310941edda8a85d486e96066d1c2f525e2cac7ae42239726d5\nStage 2 loader at C:\\ProgramData\\update.dll - SHA256: 5a3d228830583c1eb8381e9cef6ffa15f0094f0fb480e0f16af304c54b5155d4\nFinal payload at /etc/cron.d/backdoor.elf - MD5: 889a93d0230f2675d55bb03f02cd197e\nExfiltration module - SHA1: 74dbc436d395bd3173e6021f5a2b3f376a73d107\nAll stages communicated with 172.221.81.185. 
Mythic signatures detected in Stage 2.", "spans": {"MALWARE: WarmCookie": [[22, 32]], "FILEPATH: /tmp/csrss.exe": [[62, 76]], "FILEPATH: C:\\ProgramData\\update.dll": [[170, 195]], "FILEPATH: /etc/cron.d/backdoor.elf": [[288, 312]], "HASH: 6f87f8c11922a7310941edda8a85d486e96066d1c2f525e2cac7ae42239726d5": [[87, 151]], "HASH: 5a3d228830583c1eb8381e9cef6ffa15f0094f0fb480e0f16af304c54b5155d4": [[206, 270]], "HASH: 889a93d0230f2675d55bb03f02cd197e": [[320, 352]], "HASH: 74dbc436d395bd3173e6021f5a2b3f376a73d107": [[381, 421]], "IP_ADDRESS: 172.221.81.185": [[451, 465]], "TOOL: Mythic": [[467, 473]]}, "info": {"id": "synth_v2_01998", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for LockBit campaign:\nStage 1 dropper at /usr/local/bin/runtime.dll - MD5: c47a32415b722653860ffc11a89e6675\nStage 2 loader at /tmp/taskhost.exe - SHA256: 808a9908c1b60e10f9b0b023ed17f4ea826beab1ab01ab4294d17d61cfaa6405\nFinal payload at C:\\Program Files\\Common Files\\chrome_helper.exe - SHA1: be6ab38376884a37609a1587c9a513ba57b36293\nExfiltration module - MD5: df98cbfd34e5ff436b38d928b0f6fb50\nAll stages communicated with 192.215.243.143. 
Mimikatz signatures detected in Stage 2.", "spans": {"MALWARE: LockBit": [[22, 29]], "FILEPATH: /usr/local/bin/runtime.dll": [[59, 85]], "FILEPATH: /tmp/taskhost.exe": [[144, 161]], "FILEPATH: C:\\Program Files\\Common Files\\chrome_helper.exe": [[254, 301]], "HASH: c47a32415b722653860ffc11a89e6675": [[93, 125]], "HASH: 808a9908c1b60e10f9b0b023ed17f4ea826beab1ab01ab4294d17d61cfaa6405": [[172, 236]], "HASH: be6ab38376884a37609a1587c9a513ba57b36293": [[310, 350]], "HASH: df98cbfd34e5ff436b38d928b0f6fb50": [[378, 410]], "IP_ADDRESS: 192.215.243.143": [[440, 455]], "TOOL: Mimikatz": [[457, 465]]}, "info": {"id": "synth_v2_01999", "source": "synthetic_v2"}} +{"text": "Artifact Analysis for Vidar campaign:\nStage 1 dropper at /dev/shm/beacon.dll - MD5: d40888ea6f08d7e535f0845be1a845e7\nStage 2 loader at /opt/app/bin/taskhost.exe - SHA256: e99339e49abe6312c43636f34542491017885d181f2748f907e600768f23c2b3\nFinal payload at /opt/app/bin/helper.sh - SHA1: 0d13549dcb7d87b52f38e7dbe1452806e08b5e6c\nExfiltration module - SHA1: 9eb1cac59ccc705330f998659e4ebccc436fe574\nAll stages communicated with 203.70.24.178. PowerView signatures detected in Stage 2.", "spans": {"MALWARE: Vidar": [[22, 27]], "FILEPATH: /dev/shm/beacon.dll": [[57, 76]], "FILEPATH: /opt/app/bin/taskhost.exe": [[135, 160]], "FILEPATH: /opt/app/bin/helper.sh": [[253, 275]], "HASH: d40888ea6f08d7e535f0845be1a845e7": [[84, 116]], "HASH: e99339e49abe6312c43636f34542491017885d181f2748f907e600768f23c2b3": [[171, 235]], "HASH: 0d13549dcb7d87b52f38e7dbe1452806e08b5e6c": [[284, 324]], "HASH: 9eb1cac59ccc705330f998659e4ebccc436fe574": [[353, 393]], "IP_ADDRESS: 203.70.24.178": [[423, 436]], "TOOL: PowerView": [[438, 447]]}, "info": {"id": "synth_v2_02000", "source": "synthetic_v2"}}
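Review bot: the templated records in this tail (synth_v2_01992 through synth_v2_02000) combine platform-specific artifacts incoherently, which will teach an NER model spurious co-occurrences; for example a Windows path with a Linux shared object (`C:\\Windows\\Tasks\\implant.so`), a DLL under a cron directory (`/etc/cron.d/runtime.dll`), and `ntds.dit` under `/opt/app/bin`. Constrain the generator so each sampled FILEPATH (directory and extension) and TOOL is drawn from a single platform per record, and consider exposing the template family in the `info` object so consumers can deduplicate the near-identical "Artifact Analysis for ... campaign" records. Also, the IP_ADDRESS values here are unmarked public-looking addresses (153.90.110.61, 207.16.62.57, 192.215.243.143) while the URLs elsewhere are defanged with `hxxps://`; for synthetic data, draw addresses from the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) or defang them consistently so the file cannot be mistaken for a live indicator list.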