#Censys Queries for North Korea's #Kimsuky #APT Infra. 1)services.http.response.body_hashes="sha256:e5bd74ceee37fce5805dfdd7dd38df39411f4997fdcc7ab223b0589840111669".2)services.http.response.body="Million OK !!!!". IOCs: Note: Domains are enriched from VT.

#Fofa Query for #APT37 / #RicochetChollima / #ScarCruft #APT. Query: banner="Location: && server="Apache". Link: Infra: #Malware #ioc #APT

#Fofa Query for #SideWinder #APT Targeting #Pakistan Govt entities. Query: .title="Ministry of Interior Pakistan" . {or}.fid="7ScatbeyuWf5T8iQrNzPxQ==". Link: Infra: @500mk500 #Malware #ioc

#APT36 / #TransparentTribe Go-based malware . File: myprogram.exe.33e1da22fb1068c73c033e3bc6bd3f1e.C2: modgovin.onthewifi[.]com:11520. File: output.exe.12c7e30db0c3eb636d11702baf254c0a.C2: 101.99.92[.]182:9080. defence-nic.3utilities[.]com.drdo-mss.serveirc[.]com. #Malware #ioc

RT @fofabot: Exciting news!🥳🥳.We've launched FOFA AI beta ver, an automatical attack surface discovery platform powered by AI Agents. If i….

#Fofa Query for #APT42 / #GreenCharlie / #CharmingKitten Infra. Query: fid="A9oetQ7WFEnaRCbnVezkSA==" && server=="Apache/2.4.52 (Ubuntu)". Link: Infra: @500mk500 @MichalKoczwara #Malware #ioc

Latest #Reshell #Backdoor sample of #EarthKrahang #APT targeting #Vietnam 🇻🇳. File: <no-name>.zip.MD5: b565d87c8ecabb01140fd966253c5836. File: ClientApp.exe.MD5: 760e15c07658bf63ede7994ac01f9d28.C2: 118.107.221[.]43:5000. Related: #Malware #ioc

#Sidewinder #APT is dropping its favorite RTF file while launching multiple phishing campaigns. Target countries: 🇱🇰 🇧🇩 🇵🇰 🇳🇵 🇲🇲 🇲🇻 🇮🇩. We have consolidated all infra and are available at: . @500mk500 (for update if any new infra) #Malware #ioc

#CrimsonRAT Payloads of #APT36 / #TransparentTribe. imrthirs irndga.exe (02).25c0eb541818b569c0448b32ce5f911e.91ed5b3797fef26a8d0ad35277b10686. jimasvrn imthv.exe.fec10dbb7d3afa0a4714345b3f96c08d. C2: 212.56.45[.]254: {9525, 24224 & 28822}. signature: { infrwodao=command }. #RAT

Latest #Pakistan's #SideCopy #APT Targeting #Indian Govt. entities with the python-based #Ares #RAT Malware. Infra: Note: Infection chain of the campaign and other details are explained in the screenshot. @500mk500 @PrakkiSathwik #Malware #ioc

#Fofa Query for #APT35 / #CharmingKitten Latest Infra. #Query: fid="1lmXjCUdHBUj9pgeMNTlXQ==". Link: Infra (Latest): @MichalKoczwara @500mk500 #APT #Malware #IOC. Note: Most of the domains theme related to "meeting".

[2/2]. Infra:.185.235.137[.]195:3311.185.235.137[.]195:3309.server1.securenesst[.]com.securenesst[.]com.hxxps://expressholidays.co[.]in/ups/r.php. @500mk500 #APT36 #TransparentTribe #CrimsonRAT #Malware #ioc.

[1/2]. #APT36 / #TransparentTribe 's #CrimsonRAT Campaign through HTML Frame attack. File: presentation.accdb (it executes a VBA script).30908d3c69dc8aaa0368b3a3593eb66c. File: Syssm.exe (dropped by VBA script from "expressholidays[.]co[.]in").e948aa916d1f9f9b5bba72ad7de7e27f

#APT36 / #TransparentTribe dropping #ElizaRAT using CPL (Control Panel) file. File: Audit Objection's Document.rar (Pass-protected hosted on G-Drive).MD5: e7152c45fb4c2df442ef069d30daca40. File: Audit Objection's Document.cpl.MD5: 0f527665709f76a34b5612829293c849. #Malware #ioc

Fofa Query for #Kimsuky #APT / #APT43 / #VelvetChollima. Query: icon_hash="-545893547" && os!="". Link: Infra: Note: Most of the infra hosted in South Korea (AS135377, AS4766, AS20473), France & USA. @500mk500 #Malware #ioc

[2/2]. #SideCopy #APT Infra:.176.65.143[.]215 (AS - Dolphin 1337 Limited).ministryofdefenceindia[.]org.departmentofdefence[.]de. @500mk500 #Malware #ioc.

[1/2]. Latest Undetected #SideCopy #APT sample (VT-0). File: Alleged Case of Sexual Harassment by Senior Army Officer.pdf .MD5: 00cd306f7cdcfe187c561dd42ab40f33.POST C2: hxxps://indianarmy.nic.in.departmentofdefence[.]de/publications/publications-site-main/index.htm

#Fofa Query for #MustangPanda #APT / #StatelyTaurus. Query: title="System Update Reminder". Link: Infra: Note: Some Infra enriched from VT. @500mk500 #Malware #ioc

#Fofa Query for #NomadPanda / #RedFoxtrot #APT 's campaign using #ShadowPad Cluster. #Query: "Microsoft Windows Publisher". Link: Infra (as on 5th Apr): @500mk500 (for update pls) #Backdoor #Malware #ioc

[2/2]. #Fofa Query: .jarm="21d19d00021d21d00021d19d21d21d43557f863337159163ca547c5ea19523" && asn="24940" && title=="404 Not Found" && server=="nginx" && "" && "" && cert="Not Before: 2025". #Vidar #Stealer #Malware #ioc.

[1/2]. Hunting for #Vidar #Stealer infra using #Fofa. Link: Infra: