🚨#DarkCloud, New research of this #malware #stealer. Seen in numerous campaigns, hits companies and users for all kinds of information🚨. 🔗Full Analysis: #RE #intel #threat #malwareanalysis #infosec #cti

#IOC. 8930abf86e2e94b1a4b373e25d01f2ff.e5cfa25f8f3fab90dc1777ac1b96c890.29e584797a4c1bb71e8c1c018bd431ad.4cc371651f43e31df87b9f08013a14f6.13c5617da56d8b821e6acd1d5c8f8780.2f1b002352c3a5469f5708de756f3f76.85ba2585c44c95c9ab40fffa2cdd6e36. 🔗VT:

#TTP. 📩[T1566.001] Spear-Phishing.👥[T1036] Bait PDF.🗂️[T1204.002] LNK.📥[T1105] Download next stage.⚓️[T1053] Persistence over Tasks.🧩[T1140] Decrypt code.💉[T1055] Inject SC in mem.🕷️[T1082] Get device & user info.📡[T1071] C&C communication

#APT #Patchwork #DroppingElephant #WhiteElephant #threat #malware. 📍🇮🇳.💥🇵🇰🇨🇳🌏. ⛓️ #Phishing > LNK > PS > Download > Bait doc + exe > Task persistence > exe decrypt SC + Load > #RAT > Info Collection > #C2. 🔗QiAnXin:

#IOC. f4cd4449e556b0580c2282fec1ca661f.d1ec20144c83bba921243e72c517da5e.16d30316a6b700c78d021df5758db775.a6598bbdc947286c84f951289d14425c.07fbf46d3a595a6f82e477ed4571294b. 🔗VT:

#TTP. 📩[T1566.001] Spear-Phishing .🧩[T1140] Decrypt code.📇[T1218.005] HTA exec.📜[T1059.005] VBS script.🔃[T1218.010] Abuse of regsvr to load dll.📥[T1105] Download Next stage.🕷️[T1082] Get device info.⚓️[T1053] Persistence tasks.👥[T1105] Copy Itself (dll).📡[T1071] C&C

#APT #Kimsuky #VelvetChollima #Thallium #malware #HappyDoor #threat. 📍🇰🇵.💥🇰🇷🇺🇸🇪🇺🌏. ⛓️ #Phishing > Bandizip > regsvr32+dll & mshta (.HTA) exec > #VBS + Load > Steal info > Persistence in Tasks > #C2 . 🔗360 Threat Intel:

#IOC. b15cadf2a4e6670c075f80d618b26093.e5c4f8ad27df5aa60ceb36972e29a5fb.d4db59139f2ae0b5c5da192d8c6c5fa0.hxxp://june[.]drydate[.]p-e[.]kr. 🔗VT:

#TTP . 👥[T1036] Fake PDF extension.🧩[T1140] Decrypt code.📥[T1620] Load code in mem.⚓️[T1053] Persistence over Tasks.🕷️[T1082] Get device info.📡[T1071] C&C

#APT #Kimsuky #VelvetChollima #Thallium #malware #threat. 📍🇰🇵.💥🇰🇷🌏. ⛓️ #Phishing | Watering Hole | Social Eng > Exe decryptor (pdf extension) + DLL (#Endoor) > Exe decrypt & load code > Task Persistence > Device + User Info > #C2. 🔗QiAnXin report:

#IOC. 452cd18570471e80dd6bf34addede334.d5a3766e744a563278b18267d6bd7113.c763ecf315481525afcd47c5f32c1fd7.68fbe197c62a3777d2299f9eabed2c70.43e4260c595b20e357be75c0c1fbec29.d24c797f94933a3ec5227a6f57e15358.c8c21b4642f12c28f6e5e0389bbf8c36. 🔗VT:

#TTP. ✉️[T1566.001] Spear-Phishing .👥[T1036] Fake PDF.📥[T1105] Download next stage (G Cloud).🧩[T1140] Decrypt file info.⚓️[T1053] Task to persistence.🔋[T1543.003] Create Service.🕷️[T1555.003] Info from browsers.🕷️[T1560] Steal docs/pdf/xls. 📡[T1567.002] C&C exfil

#APT #APT36 #TransparentTribe #MythicLeopard #threat #malware #Disgomoji. 📍🇵🇰.💥🇮🇳🌏. ⛓️#Phishing > ZIP > PDF bait + psw file > Download next (Curl G Drive) > #Disgomoji + Aux files > Persistence Task > Steal info > #C2. 🔗360 Advanced Threat intel:

#IOC + related info. 60d49d1dce771612aa87b885db493147.des-cinema-democrat-san.trycloudflare[.]com/history.mit-walking-endorsed-lc.trycloudflare[.]com/restringent. 🔗VT: 🧬Related:

#TTP. 📩[T1566.001] Spear-Phishing.📜[T1059.005] VBS script execution.®️[T1112] Registry with C2 info.🗂️[T1204.002] LNK as PDF/DOC.⚓️[T1053] Persistence over Tasks.🕷️[T1082] Get device & user info.📦[T1012] Collect info & registry (Created before).📡[T1071] C&C communication

#APT #Gamaredon #TridentUrsa #BlueAlpha #PrimitiveBear #threat #malware. 📍🇷🇺.💥🪖🌍. ⛓️#Phishing > #VBS dopped > decode + VBS script > TMP folder file > Public folder copy > Task Persistence > Collect info > #C2. 🔗360 Advanced Threat Research:

#IOC. e39413d9a67acbc5df2d8b8c0a170f4b.8157be7acc05f719dc125d677133ca40.c13dfd03cbdd66c0d6d53eb55ba9d551.2f1c58c7214471c28283b9e161ceed1c.f8e30dad9130bbc04164dda4f31a1b23. 🔗VT:

#TTP. 📩[T1566.001] Spear-Phishing.🗂️[T1137.001] Macros.👥[T1036] Fake ppt & fake traffic to github.📥[T1105] Download next stage.⚓️[T1053] Persistence over Tasks.🕷️[T1082] Get device & user info.🧩[T1027.013] Domain XOR info.📡[T1071] C&C communication

#APT #Patchwork #DroppingElephant #WhiteElephant & #DONOT #threat #malware. 📍🇮🇳.💥🇵🇰🇧🇩🇱🇰🌏. ⛓️ #Phishing > ppt+VBA macro | #Spyder > Download DLL+Rundll32 exec | Fake ppt > #C2 check > Persistence (Tasks) > Info Collection > #C2. 🔗QiAnXin:

#IOC. 81c08366ea7fc0f933f368b120104384.723f80d1843315717bc56e9e58e89be5.7822e53536c1cf86c3e44e31e77bd088.324688238c42d7190a2b50303cbc6a3c.a635bd019674b25038cd8f02e15eebd2.beeaca6a34fb05e73a6d8b7d2b8c2ee3. 🔗VT:

#TTP . ✉️[T1566.001] Spear-Phishing .📥[T1105] Download next stage (Dropbox).📇[T1027.012] LNK file.📜[T1059] PS & BAT script execution.👥[T1620] Load #RokRat SC (BAT/PS execution).🧩[T1140] Decrypt PE (#RokRat).🕷️[T1082] System info collection.📡[T1071.001] C&C