I'm very glad to present my first huge report about #SideWinder #APT written in solo. I hope that this research will bring order to the attribution.

APT #CloudAtlas FUD #PowerShower. AdobeMon.ps1. powershell -w 01 -Exec Bypass -enc [base64_payload]. URL: hxxps://gimnazija[.]org/dmvc.html/bopyrus40

Related:.Susp #APT #SharpPanda.878-CV-DU.docx.Template URL: hxxp://38.54.31[.]43/WindowsTime/Fishing.png

Susp #APT #SharpPanda.out.png (#RoyalRoad RTF). WSWtmf.a (5t Downloader).6dfba2e6ae44c0efc5835e0c5838c5ea.C2: hxxp://38.54.31[.]43/WindowsTime/update.php?Data=<encrypted_data>.Task: WindowsUpdateTaskMachine - rundll32.exe %TEMP%\WSWtmf.a StartW. @nao_sec

#APT #CloudAtlas attacks #Belarus.Инженерная записка.doc.URLs:.hxxps://triger-working[.]com/en/about-us/unshelling.hxxps://triger-working[.]com/unshelling/c0.hxxps://web-telegrama[.]org/podcast/accademia-solferino/backtracker

Susp pro-Ukrainian #APT #StickyWerewolf now attacks #Poland. Wezwanie_swiadka.pdf.exe.d7ff05311350b4990ccd642a44679d1d. MicroWord.exe.542678c60cf6de9e6ca876e102b233e6. hxxps://share-files[.]pl/Wezwanie_swiadka.pdf. #Darktrack #RAT C2: 46.246.97[.]61:7412.Mutex: E4B6tMOXArC4kQ36

RT @nao_sec: Long time no see! #FirePeony (aka #SharpPanda) #RoyalRoad RTF -> 5.t Downloader.

#APT #Donot.Fax Copy 20 Dec 23.xls (no decoy, macros).Downloader nikes.exe.hxxps://life.natureplants[.]online/bvgdtye/yuetyt2tw4.hxxps://life.natureplants[.]online/gfvgdteo/loqtyntc2.User-Agent: "Microcrop org"

RT @cyb3rops: Introducing YARA-Forge ⚡️.- Streamlined Public YARA Rule Collection. Excited to share my latest project with the community ju….

RT @rivitna2: #DecoyDog #CLEFIA.Here are my Python scripts for DecoyDog :-).

#APT #Donot.Application to Consulate General.doc.URL: hxxp://speedrugg[.]info/ZKlVWfynYHjd1nm7/aXFwQpdVsYmKbkoWi9y9ZBzIkFE6GHxv0ePSSilV3Ai6F2Ir.(ico|png|mp3|mp4). Jaca sample (PE32+).C2: trigershop[.]info

RT @rivitna2: #Mallox #Mallab #Ransomware #Decryptor.ah6GlfAw$cV7LUHurrQq.

#APT #Donot.Program on Cyber Security Studies (PCSS-25-1).doc.URL: hxxp://harddive[.]info/hM2acgcg15KzzO9d/yErKU1yd97xzKdqmojnG9fMtjhAnu9dBrvXvBJJwbGqvxnxV.(ico|png|mp3|mp4). Jaca sample C2: bulkquantity[.]info

#APT #Donot.Fax Copy.xls.Downloader IxVr.exe.fdc74c66146828985c3f2cc8ef80c0f5.hxxps://records.mindef[.]live/bjhruhukuru/rkuahruhueike.hxxps://records.mindef[.]live/oiporoioqk/lporurkiqjffqe.User-Agent: FireFox 17.13. @DmitriyMelikov

Susp #APT #CloudAtlas.7bdb049cb0cc3623e4fa1d8e2574f1ce.1Table Template URL: hxxps://network-list[.]com?wkbi.html_handfeed

RT @rivitna2: #TgRAT 3.0.078125 (Linux version) dropper.

RT @AzakaSekai_: #VirusTotal just got back to us confirming that #Retrohunt quota is now counted on a per rule basis instead of per job WIT….

#APT #Donot.XLS:..URL: hxxp://thanrole[.]buzz/Ur7AdyiXFB1VNNl8/rHhiHSQwiAkySF9iqJEoCk7SOHz8DHf8zosMprQQOEERSk10.(ico|png|mp3|mp4). Jaca sample:.C2: adjusteble[.]info

#phishing.Be careful when buying theater/exhibition tickets. hxxps://culture-afisha[.]com/1.php.hxxps://culture-afisha[.]com/booking/card.php?id=<id>.hxxps://culture-afisha[.]com/booking/new_wait.php?id=<id>. @Namecheap

#APT #CloudAtlas РЕЗЮМЕ_e48ef291-9b7a-49af-8f12-708d09d9f0a3.1.doc (old sample).1Table Template URL: hxxps://supportpanel.agent-group[.]org/certificates/kainite

#APT #Donot.e.doc.URL: hxxp://mentsele[.]info/XA3JOnMP01TenAuE/442WpoKwPlGlPBMPFMI1q5TzgOKfNQXZhkIKRv9rfAgEQfC6.(ico|png|mp3|mp4). Jaca variant.DLL: mvcfinder32.dll.Export: blstingFindUpl, blstingFindUplP1.C2: gizgashineson[.]buzz (encoded: leasly[.]buzz)