Unit 42

@Unit42_Intel


The latest research and news from Unit 42, the Palo Alto Networks ( @paloaltontwks ) Threat Intelligence and Security Consulting Team covering incident response.

Joined December 2015
@Unit42_Intel
Unit 42
3 years
Today, we exposed "BendyBear," one of the most sophisticated, well-engineered and difficult-to-detect samples of shellcode employed by an APT, says the Unit 42 researcher who analyzed it.
4 years
🦈 Good news everyone! 🦈 @malware_traffic is back with another great #Wireshark tutorial - this one covers a recent infection with the information stealer Qakbot (aka Qbot).
3 years
In our latest Wireshark tutorial, we demonstrate how to prepare the environment, obtain a decryption key and use it to decrypt RDP traffic.
3 years
Love our Wireshark Tutorials? We've just released five free Wireshark Workshop videos from @malware_traffic
5 months
2023-12-07 (Thursday) - PDF file found on VirusTotal led to #DarkGate infection - Windows shortcut retrieved DarkGate install script from DNS TXT record - activity may have started as early as 2023-11-27 - IOCs available at #TimelyThreatIntel #Wireshark
7 months
2023-10-12 (Thursday): The latest example of #DarkGate malware distributed through Microsoft Teams. Attacker poses as target organization's CEO and sends victim a Teams invite. Message contains password-protected zip archive. IOCs available at
1 year
2023-01-16 (Monday) - Google ad led to fake software site sending malware. Post-infection activity for #Gozi ( #ISFB / #Ursnif ) and #RedlineStealer . Seeing this for different software searches. Indicators for an infection from a fake 7-Zip page available at
1 year
2023-01-31 (Tuesday) - #Qakbot ( #Qbot ) returns after one month hiatus, now using OneNote (.one) files as initial lure. Saw #CobaltStrike on 104.237.219[.]36 using ciruvowuto[.]com as the domain. Also saw VNC traffic from this infection. IoCs available at
1 year
2023-02-07 (Tuesday): Among the wave of #Qakbot malspam, we found an email with a #OneNote attachment pushing probable #Matanbuchus malware. IoCs from an infection run available at
1 year
2022-11-28 (Monday) - Thanks to @pr0xylife for sharing a #Qakbot ( #Qbot ) sample from today. We generated a Qakbot infection that led to #CobaltStrike ( #BEACON ) on 108.177.235[.]29:443 using jesofidiwi[.]com as its domain. IoCs available at
1 year
2023-01-23 (Monday) - Google ad led to a fake AnyDesk page. Distributed malicious .msi package first reported to VirusTotal in December 2022. This malware contacts a domain associated with #TA505 infrastructure from 2020. Indicators available at
4 years
🦈 Wireshark tutorials are back! 🦈 In this installment, @malware_traffic sinks his teeth into Ursnif, banking malware that has been active for years.
1 year
2022-12-29 (Thursday): Google ad leads to fake Adobe Reader page pushing malware. IOCs available at:
7 months
2023-10-03 (Tuesday) - #Pikabot infection led to #CobaltStrike HTTPS C2 traffic using zzerxc[.]com on 179.60.149[.]244:443. List of indicators available at . Thanks to the @Cryptolaemus1 crew for initially reporting today's Pikabot activity!
3 years
Learn how to use Wireshark to analyze malicious traffic caused by Windows-based malware with these free videos from @malware_traffic
2 years
2022-10-04 (Tuesday) - #HTMLsmuggling used to distribute #IcedID ( #Bokbot ) which led to #CobaltStrike - Unusual traffic over TCP port 8080 included plain text instructions to retrieve and run Cobalt Strike - IOCs available at
2 years
2022-07-21 (Thursday) - password-protected zip archive --> ISO --> Windows shortcut runs hidden DLL for #IcedID ( #Bokbot ) - Led to #DarkVNC on 212.114.52[.]91:8080 and #CobaltStrike on 194.135.24[.]240:443 - Full list of IOCs available at:
1 year
2022-11-07 (Monday) - We saw #IcedID ( #Bokbot ) again from an #Emotet infection. We also saw #Bumblebee malware during the same infection. IOCs available at
5 months
2023-11-20 (Monday): #DarkGate infection from probable email. List of IOCs available at #TimelyThreatIntel #Unit42ThreatIntel #Malware #Wireshark
3 years
New Wireshark tutorial! Learn about recent Emotet activity and get tips on identifying this malware based on traffic analysis.
1 year
2023-01-12 (Thursday) - #IcedID ( #Bokbot ) infection leads to #CobaltStrike using fepopeguc[.]com on 185.173.34[.]36:443 for its C2 traffic. List of indicators available at
15 days
Malicious activity tracked under the campaign #OperationMidnightEclipse is targeting CVE-2024-3400, which exploits a vulnerability in certain versions of PAN-OS software. This threat brief covers mitigations and product protections:
9 months
2023-08-09 (Wednesday) — Trojanized Webex .msix installer package contains PowerShell script to install #IcedID ( #Bokbot ). We also saw #BackConnect traffic and #KeyholeVNC from the infection. List of indicators available at
1 month
2024-03-19 (Tuesday): #DarkGate infection from malicious Excel file. Since last week, DarkGate started using AutoHotkey script instead of AutoIt script for its infection. Indicators from an infection available at #Unit42ThreatIntel #TimelyThreatIntel
1 year
2023-05-17 (Wednesday): Today, this week's BB28 #Qakbot -style distribution chain pushed #Pikabot instead of Qakbot. Followed up with #CobaltStrike using #DNSTunneling . We later saw additional Cobalt Strike traffic over HTTPS. List of IOCs available at
1 year
2023-04-03 (Monday) - IoC update: A consistently reliable indicator of #Qakbot ( #Qbot ) over the past few years has been C2 traffic using TCP port 65400. Since 2021-09-20, this has occurred on 23.111.114[.]52. However, today Qakbot TCP port 65400 traffic switched to 172.107.98[.]3
2 years
Threat actors using nation-state tradecraft have begun to adopt the pentest tool #BruteRatel C4
1 year
2023-03-07 (Tuesday) - Like @Cryptolaemus1 and many others, we've also seen new #Emotet #malspam and the associated malware (inflated Word docs and inflated Emotet DLL files) - Some IoCs from today's Emotet are available at
2 years
2022-02-02 (Wednesday) - Example of #CobaltStrike sent to an #Emotet -infected Windows client - Sample available at: - Cobalt Strike HTTPS C2 traffic on 66.42.65[.]229:443 at grizmit[.]com
9 months
The Unit 42 Managed Threat Hunting team observed #Mythic being delivered by #Blister and #Socgholish (Socgholish → Blister → Mythic). Mythic using makethumbmoney[.]com on 104.243.33[.]129:443 for its C2 traffic.
19 days
Our telemetry revealed an interesting case of #BoggySerpens ( #MuddyWater ) against a Middle East target: Persistence through scheduled task that runs PowerShell to abuse AutodialDLL registry key. AutodialDLL loads DLL for C2 framework. Details at
1 year
2022-11-03 (Thursday) - #Emotet once again pushing massive amounts of malspam. Researchers are now seeing #IcedID ( #Bokbot ) as follow-up activity. We've seen IcedID from Emotet before, especially in 2018 & 2019. IOCs for this new infection are available at
3 years
2021-10-07 (Thursday) - #Qakbot ( #Qbot ) infection with #CobaltStrike and #ANGRYPUPPY / #BloodHound reconnaissance activity - IOCs with link to malware/artifact samples (and link to more info about ANGRYPUPPY) available at:
2 years
2022-05-03 (Tuesday) - #ContactForms campaign pushes #Bumblebee malware, leads to #CobaltStrike - Cobalt Strike traffic seen from 4 different IP addresses using 3 different domains - IOCs from the infection are available at:
1 year
New #ransomware calling itself #CylanceRansomware targets #Windows and #Linux platforms. Mutex used in Windows: CylanceMutex. Extension used: .Cylance md5: 4601076b807ed013844ac7e8a394eb33 (Linux), 31ed39e13ae9da7fa610f85b56838dde (Windows) #LinuxSecurity
1 year
New #Linux #ransomware #Monti targets #ESXi . Similar to #Conti , but Monti uses extension .puuuk IoCs: monti5o7lvyrpyk26lqofnfvajtyqruwatlfaazgm3zskt3xiktudwid[.]onion/chat/c7c5b8b0703950c40e6614bf957f94c1/ Hash: edfe81babf50c2506853fd8375f1be0b7bebbefb2e5e9a33eff95ec23e867de1
6 months
2023-10-25 (Wednesday): #DarkGate malware distributed through fake invoice/billing emails with PDF attachments that spoof DocuSign. Indicators from an infection run are available at #TimelyThreatIntel #Wireshark #Unit42ThreatIntel
2 years
2022-05-23 (Monday) - #IcedID ( #Bokbot ) with #DarkVNC - chain of events: link --> zip --> Windows shortcut --> HTA --> EXE --> gzip binary --> IcedID post-infection traffic --> DarkVNC traffic - IOCs available at:
6 months
2023-10-17 (Tuesday): #TA577 #Pikabot infection with HTTPS #CobaltStrike traffic on 45.155.249[.]171:443 using ponturded[.]com. Thanks to the @Cryptolaemus1 group for their initial post on today's Pikabot activity! IOCs from our infection run available at
2 years
2022-09-29 (Thursday) - #Qakbot ( #Qbot ) infection led to HTTP #CobaltStrike traffic on 194.165.16[.]64:80 using onefile[.]icu as its domain. IOCs available at - Of note, Qakbot HTTPS C2 traffic during this infection used TLSv1.3 instead of TLSv1.2.
2 years
2022-01-12 (Wednesday) - Malspam campaign using links to download Excel Add-in files (.xll file extension) delivered #IcedID ( #Bokbot ) which led to #CobaltStrike and #DarkVNC activity. IOCs available at:
2 years
2021-11-15 (Monday) - #Matanbuchus Loader delivered #Qakbot ( #Qbot ) distribution tag obama128b - Led to spambot activity and #CobaltStrike - IOCs available at: - Unit42 originally reviewed Matanbuchus in June 2021 at:
3 months
2024-01-25 (Thursday): #DarkGate active again this week. IOCs from an infection run earlier today are available at #Unit42ThreatIntel #TimelyThreatIntel #IndicatorsOfCompromise #Wireshark #InfectionTraffic
7 months
2023-09-28 (Thursday) - #IcedID ( #Bokbot ) infection led to #BackConnect traffic and #KeyholeVNC on 172.86.75[.]88:443 and HTTPS traffic for #CobaltStrike on umomrmwa[.]com using 141.98.80[.]158:443. Details available at
2 years
2022-08-29 (Monday) - #MonsterLibra ( #TA551 / #Shathak ) pushed #IcedID ( #Bokbot ) and led to #CobaltStrike from hxxp://fumukav[.]com/web.dll - Cobalt Strike C2 on 45.147.229[.]157:443 used jevomukif[.]com - IOCs available at:
2 months
Increased visibility into the TTPs of Chinese hackers is one of the outcomes of the data leaks affecting Chinese IT company i-Soon (aka Auxun). Our observations link leaked texts to two Chinese-affiliated APTs.
6 months
2023-11-02 (Thursday) - Like many others, we've also seen #TA577 #Pikabot activity throughout this week. We collected indicators of compromise (IOCs) from a 10 hour infection run. List of IOCs available at #Unit42ThreatIntel #TimelyThreatIntelligence
2 years
2022-03-03 (Thursday) - Still seeing #CobaltStrike from #Emotet infections - IOCs from our latest example available at:
2 years
2022-04-05 (Monday) - From a #Bumblebee malware infection, we saw #CobaltStrike traffic from 23.108.57[.]23 using cuhitiro[.]com as its domain. More info available at:
2 years
2022-07-06 (Wed) - #TA578 #ContactForms campaign used Yandex URL to deliver zip-ed ISO - Led to #IcedID ( #Bokbot ), which led to #DarkVNC on 188.40.246[.]37:8080 & #CobaltStrike on 198.44.132[.]80:8080 using centertechengineering[.]com - IoCs available at:
2 years
2022-02-07 (Monday) - #BazarLoader infection with #CobaltStrike - IOCs available at:
2 years
2022-04-14 (Thursday) - Ongoing activity using URL --> zip --> .msi --> #Qakbot --> #CobaltStrike . Researchers started seeing this infection method as early as Monday (2022-04-11). IOCs for today's activity available at:
3 years
We share details of the first known malware targeting Windows containers to compromise cloud environments.
1 year
A new method for delivering #RedLineStealer via #OneNote attachments was observed (e03d1dc90b981455ff453c996a919848074c6e735719148eeb8e1185935c28b3). Extracted C2 configuration: {"C2 url": ["172.245.45.213:3235"], "Bot Id": "Skijay2"}
2 years
2021-12-07 (Tuesday) - Malspam pushing #Qakbot and #Matanbuchus malware - Qakbot showed "obama141" as the distribution tag - IOCs available at:
2 years
2022-02-10 (Thursday) - We continue to see #CobaltStrike from #Emotet infections - A list of IOCs from our latest example is available at:
2 years
2022-08-03 (Wednesday) - #IcedID ( #Bokbot ) from emails with zip attachments containing ISO images - Led to #CobaltStrike stager from hxxp://voxepimid[.]com/Lssaas.dll - CobaltStrike C2 on 185.173.34[.]75:443 muwokok[.]com - IOCs at:
2 years
2022-06-28 (Tuesday) - #TA578 thread-hijacked email pushed #IcedID ( #Bokbot ) - Led to #DarkVNC on 91.238.50[.]80:8080, then #CobaltStrike on 217.79.243[.]147:8080 using bcnupdate[.]com and on 194.37.97[.]139:8080 using solvesalesoft[.]com - IOCs at:
2 years
2022-03-01 (Tuesday) - #Emotet epoch4 infection with #CobaltStrike as follow-up malware - Cobalt Strike HTTP C2 traffic on 139.60.161[.]225 over port 80 using klycnmik[.]com as the domain - IOCs available at:
1 year
We're observing that ROMCOM RAT is now being packaged as an installer for Veeam Backup and Recovery software. This is in addition to the KeePass Password Manager and SolarWinds Orion installers identified by BlackBerry yesterday.
2 years
2022-03-14 (Monday) - Our latest #CobaltStrike sample from an #Emotet infection - IOCs available at:
2 years
2022-06-17 (Friday) - Today we saw #Matanbuchus activity - This activity led to #CobaltStrike using gudugil[.]com on 23.82.141[.]136:443 - IOCs available at:
7 months
We observed multiple exploit attempts of WS_FTP Server Critical Vulnerability, where threat actors attempted to deliver #meterpreter payload via the URL 103[.]163.187.12:8080/cz3eKnhcaD0Fik7Eexo66A. #CVE202340044 #CVE202342657 #TimelyThreatIntel #Unit42ThreatIntel
1 year
2023-05-02 (Tuesday): obama259 #Qakbot ( #Qbot ) infection led to #BackConnect activity on 46.151.30[.]109:443. Approximately 12 hours later, #DarkCatVNC traffic appeared using the same IP address. IOCs available at
3 months
2024-01-30 (Tuesday): #DarkGate activity continues this week. IOCs from an infection run are available at #Unit42ThreatIntel #TimelyThreatIntel #Wireshark #InfectionTraffic #RATs #MaaS #WindowsMalware
3 years
When writing signatures to detect RDP vulnerabilities and prevent attacks, it's sometimes necessary to decrypt RDP traffic. Learn how in our latest Wireshark tutorial.
1 year
2023-05-10 (Wednesday): obama262 #Qakbot ( #Qbot ) infection led to #BackConnect activity on 46.151.30[.]109:443 with #DarkCatVNC . Also saw #CobaltStrike from this infection using HTTPS traffic to floatfil[.]com. IOCs available at
1 month
2024-03-27 (Wednesday): With the recent rise in malicious Google ads impersonating legitimate software, today we found one leading to a fake Cisco AnyConnect page pushing #NetSupportRAT . Indicators available at #Unit42ThreatIntel #RemoteAccessTrojan
3 years
2021-07-29 (Thursday) - #BazarLoader ( #BazaLoader ) infection from "Stolen Images Evidence" zip archive - Follow-up malware was #CobaltStrike , which led to a PowerShell script file for #PrintNightmare - List of IOCs available at:
3 months
2024-01-23 (Tuesday): #UltraVNC infection generated by EXE from Dropbox URL. Dropbox URL now offline! IOCs from an infection run available at #TimelyThreatIntel #IndicatorsOfCompromise #Unit42ThreatIntel #Wireshark #InfectionTraffic
2 years
2022-07-25 (Monday) - More #IcedID ( #Bokbot ) from emails with password-protected zip files containing ISO image - Led to #CobaltStrike binary from hxxp://209.222.98[.]13/download/msb.exe - CobaltStrike C2 on 172.93.193[.]21:443 sezijiru[.]com - IOCs at:
6 years
#Unit42 shares a lesson on customizing #Wireshark to better meet security researcher needs
5 months
2023-12-05 (Tuesday): Loader EXE leads to unidentified malware with C2 using encoded/encrypted TCP traffic on 91.92.120[.]119:62520 - IOCs available at #MalwareTraffic #TimelyThreatIntel #Unit42ThreatIntel #Wireshark
3 years
2021-09-20 (Monday) - #Squirrelwaffle Loader activity with #CobaltStrike - list of IOCs available at:
3 years
2020-11-16 (Monday) - Excel spreadsheet with .xlsb file extension pushes #CobaltStrike - IOCs available at:
4 years
When reviewing suspicious network activity, we often run across encrypted traffic. This tutorial describes how to decrypt HTTPS traffic from a pcap in Wireshark.
1 year
2023-04-05 (Wednesday): OneNote file has embedded .vbe file to distribute Java-based #STRAAT malware. The .vbe will install Java if the victim doesn't have it. We saw an attacker open files from the infected Windows host's Documents folder. More info at
6 months
2023-10-31 (Tuesday) - #IcedID ( #Bokbot ) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at #TimelyThreatIntel #Unit42ThreatIntel #Wireshark
12 days
2024-04-15 (Monday): #ContactForms campaign pushing #SSLoad malware as early as Thursday, 2024-04-11. List of indicators available at #Wireshark #Unit42ThreatIntel #TimelyThreatIntel #InfectionTraffic
1 month
2024-03-13 (Wednesday): Another fake forum post leads to #GootLoader malware. This distribution method has been remarkably consistent since at least 2021. List of indicators for this infection: #TimelyThreatIntel #Unit42ThreatIntel #Wireshark #Malware
4 months
2023-12-15 (Friday): #TA577 pushing #Pikabot again this week. Here are IOCs from an infection run we generated today: #TimelyThreatIntel #Unit42ThreatIntel #Wireshark #MalwareTraffic #IndicatorsOfCompromise
2 years
2022-06-09 (Thursday) - #TA578 #Bumblebee malware infection led to #CobaltStrike activity on 23.82.141[.]226:443 using zupeyico[.]com - IOCs available at:
5 years
Using #Wireshark to review #pcaps of network traffic generated by #malware samples? We are offering some tips for analysts to better use Wireshark:
30 days
Unit 42 Managed Services spotted active exploitations of the new FortiClient EMS vulnerability CVE-2023-48788 since Sunday 2024-03-24. This led to unauthorized installations of #Atera Agent, #ScreenConnect and #Meterpreter . List of indicators available at
1 year
2023-03-16 (Thursday): #Emotet now also using #OneNote files, but we're still seeing zip attachments with inflated Word docs. IoCs from our latest infection and info on the malware (OneNote files, zip archives, inflated Word docs, etc.) available at
23 days
2024-04-04 (Thursday): We generated an infection in a lab environment based on the latest round of #KoiLoader / #KoiStealer activity. Initial bank-themed lures started earlier this week on 2024-04-02. Some indicators available at #Unit42ThreatIntel
1 year
2022-10-31 (Monday) #IcedID ( #Bokbot ) infection led to #DarkVNC on 137.74.104[.]108:443 and #CobaltStrike on 198.44.140[.]67:8008 - More info available at:
1 year
2022-12-28 (Wednesday): USPS-themed #malspam pushing #NetSupportRAT - Some indicators available at:
1 year
#LockBit 3.0 #Linux ESXi Locker version 1.2 continues targeting #ESXI hash: 0f7c10dfa562adf15f1f6078ecaee788 Also it includes #PTRACE anti-debug technique. #RAAS #Ransomware
1 year
New #Buhti #Ransomware written in #Golang targets the #Linux platform. Go build-id: 8yZfeORaUS9t0VEvm/6XZH_UamxCKSLaG5ICV9/o5iSux6xbO8HBoNLibae/0NSWg12Yrs4I1IE91H9o MD5: 6dc27523eb048bb7197bfdf39d6d15dd
3 years
We urge everyone to share what they know about the supply-chain attack on SolarWinds Orion software so that we as a cybersecurity community get a complete picture. We’ve put together a timeline.
6 months
2023-10-18 (Wednesday): #IcedID forked variant infection with #BackConnect , #AnubisVNC , #CobaltStrike & #ScreenConnect . Saw "hands on keyboard" approximately 95 minutes after initial infection. IOCs available at #TimelyThreatIntel
4 years
Here's @malware_traffic 's tutorial on how to identify a notorious piece of malware that's been around since 2016. #Unit42WiresharkWeek Part 5: Examining Trickbot Infections
2 years
2021-11-22 (Monday) - #ContactForms Campaign still using "Stolen Images Evidence" theme to push #BazarLoader - Infection led to #CobaltStrike - IOCs available at:
1 year
2023-03-06 (Monday): Malspam targeting Italy leads to #Gozi ( #ISFB / #Ursnif ) infection - URL and server hosting malicious files from our test run still active today (Thursday 2023-03-09) - IoCs from our infection run available at
3 years
2021-04-26 (Monday) - #IcedID ( #Bokbot ) with #CobaltStrike from StolenImages_Evidence.zip - List of indicators available at: - includes download links for malware samples, artifacts, and #pcap of infection traffic
10 months
2023-07-12 (Wednesday) - #Gozi / #ISFB infection in an AD environment led to #CobaltStrike C2: 170.130.55[.]162:443 - iamupdate[.]com. List of IOCs at
2 years
2022-08-08 (Monday) #IcedID ( #Bokbot ) infection led to #CobaltStrike . Possible Cobalt Strike C2 on 23.106.223[.]135:443 rehazosipa[.]com. Saw stager on 104.238.220[.]131/download/sys.exe & Cobalt Strike C2 on 172.93.179[.]196:443 waafefuvuko[.]com. IOCs at
1 year
We observed multiple infections of #ApolloRAT using fake installers, creating persistence in the user’s startup folder with a binary called MicrosofOffice.exe (imphash: 5bd3497bfd913b30bbdb13331f9ba919)