#threatreport #HighCompleteness Operation Dragon Weave: Uncovering a China-Linked Campaign Targeting Czech Republic and Taiwan Using Azure Cloud C2 | 29-05-2026
Source: seqrite.com/blog/operation-d…
Key details below ↓
🧑‍💻Actors/Campaigns: Dragon_weave (🧠motivation: cyber_espionage, information_theft)
💀Threats: Spear-phishing_technique, Adaptixc2_tool, Dll_sideloading_technique, Rustcloak, Azureveil, Dead_drop_technique, Process_injection_technique
🎯Victims: Officials, Citizens
🏭Industry: Education, Government
🌐Geo: Chinese, Czech, China, Taiwan
📚TTPs: ⚔️Tactics: 4 🛠️Technics: 18
🧨IOCs: Domain: 1, File: 8, Hash: 12
💽Software: Azure Blob, Microsoft Edge
🔢Algorithms: cbc, rc4, xor, zip, base64
🗂️Win API: VirtualAlloc, VirtualProtect, CreateFiberEx, SwitchToFiber
📜Programming Languages: powershell, rust, visual_basic
💻Platforms: amd64
#threatreport: Operation Dragon Weave is a sophisticated cyber espionage campaign identified as targeting entities in the Czech Republic and Taiwan, potentially linked to a China-based threat actor. The attack leverages a spear-phishing strategy utilizing malicious ZIP files resembling official documents to initiate a structured infection chain. The ZIP archive includes various legitimate-looking files, notably a shortcut file designed to appear as a PDF, which, when executed, leads to the deployment of malware. The primary infection method consists of two paths: Path A and Path B. In Path A, the user is tricked into clicking a Windows shortcut file, which triggers a VBScript that subsequently executes a PowerShell script responsible for decrypting the payload and launching a malicious executable. Path B, on the other hand, involves running a Rust-based executable that directly extracts and executes all necessary components, including the final payload. Both paths result in the execution of a core component named RuntimeBroker_update.exe, which sideloads a malicious DLL referred to as RUSTCLOAK.
RUSTCLOAK is a Rust-based loader adept at evading detection. It employs anti-analysis techniques, such as sandbox evasion checks based on a hardcoded list of common analyst machine names. Upon successful execution, RUSTCLOAK decrypts the final payload, identified as AZUREVEIL, through a multi-layer decryption approach utilizing various algorithms, and executes it in-memory to avoid detection. AZUREVEIL is a highly capable Adaptix command-and-control (C2) agent, notable for its method of communication via Microsoft Azure Blob Storage. This approach cleverly disguises malicious traffic as legitimate cloud activity, complicating detection efforts. The agent is structured to function without a traditional C2 server, performing operations through data exchange in a shared Azure storage container. Commands are uploaded to the Azure Blob, from where AZUREVEIL retrieves, decrypts, and executes them while sending back results as encrypted blobs. In total, AZUREVEIL supports a wide range of post-exploitation commands, enabling full system control, data exfiltration, and lateral movement within the network. Its capabilities include file operations, network enumeration, and even the ability to function as a proxy, showcasing the extensive control and flexibility afforded to the attackers. The campaign manifests a high degree of sophistication with multi-layer encryption for payload protection, a focus on targeted geopolitical interests, and the use of cloud infrastructure to maintain stealth in its operations. The technical innovations employed, particularly the use of Azure for C2, significantly highlight the evolving tactics of modern cyber threats, making mitigation efforts more challenging.
#threatreport #HighCompleteness Operation Dragon Whistle: UNG002 Targets Chinese Academia via Weaponized Institutional Lure | 20-05-2026
Source: seqrite.com/blog/operation-d…
Key details below ↓
🧑‍💻Actors/Campaigns: Dragon_whistle, Ung002, Cobalt_whisper
💀Threats: Spear-phishing_technique, Dll_sideloading_technique, Lolbin_technique, Dllsearchorder_hijacking_technique, Cobalt_strike_tool
🎯Victims: Education, Government affiliated academic bodies, Sports and physical education departments, Students, Academic administration
🏭Industry: Healthcare, Education, Government
🌐Geo: Chinese, China, Korean
📚TTPs: ⚔️Tactics: 6 🛠️Technics: 18
🧨IOCs: File: 14, IP: 1, Domain: 1, Hash: 6
💽Software: macOS, Bandizip, Windows security, Event Tracing for Windows, Alibaba Cloud, Feishu, HiChina, baba Cloud spec
🔢Algorithms: sha256, zip
🔠Functions: CreateArk
🗂️Win API: GetTickCount, CheckRemoteDebuggerPresent, IsDebuggerPresent, VirtualAlloc, CreateToolhelp32Snapshot, Process32First, Process32Next
📜Programming Languages: visual_basic
#threatreport: Operation Dragon Whistle, attributed to threat actor UNG002, involves a sophisticated spear-phishing campaign targeting students and faculty at Changzhou University in China. The campaign utilizes a carefully crafted lure connected to the university's upcoming mandatory physical fitness assessment scheduled for 2026. The phishing email contains a ZIP file labeled with an official-looking title, compelling recipients to download and execute it due to the urgency related to their graduation eligibility. Upon analysis, the spear-phishing email was found to originate from a free mail service, specifically designed to bypass conventional email security measures. The ZIP file includes a decoy document that closely mimics the official notice from the university, reflecting the attackers' deep understanding of institutional processes and culture.
The decoy is accompanied by additional elements such as real staff names and contacts, which contribute to a high level of social engineering fidelity. Once the ZIP file is executed, it utilizes a living-off-the-land technique by harnessing the legitimate Windows Explorer executable to run a VBScript payload. This script is vital for orchestrating the attack sequence, managing the execution of both the decoy PDF and the real malicious payload simultaneously and stealthily. It dynamically constructs paths to these files at runtime to avoid detection through static analysis, while also ensuring the decoy has enough time to display before launching the actual payload. The subsequent stage of the attack involves DLL side-loading, where the script launches a legitimate file (Bandizip) contaminated with a malicious DLL (ark.x64.dll). The malware employs various anti-analysis techniques, such as checking for active monitoring processes and evading detection from common analysis tools. If the malware detects any such monitoring activity, it terminates its execution to maintain anonymity. After confirming a safe execution environment, the malware progresses to deliver its payload, which culminates in the execution of a Cobalt Strike Beacon. Notably, the entire process occurs in memory to minimize on-disk artifacts, directly communicating with command-and-control (C2) infrastructure hosted on Alibaba Cloud, a recurrent choice for this actor to avoid detection and blocking efforts. The investigation into this campaign revealed extensive operational ties to previous activities by UNG002, particularly reflecting similar tactics, techniques, and procedures observed in earlier campaigns like Operation Cobalt Whisper. The use of Feishu's infrastructure and other domain indicators further reinforced the attribution to a Chinese actor.
In summary, Operation Dragon Whistle represents a significant escalation in UNG002's targeting strategy, effectively leveraging societal pressures within academic institutions to manipulate behavior, drive engagement, and execute malware while remaining undetected.
#threatreport #MediumCompleteness Analyzing Iranian Tradecraft: Leveraging Loader Scripts and Telegram for C2 | 04-05-2026
Source: blog.pulsedive.com/analyzing…
Key details below ↓
💀Threats: Bloat_technique
🎯Victims: Users
🏭Industry: E-commerce
🌐Geo: Iran, Iranian
📚TTPs: ⚔️Tactics: 3 🛠️Technics: 7
🧨IOCs: File: 8, Url: 2, Path: 2, Hash: 5
💽Software: Telegram, Microsoft Defender
🔢Algorithms: md5, zip, base64, sha256, sha1
📜Programming Languages: visual_basic, python, powershell
#threatreport: Recent analyses reveal that Iranian cyber threat actors, particularly those aligned with the Ministry of Intelligence and Security (MOIS), have been employing loader scripts as part of their cyber operations. These scripts, often basic in nature, primarily aim to facilitate the download of secondary payloads hosted on Vultr Object Storage. In particular, a PowerShell-based loader script utilizes base64 encoding to conceal its payload, which leads to the downloading of a zip archive containing the executable RuntimeSSH.exe. This executable, noted in an FBI FLASH report, is implicated in the exfiltration of sensitive data from infected devices. Telegram has emerged as a crucial tool for these threat actors, functioning as a command-and-control (C2) platform. Its usage capitalizes on the platform’s ability to blend in with legitimate network traffic and the relative ease of creating bots. Telegram serves a dual purpose, allowing actors not only to manage command-and-control operations but also to act as a marketplace for cybercriminal services and malware. This has notably included groups like Handela Hack, which actively utilize Telegram for operational communications. Intrusions typically initiate through social engineering tactics, where malicious actors pose as support personnel or prominent figures to trick victims into executing malware.
The threat actors leveraged popular applications to disguise their malware, which is deployed via PowerShell scripts and is capable of modifying Windows registry keys to maintain persistence. Once installed, the malware exhibits functionality such as screen and audio capture along with data retrieval from local caches. Exfiltration of this collected data has been reported to occur through Telegram channels. Two specific PowerShell scripts, identified as ps.ps1 and cmd.ps1, are among the loader samples discovered. Both scripts execute base64-encoded commands with hidden PowerShell windows, differing slightly in their command specifications. Another notable script, a VBScript, queries the disk size and may execute the PowerShell commands if the disk exceeds a certain threshold. This, alongside a larger set of scripts, indicates a sophisticated method of evading detection while ensuring execution of malicious tasks. Additionally, the payload referenced in the FBI report—smqdservice.exe—contains more elaborate tactics. This executable seeks to evade Microsoft Defender's detection by creating exclusions in its configuration. Upon executing smqdservice.exe, various Python modules, including python311.dll, are loaded to enhance the malware’s functionality. Extracted details from the malware reveal specific Telegram bot configurations providing insights into their operational architecture.
#threatreport #HighCompleteness Forbidden Hyena attacks with new remote access trojan BlackReaperRAT | 03-03-2026
Source: bi.zone/expertise/blog/forbi…
Key details below ↓
🧑‍💻Actors/Campaigns: Forbidden_hyena (🧠motivation: financially_motivated, hacktivism)
💀Threats: Blackreaperrat, Blackout_locker, Garble_tool, Sliver_c2_tool, Viper, Powerview_tool, Powersploit_tool, Anydesk_tool, Shadow_copies_delete_technique, Putty_tool, Proxychains_tool, Netcat_tool, Junk_code_technique, Procmon_tool, Credential_dumping_technique, Vssadmin_tool
📚TTPs: ⚔️Tactics: 10 🛠️Technics: 0
🧨IOCs: File: 29, Command: 7, IP: 4, Path: 10, Url: 14, Registry: 4, Hash: 25, Domain: 2
💽Software: Windows registry, Unix, winlogon, Windows Defender, Linux, msexchange, outlook, telegram, firefox, onenote, ...
🔢Algorithms: aes-256, aes-128, zip
🗂️Win API: PsMapExec, CreateProcessA, DuplicateTokenEx, SetThreadToken, GetTickCount, IsDebuggerPresent
⚙️Win Services: WebClient, SecurityHealthService, WinDefend, WdNisSvc, WdFilter, WdBoot, MsSecFlt, wscsvc, MsMpEng, ocssd, ...
📜Programming Languages: powershell, visual_basic, golang
💻Platforms: x86
#threatreport: BI.ZONE Threat Intelligence observed significant activity from the Forbidden Hyena threat actor group in late 2025 into early 2026, unveiling a novel remote access trojan (RAT) named BlackReaperRAT and a modified version of the Blackout Locker ransomware, now rebranded as Milkyway. BlackReaperRAT is disseminated via RAR files containing a batch script (1.bat) designed to execute a malicious VBS script (1.vbs), which subsequently downloads the RAT and a misleading document to distract users. The BlackReaperRAT is implemented as an obfuscated VBS script that generates a unique BotID upon execution, storing it in the user’s application data directory.
Persistence mechanisms are robustly built in; it utilizes registry modifications to create autorun entries to ensure it executes upon system startup and employs Windows Task Scheduler for additional persistence, as it registers these tasks under the highest privileges. The RAT is equipped with a multi-faceted command and control system that communicates via HTTPS with a Telegram channel to receive commands and send back system information including usernames and timestamps. Both the BlackReaperRAT and the Milkyway ransomware utilize complex evasion techniques. Milkyway is noted for its encryption capabilities, applying AES-128 to files and renaming them with a distinctive .milkyway extension. This ransomware variant optimizes its operational efficiency by recursively scanning storage volumes for files to encrypt and has been observed to disable key Windows services to prevent recovery and resist detection by security solutions. The Forbidden Hyena group employs a mix of advanced tools, including various PowerShell and Bash scripts for penetration and post-exploitation tactics. Some scripts are seemingly developed or modified using machine learning techniques, enhancing camouflage against detection. Notable scripts include those for extracting sensitive data from security database files, installing additional remote access tools such as AnyDesk for long-term access, and establishing new user accounts with administrative privileges.
14 Oct 2025
#threatreport #MediumCompleteness Judicial Notification Phish Targets Colombian Users: .SVG Attachment Deploys Info-stealer Malware | 13-10-2025
Source: seqrite.com/blog/judicial-no…
Key details below ↓
💀Threats: Asyncrat, Junk_code_technique, Amsi_bypass_technique
🎯Victims: Colombian users
🏭Industry: Government
🌐Geo: Colombian, Colombia, Spanish
📚TTPs: ⚔️Tactics: 9 🛠️Technics: 22
🧨IOCs: File: 12, Command: 1, Hash: 6, Registry: 1
💽Software: VirtualBox
🔢Algorithms: base64, xor, md5
🔠Functions: VBS, openDocument, createObjectURL
📜Programming Languages: visual_basic, powershell, javascript
#threatreport: A recent cybersecurity campaign has targeted Colombian users through a phishing attack designed to impersonate a judicial notification from the "17th Municipal Civil Court of the Bogotá Circuit." The attack utilizes SVG (Scalable Vector Graphics) files, which have gained popularity among threat actors for embedding malicious code due to their XML-based format, making them go undetected by many traditional security solutions. The infection chain starts with a phishing email in Spanish, containing a deceptive subject line pertaining to a judicial claim. This email includes a seemingly innocuous SVG attachment. Upon execution, the SVG file releases a malicious HTA (HTML Application) file, which contains both harmless and harmful code. A significant portion of this malicious code is hidden as base64 encoded data, which, when decoded, reveals a VBS (Visual Basic Script) file. This VBS file generates a PowerShell script that is encoded in a manner that obscures its true intent, relying on encoded character substitutions and further nesting of base64 encodings. The PowerShell script downloads a plaintext file from a remote location and subsequently executes a .NET DLL file, functioning as a downloader-loader.
This component is primarily engineered to establish persistence on the infected system, while also managing a connection to a command-and-control (C&C) server for further instructions. Key persistence techniques include the creation of scheduled tasks and registry entries that ensure the malware persists even after system reboots. The malware itself has been identified as AsyncRAT, a remote access Trojan that can perform a variety of malicious activities including keystroke logging and executing other payloads. The functionality of AsyncRAT varies depending on its configuration, but its main goal is to exfiltrate data back to the attackers via encrypted communications. Notably, the malware includes multiple defense evasion tactics that protect it from detection. It employs techniques such as checking for virtual machine environments to avoid analysis and utilizing obfuscation methods to obscure its code. Furthermore, it can enumerate running processes and collect system information, including webcam presence. In summary, this campaign exemplifies a sophisticated use of SVG files for initial access, leveraging various scripting languages and employing advanced techniques for persistence and evasion, culminating in the deployment of AsyncRAT.
6 Sep 2025
#threatreport #HighCompleteness GPUGate Malware: Malicious GitHub Desktop Implants Use Hardware-Specific Decryption, Abuse Google Ads to Target Western Europe | 06-09-2025
Source: arcticwolf.com/resources/blo…
Key details below ↓
💀Threats: Gpugate, Gpugate_technique, Bloat_technique, Dll_sideloading_technique, Amos_stealer, Supply_chain_technique, Spear-phishing_technique, Process_injection_technique, Process_hollowing_technique, Dead_drop_technique
🎯Victims: Information technology sector, Technical professionals
🏭Industry: Entertainment, Software_development, Education
🌐Geo: Russian
📚TTPs: ⚔️Tactics: 11 🛠️Technics: 31
🧨IOCs: Domain: 17, File: 4, Path: 4, Hash: 7, Url: 3, IP: 19, Command: 3
💽Software: Windows Installer, Windows Defender, Microsoft Defender, Windows service, macOS, Telegram, gatekeepers, chrome, Microsoft Visual C++, Mac OS, ...
🔢Algorithms: sha256, aes, aes-cbc, xor, zip, sha1, md5
📜Programming Languages: visual_basic, powershell, php
💻Platforms: x64, arm, cross-platform
YARA: Found
#threatreport: The GPUGate malware represents a sophisticated attack vector that exploits GitHub repository structures and Google Ads to disseminate malicious payloads. Discovered on August 19, 2025, this threat primarily targets users in Western Europe, particularly those within the Information Technology sector. By leveraging a series of deceptive practices, including creating lookalike domains and embedding commit-specific links in advertisements, threat actors have effectively masked the origin of the malicious downloads, leading users to unwittingly install the malware. The core of the GPUGate technique is its specialized delivery mechanism, which includes a unique GPU-gated decryption routine. This routine ensures that the malicious payload remains encrypted on devices lacking a proper GPU—those not equipped with a GPU that meets specific criteria (e.g., a device name of at least ten characters long).
This characteristic not only complicates analysis in environments devoid of graphic processing capabilities but also suggests a targeting strategy aimed at users engaged in resource-intensive activities such as gaming, development, or cryptocurrency mining. Upon execution, the initial malware installer, disguised as a legitimate GitHub Desktop installation (GitHubDesktopSetup-x64.exe), begins a series of malicious and legitimate operations to establish persistence and evade detection. It copies itself to the user’s %APPDATA% directory, requests administrator privileges, and operates in a detached mode to reduce visibility. Furthermore, it alters Windows Defender settings to avoid scrutiny, creates a scheduled task to maintain its presence in the system, and downloads additional payloads from a remote server. The prime objective of the GPUGate malware campaign seems to revolve around gaining initial access for further malicious activities, such as credential theft, information exfiltration, and the potential deployment of ransomware. The malvertising used in this campaign reinforces the attackers' ability to manipulate search engine results, pointing users toward malicious sites under the guise of trusted applications. Attribution analysis indicates that the threat actors likely possess native Russian language proficiency, as evidenced by the comments within the PowerShell scripts utilized during the attack. This provides insight into the probable nationality of the group behind this sophisticated scheme while highlighting the extensive planning and execution involved in such cyber attacks.
1 May 2025
#threatreport #HighCompleteness Advisory: Pahalgam Attack themed decoys used by APT36 to target the Indian Government | 30-04-2025
Source: seqrite.com/blog/advisory-pa…
Key details below ↓
🧑‍💻Actors/Campaigns: Transparenttribe (🧠motivation: hacktivism, propaganda, disinformation, cyber_espionage)
💀Threats: Crimson_rat, Qilin_ransomware, Ppam_dropper, Spear-phishing_technique
🎯Victims: Indian government, Defense personnel, Military personnel, Government agencies, Defense and research organizations, Activists, Journalists
🏭Industry: Military, Government
🌐Geo: India, Indian, Kashmir, Pakistan
📚TTPs: ⚔️Tactics: 7 🛠️Technics: 12
🧨IOCs: File: 12, Url: 15, Domain: 16, Path: 1, IP: 9, Hash: 19
📜Programming Languages: visual_basic
#threatreport: The Pakistan-linked APT group Transparent Tribe (APT36) is conducting targeted campaigns against Indian government and defense personnel, evident in their use of "Pahalgam Terror Attack" themed documents. This campaign employs credential phishing techniques and malicious payload deployment, utilizing fake domains that impersonate the Jammu & Kashmir Police and the Indian Air Force. The deceptive domains surfaced shortly after a terror attack on April 22, 2025, to capitalize on the resultant geopolitical sensitivity. One significant phishing document, dated April 24, 2025, is crafted by an author identified as "Kalu Badshah," with filenames related to the government's response to the aforementioned attack. The fraudulent domain mimics the legitimate Jammu & Kashmir Police domain, suggesting targeted deception to harvest credentials from government email accounts such as @gov.in or @nic.in. This phishing approach reflects the group's agility in adapting to current events for crafting lures, with multiple variations of phishing documents aimed at enticing victims into providing sensitive information. In addition to the PDFs, a PowerPoint add-on file named similarly to the phishing document contains harmful macros.
This file extracts embedded payloads into a concealed user directory and activates the Crimson RAT, whose internal name is "jnmxrvt hcsm.exe," rebranded as "WEISTT.jpg." The RAT exhibits a hardcoded IP address that serves as a decoy, while the actual command and control (C2) server is decoded to an IP address of 93.127.133.58. The malware supports various commands to interact with compromised systems, indicating a robust feature set for data exfiltration and system manipulation. The identified phishing domains are created in close proximity to the generation of the related documents, illustrating a classic psychological exploitation technique employed by threat actors. By leveraging sensitive geopolitical issues, the attackers aim to sow discord, extract intelligence, and potentially mislead public perception through disinformation. This operation aligns with previous tactics used by APT36, which has consistently targeted Indian military and governmental entities while employing similar methods of domain impersonation and exploiting sensitive themes such as the Kashmir conflict. The potential consequences of such attacks are multifaceted, ranging from the disruption of sensitive governmental operations and the dissemination of misinformation, to serious breaches of espionage where sensitive data could be compromised. As a whole, this campaign manifests the inherent risks associated with cyber threats enveloped in geopolitical disputes, signaling a need for heightened vigilance and cybersecurity measures among targeted organizations.
30 Apr 2025
#threatreport #MediumCompleteness Pentagon Stealer: Go and Python Malware with Crypto Theft Capabilities | 29-04-2025
Source: any.run/cybersecurity-blog/p…
Key details below ↓
🧑‍💻Actors/Campaigns: Muddywater
💀Threats: Pentagon_stealer, Typosquatting_technique, Purecryptor
📚TTPs: ⚔️Tactics: 6 🛠️Technics: 10
🧨IOCs: Domain: 5, Url: 6, File: 10, Path: 1, Hash: 1
💽Software: Mozilla Firefox, Firefox, Discord, Telegram, Electron, Chrome, Windows Defender, Chromium, SeaMonkey, Waterfox, ...
📲Wallets: exodus_wallet, atomicwallet
🔢Algorithms: sha1, aes, sha256, cbc, md5
🔠Functions: UnProtect
📜Programming Languages: powershell, javascript, golang, visual_basic, python
💻Platforms: intel
#threatreport: The Pentagon Stealer malware, identified by various names including 1312, Acab, Vilsa, and BLX Stealer, utilizes a technique known as "typosquatting" to mask itself within popular PyPI Python packages. The malware has evolved through several campaigns and variations, with some exhibiting enhanced functionalities. The initial attack vector involves a Python-based dropper, which runs an encrypted payload to initiate the malware's main module. Upon execution, the malware first checks for the presence of a specific directory indicative of prior infection, creating it if absent. This mechanism serves to prevent redundant infection attempts. The Pentagon Stealer is designed to extract a variety of sensitive data from both Chromium-based browsers and applications like Discord and Telegram, including login credentials, cookies, and authorization tokens. Notably, it has the capability to inject malicious code into the app.asar files of cryptocurrency wallet management applications such as Atomic and Exodus, effectively allowing attackers to access users' mnemonic phrases and passwords. The malware employs a communication structure that utilizes HTTP requests to interact with its command and control (C2) servers, specifically through domains like pentagon.cy and stealer.cy.
This interaction involves sending logs of stolen data back to the C2 server, identified by a loguuid, which helps the attackers track compromised victims. In its evolution, subsequent versions have incorporated theft capabilities targeting Gecko-based browsers and enhanced functionality for exfiltrating data. Notably, the Golang variant of the malware simplifies some processes, lacking the encryption seen in its Python predecessors, pointing toward a potential change in distribution structure. The attack chain often involves a multi-stage process, where initial infections may be facilitated through malicious installers that lead to further malicious payloads, including mining software in addition to the stealing capabilities. While the Pentagon Stealer's functionality has largely remained intact—primarily revolving around data theft—the development landscape indicates a trend of obfuscation and modularization without fundamentally increasing complexity. Despite its simplistic design, the malware continues to adapt and reappear under different guises, maintaining relevance in the cyber threat landscape. Recent examples indicate ongoing modifications that enhance its capability, suggesting that this malware remains an active threat.
6 Feb 2025
#threatreport #HighCompleteness GetSmoked: UAC-0006 Returns With SmokeLoader Targeting Ukraine's Largest State-Owned Bank | 06-02-2025
Source: cloudsek.com/blog/getsmoked-…
Key details below ↓
🧑‍💻Actors/Campaigns: Getsmoked (🧠motivation: cyber_espionage, financially_motivated), Uac-0006 (🧠motivation: cyber_espionage, financially_motivated), Carbanak, Empiremonkey
💀Threats: Smokeloader, Process_injection_technique, Blackbasta, Credential_harvesting_technique, Supply_chain_technique, Spear-phishing_technique
🎯Victims: Privatbank, Cmit solutions, Soho square solutions, Templar protective associates
🏭Industry: Financial
🌐Geo: Ukraine, Russian
📚TTPs: ⚔️Tactics: 6 🛠️Technics: 13
🧨IOCs: Hash: 42, File: 8, Url: 12, Domain: 6, IP: 3
🔢Algorithms: sha256, aes, zip
🔠Functions: GetSmoked
🗂️Win API: CreateProcessW
📜Programming Languages: javascript, visual_basic, powershell
YARA: Found
#threatreport: UAC-0006, a financially motivated threat actor group, is actively conducting phishing campaigns targeting customers of PrivatBank, Ukraine’s largest state-owned bank. These campaigns leverage password-protected archives containing malicious JavaScript, VBScript, or LNK files to bypass detection mechanisms. The primary malware utilized is SmokeLoader, which is introduced through process injection, leveraging PowerShell and legitimate system binaries that facilitate command-and-control (C2) communication and payload execution. Detailed analysis of the phishing lures reveals two significant SHA256 identifiers for malicious files, one targeting payment instructions and another aimed at providing a scanned copy of a passport. The documentation indicates that attackers use email deception to encourage the download of a zip or rar attachment, which is password-protected to obscure its malicious content. Upon extraction, a JavaScript file is executed, which performs process injection into the Windows Script Host (wscript.exe) and launches an encoded PowerShell command.
This command has dual purposes: first, it opens the associated PDF file that the user expects to see, and second, it establishes a connection to the SmokeLoader C2 servers to download additional payloads. The campaign's evolution shows a recent shift toward using LNK files in their phishing strategies. When executed, these LNK files invoke PowerShell with specified arguments that ultimately call mshta.exe to execute files from C2 servers. This development illustrates their increasing sophistication and reliance on PowerShell for execution. The Tactics, Techniques, and Procedures (TTPs) employed by UAC-0006 display significant overlap with those of FIN7 and other Russian APT groups, including noted connections to the Black Basta ransomware group. Between 2023 and 2025, there has been an observable increase in the use of VBScripts and LNK files as components of their phishing infrastructure. The implications of these campaigns pose considerable risks, including the potential compromise of sensitive personal and corporate data, credential harvesting, and espionage activities targeting individuals in critical sectors, which could lead to unauthorized access and operational disruptions. Furthermore, these phishing attacks threaten brand integrity and client trust for organizations impersonated in the phishing lures, as well as risking supply chain vulnerabilities through impersonation of service providers. Victims, therefore, not only face immediate risks but also long-term damage to their reputation within their respective industries.
Supporting 52 major programming languages: 'java', 'markdown', 'python', 'php', 'javascript', 'c++', 'c#', 'c', 'typescript', 'html', 'go', 'java_server_pages', 'dart', 'objective-c', 'kotlin', 'tex', 'swift', 'ruby', 'sql', 'rust', 'css', 'yaml', 'matlab', 'lua', 'json', 'shell', 'visual_basic', 'scala', 'rmarkdown', 'pascal', 'fortran', 'haskell', 'assembly', 'perl', 'julia', 'cmake', 'groovy', 'ocaml', 'powershell', 'elixir', 'clojure', 'makefile', 'coffeescript', 'erlang', 'lisp', 'toml', 'batchfile', 'cobol', 'dockerfile', 'r', 'prolog', 'verilog'
If Live = True Then StartActivity(Life) End If #Visual_Basic
🚨 👉 If you have knowledge of: - #ERP - #CRM - Management and administration in a #WIndows environment - Database, #redes, #firewalls and communications management - #Programación in #VIsual_Basic and #C#, this is your opportunity 👍 #empleo buff.ly/4393GmM
15 Mar 2023
🚨 A #tecnológica company is hiring a 🕵🏻 Programmer 🧔🏻👩🏻‍🦰 💻 in .#net, #visual_basic and C# with #inglés 💂🏻‍♀️, high salary #empleo ow.ly/5O0T50NiOig
11 Jan 2023
🚨👉🏻 A #tecnológica company is hiring a 🕵🏻 .Net #Programador/a 🧑🏻👩🏻💻‍🦰 with experience in #visual_basic, #C# and .#net. Immediate start #empleo ow.ly/yifp50Mnpa8
17 Nov 2022
🚨 Do you have experience programming 💻 in .#net, #visual_basic and #C#? Do you have a good level of #inglés 💂‍♀️? If your answer is YES 👍, this #empleo may interest you 🕵️ ow.ly/FqUz50LG2Tq
I will share my own experience with this phenomenon, which happened to me personally, in the following thread: once, when I was a university student between 2004 and 2005, the lecturer gave us a homework assignment to program the game (XO), also known as Tic Tac Toe, using the #الفيجول_بيسك #Visual_Basic language
Why doesn't VB.NET allow unnamed, one-line objects to be used? - Visit programmatic.solutions/1t9mf… for the answer. #design #net #vb_net #visual_basic #programming
15 Sep 2022
🚨 If 👍🏻 you have experience #programando 👱🏻 👨🏻‍🦱 in .#net, #visual_basic and #C#, a major company in the #tecnológico sector is offering you this #empleo 👉🏻 infoempleo.com/ofertasdetrab…