{
  "metadata": {
    "malware_name": "HijackLoader / Penguish / Rugmi → AsyncRAT-class .NET RAT",
    "campaign_id": "OpenDirectory-MultiFamily-MaaS-62.60.237.100",
    "family_aliases": ["HijackLoader", "IDAT Loader", "GhostPulse", "Penguish", "Rugmi"],
    "final_stealer_family": "AsyncRAT-class .NET RAT (AsyncRAT / zgRAT / DCRat — variant inconclusive)",
    "report_date": "2026-05-06",
    "analyst": "The Hunters Ledger",
    "confidence_overall": "HIGH",
    "tlp": "WHITE",
    "confidence_note": "Confidence levels: DEFINITE (direct evidence with no ambiguity), HIGH (strong evidence with minor gaps), MODERATE (notable gaps), LOW (weak evidence).",
    "perspective": "Third-party threat intelligence — IOC feed for ingestion into SIEM/EDR/perimeter blocklists"
  },

  "file_indicators": {
    "sha256": [
      {"hash": "1afbe5d960af45832539b11e92a09b808f0c3868ab437a7ef1b5d1bd5e16d0c3", "filename": "Carriers.exe", "confidence": "HIGH", "context": "Inno Setup outer wrapper, primary delivery binary; VT 36/76; Kaspersky Trojan.Win32.Penguish.gun; VT IDS rules confirm AsyncRAT/zgRAT/DCRat downstream"},
      {"hash": "3666f859cc9f49957a150b6fed225dc8226160ef173161edccd15dd68fffef88", "filename": "Carriers.tmp", "confidence": "HIGH", "context": "Inno Setup runtime extracted from Carriers.exe; spawns CrystSupervisor32.exe"},
      {"hash": "44f009ca786bc541cda11c61bab7b272e96ce9e3d656c10bdac2e126f3a9cc35", "filename": "CrystSupervisor32.exe", "confidence": "HIGH", "context": "Genuine signed Wondershare SlideShowEditor.exe (renamed); side-load HOST. CAMPAIGN-SPECIFIC USE; same hash exists in legit Wondershare distribution. DO NOT add to generic blocklists — flag only when found in operator drop paths"},
      {"hash": "c085a724a067eec46d9a2c1eeae3cc04db33b9840f5c33eb87cc3027e12a6bcd", "filename": "WVault.exe", "confidence": "HIGH", "context": "Renamed Qihoo 360 PromoUtil.exe; runtime drop, hollow target for .NET RAT injection. CAMPAIGN-SPECIFIC USE; binary itself is legit-signed. Flag presence of orphan WVault.exe with .NET CLR threads", "false_positive_risk": "Hash is legitimate Qihoo 360 product — only flag when dropped to non-standard paths (C:\\ProgramData\\WVault.exe)"},
      {"hash": "c2e62475768c9546efe1da92a55f3bb2a55350eed83241139917aabd1ad25f8a", "filename": "Crisp.exe", "confidence": "HIGH", "context": "Genuine Crisp Squirrel paulb StubExecutable; persistence-establishing binary that drops watchermgmt.job. CAMPAIGN-SPECIFIC USE — flag when found in %APPDATA%\\adv_ctrl\\"},
      {"hash": "a3d0a9c71be732cdaafc7c1a9ef00c2a5a01e93b4a29c8944f8ea14a79f52ce0", "filename": "ExceptionHandler.dll", "confidence": "HIGH", "context": "Operator-modified Wondershare Plowshare crash reporter; reflective loader function FUN_100024B0 reads shadermgr93.rc and hollows tapisrv.dll; campaign-unique hash"},
      {"hash": "3480d0478d35d8a12331b97769401e16e4956bdc24b9a7175ae08e2c9e9acf8f", "filename": "NLEService.dll", "confidence": "MODERATE", "context": "Operator-rebuilt Wondershare AudioClip service; campaign-bespoke hash but no operator code modifications observed; pure decoy"},
      {"hash": "7e2000ceb89574fe95e819f5f47da346119b666b7f64e8b5b01e5152e37d76cf", "filename": "networkspec17.log", "confidence": "DEFINITE", "context": "Operator encrypted Stage-3 LZNT1 carrier (2.6 MB, entropy 7.88); never on VT before this investigation; PNG-IDAT framed + 4-byte XOR 0xE1D5B4A2 + LZNT1 chunked"},
      {"hash": "585f41db259ff0150f717e0862dcc4c6df91b1b5624439037420736d1d35c80b", "filename": "shadermgr93.rc", "confidence": "DEFINITE", "context": "Operator config blob (27 KB, mixed entropy 5.48); never on VT; contains relocation header + tapisrv.dll string + 5808-byte stage-2 shellcode"},
      {"hash": "dd4874b7646798264bf6e204ca74ab3b4e4f7b7b4124bd16ce6cbd9d2d5e28c9", "filename": "807D7B6.tmp", "confidence": "HIGH", "context": "Encrypted final-stealer payload (~3.2 MB); per-host encrypted; cipher unrecovered after 270 cryptographic combinations; pointed at by env var FVTADTEB"},
      {"hash": "253fdb10a694c8749fc83554ac458dd0592ef40cd87755ab558d4719b6e202ef", "filename": "865FDFD.tmp", "confidence": "HIGH", "context": "PE-mapping metadata blob (40 bytes); pointed at by env var JJZIUTSQYJMNTZ"},
      {"hash": "30200bcf6fab87862f9348cac03f97a3d8d735040314163dda173635291087dc", "filename": "watchermgmt.job", "confidence": "HIGH", "context": "Legacy .job persistence file (262 bytes); created in C:\\Windows\\Tasks\\; autorunsc blind spot"},
      {"hash": "005161d5e2be81c4af5facea96fe901c51cff16cedbd31be7211d07bf92c8963", "filename": "watchermgmt", "confidence": "HIGH", "context": "XML-format migrated task at C:\\Windows\\System32\\Tasks\\watchermgmt; auto-generated by Schedule service within 90ms of legacy .job write"},
      {"hash": "8ad22e349a1cb327857228f179cefc0ff25f9d36e5267312dfee96b5646f9915", "filename": "stage2_shellcode.bin", "confidence": "HIGH", "context": "Extracted stage-2 shellcode from shadermgr93.rc bytes 0x53A8..0x6A57 after relocation; 5,808 bytes; analyst-extracted artifact"},
      {"hash": "68fb61225b457172368d43af7ec2afe48f59404089d095584944edbfd0171feb", "filename": "pe_03 (HijackLoader proper)", "confidence": "DEFINITE", "context": "HijackLoader/Penguish/Rugmi/GhostPulse proper; Microsoft TrojanDownloader:Win64/Rugmi.HNL!MTB; VT 52/70; uses ntdll!RtlHashUnicodeString as API hash function (rare TTP)"},
      {"hash": "68bee500e0080f21c003126e73b6d07804d23ac98b2376a8b76c26297d467abe", "filename": "pe_06 (Rugmi.HP GoProxy installer)", "confidence": "DEFINITE", "context": "GoProxy CA cert installer; Microsoft Trojan:Win32/Rugmi.HP!MTB; VT 50/71; export _tiny_erase_ via rundll32"},
      {"hash": "2d8728f0f371107ff124a39b3c9f624cae115f8b6cc6ec87fbeb96fc8c2b51e6", "filename": "pe_07 (operator-bespoke cleanup helper)", "confidence": "HIGH", "context": "Operator-bespoke bundle-cleanup helper; NOT on VT (campaign-unique); same _tiny_erase_ export name as pe_06; manifest with filenames"},
      {"hash": "692ed97141059a1481fa2aacd5d48f037792f5bfddfa44f72078fc7256c764ad", "filename": "LDKPOIZD.exe (= cytotoxin.exe)", "confidence": "HIGH", "context": "Penguish family loader; VT canonical filename 'cytotoxin.exe'; sibling sample on staging server"},
      {"hash": "d8b5f0befed26af5c5d1d2d8307bc54145c7472189145668600be6c6a2aaca31", "filename": "MWXTCKDB.exe", "confidence": "HIGH", "context": "Penguish family loader; VT 43/73; same VHash family as Carriers.exe"},
      {"hash": "b4098f2bb99ce112fb27560237b84a52d9303fade048b8f83ac40f0d082ee2f7", "filename": "VFSZQPTV.exe", "confidence": "HIGH", "context": "Sibling Embarcadero Delphi loader on staging server"},
      {"hash": "c2b7b67e9daafef4847d99b4014b7ba77369fb776bba333a585f16d736c192e4", "filename": "PPMANLYP.exe", "confidence": "MODERATE", "context": "Different toolchain (MSVC + 7-Zip SFX, 42 capa hits); possibly different family bundled in same kit"},
      {"hash": "5273fc9f5c5c754bf37c58a391fe9ea7d98de470f042d2478d3beb0b71838b77", "filename": "5273fc9f sibling wrapper", "confidence": "HIGH", "context": "Sibling Carriers.exe variant per VT execution_parents pivot; VT 39/77; same operator DLL drop pattern; first-seen 2026-03-12"},
      {"hash": "a35073d242f8325801766660b9effd52993b99f1f370a947d4ec5688b0b0341a", "filename": "NDA_Agreements.PDF_2025-12-22 06-50-31-659.exe", "confidence": "HIGH", "context": "NDA-themed fake-PDF .exe; long-timestamp filename hides .exe extension"},
      {"hash": "f9bd3434f8be8b13890c5a8f4c200cf1447d2a4199b29ff37f645fee90ae1e1d", "filename": "NDA_Agreements.PDF_2025-12-22-06-50-39-658.exe (5.4 MB)", "confidence": "HIGH", "context": "NDA-themed fake-PDF .exe variant"},
      {"hash": "8477b9fb3f6aaa7d2d50a661a238ff1ac34ab58df6638e535cc004587d209e0c", "filename": "PriceList.PDF_2025-12-22 06-50-39-659.exe", "confidence": "HIGH", "context": "Price-themed fake-PDF .exe"},
      {"hash": "1861e9cd45136ed09f60391450171658c995a5ea6b0b9361658cc69db7fea10c", "filename": "NDA_Agreementsfdp.msi", "confidence": "HIGH", "context": "RTLO-disguised MSI installer (filename appears as .PDF via U+202E)"},
      {"hash": "7d366451fcd530c4493a75bc577283a96f28fc8a72e64310e8742f561068725c", "filename": "Carriers_Agreements_009RCARHEFfd..scr", "confidence": "HIGH", "context": "RTLO + Cyrillic-р homoglyph variant; not on VT as of 2026-05-03; fresh build by operator; defeats Unicode-only RTLO-stripping rules"},
      {"hash": "5268a97aea245c15220126d4ddb7e10d56a47d2d1492efd859da8e4223f9ecb0", "filename": "Price5.docm", "confidence": "HIGH", "context": "Macro Office doc; 29/63 VT; downloads from Mega.io /busket/putty2.exe"},
      {"hash": "00103e807a4d31570f9c11cea37310d7464b8f275e62f4517b071daeb3c47a29", "filename": "Price6.doc", "confidence": "HIGH", "context": "Macro Office doc; downloads from Mega.io /busket/putty2.exe"},
      {"hash": "b51c6db1160f9c55c404a7202bad5378a1f1bbb6bd0b5f45af4fcb770ea989eb", "filename": "NDA.doc", "confidence": "HIGH", "context": "Macro Office doc; downloads from Mega.io /busket/Bravo/vida/NGZTDICF.exe"},
      {"hash": "a98ce0c5bb2933100f84ff1adb8c4ece702a42cbb70f1154c9855c35a3889a90", "filename": "Price4.xls", "confidence": "HIGH", "context": "Macro Office doc; downloads from Mega.io /busket/putty2.exe"},
      {"hash": "6091a6e5ce9a8e0d7f896ebd3dfd798ac41a7c355a48e5643dfcf798437cf736", "filename": "Price3.xll", "confidence": "HIGH", "context": "Excel XLL add-in (3.4 MB DLL with init.dll,#1 rundll32 entry); macro-block bypass"},
      {"hash": "990a90036c974aaecef681776fb28972f5a3a72d044308339c974eb37990e9bc", "filename": "Macros64_2_.xll", "confidence": "HIGH", "context": "Excel XLL add-in (49 KB)"},
      {"hash": "4c765ffe43c1fa4be6a33d6c5bc76bdca989be2f780f416a4815e0b6bf956603", "filename": "1.msc", "confidence": "HIGH", "context": "MSC file (GrimResource technique); Tier-1 simplest variant"},
      {"hash": "90193252040e222733522603e17be8c21e52cd04cd99897392aea189a78bb217", "filename": "Price2.pdf.msc", "confidence": "HIGH", "context": "MSC file (GrimResource Tier-2 with Defender exclusion + dual-source download)"},
      {"hash": "8e302ffb38ff4ef382baadb06f5e644e1a007b241573f54f96b9bebcd7ddb211", "filename": "MSCFile.msc", "confidence": "HIGH", "context": "MSC file (Tier-2); inside Price.zip"},
      {"hash": "f1ba9ec2ec964bb29c8999d88b0ca8496ab23e9f44fecf5cc819ed62e447dee5", "filename": "VSEZBSRABOTAT.url", "confidence": "HIGH", "context": "Russian-language .url (transliteration 'vse zarabotat' = 'earn everything'); points to microsoft.com-app.cc"},
      {"hash": "dd4ec224c574a9d1f301568a1b82ed57ed1d0a5efe8b725138dfd23361b3f624", "filename": "NDA_Verification222.url", "confidence": "HIGH", "context": "NDA-themed .url; points to onedrive.to"},
      {"hash": "2303fa9d3836f99eb40ab338f4ddc40521299501d117be65b19ff9f61e2beb88", "filename": "sss.lnk", "confidence": "HIGH", "context": "LNK shortcut targeting explorer.exe + UNC argument"},
      {"hash": "fd89aea524a9c6b77efcf0d9d350f2fd625525887a1ef078017d8ceee0eaafee", "filename": "xxx.lnk", "confidence": "HIGH", "context": "LNK shortcut targeting explorer.exe + UNC argument"},
      {"hash": "b8da80a5ecdeb2536911cb38c878014d6873aad998f4f510301929146717941f", "filename": "13223.lnk", "confidence": "HIGH", "context": "LNK shortcut chained through 2.url"},
      {"hash": "a1cc69dfb1350f4c9fe1a9ef24c27fd2d72eea9407457c472fbb98c49aa6b6b9", "filename": "Excel_2016_Windows.bat", "confidence": "HIGH", "context": "Macro security disable BAT — sets Office VBAWarnings=1"},
      {"hash": "e3a777326a9a1a91d3224b90683642db22d2b7143dd21985200b9ac3ad2afc05", "filename": "NDA2026.zip", "confidence": "HIGH", "context": "Russian-doll archive containing NDA.zip"},
      {"hash": "df54bff16203d07df01eda47fe57aefa5cf4847a0f1d48e2b43e115a6173cd9b", "filename": "Price.zip", "confidence": "HIGH", "context": "Russian-doll archive containing MSCFile.msc and other lures"},
      {"hash": "4b2595eee4a24d2caa885e9fe6bf06d5fed9aa3a40d94b75f766b4433bcddbc2", "filename": "price2026.zip", "confidence": "HIGH", "context": "Sibling zip variant"},
      {"hash": "8667ef6e2d71585f963dc7076c3409390f5d63da6b66e02a0194b6d4ea448a0f", "filename": "1468_US_23.106.161.1_28-01-26.cab", "confidence": "MODERATE", "context": "CAB file with embedded victim/3rd-party IP in filename (per-victim customization pattern)"}
    ],
    "md5": [
      {"hash": "1a8abfce832bdbfe1c3ba9a134948e63", "filename": "Carriers.exe", "confidence": "HIGH", "context": "Sysmon EID 1-captured MD5 of primary delivery binary"},
      {"hash": "8a331882e1fcfed10f2664231c7ce1af", "filename": "Carriers.tmp", "confidence": "HIGH", "context": "Sysmon-captured MD5"},
      {"hash": "a4b240cce6e3da6e959f33bd82394034", "filename": "CrystSupervisor32.exe", "confidence": "HIGH", "context": "Sysmon-captured MD5"},
      {"hash": "9fe84f7e1a8efc69d6169f47f9b67257", "filename": "WVault.exe", "confidence": "HIGH", "context": "Sysmon-captured MD5"},
      {"hash": "5f9f88c9a16b62dc38504549e93d3667", "filename": "Crisp.exe", "confidence": "HIGH", "context": "Sysmon-captured MD5"},
      {"hash": "33bc1ffdcc8fc3aa7646fc2cb1a0a5e5", "filename": "807D7B6.tmp", "confidence": "HIGH", "context": "MD5 of encrypted payload"},
      {"hash": "1730e17c2277c47cd6c40037d2f12133", "filename": "watchermgmt.job", "confidence": "HIGH", "context": "MD5 of legacy persistence task"},
      {"hash": "34ea62976f42c141fa01de955bc809f4", "filename": "watchermgmt", "confidence": "HIGH", "context": "MD5 of XML migrated task"}
    ],
    "imphash": [
      {"hash": "e8ac1646024d52d1534a88da2e8037cd", "filename": "Carriers.exe", "confidence": "HIGH", "context": "Import-table hash; useful for finding repackaged variants with different SHA256 but same imports"},
      {"hash": "adcd9682585d11d95f17bb6ffa76f15e", "filename": "Carriers.tmp", "confidence": "HIGH", "context": "IMPHASH"},
      {"hash": "051ba42fa7a26bf65df9922daa07c458", "filename": "CrystSupervisor32.exe", "confidence": "HIGH", "context": "IMPHASH; matches genuine Wondershare SlideShowEditor.exe — only flag with context"},
      {"hash": "921f3ea587ffbd647ff4d520165ecd50", "filename": "WVault.exe", "confidence": "HIGH", "context": "IMPHASH; matches genuine Qihoo PromoUtil.exe"},
      {"hash": "ab9e4224c1ccf1355ae462a22ff3253e", "filename": "Crisp.exe", "confidence": "HIGH", "context": "IMPHASH"}
    ],
    "filenames": [
      {"name": "CrystSupervisor32.exe", "confidence": "HIGH", "context": "Operator-renamed Wondershare SlideShowEditor; appears in operator drop paths C:\\ProgramData\\adv_ctrl\\ and %TEMP%\\is-*.tmp\\"},
      {"name": "WVault.exe", "confidence": "HIGH", "context": "Operator-renamed Qihoo PromoUtil.exe; dropped to C:\\ProgramData\\WVault.exe; .NET injection host"},
      {"name": "ExceptionHandler.dll", "confidence": "HIGH", "context": "Operator-modified Plowshare crash reporter; dropped alongside CrystSupervisor32.exe for side-load"},
      {"name": "NLEService.dll", "confidence": "MODERATE", "context": "Operator-rebuilt-but-unmodified Wondershare DLL; campaign-bespoke hash"},
      {"name": "networkspec17.log", "confidence": "HIGH", "context": "Operator encrypted Stage-3 carrier; distinctive filename"},
      {"name": "shadermgr93.rc", "confidence": "HIGH", "context": "Operator config blob; distinctive filename"},
      {"name": "watchermgmt.job", "confidence": "HIGH", "context": "Persistence — legacy .job file in C:\\Windows\\Tasks\\"},
      {"name": "watchermgmt", "confidence": "HIGH", "context": "Persistence — XML-format migrated task in C:\\Windows\\System32\\Tasks\\"},
      {"name": "cytotoxin.exe", "confidence": "HIGH", "context": "VT canonical filename for LDKPOIZD.exe (Penguish loader codename)"},
      {"name": "Apophyge", "confidence": "HIGH", "context": "Inno Setup AppName operator codename — distinctive (architectural term, eclectic vocabulary signal)"},
      {"name": "Veteran", "confidence": "HIGH", "context": "Inno Setup DefaultDirName operator codename"}
    ],
    "file_paths": [
      {"value": "C:\\Users\\*\\AppData\\Local\\Temp\\is-*.tmp\\CrystSupervisor32.exe", "path": "C:\\Users\\*\\AppData\\Local\\Temp\\is-*.tmp\\CrystSupervisor32.exe", "confidence": "HIGH", "context": "Inno Setup self-extraction directory pattern; high-confidence campaign indicator when paired with Wondershare DLL pack"},
      {"value": "C:\\Users\\*\\AppData\\Local\\Temp\\is-*.tmp\\ExceptionHandler.dll", "path": "C:\\Users\\*\\AppData\\Local\\Temp\\is-*.tmp\\ExceptionHandler.dll", "confidence": "HIGH", "context": "Operator side-loaded DLL in Inno temp"},
      {"value": "C:\\Users\\*\\AppData\\Local\\Temp\\is-*.tmp\\networkspec17.log", "path": "C:\\Users\\*\\AppData\\Local\\Temp\\is-*.tmp\\networkspec17.log", "confidence": "HIGH", "context": "Encrypted payload in Inno temp; distinctive filename"},
      {"value": "C:\\Users\\*\\AppData\\Local\\Temp\\is-*.tmp\\shadermgr93.rc", "path": "C:\\Users\\*\\AppData\\Local\\Temp\\is-*.tmp\\shadermgr93.rc", "confidence": "HIGH", "context": "Loader config blob in Inno temp"},
      {"value": "C:\\ProgramData\\adv_ctrl\\", "path": "C:\\ProgramData\\adv_ctrl\\", "confidence": "HIGH", "context": "Persistent drop directory (operator codename); contains CrystSupervisor32.exe + camouflage DLLs + operator artifacts"},
      {"value": "C:\\ProgramData\\adv_ctrl\\CrystSupervisor32.exe", "path": "C:\\ProgramData\\adv_ctrl\\CrystSupervisor32.exe", "confidence": "HIGH", "context": "Persistent loader binary"},
      {"value": "C:\\ProgramData\\WVault.exe", "path": "C:\\ProgramData\\WVault.exe", "confidence": "HIGH", "context": "Renamed Qihoo PromoUtil; .NET injection host; non-standard path for Qihoo binary"},
      {"value": "C:\\Users\\*\\AppData\\Roaming\\adv_ctrl\\Crisp.exe", "path": "C:\\Users\\*\\AppData\\Roaming\\adv_ctrl\\Crisp.exe", "confidence": "HIGH", "context": "Persistence-establishing binary in user-writable adv_ctrl"},
      {"value": "C:\\Users\\*\\AppData\\Local\\Temp\\????????.tmp", "path": "C:\\Users\\*\\AppData\\Local\\Temp\\????????.tmp", "confidence": "MODERATE", "context": "Encrypted payload pattern (8-hex-char tmp files referenced by per-host random env vars)", "false_positive_risk": "Generic %TEMP% .tmp pattern is broad — pair with env var names of length 8-16"},
      {"value": "C:\\Windows\\Tasks\\watchermgmt.job", "path": "C:\\Windows\\Tasks\\watchermgmt.job", "confidence": "HIGH", "context": "Legacy .job persistence — autorunsc blind spot"},
      {"value": "C:\\Windows\\System32\\Tasks\\watchermgmt", "path": "C:\\Windows\\System32\\Tasks\\watchermgmt", "confidence": "HIGH", "context": "XML-migrated task counterpart"}
    ]
  },

  "network_indicators": {
    "ipv4": [
      {"ip": "185.241.208.129", "port": "56167", "protocol": "TCP/TLSv1", "confidence": "DEFINITE", "context": "C2 server confirmed via Suricata flow + Noriben + netstat (PID 2596 WVault.exe); AS210558 1337 Services GmbH (Poland); Spamhaus DROP listed; ET DROP rule 2400036 fired; VT confirms Carriers.exe as known communicating file", "asn": "AS210558", "asn_org": "1337 Services GmbH", "country": "PL", "spamhaus_drop": true},
      {"ip": "62.60.237.100", "port": "80", "protocol": "HTTP", "confidence": "DEFINITE", "context": "Primary staging server; AEZA Finland; Apache/2.4.58 (Ubuntu); /Documents/ and /download/Documents/ open directories with 32+ phishing artifacts; VT 5/91 malicious", "asn": "AS210644", "asn_org": "AEZA GROUP LLC", "country": "FI"},
      {"ip": "109.120.137.6", "port": "80", "protocol": "HTTP", "confidence": "HIGH", "context": "Second-stage payload server; H2nexus Ltd Germany; hosts PUTTY.exe, RDP.exe, RMS.exe, Glovo.exe; Russian-language URL 'mozhno-li-vyvesti-dengi-s-krakena.html' historically observed; VT 6/91 malicious", "asn": "AS215730", "asn_org": "H2nexus Ltd", "country": "DE"},
      {"ip": "80.253.249.186", "port": "5504", "protocol": "HTTP", "confidence": "HIGH", "context": "Shared malware-staging infrastructure; serves the legit Wondershare DLL pack (BugSplat.dll, COMSupport.dll, etc.); QWINS LTD Germany; VT 11/47 malicious; useful pivot for tracking other operators using the same side-loading template", "asn_org": "QWINS LTD", "country": "DE"},
      {"ip": "23.106.161.1", "port": "0", "protocol": "N/A", "confidence": "LOW", "context": "Embedded in CAB filename '1468_US_23.106.161.1_28-01-26.cab'; Synology QuickConnect / Leaseweb VPN; possibly victim/3rd-party IP rather than attacker infrastructure; UNC5267 cluster overlap is incidental", "asn": "AS7203", "asn_org": "Leaseweb USA", "country": "US", "false_positive_risk": "Likely victim/3rd-party — DO NOT block at perimeter without further verification"}
    ],
    "domains": [
      {"domain": "onedrive.to", "confidence": "DEFINITE", "context": "Microsoft typosquat created 2025-12-20; Spaceship registrar; Cloudflare-fronted; resolves to 62.60.237.100; hosts WebDAV paths /DavWWWRoot/Carriers/ and /download/Documents/", "first_seen": "2025-12-20"},
      {"domain": "microsoft.com-app.cc", "confidence": "HIGH", "context": "Subdomain typosquat (apex app.cc); resolves to 62.60.237.100; hosts WebDAV path /download/6f14/ (the '6f14' likely a campaign/victim ID)"},
      {"domain": "www-microsoft.live", "confidence": "HIGH", "context": "Typosquat; historical resolution to 62.60.237.100 (2025-10-03); discovered via VT historical pDNS; same operator as the other two typosquats"},
      {"domain": "s3.g.s4.mega.io", "confidence": "HIGH", "context": "Mega.io abuse — operator bucket aileqac3yep7oqdhygjpberqqnk2zrnhck2lx; subdir 'busket' (typo); hosts putty.exe, putty2.exe, Bravo/vida/NGZTDICF.exe; VT 13/60 malicious", "false_positive_risk": "Mega.io is legitimate cloud storage — only flag URLs containing the specific bucket ID + /busket/ path"},
      {"domain": "g.s4.mega.io", "confidence": "MODERATE", "context": "Mega.io subdomain; VT 1/58 malicious"},
      {"domain": "goproxy.github.io", "confidence": "MODERATE", "context": "Open-source GoProxy MITM proxy project; appears as CN in CA cert installed by pe_06 for HTTPS interception; the project itself is legitimate but cert install in user trust store is malicious", "false_positive_risk": "GoProxy is a legitimate open-source project — flag CA cert install in HKCU/HKLM trust stores, not the domain itself"}
    ],
    "urls": [
      {"url": "http://62.60.237.100:80/Documents/", "confidence": "DEFINITE", "context": "Primary staging open directory"},
      {"url": "http://62.60.237.100:80/download/Documents/", "confidence": "DEFINITE", "context": "Mirror staging open directory"},
      {"url": "http://62.60.237.100:80/Documents/Carriers.exe", "confidence": "HIGH", "context": "Direct payload URL"},
      {"url": "http://109.120.137.6/PUTTY.exe", "confidence": "HIGH", "context": "Second-stage payload — invoked by embedded shell-redirect commands containing post-fetch -OutFile and ren/del operations"},
      {"url": "https://s3.g.s4.mega.io/aileqac3yep7oqdhygjpberqqnk2zrnhck2lx/busket/putty.exe", "confidence": "HIGH", "context": "Mega.io payload — Tier-1 MSC chain"},
      {"url": "https://s3.g.s4.mega.io/aileqac3yep7oqdhygjpberqqnk2zrnhck2lx/busket/putty2.exe", "confidence": "HIGH", "context": "Mega.io payload — Price-themed (Price5.docm, Price6.doc, Price4.xls)"},
      {"url": "https://s3.g.s4.mega.io/aileqac3yep7oqdhygjpberqqnk2zrnhck2lx/busket/Bravo/vida/NGZTDICF.exe", "confidence": "HIGH", "context": "Mega.io payload — NDA-themed (NDA.doc); 'Bravo/vida' is operator NDA campaign codename"},
      {"url": "http://80.253.249.186:5504/BugSplat.dll", "confidence": "HIGH", "context": "Shared-staging Wondershare DLL pack download URL pattern"},
      {"url": "http://80.253.249.186:5504/COMSupport.dll", "confidence": "HIGH", "context": "Shared-staging download"},
      {"url": "http://80.253.249.186:5504/DBGHelp.dll", "confidence": "HIGH", "context": "Shared-staging download"},
      {"url": "http://80.253.249.186:5504/DVDSetting.dll", "confidence": "HIGH", "context": "Shared-staging download"},
      {"url": "http://80.253.249.186:5504/NLEResource.dll", "confidence": "HIGH", "context": "Shared-staging download"},
      {"url": "http://80.253.249.186:5504/NLETransitionMgr.dll", "confidence": "HIGH", "context": "Shared-staging download"},
      {"url": "http://80.253.249.186:5504/WSUtilities.dll", "confidence": "HIGH", "context": "Shared-staging download"},
      {"url": "http://80.253.249.186:5504/WS_ImageProc.dll", "confidence": "HIGH", "context": "Shared-staging download"},
      {"url": "http://80.253.249.186:5504/WS_Log.dll", "confidence": "HIGH", "context": "Shared-staging download"},
      {"url": "http://80.253.249.186:5504/WsBurn.dll", "confidence": "HIGH", "context": "Shared-staging download"}
    ],
    "unc_paths": [
      {"value": "\\\\onedrive.to\\DavWWWRoot\\Carriers\\", "unc": "\\\\onedrive.to\\DavWWWRoot\\Carriers\\", "confidence": "HIGH", "context": "WebDAV path — primary distribution"},
      {"value": "\\\\onedrive.to\\DavWWWRoot\\Carriers\\putty.exe", "unc": "\\\\onedrive.to\\DavWWWRoot\\Carriers\\putty.exe", "confidence": "HIGH", "context": "Specific payload UNC"},
      {"value": "\\\\onedrive.to\\download\\Documents\\NDA_Agreements.PDF_2025-12-22-06-50-39-658.exe", "unc": "\\\\onedrive.to\\download\\Documents\\NDA_Agreements.PDF_2025-12-22-06-50-39-658.exe", "confidence": "HIGH", "context": "NDA-themed payload UNC"},
      {"value": "\\\\microsoft.com-app.cc\\download\\6f14\\putty.exe", "unc": "\\\\microsoft.com-app.cc\\download\\6f14\\putty.exe", "confidence": "HIGH", "context": "Typosquat WebDAV payload"}
    ],
    "tls_fingerprints": [
      {"type": "JA3", "value": "07af4aa9e4d215a5ee63f9a0a277fbe3", "confidence": "DEFINITE", "context": "WVault.exe TLS ClientHello fingerprint; matches SSLBL AsyncRAT JA3 list; durable across C2 IP changes"},
      {"type": "JA4", "value": "t10i060500_4dc025c38c38_1a3805c3aa63", "confidence": "DEFINITE", "context": "WVault.exe TLS JA4 fingerprint; modern TLS fingerprint format"},
      {"type": "TLS-ClientHello-cipher-list", "value": "49162-49161-49172-49171-53-47", "confidence": "HIGH", "context": "TLSv1.0 cipher suite ordering"},
      {"type": "TLS-ClientHello-length", "value": "93 bytes outbound", "confidence": "HIGH", "context": "Stable per-connection signature"}
    ],
    "ids_signatures_observed": [
      {"value": "ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert", "signature": "ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert", "severity": "HIGH", "source": "Emerging Threats", "confidence": "HIGH", "context": "Fired in VT C2AE sandbox on Carriers.exe SSL handshake"},
      {"value": "SSLBL: Malicious SSL certificate detected (DCRat C&C)", "signature": "SSLBL: Malicious SSL certificate detected (DCRat C&C)", "severity": "MEDIUM", "source": "Abuse.ch SSLBL", "confidence": "HIGH", "context": "Fired in VT C2AE sandbox"},
      {"value": "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (AsyncRAT)", "signature": "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (AsyncRAT)", "severity": "HIGH", "source": "Abuse.ch SSLBL", "confidence": "HIGH", "context": "Fired in VT C2AE sandbox"},
      {"value": "ET DROP Spamhaus DROP Listed Traffic Inbound group 37", "signature": "ET DROP Spamhaus DROP Listed Traffic Inbound group 37", "severity": "MEDIUM", "source": "Emerging Threats / Spamhaus", "confidence": "DEFINITE", "context": "Fired in Round 13 dynamic analysis on outbound to 185.241.208.129; rule 2400036"}
    ]
  },

  "host_indicators": {
    "registry_keys": [
      {"value": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths", "key": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths", "value_name": "C:\\ProgramData\\adv_ctrl", "value_data": "0", "value_type": "REG_DWORD", "confidence": "HIGH", "context": "Defender exclusion of drop directory; set programmatically via MsMpEng.exe (likely Set-MpPreference -ExclusionPath or WMI)"},
      {"value": "HKEY_USERS\\<SID>\\Software\\Microsoft\\SystemCertificates\\Root\\Certificates\\0174E68C97DDF1E0EEEA415EA336A163D2B61AFD", "key": "HKEY_USERS\\<SID>\\Software\\Microsoft\\SystemCertificates\\Root\\Certificates\\0174E68C97DDF1E0EEEA415EA336A163D2B61AFD", "value_name": "Blob", "value_data": "<binary cert blob>", "value_type": "REG_BINARY", "confidence": "HIGH", "context": "GoProxy CA cert install for HTTPS MITM; subject CN=goproxy.github.io, O=GoProxy, OU=GoProxy, C=IL, ST=Center, L=Lod; thumbprint 0174E68C97DDF1E0EEEA415EA336A163D2B61AFD; not observed in our specific 5-min Noriben window but confirmed in VT C2AE behavior"},
      {"value": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{1F2952E4-FC07-4482-B9E6-E795507DA7D2}_is1", "key": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{1F2952E4-FC07-4482-B9E6-E795507DA7D2}_is1", "value_name": "*", "value_data": "*", "value_type": "REG_SZ", "confidence": "HIGH", "context": "Inno Setup AppId GUID post-install marker — campaign IOC"},
      {"value": "HKCU\\Software\\Microsoft\\Office\\1[6,9].0\\Word\\Security", "key": "HKCU\\Software\\Microsoft\\Office\\1[6,9].0\\Word\\Security", "value_name": "VBAWarnings", "value_data": "1", "value_type": "REG_DWORD", "confidence": "HIGH", "context": "Macro security disable set by Excel_2016_Windows.bat"},
      {"value": "HKCU\\Software\\Microsoft\\Office\\1[6,9].0\\Excel\\Security", "key": "HKCU\\Software\\Microsoft\\Office\\1[6,9].0\\Excel\\Security", "value_name": "VBAWarnings", "value_data": "1", "value_type": "REG_DWORD", "confidence": "HIGH", "context": "Macro security disable for Excel"}
    ],
    "scheduled_tasks": [
      {"name": "watchermgmt", "task_path": "\\watchermgmt", "action": "C:\\ProgramData\\adv_ctrl\\CrystSupervisor32.exe", "trigger": "CalendarTrigger with daily ScheduleByDay; repetition Interval PT1H, Duration P1D", "run_as": "InteractiveToken (HighestAvailable)", "enabled": true, "hidden": false, "confidence": "HIGH", "context": "Legacy .job at C:\\Windows\\Tasks\\watchermgmt.job + auto-migrated XML at C:\\Windows\\System32\\Tasks\\watchermgmt; 1-hour heartbeat"}
    ],
    "named_pipes": [
      {"type": "named_pe_path", "name": "\\\\.\\pipe\\WondershareCrashServices", "confidence": "HIGH", "context": "IPC channel between operator stages mimicking legitimate Wondershare crash-reporter pipe name; ExceptionHandler.dll uses Breakpad protocol as covert IPC"}
    ],
    "appid_guid": [
      {"value": "{1F2952E4-FC07-4482-B9E6-E795507DA7D2}", "guid": "{1F2952E4-FC07-4482-B9E6-E795507DA7D2}", "confidence": "HIGH", "context": "Inno Setup AppId for Apophyge installer"}
    ],
    "environment_variables": [
      {"pattern": "Uppercase ASCII A-Z, length 8-16", "examples": ["EUOJCZYGOUCUG", "FVTADTEB", "JJZIUTSQYJMNTZ", "PBZULMYY"], "confidence": "HIGH", "context": "Per-host pseudo-random env var names (derived deterministically from the hostname) set by CrystSupervisor32.exe at runtime; values are paths to %TEMP%\\<8hex>.tmp files or the persistent loader path"}
    ]
  },

  "behavioral_indicators": {
    "process_patterns": [
      {"pattern": "Carriers.exe → Carriers.tmp (with /SL5= flag) → CrystSupervisor32.exe (in is-*.tmp\\) → CrystSupervisor32.exe (in adv_ctrl\\) → WVault.exe + Crisp.exe", "confidence": "HIGH", "context": "Full process tree from Sysmon EID 1; ~43 seconds from launch to first C2 beacon"},
      {"pattern": "Inno Setup wrapper that returns FALSE from InitializeSetup AFTER calling WinExec on a dropped file", "confidence": "HIGH", "context": "Stealth-by-design Pascal Script pattern; defeats sandboxes flagging wizard-completion or [Run] section execution"},
      {"pattern": "<any>.exe → <wrapper-name>.tmp (Inno Setup runtime) → SlideShowEditor.exe / CrystSupervisor32.exe from %TEMP%\\is-*.tmp\\ immediately following silent installer abort", "confidence": "HIGH", "context": "Distinctive process-tree fingerprint"},
      {"pattern": "Orphan WVault.exe (or PromoUtil.exe) with .NET CLR threads (clr.dll!CreateAssemblyNameObject, clr.dll!GetIdentityAuthority) AND outbound TLSv1 to non-standard high port", "confidence": "HIGH", "context": ".NET RAT injection signature; cross-campaign TTP cluster used by 8+ campaigns since 2025"},
      {"pattern": "mmc.exe → cmd.exe / powershell.exe AND PowerShell command line contains Add-MpPreference -ExclusionExtension *", "confidence": "HIGH", "context": "Tier-2 MSC GrimResource Defender bypass"},
      {"pattern": "taskkill /IM mmc.exe /F invoked by a child of mmc.exe", "confidence": "HIGH", "context": "GrimResource self-cleanup signature"},
      {"pattern": "Process tree where parent <any>.exe exits ~immediately after spawning SlideShowEditor.exe / CrystSupervisor32.exe", "confidence": "HIGH", "context": "Wrapper-then-exit-camouflage pattern"}
    ],
    "file_access_patterns": [
      {"pattern": "Process accessing C:\\Windows\\Tasks\\*.job (file create) from non-system-installer parent", "confidence": "HIGH", "context": "Legacy .job persistence — autorunsc blind spot"},
      {"pattern": "Process delete-then-rewrite pattern on %TEMP%\\<8hex>.tmp via SetDispositionInformationEx (FILE_DISPOSITION_DELETE + POSIX_SEMANTICS)", "confidence": "MODERATE", "context": "Either anti-forensics (wipe and re-create to reset forensic file IDs) or a state reset between stages; the intent is not established"},
      {"pattern": "Multiple Wondershare DLLs (BugSplat.dll, COMSupport.dll, DBGHelp.dll, NLEService.dll, NLETransitionMgr.dll, WS_ImageProc.dll, WS_Log.dll, WsBurn.dll, WSUtilities.dll, DVDSetting.dll, NLEResource.dll) co-located with networkspec17.log AND shadermgr93.rc in %TEMP%\\is-*.tmp\\", "confidence": "HIGH", "context": "Bundle-format detection — pure decoy DLLs surrounding operator artifacts"}
    ],
    "ttp_clusters": [
      {"name": "Multi-vendor camouflage bundle", "confidence": "HIGH", "context": "Operator co-locates 4 GENUINE legitimate vendor binaries (Crisp Squirrel + Info-ZIP zip + Google Updater + Qihoo 360 PromoUtil) with 3 malicious operator-controlled PEs (HijackLoader proper + GoProxy installer + cleanup helper); bundle-LAYOUT tradecraft"},
      {"name": "Renamed signed-vendor hollow target", "confidence": "HIGH", "context": "Drops genuine signed Qihoo 360 PromoUtil.exe under name 'WVault.exe' and hollows it for .NET injection; cross-campaign TTP cluster; 8+ campaigns using this pattern since 2025"},
      {"name": "Three-layer wrapping", "confidence": "HIGH", "context": "Outer (Crisp App Desktop bundle) + Middle (chained DLL hollowing into tapisrv.dll → input.dll) + Inner (Qihoo 360 brand impersonation)"},
      {"name": "Per-host execution guardrail via hostname-keyed crypto", "confidence": "MODERATE", "context": "Encrypted payload + env var names are deterministic from hostname via X65599 hash; resists static recovery without knowing the original infected host's hostname"},
      {"name": "Inno Setup InitializeSetup → WinExec → return False stealth", "confidence": "HIGH", "context": "Defeats sandboxes/triage that don't decompile CompiledCode.bin"},
      {"name": "Legacy .job + Defender exclusion combo persistence", "confidence": "HIGH", "context": "Autorunsc blind spot + real-time scan bypass"},
      {"name": "Heaven's Gate (32↔64 mode switch) in pe_03", "confidence": "HIGH", "context": "Elastic + CAPE YARA hits on pe_03; less commonly discussed in public reporting than hollowing/injection"}
    ]
  },

  "operator_artifacts": [
    {"type": "operator_codename", "value": "Penguish", "context": "Kaspersky family alias for HijackLoader; appears in detection labels"},
    {"type": "operator_codename", "value": "Apophyge", "context": "Inno Setup AppName — architectural term for column-base curve; eclectic vocabulary signal"},
    {"type": "operator_codename", "value": "Veteran", "context": "Inno Setup DefaultDirName"},
    {"type": "operator_codename", "value": "cytotoxin", "context": "VT canonical filename for LDKPOIZD.exe"},
    {"type": "operator_codename", "value": "adv_ctrl", "context": "Persistence directory name (cf. brokerbg, exttracer_net48, thread_adapter, Sulfathiazole)"},
    {"type": "operator_codename", "value": "Plowshare", "context": "Operator project name from PDB path I:\\CompanySource\\Plowshare\\Src\\Symbol\\Release\\ExceptionHandler.pdb"},
    {"type": "operator_codename", "value": "Bravo/vida", "context": "Mega.io NDA-themed campaign subfolder"},
    {"type": "operator_codename", "value": "busket", "context": "Mega.io subdirectory name; misspelling of 'bucket' — language tell"},
    {"type": "language_signal", "value": "VSEZBSRABOTAT", "context": "Russian transliteration 'vse zarabotat' (= 'earn everything') in .url filename"},
    {"type": "language_signal", "value": "mozhno-li-vyvesti-dengi-s-krakena.html", "context": "Russian 'can-you-withdraw-money-from-Kraken' historical URL on second-stage IP"},
    {"type": "appid", "value": "{1F2952E4-FC07-4482-B9E6-E795507DA7D2}", "context": "Inno Setup AppId GUID for Apophyge installer"},
    {"type": "pdb_path", "value": "I:\\CompanySource\\Plowshare\\Src\\Symbol\\Release\\ExceptionHandler.pdb", "context": "Operator-rebuilt Wondershare crash reporter PDB"},
    {"type": "pdb_path", "value": "D:\\project\\MediaAuthorLib\\NLEPlatform\\SymbolTable\\Release\\NLEService.pdb", "context": "Wondershare-mimicking build path for NLEService.dll"},
    {"type": "named_pipe", "value": "\\\\.\\pipe\\WondershareCrashServices", "context": "Operator IPC channel mimicking Wondershare crash-reporter naming"}
  ],

  "known_legitimate_DO_NOT_BLOCKLIST": {
    "context": "These hashes belong to GENUINE legitimate vendor binaries that the operator co-locates in the bundle as camouflage. They carry valid Authenticode signatures and exist in legitimate vendor distributions worldwide. DO NOT add them to generic blocklists — flag them only when found in operator drop paths (C:\\ProgramData\\adv_ctrl\\, %TEMP%\\is-*.tmp\\). Generic hash blocking would cause massive false positives across legitimate user populations.",
    "wondershare_dlls": [
      {"hash": "44f009ca786bc541cda11c61bab7b272e96ce9e3d656c10bdac2e126f3a9cc35", "filename": "CrystSupervisor32.exe (= Wondershare SlideShowEditor.exe)"},
      {"hash": "4b33ee0e8a4153c0c8ccd945adb18d8f91b5b824746a15986bf6781f081f9968", "filename": "BugSplat.dll"},
      {"hash": "b1038928a6da2a1b5064a27187403563f3ab7e8d4ec034dfa8d5d3f6be231191", "filename": "COMSupport.dll"},
      {"hash": "c1275ddf04a0942b416c1a0b2d32003a4eda732c6f97c74181c236e35d12420f", "filename": "DBGHelp.dll"},
      {"hash": "718cfb5195d0e43e795627c781fb3f427856f1cf29f33eedbbc6059b6f214549", "filename": "DVDSetting.dll"},
      {"hash": "7cd5072111581133c5e28b56bef060b3d3b0d8acca3396ef23c6c384eb292d25", "filename": "NLEResource.dll"},
      {"hash": "41050f6f6919a4516d481f7c9b5fe6074c447afc6e9cc28d180982eea50ae165", "filename": "NLETransitionMgr.dll"},
      {"hash": "30b9b877aa1112105069be6b4de794b7a7147a1d968e71fa63f2edc7397e126f", "filename": "WSUtilities.dll"},
      {"hash": "58ef42507d9fc1e8a7b240ef5cddc9f600c3d9a61ee6a42a4045278bb332b86a", "filename": "WS_ImageProc.dll"},
      {"hash": "e841fe9fa09ddc4292f22db95cb2d348d8f37594513f5848d545db92e3b07c66", "filename": "WS_Log.dll"},
      {"hash": "8fcae9719a3f831cb73ef50b587a6222ff73d6c1a6ae617636cb31c6e02d5e3a", "filename": "WsBurn.dll"}
    ],
    "stage3_bundle_legitimate": [
      {"hash": "fcebe8bee86d02093380c7c2eb6dd083ec4d765ed1dae9a1d9fbc1a6328a7778", "filename": "pe_01 (Crisp Squirrel StubExecutable from paulb)"},
      {"hash": "c50bffbef786eb689358c63fc0585792d174c5e281499f12035afa1ce2ce19c8", "filename": "pe_02 (Info-ZIP zip.exe v3.0)"},
      {"hash": "3594a835ed3dbf80ac460c0e852fa91baa3b17aadff9c3b40c03eff6b34658d2", "filename": "pe_04 (Google Updater stub)"},
      {"hash": "729e5965e43ff458f6da901536c9a43be52a3820718e2dd5456150e2d73bb97f", "filename": "pe_05 (Google Updater component)"},
      {"hash": "ca9f859f01940c1d4cfe7465460485398e2de8606e3a4eea977a430555c3bcae", "filename": "pe_08 (Qihoo 360 PromoUtil.exe)"}
    ],
    "wondershare_code_signing_cert_DO_NOT_REVOKE": {
      "subject": "CN=\"Wondershare Technology Group Co.,Ltd\"",
      "issuer": "CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1",
      "thumbprint_sha1": "BC99A77A68F18005CAC0C784A176D3199F735ECF",
      "serial": "059917FD7718808BC34BE224E415216F",
      "validity": "2022-04-08 to 2025-04-05",
      "context": "GENUINE Wondershare cert; signs legitimate Wondershare DVD Creator and other products; adding to revocation feeds would block legit customers worldwide"
    }
  }
}
