
🚨 Suspected #APT Alert (MSC Attack - Not Kimsuky)

New attack sample: using Egyptian Foreign Ministry's visit to Belgium as lure.

📦 No.09.rar
🔗 hxxps://www.mediafire.com/file_premium/9qgx04se3hw6gia/No.09.rar/file

830ab16657abbbcff4d0048754054876 | RAR
cc2f9443a48131ca72576f3267156b4b | MSC

⚠️ Subsequent payloads currently inactive
🌐 C2: hxxps://gofinancially.com/images/upload/0422.png

🚨#APT #Bitter Alert🚨

New malicious samples identified:

πŸ“ 8650fff81d597e1a3406baf3bb87297f
2025-013-PAK-MoD-Invitation_the_UN_Peacekeeping.rar

Lure: "Invitation to the UN Peacekeeping Ministerial on 13th and 14th May 2025"

πŸ“ c12ea05baf94ef6f0ea73470d70db3b2
M6XA.rar

Lure: "Details of Courses for Special Forces, Details of All Arms Courses"

🔗 C2: hxxp://149.154.153.184/loccs.php?cn=%computername%--%username%

Contents: PDF, LNK, & batch files. Exploits CVE-2023-38831.

Stay vigilant! #CyberSecurity #ThreatIntel

#APT #Sidewinder may have attacked the #NEPAL Army

c87e8d369a9718304e253ebe24da5267bf3a39f0b456c4191029b6be4bc04a42
Dispatch of the APC HMLTV technical team.zip

960d08384896ca7a160371f7e19b15d804f225d242cade03f55f387cf69e7f15
Dispatch of the APC HMLTV technical team.jpg.lnk

d45137fcd0e87b0819bbffc8cd87c55f93837700deac73d07ceb8ea5497df449
Bio Data Form.jpg.lnk

f1be1d4c0cc7622af82e10bd6350019c7ecb87cca0e69f8f1a7ba8c9828983d8
Appendix.jpg.lnk

hxxps://mailnepalarmymil.mods.email/dispachofapc-46703841?yui=2
hxxps://mailnepalarmymil.mods.email/dispachofapc-46703841?yui=1
hxxps://mailnepalarmymil.mods.email/dispachofapc-46703841?yui=0

#APT #Bitter 💥🇵🇰

686d4be34b6f83cb5ee5b8f607a09855
Minutes_of_15th_Session_of_PSC.zip

a51493ca2948491e60759223c3be8502
Minutes_of_15th_Session_of_PSC.pdf.exe

hxxps://oraclewebonline.com/log.php?computername={}&username={}

Another file connected to the same C2 👇

16c33dbd1d7f6f98827e14f9d6d918e7
Searchapp.exe

New sample uploaded from United Arab Emirates 🇦🇪. It may be related to #APT #Sidewinder.

216be0b5a0bbe6066604530539b647b6
SIR_206_48_MON_28_03_2024.img

Same as above
e65a608d1dcd49291634f60d8d18548b
evil.zip

d466c92a9ed1b0dd7a9789d24182b387
IntelWiDiUtils64.dll

64.46.102.63
ctd2.police.fia-gov[.]com

Group-IB has disclosed this domain name in a report: https://www.group-ib.com/blog/hunting-sidewinder/

#APT #Bitter 💥🇵🇰

10f4479d5f531def842a712277ae9611
Training nominations UN Mil Expert on Msn Course 2024.pdf.lnk

demolaservices[.]com/mml.php
-> %public%\Documents\config.xml

Task Scheduler: MicrosoftEdgeUpdateEngine

#APT #Donot

5a54997893ae1d40684761f1dcf5607f
22 Nov 23.xls

403b80a65d9825d823fd86263a6b4d5f
mate

212a9e0b040a0222adebcd7e07593d05
mate.exe

stores.bakedcakes[.]online

#APT #Patchwork

2023120314221759826.pdf.lnk
4938bd735cdb8ca0ea592482018a0979

hxxps://pd35.b-cdn.net/ymj
-> C:\Users\Public\2023120314221759826.pdf

hxxps://pl335.b-cdn.net/fgn
-> C:\Windows\Tasks\Services.exe
eecee405c8c2536778131ba44dfb3987

wingpao[.]info

#APT #Patchwork 💥🇵🇰

Tax_Deduction_Revised_Q1-2024.pdf.lnk
218d85723396ddddaf75fc5853338997

hxxps://tyfk1.b-cdn.net/dox
C:\Users\Public\Tax_Deduction_Revised_Q1-2024.pdf

hxxps://tyfk1.b-cdn.net/dix
C:\Windows\Tasks\Services.exe
6582a4df50948aaf2dcfbc6d8b84a58e

kungkao[.]online

#APT #Sidewinder

e2a3edc708016316477228de885f0c39

The decoy document is information about the itinerary of Nepali Prime Minister Pushpa Kamal Dahal.

After the macro code is run, multiple VBScript files, batch files, and ZIP files containing the Nim backdoor will be released.

IOC-Files

OCu3HBg7gyI9aUaB.vbs
1cc8e1cc36a18681148872e164431688

8lGghf8kIPIuu3cM.bat
63d42ffa1568d9a379f448052927a237

skriven.vbs
32c5141b0704609b9404eff6c18b47bf

conhost.zip
3b629910a9432f456b59f4e779907aa6

conhost.exe
777fcc34fef4a16b2276e420c5fb3a73

IOC-URLs

hxxp://mail.mofa.govnp.org/mail/AFA/
hxxp://nitc.govnp.org/mail/AFA/
hxxp://dns.govnp.org/mail/AFA/
hxxp://mx1.nepal.govnp.org/mail/AFA/

Reference
https://mp.weixin.qq.com/s/iWx2tGCLOR0JtDBnC3FOwQ