OSINT - Egregor RaaS Continues the Chaos with Cobalt Strike and Rclone
AI Analysis
Technical Summary
The Egregor ransomware-as-a-service (RaaS) operation represents a significant and ongoing threat in the ransomware landscape. Egregor operators are known for sophisticated tactics, techniques, and procedures (TTPs), including the deployment of Cobalt Strike and Rclone to facilitate payload delivery and data exfiltration. Cobalt Strike is a legitimate penetration testing tool that threat actors frequently abuse to establish command and control (C2) channels, move laterally, and deploy ransomware payloads within compromised networks. Rclone is a command-line program for managing files on cloud storage, which attackers use to copy stolen data to cloud repositories, making the theft harder to trace and contain. Combining these tools with Egregor ransomware lets attackers both encrypt victim data and threaten to leak it, increasing pressure on victims to pay. The threat is categorized as medium severity, reflecting its impactful but not necessarily critical nature; no patches apply because this is a malware campaign rather than a software vulnerability. The campaign is persistent and has been observed in multiple ransomware incidents, indicating a mature and well-resourced threat actor group. The absence of known exploits for specific software vulnerabilities suggests that initial access relies on social engineering, phishing, or weak credentials rather than zero-day exploitation. The ongoing nature of the OSINT collection indicates continued monitoring of, and activity by, this ransomware group.
Potential Impact
For European organizations, the impact of an Egregor ransomware infection can be severe. The dual threat of data encryption and exfiltration can lead to significant operational disruption, financial losses from ransom payments, regulatory penalties under GDPR for data breaches, and reputational damage. Critical sectors such as finance, healthcare, manufacturing, and government are particularly vulnerable due to their reliance on continuous data availability and confidentiality. The use of Cobalt Strike facilitates deep network penetration, making containment and remediation more complex and costly. Additionally, the exfiltration of sensitive personal or corporate data can trigger mandatory breach notifications and legal consequences under European data protection laws. The medium severity rating reflects the ransomware's capability to cause substantial harm but also indicates that effective detection and response can mitigate the worst outcomes.
Mitigation Recommendations
European organizations should implement targeted mitigation strategies beyond generic ransomware defenses. These include:
1) Deploy advanced endpoint detection and response (EDR) solutions capable of identifying Cobalt Strike beaconing and anomalous Rclone usage patterns.
2) Enforce strict network segmentation to limit lateral movement opportunities for attackers using Cobalt Strike.
3) Monitor outbound network traffic for unusual cloud storage uploads indicative of data exfiltration via Rclone.
4) Conduct regular phishing awareness training to reduce the risk of initial compromise.
5) Implement multi-factor authentication (MFA) across all remote access and privileged accounts to prevent credential abuse.
6) Maintain offline, immutable backups to enable recovery without paying ransom.
7) Establish incident response playbooks specifically addressing ransomware combined with data exfiltration scenarios.
8) Collaborate with threat intelligence sharing communities to stay updated on Egregor TTPs and indicators of compromise.
These measures, combined with continuous network and user behavior monitoring, can significantly reduce the risk and impact of Egregor ransomware attacks.
Affected Countries
Germany, France, United Kingdom, Italy, Netherlands, Spain, Belgium, Poland
Technical Details
- Threat Level: 2
- Analysis: 2
- Uuid: f42c106c-df01-47f3-bc36-16072ad63856
- Original Timestamp: 1609779788
Indicators of Compromise
Link
| Value | Description |
|---|---|
| https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/ | — |
Threat ID: 682acdbebbaf20d303f0e5b0
Added to database: 5/19/2025, 6:20:46 AM
Last enriched: 7/2/2025, 7:12:04 AM
Last updated: 2/7/2026, 8:19:35 PM