OSINT - Frozen in transit: Secret Blizzard’s AiTM campaign against diplomats
AI Analysis
Technical Summary
The threat described is an OSINT (Open Source Intelligence) report on a campaign named "Frozen in transit," attributed to the Russian threat actor group Turla (tracked by Microsoft as Secret Blizzard). The campaign is characterized as an adversary-in-the-middle (AiTM) attack targeting diplomats. AiTM attacks are sophisticated phishing or man-in-the-middle techniques that intercept authentication tokens or credentials during login, often bypassing multi-factor authentication (MFA). The campaign reportedly involves network activity and payload delivery mechanisms, suggesting that the attackers intercept or manipulate network traffic to compromise diplomatic communications or credentials. The campaign is ongoing (the record's lifetime is perpetual), the assessment carries moderate certainty (50%), and Microsoft is listed as the producer of the related telemetry and detection content. No affected software versions or patches are listed, indicating that this is a threat actor campaign rather than a software vulnerability. The lack of known exploits in the wild suggests the campaign may be targeted and not yet widely observed. The technical details are minimal, with no explicit indicators of compromise (IOCs) provided. The threat actor Turla is known for advanced persistent threat (APT) operations, often targeting government and diplomatic entities, leveraging custom malware and sophisticated network intrusion techniques. This campaign likely involves interception of authentication flows to gain unauthorized access to sensitive diplomatic accounts, potentially enabling espionage or data exfiltration.
Potential Impact
For European organizations, particularly diplomatic missions, foreign affairs ministries, and international organizations, this campaign poses a significant espionage risk. Successful AiTM attacks can lead to unauthorized access to confidential communications, compromising the confidentiality and integrity of sensitive diplomatic information. This could result in exposure of negotiation positions, intelligence sharing, or personal data of diplomats. The campaign’s focus on diplomats suggests a high-value target profile, where the impact extends beyond individual organizations to national security and international relations. The medium severity indicates that while the campaign is sophisticated, it may require targeted conditions or specific vulnerabilities to succeed. However, given the strategic importance of diplomatic communications in Europe, even limited successful intrusions could have disproportionate geopolitical consequences. The absence of patches or direct software vulnerabilities means traditional patch management will not mitigate this threat, emphasizing the need for robust authentication and network monitoring controls.
Mitigation Recommendations
European organizations should implement phishing-resistant multi-factor authentication, such as hardware security keys (FIDO2/WebAuthn), rather than SMS or OTP-based MFA, whose codes can be relayed in an AiTM attack. Continuous monitoring of authentication flows and of anomalous login behavior helps detect activity indicative of AiTM campaigns. Network segmentation and end-to-end encrypted communication channels reduce the risk of interception. Security awareness training focused on phishing and social engineering is critical, as AiTM attacks often begin with credential harvesting via phishing. Organizations should also use threat intelligence sharing platforms to receive timely updates on Turla's tactics and indicators. Microsoft's security tools and telemetry, as referenced in the record, can aid detection and response. Incident response plans should be updated to cover AiTM-specific scenarios, including rapid credential revocation and forensic analysis of authentication logs. Finally, diplomatic entities should coordinate with national cybersecurity agencies for threat intelligence and support.
Affected Countries
France, Germany, United Kingdom, Belgium, Netherlands, Italy, Poland, Sweden
Indicators of Compromise
- domain: kav-certificates.info (actor-controlled domain that downloads the malware)
- ip: 45.61.149.109 (resolution of kav-certificates.info; enriched via the dns module)
- hash: 13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20 (SHA-256, ApolloShadow malware)
- link: https://www.microsoft.com/en-us/security/blog/2025/07/31/frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats/
- text: Microsoft Threat Intelligence has uncovered a cyberespionage campaign by the Russian state actor we track as Secret Blizzard that has been targeting embassies located in Moscow using an adversary-in-the-middle (AiTM) position to deploy their custom ApolloShadow malware. ApolloShadow has the capability to install a trusted root certificate to trick devices into trusting malicious actor-controlled sites, enabling Secret Blizzard to maintain persistence on diplomatic devices, likely for intelligence collection. This campaign, which has been ongoing since at least 2024, poses a high risk to foreign embassies, diplomatic entities, and other sensitive organizations operating in Moscow, particularly to those entities who rely on local internet providers.
- text: Blog
- text: United States
- text: US
- geolocation enrichment (db_source: GeoOpen-Country, build_db: 2025-03-12 07:11:56): country United States (US); latitude 38, longitude -97 (country average)
- geolocation enrichment (db_source: GeoOpen-Country-ASN, build_db: 2025-03-12 07:19:04): country United States (US); latitude 38, longitude -97 (country average); ASN 14956, ASNOrganization: ROUTERHOSTING
- md5: 1bc5621a4818f2124ac085da21f607ca
- sha1: 60f2c0932b114e99eb81e1ace478b5f5d0fa4d27
- sha256: 13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20
- tlsh: t1d5344a0973d50cf9e837813988525a46ea72b8150771dfaf13a0426adf776e0ed3af21
- vhash: 025076655d15551565508016z521z7jzc1z5bz
- ssdeep: 3072:7UAhJPJwCZQw5eA8H/Y+rjTMRGX/C32kjWb/nE3LcgZQz35S0pzoY46CQ1gqLMGx:IA5RRqUjWrnEPQzbohq1LM8
- text: Sentinel Advanced Security Information Model (KQL hunting query; the backslash separator in the `split` calls was lost in extraction and is restored here)
```kusto
// file hash list - imFileEvent
let ioc_sha_hashes = dynamic(["13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20"]);
imFileEvent
| where SrcFileSHA256 in (ioc_sha_hashes) or TargetFileSHA256 in (ioc_sha_hashes)
// User is DOMAIN\user: split on the backslash to get the account and NT domain
| extend AccountName = tostring(split(User, @'\')[1]),
         AccountNTDomain = tostring(split(User, @'\')[0])
| extend AlgorithmType = "SHA256"
```
- text: Sentinel Advanced Security Information Model (two separate KQL queries; run them one at a time)
```kusto
// IP list - _Im_WebSession
let lookback = 30d;
let ioc_ip_addr = dynamic(["45.61.149.109"]);
let ioc_sha_hashes = dynamic(["13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20"]);
_Im_WebSession(starttime=todatetime(ago(lookback)), endtime=now())
| where DstIpAddr in (ioc_ip_addr) or FileSHA256 in (ioc_sha_hashes)
| summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated),
            EventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor

// Domain list - _Im_WebSession (url_has_any is a parser parameter, so no where clause is needed)
let ioc_domains = dynamic(["kav-certificates.info"]);
_Im_WebSession(url_has_any = ioc_domains)
```
- text: Sentinel Advanced Security Information Model
```kusto
// IP list and domain list - _Im_NetworkSession
let lookback = 30d;
let ioc_ip_addr = dynamic(["45.61.149.109"]);
let ioc_domains = dynamic(["kav-certificates.info"]);
_Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())
| where DstIpAddr in (ioc_ip_addr) or DstDomain has_any (ioc_domains)
| summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated),
            EventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor
```
- text: Microsoft Defender XDR (advanced hunting query: a captive-portal redirect followed on the same device by a file download within two minutes)
```kusto
let CaptiveRedirectEvents = DeviceNetworkEvents
    | where RemoteUrl contains "msftconnecttest.com/redirect"
    | project DeviceId, RedirectTimestamp = Timestamp, RemoteUrl;
let FileDownloadEvents = DeviceFileEvents
    | where ActionType == "FileDownloaded"
    | project DeviceId, DownloadTimestamp = Timestamp, FileName, FolderPath;
CaptiveRedirectEvents
| join kind=inner (FileDownloadEvents) on DeviceId
| where DownloadTimestamp between (RedirectTimestamp .. (RedirectTimestamp + 2m))
| project DeviceId, RedirectTimestamp, RemoteUrl, DownloadTimestamp, FileName, FolderPath
```
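The same two detection ideas as the KQL above, the IOC match against the record's domain, IP and SHA-256 and the captive-redirect-then-download correlation, re-implemented in plain Python so the logic can be checked offline. This is an added example, not code from the OffSeq record or from Microsoft; the field names mirror the ASIM and Defender columns used in the queries, and every sample row, device id and non-IOC address is constructed.

```python
"""
Added example (not from the OffSeq record or Microsoft's KQL): the IOC match
and the captive-portal-redirect -> download correlation from the queries
above, run over constructed sample telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators from this record: actor domain, its IP, SHA-256 of the ApolloShadow sample.
APOLLOSHADOW_SHA256 = "13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20"
IOC_DOMAINS = {"kav-certificates.info"}
IOC_IPS = {"45.61.149.109"}
IOC_SHA256 = {APOLLOSHADOW_SHA256}

# Captive-portal probe fragment and window taken from the Defender XDR query.
# KQL `contains` is case-insensitive, so URLs are lowercased before the check.
CAPTIVE_REDIRECT = "msftconnecttest.com/redirect"
WINDOW = timedelta(minutes=2)

# Constructed telemetry; 192.0.2.0/24 is the RFC 5737 documentation range.
NETWORK_EVENTS = [
    {"DeviceId": "dev-A", "Timestamp": datetime(2025, 7, 30, 9, 0, 0),
     "RemoteUrl": "http://www.msftconnecttest.com/redirect",
     "DstIpAddr": "192.0.2.10", "DstDomain": "www.msftconnecttest.com"},
    {"DeviceId": "dev-A", "Timestamp": datetime(2025, 7, 30, 9, 0, 40),
     "RemoteUrl": "https://kav-certificates.info/sample.exe",
     "DstIpAddr": "45.61.149.109", "DstDomain": "kav-certificates.info"},
    {"DeviceId": "dev-B", "Timestamp": datetime(2025, 7, 30, 10, 0, 0),
     "RemoteUrl": "http://www.msftconnecttest.com/REDIRECT",
     "DstIpAddr": "192.0.2.10", "DstDomain": "www.msftconnecttest.com"},
    {"DeviceId": "dev-C", "Timestamp": datetime(2025, 7, 30, 11, 0, 0),
     "RemoteUrl": "https://intranet.example/portal",
     "DstIpAddr": "192.0.2.20", "DstDomain": "intranet.example"},
]

FILE_EVENTS = [
    # dev-A: download 70 s after the redirect, and the file is the known sample
    {"DeviceId": "dev-A", "Timestamp": datetime(2025, 7, 30, 9, 1, 10),
     "ActionType": "FileDownloaded", "FileName": "sample.exe", "FileSHA256": APOLLOSHADOW_SHA256},
    # dev-A: a download before the redirect must not be correlated
    {"DeviceId": "dev-A", "Timestamp": datetime(2025, 7, 30, 8, 59, 0),
     "ActionType": "FileDownloaded", "FileName": "notes.docx", "FileSHA256": "aa" * 32},
    # dev-B: download 5 min after the redirect, outside the 2-minute window
    {"DeviceId": "dev-B", "Timestamp": datetime(2025, 7, 30, 10, 5, 0),
     "ActionType": "FileDownloaded", "FileName": "report.pdf", "FileSHA256": "bb" * 32},
    # dev-C: download on a device that saw no captive redirect at all
    {"DeviceId": "dev-C", "Timestamp": datetime(2025, 7, 30, 11, 0, 30),
     "ActionType": "FileDownloaded", "FileName": "tool.msi", "FileSHA256": "cc" * 32},
]


def domain_hits(domain, iocs):
    """True for the indicator domain itself or any subdomain of it."""
    d = domain.lower().rstrip(".")
    return any(d == ioc or d.endswith("." + ioc) for ioc in iocs)


def match_iocs(network_events, file_events):
    """Return (table, DeviceId, indicator) for every event that hits an IOC."""
    hits = []
    for e in network_events:
        if e["DstIpAddr"] in IOC_IPS:
            hits.append(("network", e["DeviceId"], e["DstIpAddr"]))
        if domain_hits(e["DstDomain"], IOC_DOMAINS):
            hits.append(("network", e["DeviceId"], e["DstDomain"]))
    for e in file_events:
        if e.get("FileSHA256", "").lower() in IOC_SHA256:
            hits.append(("file", e["DeviceId"], e["FileSHA256"]))
    return hits


def correlate_redirect_download(network_events, file_events, window=WINDOW):
    """Inner join on DeviceId, keeping downloads within `window` after a redirect.

    Same shape as the KQL join; `between (a .. b)` is inclusive, as is the test here.
    """
    redirects = defaultdict(list)
    for e in network_events:
        if CAPTIVE_REDIRECT in e["RemoteUrl"].lower():
            redirects[e["DeviceId"]].append(e["Timestamp"])
    findings = []
    for f in file_events:
        if f["ActionType"] != "FileDownloaded":
            continue
        for r in redirects.get(f["DeviceId"], []):
            if r <= f["Timestamp"] <= r + window:
                findings.append({"DeviceId": f["DeviceId"], "RedirectTimestamp": r,
                                 "DownloadTimestamp": f["Timestamp"], "FileName": f["FileName"]})
    return findings


if __name__ == "__main__":
    for hit in match_iocs(NETWORK_EVENTS, FILE_EVENTS):
        print("IOC hit:", hit)
    for finding in correlate_redirect_download(NETWORK_EVENTS, FILE_EVENTS):
        print("captive redirect followed by download:", finding)
```

On the sample data only dev-A produces a finding: dev-B's download falls outside the two-minute window, dev-C never saw a captive redirect, and dev-A's earlier download predates the redirect. The domain check treats subdomains of the indicator as hits, which is what `has_any` on a domain column approximates in KQL; the URL check is deliberately a plain substring match so that uppercase variants of the probe path are still caught.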
PE sections of the ApolloShadow sample. The record stores each section as name, size, an unlabelled float (the section entropy) and four unlabelled hashes; the hashes are labelled below by digest length (MD5 32, SHA-1 40, SHA-256 64, SHA-512 128 hex characters).
- section .text
  - size-in-bytes: 128000
  - entropy: 6.4687295604183
  - md5: 9587f236e40b9581bd7084f68c83b14b
  - sha1: 3b165b249f0f93aa64de57543adbbe84da190e95
  - sha256: dd72350864b15b6c9f7aba96b684fb64221f739c11315077b30077f3e70066e3
  - sha512: 6e1e998d04e6cc4d269778c76212de86bffb96ec5256fc072dc3137d87695767744b6f32f6a88f17a7336996db0db88704ef56c5da9f66751a7fc4eb6088ccc4
  - ssdeep: 3072:AUAhJPJwCZQw5eA8H/Y+rjTMRGX/C32kjWb/nE3LcgZQzx:jA5RRqUjWrnEPQzx
- section .rdata
  - size-in-bytes: 90624
  - entropy: 4.9337559296997
  - md5: b1adac9933b929c845b4471cf7c2ab27
  - sha1: 2a117c1346a4e881498670b01a782b172df64d2d
  - sha256: af5a9ec8881f3c17e909bba8083309a6f960b786d81770dd5ef52bbb1f19ffbd
  - sha512: 5ff34ecfc1fb42401f37b765a3fee10c758aad316b49c6a358e254e2ce6a784610ddb1b7b76c76d07277a84f53f0659ae16d70f86548625c14b984f462d5e452
  - ssdeep: 1536:rFss84dh1qE4oajTdobHoWJ4K9dlUzisWtd1ip1DqL/HstcbM:55S0pzoY46CQ1gqLMGbM
- section .data
  - size-in-bytes: 4608
  - entropy: 3.068662876151
  - md5: ca44b063f1235f3451f044bd6f091112
  - sha1: edb2f2e868ade96f788710cd51a6b43ccbb68743
  - sha256: 0431e7e6741272791142debbd3a9971a72d2f8d9705dcad9c9af73365aa44929
  - sha512: de0031619cb4d95227daa550b9d1f56c3628b4e2286e36e0e01a9594936e4638940abae6d5574c5c7880f8a1563a7856b9ac3d6440cfe4e525b10c82ea144c73
  - ssdeep: 48:z+EEEEEEJLjTkPkBTkQnuDQafFdpcHIG4:z+EEEEEEZaklnulfFdprG4
- section .pdata
  - size-in-bytes: 7168
  - entropy: 5.2142325249842
  - md5: f09fea2159d2cd09f4e312d3d4fc15f3
  - sha1: c344c8141a2795e848aa439772d45c68fb1ba477
  - sha256: e6be7b3fa94419af6744391b2bae63169a408e09353f35d8b1fe00fff05e8bec
  - sha512: aec86b1de75fd103957dd8ab1038986c624a36d0536e34beb8e7e69fafab67f0d3f4b93013808cdba6601e8da3beb82a362c083892c57b67dc98639f737e173b
  - ssdeep: 96:9zLLE98v0oONctjLbw0R/zrUHu1Wnau58EjKcBgDJDsYHQgJIcYOxUVl9IUKp/qR:p3E9iONQhpIHu1Lu/KpdJXYOCl9e4
- section _RDATA
  - size-in-bytes: 512
  - entropy: 2.8235356273006
  - md5: 26584de413aa0d9faf6f99e155ca4377
  - sha1: 442dc0ce232caa323084aa827cd0dcff64037bf3
  - sha256: c6cd32408bcaeee92ddf99653ae5f2ec380b7a7e90e8b1ccebb6a9ec72807cdd
  - sha512: 812000defd1f1c1d1da2da158bbb0735b9b65e2ad4671110e4bb04fa97c6aa659d73a1560806418f5dd84a0d271ddb92b35a9040497982072241826cf8f99378
  - ssdeep: 3:klJVllEflrldyLzObZllJFhr5et2/6lzxbXZh1lPXlPNFPn:kjV/ZGctmOL
- section .rsrc
  - size-in-bytes: 2048
  - entropy: 6.591825724894
  - md5: 27aacebda1952009c41b6fbb989f999d
  - sha1: 1f2c5f58cf8e8017181bac151832a64f71640ef0
  - sha256: 0a40e81744d3133766dd74a52c66106ee8afeaa8ce3ad8c8644eea2cd3d52d1c
  - sha512: e8c199be0c64c5df3c5cfcbb9eaf6d59c3899db4c400b89dca47dcbce18a45f8e89203d09725353d96dc2410934ea57a69086959c2a419318be37004c4caeecb
  - ssdeep: 24:edOWNRb9SeI1hCc1CE9yr37uVHdt4VBgD4IINfr/biNK+bIgMy5xvW0WiCgu8:edOU9I1NNyO9SngsIE6K+bIgMy/548
- section .reloc
  - size-in-bytes: 3584
  - entropy: 5.4193323730566
  - md5: 847b0fc839110d9617b6e957695c0821
  - sha1: 4c1f1b9b0cd8027ca44b8740684507a7ea0618ba
  - sha256: 7dbf5dcea0b582bead47e024e5a1b0506265a1c07c70b6a053e89b1e60156e8d
  - sha512: 3f00d7f6c5d5683e4885be0ba43d845966da6ce58c80f91f16cd19d9be35bfe26ac7e4db6bd6ca81cbf543302ec8534df1ce522841907b88b94db968e85c9308
  - ssdeep: 96:8TxP8vvElvvNiPEvv2nJOnnsnDPEvvIkvP8vviUPEvv7HcGx:CxsElqEX2JusrEXIssKcEX7HcGx
PE header and file object of the sample:
- text: exe
- text: 5368754252
- datetime (compilation timestamp): 2024-02-08T06:16:20+00:00
- imphash: 8b85b6f1045e6f05aad33e1fed74b176
- authentihash: 37cf8e0d1d57931ec4fcb56e6116ccc225fbd44fc383732e76609554d0ae46b4
- counter: 7 (number of sections; matches the seven listed above)
- file: 13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20
- size-in-bytes: 237568
- entropy: 6.1025152826652
- md5: 1bc5621a4818f2124ac085da21f607ca
- sha1: 60f2c0932b114e99eb81e1ace478b5f5d0fa4d27
- sha256: 13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20
- sha512: 0ce6ff2aea3c2381b17a26840d2ccb8e7621773b167aebe530a06b936243f786ee3640c3cb9a56a297388b691ccbe0611d85c5167ff9ad2e74a4a19a15869361
- malware-sample: 13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20|1bc5621a4818f2124ac085da21f607ca
- mime-type: application/vnd.microsoft.portable-executable
- ssdeep: 3072:7UAhJPJwCZQw5eA8H/Y+rjTMRGX/C32kjWb/nE3LcgZQz35S0pzoY46CQ1gqLMGx:IA5RRqUjWrnEPQzbohq1LM8
Technical Details
- Uuid: 0e955ede-dd8d-404e-acb4-41f47f79c820
- Original Timestamp: 1754035577 (Unix epoch, 2025-08-01T08:06:17Z)
Threat ID: 688ce196ad5a09ad00ca121e
Added to database: 8/1/2025, 3:47:34 PM
Last enriched: 8/31/2025, 1:13:07 AM
Last updated: 9/13/2025, 6:23:58 PM
Views: 76