OSINT - Frozen in transit: Secret Blizzard’s AiTM campaign against diplomats
AI Analysis
Technical Summary
This entry is an OSINT (open-source intelligence) record of the campaign "Frozen in transit: Secret Blizzard's AiTM campaign against diplomats", attributed to the Russian state actor Secret Blizzard, also tracked as Turla. AiTM (adversary-in-the-middle) is an attack position in which the adversary sits on the network path between two parties and can intercept and manipulate their traffic without either side noticing. The campaign targets diplomats, which points to espionage and intelligence collection. It is characterized by network activity and payload delivery, suggesting that the actor uses its network position to deliver a malicious payload that provides persistent access or a channel for exfiltrating sensitive information. The record is marked as ongoing (lifetime="perpetual") with a medium certainty level (50%): there is credible intelligence about the campaign's existence and modus operandi, but some details remain unconfirmed. No affected software versions or patches are listed, because this is a targeted cyber-espionage campaign rather than a vulnerability in a product. The producer tag is Microsoft, most likely because Microsoft technologies or platforms are involved or targeted. The absence of known in-the-wild exploits and of patches likewise indicates a threat-actor-driven campaign rather than mass vulnerability exploitation. The technical details in this record are limited, but the focus on diplomats and the use of an AiTM position show a sophisticated and highly targeted threat.
Potential Impact
For European organizations, especially diplomatic missions, government agencies, and international organizations, this campaign poses a significant risk to confidentiality and integrity of sensitive communications. Successful AiTM attacks can lead to interception of classified diplomatic communications, manipulation of messages, and unauthorized access to sensitive data, potentially compromising national security and diplomatic relations. The medium severity indicates that while the campaign is not currently widespread, the targeted nature means that affected entities could suffer severe consequences, including espionage, data theft, and reputational damage. The lack of patches and the sophisticated nature of the attack make detection and mitigation challenging, increasing the potential impact on European diplomatic entities and related organizations.
Mitigation Recommendations
European organizations should implement advanced network monitoring to detect unusual traffic patterns indicative of AiTM attacks, including anomalies in TLS/SSL certificates and unexpected proxying of communications. Employing multi-factor authentication (MFA) with hardware tokens can reduce the risk of credential interception and misuse. Diplomatic entities should use end-to-end encrypted communication platforms that are resistant to interception and manipulation. Regular security awareness training focused on spear-phishing and social engineering tactics used by Turla can help reduce initial compromise. Network segmentation and strict access controls should be enforced to limit lateral movement if an intrusion occurs. Additionally, organizations should collaborate with national cybersecurity centers and intelligence agencies to share threat intelligence and receive timely alerts about emerging tactics used by Turla. Given the lack of patches, proactive threat hunting and incident response readiness are critical to identify and mitigate intrusions early.
Affected Countries
France, Germany, United Kingdom, Belgium, Netherlands, Poland, Italy, Spain
Indicators of Compromise
Network indicators
- domain: kav-certificates.info (actor-controlled domain that downloads the malware)
- ip: 45.61.149.109 (kav-certificates.info, enriched via the dns module)
- link: https://www.microsoft.com/en-us/security/blog/2025/07/31/frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats/
- text: Blog
- text: Microsoft Threat Intelligence has uncovered a cyberespionage campaign by the Russian state actor we track as Secret Blizzard that has been targeting embassies located in Moscow using an adversary-in-the-middle (AiTM) position to deploy their custom ApolloShadow malware. ApolloShadow has the capability to install a trusted root certificate to trick devices into trusting malicious actor-controlled sites, enabling Secret Blizzard to maintain persistence on diplomatic devices, likely for intelligence collection. This campaign, which has been ongoing since at least 2024, poses a high risk to foreign embassies, diplomatic entities, and other sensitive organizations operating in Moscow, particularly to those entities who rely on local internet providers.
GeoOpen enrichment of the IP
- country: United States (US); latitude 38, longitude -97 (latitude and longitude are country average); db_source: GeoOpen-Country. build_db: 2025-03-12 07:11:56.
- country: United States (US); latitude 38, longitude -97 (latitude and longitude are country average); db_source: GeoOpen-Country-ASN. build_db: 2025-03-12 07:19:04.
- asn: 14956; ASNOrganization: ROUTERHOSTING. db_source: GeoOpen-Country-ASN. build_db: 2025-03-12 07:19:04.
ApolloShadow sample hashes
- hash (sha256): 13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20 (ApolloShadow malware)
- hash (md5): 1bc5621a4818f2124ac085da21f607ca
- hash (sha1): 60f2c0932b114e99eb81e1ace478b5f5d0fa4d27
- tlsh: t1d5344a0973d50cf9e837813988525a46ea72b8150771dfaf13a0426adf776e0ed3af21
- vhash: 025076655d15551565508016z521z7jzc1z5bz
- ssdeep: 3072:7UAhJPJwCZQw5eA8H/Y+rjTMRGX/C32kjWb/nE3LcgZQz35S0pzoY46CQ1gqLMGx:IA5RRqUjWrnEPQzbohq1LM8
Detection queries
- text: Sentinel Advanced Security Information Model
    // file hash list - imFileEvent
    let ioc_sha_hashes = dynamic(["13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20"]);
    imFileEvent
    | where SrcFileSHA256 in (ioc_sha_hashes) or
        TargetFileSHA256 in (ioc_sha_hashes)
    // User is DOMAIN\user; split on the backslash (separator restored, it was lost in extraction)
    | extend AccountName = tostring(split(User, @'\')[1]),
        AccountNTDomain = tostring(split(User, @'\')[0])
    | extend AlgorithmType = "SHA256"
- text: Sentinel Advanced Security Information Model
    //IP list - _Im_WebSession
    let lookback = 30d;
    let ioc_ip_addr = dynamic(["45.61.149.109"]);
    let ioc_sha_hashes = dynamic(["13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20"]);
    _Im_WebSession(starttime=todatetime(ago(lookback)), endtime=now())
    | where DstIpAddr in (ioc_ip_addr) or FileSHA256 in (ioc_sha_hashes)
    | summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated),
        EventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor
    // Domain list - _Im_WebSession
    let ioc_domains = dynamic(["kav-certificates.info"]);
    _Im_WebSession (url_has_any = ioc_domains)
- text: Sentinel Advanced Security Information Model
    //IP list and domain list - _Im_NetworkSession
    let lookback = 30d;
    let ioc_ip_addr = dynamic(["45.61.149.109"]);
    let ioc_domains = dynamic(["kav-certificates.info"]);
    _Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())
    | where DstIpAddr in (ioc_ip_addr) or DstDomain has_any (ioc_domains)
    | summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated),
        EventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor
- text: Microsoft Defender XDR
    // captive-portal redirect followed within 2 minutes by a file download on the same device
    let CaptiveRedirectEvents = DeviceNetworkEvents
    | where RemoteUrl contains "msftconnecttest.com/redirect"
    | project DeviceId, RedirectTimestamp = Timestamp, RemoteUrl;
    let FileDownloadEvents = DeviceFileEvents
    | where ActionType == "FileDownloaded"
    | project DeviceId, DownloadTimestamp = Timestamp, FileName, FolderPath;
    CaptiveRedirectEvents
    | join kind=inner (FileDownloadEvents) on DeviceId
    | where DownloadTimestamp between (RedirectTimestamp .. (RedirectTimestamp + 2m))
    | project DeviceId, RedirectTimestamp, RemoteUrl, DownloadTimestamp, FileName, FolderPath
PE sections of the sample
- .text: size-in-bytes 128000; float 6.4687295604183
    hash (md5): 9587f236e40b9581bd7084f68c83b14b
    hash (sha1): 3b165b249f0f93aa64de57543adbbe84da190e95
    hash (sha256): dd72350864b15b6c9f7aba96b684fb64221f739c11315077b30077f3e70066e3
    hash (sha512): 6e1e998d04e6cc4d269778c76212de86bffb96ec5256fc072dc3137d87695767744b6f32f6a88f17a7336996db0db88704ef56c5da9f66751a7fc4eb6088ccc4
    ssdeep: 3072:AUAhJPJwCZQw5eA8H/Y+rjTMRGX/C32kjWb/nE3LcgZQzx:jA5RRqUjWrnEPQzx
- .rdata: size-in-bytes 90624; float 4.9337559296997
    hash (md5): b1adac9933b929c845b4471cf7c2ab27
    hash (sha1): 2a117c1346a4e881498670b01a782b172df64d2d
    hash (sha256): af5a9ec8881f3c17e909bba8083309a6f960b786d81770dd5ef52bbb1f19ffbd
    hash (sha512): 5ff34ecfc1fb42401f37b765a3fee10c758aad316b49c6a358e254e2ce6a784610ddb1b7b76c76d07277a84f53f0659ae16d70f86548625c14b984f462d5e452
    ssdeep: 1536:rFss84dh1qE4oajTdobHoWJ4K9dlUzisWtd1ip1DqL/HstcbM:55S0pzoY46CQ1gqLMGbM
- .data: size-in-bytes 4608; float 3.068662876151
    hash (md5): ca44b063f1235f3451f044bd6f091112
    hash (sha1): edb2f2e868ade96f788710cd51a6b43ccbb68743
    hash (sha256): 0431e7e6741272791142debbd3a9971a72d2f8d9705dcad9c9af73365aa44929
    hash (sha512): de0031619cb4d95227daa550b9d1f56c3628b4e2286e36e0e01a9594936e4638940abae6d5574c5c7880f8a1563a7856b9ac3d6440cfe4e525b10c82ea144c73
    ssdeep: 48:z+EEEEEEJLjTkPkBTkQnuDQafFdpcHIG4:z+EEEEEEZaklnulfFdprG4
- .pdata: size-in-bytes 7168; float 5.2142325249842
    hash (md5): f09fea2159d2cd09f4e312d3d4fc15f3
    hash (sha1): c344c8141a2795e848aa439772d45c68fb1ba477
    hash (sha256): e6be7b3fa94419af6744391b2bae63169a408e09353f35d8b1fe00fff05e8bec
    hash (sha512): aec86b1de75fd103957dd8ab1038986c624a36d0536e34beb8e7e69fafab67f0d3f4b93013808cdba6601e8da3beb82a362c083892c57b67dc98639f737e173b
    ssdeep: 96:9zLLE98v0oONctjLbw0R/zrUHu1Wnau58EjKcBgDJDsYHQgJIcYOxUVl9IUKp/qR:p3E9iONQhpIHu1Lu/KpdJXYOCl9e4
- _RDATA: size-in-bytes 512; float 2.8235356273006
    hash (md5): 26584de413aa0d9faf6f99e155ca4377
    hash (sha1): 442dc0ce232caa323084aa827cd0dcff64037bf3
    hash (sha256): c6cd32408bcaeee92ddf99653ae5f2ec380b7a7e90e8b1ccebb6a9ec72807cdd
    hash (sha512): 812000defd1f1c1d1da2da158bbb0735b9b65e2ad4671110e4bb04fa97c6aa659d73a1560806418f5dd84a0d271ddb92b35a9040497982072241826cf8f99378
    ssdeep: 3:klJVllEflrldyLzObZllJFhr5et2/6lzxbXZh1lPXlPNFPn:kjV/ZGctmOL
- .rsrc: size-in-bytes 2048; float 6.591825724894
    hash (md5): 27aacebda1952009c41b6fbb989f999d
    hash (sha1): 1f2c5f58cf8e8017181bac151832a64f71640ef0
    hash (sha256): 0a40e81744d3133766dd74a52c66106ee8afeaa8ce3ad8c8644eea2cd3d52d1c
    hash (sha512): e8c199be0c64c5df3c5cfcbb9eaf6d59c3899db4c400b89dca47dcbce18a45f8e89203d09725353d96dc2410934ea57a69086959c2a419318be37004c4caeecb
    ssdeep: 24:edOWNRb9SeI1hCc1CE9yr37uVHdt4VBgD4IINfr/biNK+bIgMy5xvW0WiCgu8:edOU9I1NNyO9SngsIE6K+bIgMy/548
- .reloc: size-in-bytes 3584; float 5.4193323730566
    hash (md5): 847b0fc839110d9617b6e957695c0821
    hash (sha1): 4c1f1b9b0cd8027ca44b8740684507a7ea0618ba
    hash (sha256): 7dbf5dcea0b582bead47e024e5a1b0506265a1c07c70b6a053e89b1e60156e8d
    hash (sha512): 3f00d7f6c5d5683e4885be0ba43d845966da6ce58c80f91f16cd19d9be35bfe26ac7e4db6bd6ca81cbf543302ec8534df1ce522841907b88b94db968e85c9308
    ssdeep: 96:8TxP8vvElvvNiPEvv2nJOnnsnDPEvvIkvP8vviUPEvv7HcGx:CxsElqEX2JusrEXIssKcEX7HcGx
PE metadata
- text: exe
- text: 5368754252
- datetime: 2024-02-08T06:16:20+00:00
- imphash: 8b85b6f1045e6f05aad33e1fed74b176
- authentihash: 37cf8e0d1d57931ec4fcb56e6116ccc225fbd44fc383732e76609554d0ae46b4
- counter: 7
File object
- file: 13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20
- size-in-bytes: 237568
- float: 6.1025152826652
- hash (md5): 1bc5621a4818f2124ac085da21f607ca
- hash (sha1): 60f2c0932b114e99eb81e1ace478b5f5d0fa4d27
- hash (sha256): 13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20
- hash (sha512): 0ce6ff2aea3c2381b17a26840d2ccb8e7621773b167aebe530a06b936243f786ee3640c3cb9a56a297388b691ccbe0611d85c5167ff9ad2e74a4a19a15869361
- malware-sample: 13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20|1bc5621a4818f2124ac085da21f607ca
- mime-type: application/vnd.microsoft.portable-executable
- ssdeep: 3072:7UAhJPJwCZQw5eA8H/Y+rjTMRGX/C32kjWb/nE3LcgZQz35S0pzoY46CQ1gqLMGx:IA5RRqUjWrnEPQzbohq1LM8
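The queries in this record encode two detection ideas: the ASIM queries match network and file telemetry against the published domain, IP and SHA-256, and the Defender XDR query correlates a captive-portal redirect (msftconnecttest.com/redirect) with a FileDownloaded event on the same device within two minutes. The Python below is an added example, not part of this record and not Microsoft's published code; it re-implements both checks offline over constructed sample rows shaped like the DeviceNetworkEvents and DeviceFileEvents columns the XDR query projects. Every device id, timestamp, file name, folder and non-IOC address in the sample data is made up for the example; only the three IOC values come from the record.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# IOCs taken from the record above
IOC_DOMAINS = {"kav-certificates.info"}
IOC_IPS = {"45.61.149.109"}
IOC_SHA256 = {"13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20"}

# Marker the Defender XDR query uses to recognise a captive-portal redirect
REDIRECT_MARKER = "msftconnecttest.com/redirect"


def _ts(s):
    """Parse an ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample telemetry (not real data), shaped like the columns the
# Defender XDR query projects from DeviceNetworkEvents and DeviceFileEvents.
NETWORK_EVENTS = [
    {"DeviceId": "dev-A", "Timestamp": _ts("2025-07-30T09:00:00"),
     "RemoteUrl": "http://www.msftconnecttest.com/redirect", "RemoteIP": "203.0.113.10"},
    {"DeviceId": "dev-A", "Timestamp": _ts("2025-07-30T09:00:05"),
     "RemoteUrl": "https://kav-certificates.info/update", "RemoteIP": "45.61.149.109"},
    {"DeviceId": "dev-B", "Timestamp": _ts("2025-07-30T10:00:00"),
     "RemoteUrl": "http://www.msftconnecttest.com/redirect", "RemoteIP": "203.0.113.10"},
    {"DeviceId": "dev-C", "Timestamp": _ts("2025-07-30T11:00:00"),
     "RemoteUrl": "https://example.org/", "RemoteIP": "198.51.100.7"},
]
FILE_EVENTS = [
    # dev-A: download 40 s after the redirect and the hash matches the IOC -> should fire
    {"DeviceId": "dev-A", "Timestamp": _ts("2025-07-30T09:00:40"), "ActionType": "FileDownloaded",
     "FileName": "installer.exe", "FolderPath": "C:\\Users\\user\\Downloads",
     "SHA256": "13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20"},
    # dev-B: download 5 min after the redirect, outside the 2-minute window
    {"DeviceId": "dev-B", "Timestamp": _ts("2025-07-30T10:05:00"), "ActionType": "FileDownloaded",
     "FileName": "report.pdf", "FolderPath": "C:\\Users\\user\\Downloads", "SHA256": "aa" * 32},
    # dev-C: download with no preceding redirect on that device
    {"DeviceId": "dev-C", "Timestamp": _ts("2025-07-30T11:00:30"), "ActionType": "FileDownloaded",
     "FileName": "notes.txt", "FolderPath": "C:\\Users\\user\\Downloads", "SHA256": "bb" * 32},
    # dev-A: inside the window but not a download, so the ActionType filter drops it
    {"DeviceId": "dev-A", "Timestamp": _ts("2025-07-30T09:00:50"), "ActionType": "FileCreated",
     "FileName": "tmp.dat", "FolderPath": "C:\\Windows\\Temp", "SHA256": "cc" * 32},
]


def _host_matches(host, domains):
    """KQL-style has_any on a hostname: exact match or a subdomain of an IOC domain."""
    return any(host == d or host.endswith("." + d) for d in domains)


def match_iocs(network_events, file_events):
    """Return (kind, DeviceId, value) for each event that hits a published IOC,
    the equivalent of the _Im_NetworkSession / _Im_WebSession / imFileEvent queries."""
    hits = []
    for e in network_events:
        host = (urlparse(e["RemoteUrl"]).hostname or "").lower()
        if _host_matches(host, IOC_DOMAINS) or e["RemoteIP"] in IOC_IPS:
            hits.append(("network", e["DeviceId"], e["RemoteUrl"]))
    for e in file_events:
        if e.get("SHA256", "").lower() in IOC_SHA256:
            hits.append(("file", e["DeviceId"], e["FileName"]))
    return hits


def correlate_redirect_downloads(network_events, file_events, window_seconds=120):
    """Mirror of the Defender XDR query: inner-join captive-portal redirects with
    FileDownloaded events on DeviceId and keep downloads whose timestamp lies in
    [RedirectTimestamp, RedirectTimestamp + window] (KQL 'between' is inclusive)."""
    window = timedelta(seconds=window_seconds)
    redirects = [e for e in network_events if REDIRECT_MARKER in e["RemoteUrl"]]
    downloads = [e for e in file_events if e["ActionType"] == "FileDownloaded"]
    matches = []
    for r in redirects:
        for d in downloads:
            if d["DeviceId"] != r["DeviceId"]:
                continue
            if r["Timestamp"] <= d["Timestamp"] <= r["Timestamp"] + window:
                matches.append({
                    "DeviceId": d["DeviceId"],
                    "RedirectTimestamp": r["Timestamp"],
                    "RemoteUrl": r["RemoteUrl"],
                    "DownloadTimestamp": d["Timestamp"],
                    "FileName": d["FileName"],
                    "FolderPath": d["FolderPath"],
                })
    return matches


if __name__ == "__main__":
    for hit in match_iocs(NETWORK_EVENTS, FILE_EVENTS):
        print("IOC hit:", hit)
    for m in correlate_redirect_downloads(NETWORK_EVENTS, FILE_EVENTS):
        delay = (m["DownloadTimestamp"] - m["RedirectTimestamp"]).total_seconds()
        print("redirect -> download within 2 min:", m["DeviceId"], m["FileName"], f"{delay:.0f}s")
```

The temporal join is deliberately loose (any download within two minutes of a captive-portal redirect), so on a real fleet it is a hunting query rather than an alert: expect benign hits on devices that legitimately pass through hotel or airport portals, and triage by pairing the results with the IOC matches or with unexpected additions to the machine's trusted root store, which is the persistence step the Microsoft summary describes.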
Technical Details
- Uuid: 0e955ede-dd8d-404e-acb4-41f47f79c820
- Original Timestamp: 1754035577
Threat ID: 688ce196ad5a09ad00ca121e
Added to database: 8/1/2025, 3:47:34 PM
Last enriched: 8/1/2025, 4:03:09 PM
Last updated: 8/2/2025, 1:56:41 AM