OSINT - Frozen in transit: Secret Blizzard’s AiTM campaign against diplomats
AI Analysis
Technical Summary
The 'Frozen in transit' campaign is an ongoing adversary-in-the-middle (AiTM) operation attributed to the Russian advanced persistent threat (APT) group Turla, which Microsoft tracks as Secret Blizzard. The campaign specifically targets diplomats, using network-level interception and payload delivery to intercept, manipulate, or exfiltrate sensitive communications. AiTM attacks typically involve intercepting authentication flows or communication channels to bypass multi-factor authentication and gain unauthorized access. Although no specific affected software versions or exploits are identified, the campaign's medium severity rating and the lack of available patches indicate a threat that exploits operational or procedural weaknesses rather than software vulnerabilities. The attribution to Turla, a well-known espionage-focused actor, and the targeting of diplomats point to espionage and intelligence gathering as the strategic intent. The campaign was identified through OSINT sources with moderate confidence (50%), so ongoing monitoring is necessary. No direct indicators of compromise or technical signatures are provided, complicating detection efforts. The absence of known exploits in the wild suggests the campaign may rely on custom or targeted attack vectors, emphasizing the need for proactive defense measures. The focus on network activity and payload delivery suggests the attackers may use phishing, compromised infrastructure, or network interception techniques to achieve their objectives. Given the geopolitical context and the targeting of diplomatic entities, the campaign represents a significant threat to the confidentiality and integrity of sensitive communications.
Potential Impact
For European organizations, particularly diplomatic missions and government agencies, this campaign poses a significant risk of espionage, data theft, and operational disruption. Successful AiTM attacks can lead to unauthorized access to confidential communications, manipulation of diplomatic messages, and potential compromise of authentication mechanisms. This undermines trust in communication channels and may result in exposure of sensitive negotiations or strategic information. The campaign's targeting of diplomats means that European countries with active diplomatic engagements and international organizations are at heightened risk. The impact extends beyond confidentiality to include potential integrity violations and availability disruptions if payloads interfere with communication systems. The medium confidence level and lack of known exploits suggest the threat is currently targeted and sophisticated, requiring specialized detection capabilities. The absence of patches means organizations must rely on procedural and network defenses rather than software updates. Overall, the campaign threatens the security posture of European diplomatic entities and could have broader geopolitical consequences if successful.
Mitigation Recommendations
European organizations should implement multi-layered defenses tailored to AiTM attack vectors. This includes deploying advanced network monitoring and anomaly detection to identify unusual interception or redirection of traffic. Strict email and web gateway filtering should be enforced to block phishing and malicious payload delivery. Organizations must enforce strong authentication mechanisms, including hardware-based multi-factor authentication resistant to interception. Regular threat intelligence sharing focused on Turla and AiTM tactics can improve detection and response. Network segmentation and zero-trust principles should be applied to limit lateral movement if compromise occurs. Diplomatic entities should conduct regular security awareness training emphasizing targeted phishing and social engineering risks. Incident response plans must include scenarios for AiTM attacks, ensuring rapid containment and forensic analysis. Since no patches are available, organizations should review and harden operational procedures around communication channels, including the use of encrypted and out-of-band verification methods. Collaboration with national cybersecurity agencies and international partners is critical to stay updated on emerging indicators and tactics.
Affected Countries
Germany, France, United Kingdom, Belgium, Netherlands, Italy, Poland
Indicators of Compromise
- domain: kav-certificates.info (actor-controlled domain that downloads the malware)
- ip: 45.61.149.109 (resolution of kav-certificates.info, enriched via the dns module; AS14956 ROUTERHOSTING, geolocated to the United States)
- hash (SHA-256): 13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20 (ApolloShadow malware)
- link: https://www.microsoft.com/en-us/security/blog/2025/07/31/frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats/ (Microsoft Security Blog)
- text: Microsoft Threat Intelligence has uncovered a cyberespionage campaign by the Russian state actor we track as Secret Blizzard that has been targeting embassies located in Moscow using an adversary-in-the-middle (AiTM) position to deploy their custom ApolloShadow malware. ApolloShadow has the capability to install a trusted root certificate to trick devices into trusting malicious actor-controlled sites, enabling Secret Blizzard to maintain persistence on diplomatic devices, likely for intelligence collection. This campaign, which has been ongoing since at least 2024, poses a high risk to foreign embassies, diplomatic entities, and other sensitive organizations operating in Moscow, particularly to those entities who rely on local internet providers.
- hash (MD5): 1bc5621a4818f2124ac085da21f607ca
- hash (SHA-1): 60f2c0932b114e99eb81e1ace478b5f5d0fa4d27
- tlsh: t1d5344a0973d50cf9e837813988525a46ea72b8150771dfaf13a0426adf776e0ed3af21
- vhash: 025076655d15551565508016z521z7jzc1z5bz
- ssdeep: 3072:7UAhJPJwCZQw5eA8H/Y+rjTMRGX/C32kjWb/nE3LcgZQz35S0pzoY46CQ1gqLMGx:IA5RRqUjWrnEPQzbohq1LM8
Sentinel Advanced Security Information Model (ASIM) hunting query: file hash list over imFileEvent (the `User` field is split on the backslash of a DOMAIN\user value, which the extraction had dropped):

```kusto
// file hash list - imFileEvent
let ioc_sha_hashes = dynamic(["13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20"]);
imFileEvent
| where SrcFileSHA256 in (ioc_sha_hashes) or TargetFileSHA256 in (ioc_sha_hashes)
| extend AccountName = tostring(split(User, @'\')[1]),
         AccountNTDomain = tostring(split(User, @'\')[0])
| extend AlgorithmType = "SHA256"
```
Sentinel Advanced Security Information Model (ASIM) hunting queries: IP list and file hash over _Im_WebSession, then domain list over _Im_WebSession (two separate queries):

```kusto
// IP list - _Im_WebSession
let lookback = 30d;
let ioc_ip_addr = dynamic(["45.61.149.109"]);
let ioc_sha_hashes = dynamic(["13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20"]);
_Im_WebSession(starttime=todatetime(ago(lookback)), endtime=now())
| where DstIpAddr in (ioc_ip_addr) or FileSHA256 in (ioc_sha_hashes)
| summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated),
            EventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor
```

```kusto
// Domain list - _Im_WebSession
let ioc_domains = dynamic(["kav-certificates.info"]);
_Im_WebSession(url_has_any = ioc_domains)
```
Sentinel Advanced Security Information Model (ASIM) hunting query: IP list and domain list over _Im_NetworkSession:

```kusto
// IP list and domain list - _Im_NetworkSession
let lookback = 30d;
let ioc_ip_addr = dynamic(["45.61.149.109"]);
let ioc_domains = dynamic(["kav-certificates.info"]);
_Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())
| where DstIpAddr in (ioc_ip_addr) or DstDomain has_any (ioc_domains)
| summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated),
            EventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor
```
Microsoft Defender XDR advanced hunting query: correlates a captive-portal redirect (msftconnecttest.com/redirect) with a file download on the same device within the following two minutes:

```kusto
let CaptiveRedirectEvents = DeviceNetworkEvents
| where RemoteUrl contains "msftconnecttest.com/redirect"
| project DeviceId, RedirectTimestamp = Timestamp, RemoteUrl;
let FileDownloadEvents = DeviceFileEvents
| where ActionType == "FileDownloaded"
| project DeviceId, DownloadTimestamp = Timestamp, FileName, FolderPath;
CaptiveRedirectEvents
| join kind=inner (FileDownloadEvents) on DeviceId
| where DownloadTimestamp between (RedirectTimestamp .. (RedirectTimestamp + 2m))
| project DeviceId, RedirectTimestamp, RemoteUrl, DownloadTimestamp, FileName, FolderPath
```
Technical Details
- Uuid: 0e955ede-dd8d-404e-acb4-41f47f79c820
- Original Timestamp: 1754035577
Threat ID: 688ce196ad5a09ad00ca121e
Added to database: 8/1/2025, 3:47:34 PM
Last enriched: 10/29/2025, 1:22:49 AM
Last updated: 11/1/2025, 12:28:18 PM
Views: 113