OSINT - New Malware with Ties to SunOrcal Discovered
Unit 42 has discovered a new malware family we've named "Reaver" with ties to attackers who use SunOrcal malware. SunOrcal activity has been documented to at least 2013, and based on metadata surrounding some of the C2s, may have been active as early as 2010. The new family appears to have been in the wild since late 2016 and to date we have only identified 10 unique samples, indicating it may be sparingly used. Reaver is also somewhat unique in the fact that its final payload is in the form of a Control panel item, or CPL file. To date, only 0.006% of all malware seen by Palo Alto Networks employs this technique, indicating that it is in fact fairly rare.
AI Analysis
Technical Summary
Unit 42 describes "Reaver" as a new malware family linked to the operators of SunOrcal, whose activity is documented back to at least 2013 and, judging by metadata on some of the C2 infrastructure, possibly to 2010. Reaver appears to have been in use since late 2016, and only 10 unique samples had been identified at the time of the report, which points to sparing, targeted deployment rather than broad campaigns. Its distinguishing trait is that the final payload is a Control Panel item (CPL). A CPL file is an ordinary DLL that exports a CPlApplet entry point; Windows loads it through control.exe, or through rundll32.exe with shell32.dll,Control_RunDLL, so the malicious code runs inside a signed Microsoft host process rather than as a standalone executable. Palo Alto Networks saw this technique in only 0.006% of malware, so detection content tuned to EXE launches may not cover it. The indicators on this page distinguish three Reaver versions (v1, v2, v3) from SunOrcal samples and include four C2 domains, two IP addresses, the dropped files (%TEMP%\winhelp.dat, winhelp.cpl and the ~WUpdate.lnk / ~Update.lnk shortcuts), three directories, and the Startup shell-folder registry values that Windows uses to locate the per-user and all-users Startup directories, which is consistent with persistence through a shortcut placed in a Startup folder. Reaver is malware rather than a vulnerability: no software flaw is exploited and there is no patch to apply. The feed marks the event as threat level 3 (Low on the MISP scale) with analysis state 2 (Completed), but the long-running actor behind it and the uncommon delivery method justify attention from detection teams, and the hashes, network indicators and file paths listed below are enough to build both signature and behavioural coverage.
Potential Impact
For European organisations the immediate risk is low: the family is rare, and the report excerpt on this page names no targets or sectors. Where it is used, a CPL payload running inside control.exe or rundll32.exe gives the operator a foothold that blends into normal Windows activity, so the realistic consequences are those of an espionage implant: unauthorised access, data theft and lateral movement, with confidentiality rather than availability at stake. The actor's multi-year history makes targeted intrusion more likely than broad disruption, and the low-noise delivery means detection may lag, extending dwell time in the cases where it does land. Organisations holding high-value intellectual property or sensitive data are the ones for which that dwell time matters most.
Mitigation Recommendations
- Alert on Control Panel items loaded from user-writable locations. A .cpl is a DLL, and the built-in applets are signed files under %SystemRoot%\System32 (and SysWOW64); control.exe or "rundll32.exe shell32.dll,Control_RunDLL" loading a .cpl from %TEMP%, %APPDATA%, %LOCALAPPDATA%, ProgramData or Users\Public is the pattern to flag. Sysmon process-creation (Event 1) and image-load (Event 7) telemetry, or the EDR equivalent, carry the fields needed.
- Hunt for the listed artefacts: %TEMP%\winhelp.dat and winhelp.cpl, the ~WUpdate.lnk and ~Update.lnk shortcuts, and unexpected content in the %COMMONPROGRAMFILES%\services\, %APPDATA%\microsoft\mmc\ and %APPDATA%\microsoft\credentials\ directories. The Startup shell-folder registry values among the indicators suggest persistence through a shortcut in a Startup folder, so review both the per-user and all-users Startup directories for shortcuts pointing at a .cpl or at rundll32.exe.
- Block or sinkhole the four C2 domains and two IP addresses and search DNS, proxy and firewall history for them; the family has been in the wild since late 2016, so the look-back should reach that far where logs allow. Load the SHA256, SHA1 and MD5 values into EDR and mail-gateway blocklists.
- Use application control that covers DLL loads, not only executable launches: an allow-list applied to .exe files alone does not stop a CPL, because the code runs inside control.exe or rundll32.exe. Where full DLL control is impractical, an EDR rule that flags those two hosts loading modules from outside the Windows and Program Files directories covers most of the gap.
- Keep administrative rights tight, but note what that buys: %COMMONPROGRAMFILES%\services\ sits under Program Files and needs elevated rights to write, whereas %APPDATA% and %TEMP% do not, so the payload can run entirely as a standard user.
- Share confirmed sightings with the relevant ISAC or national CSIRT; with only ten known samples, each new one materially extends everyone's coverage.
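The hunting and detection logic recommended above, as an added example rather than code from the Unit 42 report or from this platform: it encodes the page's C2 domains, IP addresses, file names, directories and a subset of the SHA256 values, and adds a behavioural rule that fires when control.exe or rundll32.exe loads a Control Panel item from outside the Windows directory, whatever its hash. The event format (one-line key=value records with Sysmon-style field names such as Image, CommandLine, TargetFilename, QueryName, DestinationIp and Hashes), the sample events and the user name in them are constructed assumptions for illustration.

```python
"""Hunt for the Reaver / SunOrcal indicators on this page in endpoint telemetry.

Added example; this is not code from the Unit 42 report or from the platform
hosting this page. The indicator sets are copied from the tables on this page.
The event format (one-line key=value records with Sysmon-style field names),
the sample events and the user name in them are constructed for illustration.
"""
import re

# Network indicators listed on this page.
C2_DOMAINS = {"www.fyoutside.com", "www.tashdqdxp.com",
              "www.weryhstui.com", "www.olinaodi.com"}
C2_IPS = {"98.126.156.210", "104.148.70.217"}
# Subset of the SHA256 values listed on this page: one per Reaver version plus one SunOrcal sample.
SHA256S = {
    "d560f44188fb56d3abb11d9508e1167329470de19b811163eb1167534722e666",  # Reaver.v1
    "98eb5465c6330b9b49df2e7c9ad0b1164aa5b35423d9e80495a178eb510cdc1c",  # Reaver.v2
    "18ac3b14300ecfeed4b64a844c16dccb06b0e3513d0954d6c6182f2ea14e4c92",  # Reaver.v3
    "cb7c0cf1750baaa11783e93369230ee666b9f3da7298e4d1bb9a07af6a439f2f",  # SunOrcal
}
# File names from the File table, matched case-insensitively as substrings of paths.
FILE_NAMES = {"winhelp.dat", "winhelp.cpl", "~wupdate.lnk", "~update.lnk"}
# Directories from the Regkey table. "\services\" is generic enough to hit benign
# software, so a directory hit is a lead to review, not a confirmed detection.
DIR_FRAGMENTS = {"\\services\\", "\\microsoft\\mmc\\", "\\microsoft\\credentials\\"}

# Behavioural rule: a Control Panel item is a DLL that Windows loads through
# control.exe or "rundll32.exe shell32.dll,Control_RunDLL". Built-in applets live
# under the Windows directory; one loaded from anywhere else merits an alert
# whatever its hash.
CPL_HOSTS = ("control.exe", "rundll32.exe")
TRUSTED_CPL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
CPL_PATH_RE = re.compile(r'([a-z]:\\[^"]*?\.cpl)\b', re.I)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Parse one key=value event line; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def sha256_of(ev: dict):
    """Pull the SHA256 out of a Sysmon-style 'Hashes=SHA256=...,MD5=...' field."""
    for part in ev.get("Hashes", "").split(","):
        if part.upper().startswith("SHA256="):
            return part.split("=", 1)[1].lower()
    return None


def check_event(ev: dict) -> list:
    """Return (rule, detail) pairs for every indicator or behaviour the event matches."""
    hits = []
    sha = sha256_of(ev)
    if sha in SHA256S:
        hits.append(("known_hash", sha))
    if ev.get("QueryName", "").lower() in C2_DOMAINS:
        hits.append(("c2_domain", ev["QueryName"]))
    if ev.get("DestinationIp") in C2_IPS:
        hits.append(("c2_ip", ev["DestinationIp"]))
    for path in (ev.get("Image", ""), ev.get("TargetFilename", ""), ev.get("CommandLine", "")):
        low = path.lower()
        hits += [("reaver_filename", n) for n in sorted(FILE_NAMES) if n in low]
        hits += [("reaver_directory", d) for d in sorted(DIR_FRAGMENTS) if d in low]
    if ev.get("Image", "").lower().endswith(CPL_HOSTS):
        m = CPL_PATH_RE.search(ev.get("CommandLine", ""))
        if m and not m.group(1).lower().startswith(TRUSTED_CPL_DIRS):
            hits.append(("cpl_from_untrusted_path", m.group(1)))
    return hits


def scan(lines) -> list:
    """Return [(event, hits)] for each line that triggered at least one rule."""
    results = []
    for line in lines:
        ev = parse_event(line)
        hits = check_event(ev)
        if hits:
            results.append((ev, hits))
    return results


# Constructed sample telemetry, not real logs. Backslashes are doubled for Python.
SAMPLE_EVENTS = [
    # Benign: the built-in Region applet loaded from System32.
    'EventID=1 Image=C:\\Windows\\System32\\control.exe '
    'CommandLine="control.exe C:\\Windows\\System32\\intl.cpl"',
    # The Reaver final-stage pattern: a CPL loaded from %TEMP% through rundll32.
    'EventID=1 Image=C:\\Windows\\System32\\rundll32.exe '
    'CommandLine="rundll32.exe shell32.dll,Control_RunDLL C:\\Users\\bob\\AppData\\Local\\Temp\\winhelp.cpl"',
    # File drop matching %TEMP%\winhelp.dat from the File table.
    'EventID=11 Image=C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe '
    'TargetFilename=C:\\Users\\bob\\AppData\\Local\\Temp\\winhelp.dat',
    # DNS query and outbound connection to listed C2 infrastructure.
    'EventID=22 Image=C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe QueryName=www.fyoutside.com',
    'EventID=3 Image=C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe DestinationIp=104.148.70.217 DestinationPort=443',
    # A file whose SHA256/MD5 are the listed Reaver.v1 sample.
    'EventID=1 Image=C:\\Users\\bob\\Downloads\\doc.exe CommandLine="doc.exe" '
    'Hashes=SHA256=d560f44188fb56d3abb11d9508e1167329470de19b811163eb1167534722e666,MD5=9f289cce6f95949450e3f4c96a187f5d',
]

if __name__ == "__main__":
    for ev, hits in scan(SAMPLE_EVENTS):
        print(f"EventID={ev['EventID']} {ev.get('Image')}: {hits}")
```

Run as-is it reports the five constructed events that fire and stays silent on the benign control.exe launch; in practice, feed it exported Sysmon Event 1/3/11/22 records or the EDR equivalent. The behavioural rule is the part worth keeping after the hashes go stale: it fires on any CPL outside System32 and SysWOW64, so extend the trusted-directory list for third-party applets that legitimately install under Program Files.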
Affected Countries
Germany, France, United Kingdom, Netherlands, Belgium, Italy, Sweden
Technical Details
- Threat Level: 3 (Low on the MISP scale)
- Analysis: 2 (Completed on the MISP scale; this is the event's analysis state, not a score)
- UUID: 5a0a9aa9-23a4-4607-b6df-41a9950d210f
- Original Timestamp: 1510922435 (2017-11-17 UTC)
Indicators of Compromise
Link
| Value | Description |
|---|---|
| https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/ | Source report (Unit 42) |
| https://www.virustotal.com/file/cb7c0cf1750baaa11783e93369230ee666b9f3da7298e4d1bb9a07af6a439f2f/analysis/1510574305/ | SunOrcal - Xchecked via VT: cb7c0cf1750baaa11783e93369230ee666b9f3da7298e4d1bb9a07af6a439f2f |
| https://www.virustotal.com/file/38ea33dab0ba2edd16ecd98cba161c550d1036b253c8666c4110d198948329fb/analysis/1510574322/ | SunOrcal - Xchecked via VT: 38ea33dab0ba2edd16ecd98cba161c550d1036b253c8666c4110d198948329fb |
| https://www.virustotal.com/file/58312fb742ce881e040e1b5b8555f00a402b8dd4fc886acaae2f862040b3bfc5/analysis/1510574347/ | SunOrcal - Xchecked via VT: 58312fb742ce881e040e1b5b8555f00a402b8dd4fc886acaae2f862040b3bfc5 |
| https://www.virustotal.com/file/81d887fefdbb0219647991c2b7bddf45c2fede4dc6fc18408f1706e0279615b2/analysis/1510574318/ | SunOrcal - Xchecked via VT: 81d887fefdbb0219647991c2b7bddf45c2fede4dc6fc18408f1706e0279615b2 |
| https://www.virustotal.com/file/799139b5278dc2ac24279cc6c3db44f4ef0ea78ee7b721b0ace38fd8018c51ac/analysis/1510574343/ | SunOrcal - Xchecked via VT: 799139b5278dc2ac24279cc6c3db44f4ef0ea78ee7b721b0ace38fd8018c51ac |
| https://www.virustotal.com/file/1813f10bcf74beb582c824c64fff63cb150d178bef93af81d875ca84214307a1/analysis/1510849386/ | Reaver.v3 - Xchecked via VT: 1813f10bcf74beb582c824c64fff63cb150d178bef93af81d875ca84214307a1 |
| https://www.virustotal.com/file/c906250e0a4c457663e37119ebe1efa1e4b97eef1d975f383ac3243f9f09908c/analysis/1510574300/ | Reaver.v3 - Xchecked via VT: c906250e0a4c457663e37119ebe1efa1e4b97eef1d975f383ac3243f9f09908c |
| https://www.virustotal.com/file/1fcda755e8fa23d27329e4bc0443a82e1c1e9a6c1691639db256a187365e4db1/analysis/1510574331/ | Reaver.v3 - Xchecked via VT: 1fcda755e8fa23d27329e4bc0443a82e1c1e9a6c1691639db256a187365e4db1 |
| https://www.virustotal.com/file/ae9f158e4886cfdbfb4f1b3b25707d05f6fd873d0be9d8e7334a2c28741228ee/analysis/1510574327/ | Reaver.v3 - Xchecked via VT: ae9f158e4886cfdbfb4f1b3b25707d05f6fd873d0be9d8e7334a2c28741228ee |
| https://www.virustotal.com/file/9213f70bce491991c4cbbbd7dc3e67d3a3d535b965d7064973b35c50f265e59b/analysis/1510574335/ | Reaver.v3 - Xchecked via VT: 9213f70bce491991c4cbbbd7dc3e67d3a3d535b965d7064973b35c50f265e59b |
| https://www.virustotal.com/file/c0f8bb77284b96e07cab1c3fab8800b1bbd030720c74628c4ee5666694ef903d/analysis/1510921773/ | Reaver.v3 - Xchecked via VT: c0f8bb77284b96e07cab1c3fab8800b1bbd030720c74628c4ee5666694ef903d |
| https://www.virustotal.com/file/18ac3b14300ecfeed4b64a844c16dccb06b0e3513d0954d6c6182f2ea14e4c92/analysis/1510610402/ | Reaver.v3 - Xchecked via VT: 18ac3b14300ecfeed4b64a844c16dccb06b0e3513d0954d6c6182f2ea14e4c92 |
| https://www.virustotal.com/file/98eb5465c6330b9b49df2e7c9ad0b1164aa5b35423d9e80495a178eb510cdc1c/analysis/1510823791/ | Reaver.v2 - Xchecked via VT: 98eb5465c6330b9b49df2e7c9ad0b1164aa5b35423d9e80495a178eb510cdc1c |
| https://www.virustotal.com/file/d560f44188fb56d3abb11d9508e1167329470de19b811163eb1167534722e666/analysis/1510823685/ | Reaver.v1 - Xchecked via VT: d560f44188fb56d3abb11d9508e1167329470de19b811163eb1167534722e666 |
Regkey
These entries are tagged "regkey" in the feed, but only the two Shell Folders entries are registry locations (values that hold the Startup folder paths); the other three are directory paths.
| Value | Description |
|---|---|
| %COMMONPROGRAMFILES%\services\ | Directory path, not a registry key (under Program Files; writing here needs elevated rights) |
| %APPDATA%\microsoft\mmc\ | Directory path, not a registry key |
| HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Startup | Registry value holding the all-users Startup folder path |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup | Registry value holding the per-user Startup folder path |
| %APPDATA%\microsoft\credentials\ | Directory path, not a registry key |
File
| Value | Description |
|---|---|
| %TEMP%\~WUpdate.lnk | Shortcut dropped in %TEMP% |
| %TEMP%\~Update.lnk | Shortcut dropped in %TEMP% |
| %TEMP%\winhelp.dat | Dropped data file |
| [path_previously_identified]\winhelp.cpl | Final-stage Control Panel item (the directory placeholder is as given in the feed) |
Domain
| Value | Description |
|---|---|
| www.fyoutside.com | C2 |
| www.tashdqdxp.com | C2 |
| www.weryhstui.com | C2 |
| www.olinaodi.com | C2 |
Ip
| Value | Description |
|---|---|
| 98.126.156.210 | — |
| 104.148.70.217 | C2 |
Hash
| Value | Algorithm | Description |
|---|---|---|
| d560f44188fb56d3abb11d9508e1167329470de19b811163eb1167534722e666 | SHA256 | Reaver.v1 |
| 98eb5465c6330b9b49df2e7c9ad0b1164aa5b35423d9e80495a178eb510cdc1c | SHA256 | Reaver.v2 |
| 05ddbd0506ec95fb460b3994e5b21cdb0418ba4aa406374ca1b91249349b7640 | SHA256 | Reaver.v2 |
| 18ac3b14300ecfeed4b64a844c16dccb06b0e3513d0954d6c6182f2ea14e4c92 | SHA256 | Reaver.v3 |
| c0f8bb77284b96e07cab1c3fab8800b1bbd030720c74628c4ee5666694ef903d | SHA256 | Reaver.v3 |
| 9213f70bce491991c4cbbbd7dc3e67d3a3d535b965d7064973b35c50f265e59b | SHA256 | Reaver.v3 |
| 26c234c73e2c3448589c7d4a0cf17f615ad3666541a4e611e2d8b77637205bcf | SHA256 | Reaver.v3 |
| ae9f158e4886cfdbfb4f1b3b25707d05f6fd873d0be9d8e7334a2c28741228ee | SHA256 | Reaver.v3 |
| 1fcda755e8fa23d27329e4bc0443a82e1c1e9a6c1691639db256a187365e4db1 | SHA256 | Reaver.v3 |
| c906250e0a4c457663e37119ebe1efa1e4b97eef1d975f383ac3243f9f09908c | SHA256 | Reaver.v3 |
| 1813f10bcf74beb582c824c64fff63cb150d178bef93af81d875ca84214307a1 | SHA256 | Reaver.v3 |
| 799139b5278dc2ac24279cc6c3db44f4ef0ea78ee7b721b0ace38fd8018c51ac | SHA256 | SunOrcal |
| 81d887fefdbb0219647991c2b7bddf45c2fede4dc6fc18408f1706e0279615b2 | SHA256 | SunOrcal |
| 58312fb742ce881e040e1b5b8555f00a402b8dd4fc886acaae2f862040b3bfc5 | SHA256 | SunOrcal |
| 38ea33dab0ba2edd16ecd98cba161c550d1036b253c8666c4110d198948329fb | SHA256 | SunOrcal |
| cb7c0cf1750baaa11783e93369230ee666b9f3da7298e4d1bb9a07af6a439f2f | SHA256 | SunOrcal |
| da7a5e54d1d45462bda65807c1ef03ee34b7e777 | SHA1 | SunOrcal - Xchecked via VT: cb7c0cf1750baaa11783e93369230ee666b9f3da7298e4d1bb9a07af6a439f2f |
| 7dcf79a66192e88b92ccc12810e61329 | MD5 | SunOrcal - Xchecked via VT: cb7c0cf1750baaa11783e93369230ee666b9f3da7298e4d1bb9a07af6a439f2f |
| 704886d56ded5817e39d7442b0203c2f76207f92 | SHA1 | SunOrcal - Xchecked via VT: 38ea33dab0ba2edd16ecd98cba161c550d1036b253c8666c4110d198948329fb |
| af6a25fc28e0560860c01d74854a2cba | MD5 | SunOrcal - Xchecked via VT: 38ea33dab0ba2edd16ecd98cba161c550d1036b253c8666c4110d198948329fb |
| 9adbe92835ee2cc93e0d99b9d4536eb7727acf47 | SHA1 | SunOrcal - Xchecked via VT: 58312fb742ce881e040e1b5b8555f00a402b8dd4fc886acaae2f862040b3bfc5 |
| 47cc3592bbf8c3b516ae74c95efb3344 | MD5 | SunOrcal - Xchecked via VT: 58312fb742ce881e040e1b5b8555f00a402b8dd4fc886acaae2f862040b3bfc5 |
| 7fa8bfc051b98698e6b95cbc7163e4aa41880279 | SHA1 | SunOrcal - Xchecked via VT: 81d887fefdbb0219647991c2b7bddf45c2fede4dc6fc18408f1706e0279615b2 |
| 5eb3a846092cae378fcd45bdf5453536 | MD5 | SunOrcal - Xchecked via VT: 81d887fefdbb0219647991c2b7bddf45c2fede4dc6fc18408f1706e0279615b2 |
| a6e538a01c366580e90e49249251b66dfe39c72f | SHA1 | SunOrcal - Xchecked via VT: 799139b5278dc2ac24279cc6c3db44f4ef0ea78ee7b721b0ace38fd8018c51ac |
| 11a5b1901243396984670af7acc6cf72 | MD5 | SunOrcal - Xchecked via VT: 799139b5278dc2ac24279cc6c3db44f4ef0ea78ee7b721b0ace38fd8018c51ac |
| 03bc4181fb54af3151cab60406a01a44158e5277 | SHA1 | Reaver.v3 - Xchecked via VT: 1813f10bcf74beb582c824c64fff63cb150d178bef93af81d875ca84214307a1 |
| 17587683361d8458aebd9b8fdd07137a | MD5 | Reaver.v3 - Xchecked via VT: 1813f10bcf74beb582c824c64fff63cb150d178bef93af81d875ca84214307a1 |
| b31160953ff19e6abf12fc8319420ab2e1c88e77 | SHA1 | Reaver.v3 - Xchecked via VT: c906250e0a4c457663e37119ebe1efa1e4b97eef1d975f383ac3243f9f09908c |
| 2d563bf83bddca1f24e8a0ffb951a7e9 | MD5 | Reaver.v3 - Xchecked via VT: c906250e0a4c457663e37119ebe1efa1e4b97eef1d975f383ac3243f9f09908c |
| 172b4578cb50985b08c227360d9c9df2cf32117a | SHA1 | Reaver.v3 - Xchecked via VT: 1fcda755e8fa23d27329e4bc0443a82e1c1e9a6c1691639db256a187365e4db1 |
| aab319d9715d38a37a10d82e87478dfc | MD5 | Reaver.v3 - Xchecked via VT: 1fcda755e8fa23d27329e4bc0443a82e1c1e9a6c1691639db256a187365e4db1 |
| d62f1f039d0be1d7b2a8ed122d97ee917dbc9ce8 | SHA1 | Reaver.v3 - Xchecked via VT: ae9f158e4886cfdbfb4f1b3b25707d05f6fd873d0be9d8e7334a2c28741228ee |
| 892350b2a44efd9fa1e7c88aec013818 | MD5 | Reaver.v3 - Xchecked via VT: ae9f158e4886cfdbfb4f1b3b25707d05f6fd873d0be9d8e7334a2c28741228ee |
| e96be5b542d100913a5bca0f02fb094d6f3ad85b | SHA1 | Reaver.v3 - Xchecked via VT: 9213f70bce491991c4cbbbd7dc3e67d3a3d535b965d7064973b35c50f265e59b |
| dd7edadd019bc120978a4dad284fbea6 | MD5 | Reaver.v3 - Xchecked via VT: 9213f70bce491991c4cbbbd7dc3e67d3a3d535b965d7064973b35c50f265e59b |
| cbde40a234bff8870f8746eca969c364da7f4aec | SHA1 | Reaver.v3 - Xchecked via VT: c0f8bb77284b96e07cab1c3fab8800b1bbd030720c74628c4ee5666694ef903d |
| ae185e9c43bb1498a3c653a0886896e3 | MD5 | Reaver.v3 - Xchecked via VT: c0f8bb77284b96e07cab1c3fab8800b1bbd030720c74628c4ee5666694ef903d |
| 5c6b231111239c0625dc9ff4359d1b8553159ecc | SHA1 | Reaver.v3 - Xchecked via VT: 18ac3b14300ecfeed4b64a844c16dccb06b0e3513d0954d6c6182f2ea14e4c92 |
| c629f8f3206e5a6de83b4c996a2bacfb | MD5 | Reaver.v3 - Xchecked via VT: 18ac3b14300ecfeed4b64a844c16dccb06b0e3513d0954d6c6182f2ea14e4c92 |
| c05d15fc94d096a821f2c689a29dff7679ce087a | SHA1 | Reaver.v2 - Xchecked via VT: 98eb5465c6330b9b49df2e7c9ad0b1164aa5b35423d9e80495a178eb510cdc1c |
| dadf3d3dd411bc02d7c05ee3a18259ea | MD5 | Reaver.v2 - Xchecked via VT: 98eb5465c6330b9b49df2e7c9ad0b1164aa5b35423d9e80495a178eb510cdc1c |
| 0cea48067ddbc9227363168013142f6f3a5dea9f | SHA1 | Reaver.v1 - Xchecked via VT: d560f44188fb56d3abb11d9508e1167329470de19b811163eb1167534722e666 |
| 9f289cce6f95949450e3f4c96a187f5d | MD5 | Reaver.v1 - Xchecked via VT: d560f44188fb56d3abb11d9508e1167329470de19b811163eb1167534722e666 |
Threat ID: 682b81078ee1a77b717bd7da
Added to database: 5/19/2025, 7:05:43 PM
Last enriched: 6/18/2025, 7:34:34 PM
Last updated: 2/7/2026, 11:36:58 AM