Rainbow Hyena strikes again: new backdoor and shift in tactics
A new phishing campaign targeting healthcare and IT organizations in Russia has been attributed to the Rainbow Hyena cluster. The attackers used compromised email addresses to distribute malicious attachments, including polyglot files and LNK files mimicking legitimate documents. A new custom-built backdoor called PhantomRemote was identified, capable of system information gathering and command execution. The campaign demonstrates a shift in tactics, with threat actors abandoning traditional malicious documents in favor of alternative formats. The sophistication of the tools and techniques suggests a move towards more conventional illicit activities such as espionage and financial gain.
Indicators of Compromise
- ip: 91.239.148.21
- ip: 185.225.17.104
- ip: 188.127.254.44
- hash (MD5): 08a92ba1d1d9e5c498dcaf53af7cd071
- hash (MD5): 1dff0bcf719f3509c597a8955e49af38
- hash (MD5): 65967d019076e700deb20dcbc989c99c
- hash (MD5): 698337a1be374f3ebb9556ccdc794389
- hash (MD5): 75a26a138783032ee18dcfc713b1b34c
- hash (MD5): 7e52be17fd33a281c70fec14805113a8
- hash (MD5): 88453eb954669b5c7ac712ecf1e0179c
- hash (MD5): 9f8e2e09e37142a21c16b37ba310e009
- hash (MD5): b49a7ef89cfb317a540996c3425fcdc2
- hash (MD5): b586cf958334415777719bf512304fbd
- hash (MD5): be990a49fa1e3789ebc5c55961038029
- hash (SHA-1): 04d364d7cc98379352e89757d62521271cb410cb
- hash (SHA-1): 2a14a9dd1032479ab5bf8ed945ef9a22ebd4999d
- hash (SHA-1): 49a18dc1d8f84394d3373481dbac89d11e373dbd
- hash (SHA-1): 4ce5e6e0b21323409db8cd8ed2a7ed251656d18a
- hash (SHA-1): 6942e07e7d08781cba571211a08e779838e72e9a
- hash (SHA-1): 775b7e726ba6cf6d9a6463a62797c97612018066
- hash (SHA-1): 851157c01da6e85ffa94ded7f42cab19aa8528d6
- hash (SHA-1): c52d70b92e41db70d4ca342c8dc32eff7883c861
- hash (SHA-1): d9a4fd39a55cd20d55e00d3cace3f637b8888213
- hash (SHA-1): dc149c042747ddf4f58c7ac6bf23e6a02ce1fc77
- hash (SHA-1): efe10ad0b49e6889597b5c3254139b92ed72064c
- hash (SHA-256): 01f12bb3f4359fae1138a194237914f4fcdbf9e472804e428a765ad820f399be
- hash (SHA-256): 204544fc8a8cac64bb07825a7bd58c54cb3e605707e2d72206ac23a1657bfe1e
- hash (SHA-256): 413c9e2963b8cca256d3960285854614e2f2e78dba023713b3dd67af369d5d08
- hash (SHA-256): 47262571a87e70238bd6afd376560e9cfdc94bfacae72f36b6aa9fb6e769eb9c
- hash (SHA-256): 4c78d6bba282aaff0eab749cfa8a28e432f7cbf9c61dec8de8f4800fd27e0314
- hash (SHA-256): 4d4304d7ad1a8d0dacb300739d4dcaade299b28f8be3f171628a7358720ca6c5
- hash (SHA-256): a9324a1fa529e5c115232cbbc60330d37cef5c20860bafc63b11e14d1e75697c
- hash (SHA-256): b683235791e3106971269259026e05fdc2a4008f703ff2a4d32642877e57429a
- hash (SHA-256): da53c49641b05e00cde09d47260da927ec403f01ac388605b785eac98306f9c2
- hash (SHA-256): e3e3f7d9abb9696904684d8e32f36818e1939c8122dcc73299a1b7f6b6b700b2
- hash (SHA-256): ed9b24a77a74cd34c96b30f8de794fe85eb1d9f188f516bd7d6020cc81a86728
Technical Details
- Author: AlienVault
- TLP: white
- References: https://bi-zone.medium.com/rainbow-hyena-strikes-again-new-backdoor-and-shift-in-tactics-2dd99a10aea9?source=rss-3882bedad280------2
- Adversary: Rainbow Hyena
- Pulse Id: 6876bc94560fb5bc92a8936f
- Threat Score: null
Threat ID: 68775c90a83201eaacd4c651
Added to database: 7/16/2025, 8:02:24 AM
Last updated: 7/16/2025, 8:02:24 AM