SadFuture: Mapping XDSpy latest evolution
This report examines recent activities attributed to the XDSpy threat actor, focusing on an ongoing campaign targeting Eastern European and Russian governmental entities using the XDigo malware since March 2025. The investigation stemmed from analyzing a vulnerability in LNK files, leading to the discovery of a multi-stage infection chain. The report provides analysis of the XDigo implant and its connections to previous XDSpy activities. It also details the exploitation of LNK parsing issues and infrastructure used across different campaigns. The research uncovered additional, more recent XDSpy activity employing an alternative infection chain. Targets include government entities in Eastern Europe, with a confirmed victim in Belarus.
AI Analysis
Technical Summary
The threat known as SadFuture represents the latest evolution of the XDSpy threat actor's activities, focusing on a sophisticated multi-stage malware campaign targeting governmental entities primarily in Eastern Europe and Russia. The campaign has been active since at least March 2025 and centers around the deployment of the XDigo implant, a malware strain linked to previous XDSpy operations. The infection chain exploits a vulnerability in the parsing of LNK (Windows shortcut) files, enabling initial compromise without requiring user authentication but potentially involving user interaction to trigger the payload. This exploitation leverages Windows' handling of LNK files to execute malicious code, a technique that bypasses some traditional security controls. The campaign infrastructure and tactics have evolved, with recent activity showing an alternative infection chain, indicating adaptability and ongoing development by the threat actor. The attack techniques include a range of tactics and procedures such as etdownloader usage, living-off-the-land binaries (LOLBins) exploitation (e.g., T1218.011), credential dumping, data staging, and command and control communications, reflecting a comprehensive and persistent attack methodology. The confirmed targeting of government entities, including a victim in Belarus, underscores the geopolitical motivations behind the campaign. The threat actor's use of multiple techniques to maintain persistence, evade detection, and exfiltrate data highlights the advanced nature of this threat. No known public exploits are currently reported, but the exploitation of LNK parsing vulnerabilities remains a critical vector. The campaign's complexity and targeted nature suggest a well-resourced adversary with significant operational capabilities.
Potential Impact
For European organizations, particularly governmental and critical infrastructure entities in Eastern Europe, the SadFuture campaign poses a significant risk to confidentiality, integrity, and availability of sensitive information and systems. Successful exploitation could lead to unauthorized access to classified or sensitive governmental data, disruption of governmental operations, and potential espionage activities. The use of sophisticated multi-stage malware and living-off-the-land techniques complicates detection and response, increasing the likelihood of prolonged undetected presence within networks. The geopolitical targeting suggests that organizations in countries with strategic importance or ongoing regional tensions may face heightened risk. The compromise of governmental systems could have cascading effects on national security, public trust, and international relations. Additionally, the adaptability of the threat actor implies that mitigation efforts must be dynamic and continuously updated to address evolving tactics.
Mitigation Recommendations
To mitigate the SadFuture threat, European organizations should implement targeted defenses beyond generic best practices: 1) Harden LNK file handling by disabling or restricting the automatic parsing and execution of LNK files, especially from untrusted sources or removable media. 2) Employ application whitelisting and restrict execution of unknown or suspicious binaries, particularly those leveraging LOLBins or living-off-the-land techniques. 3) Enhance endpoint detection and response (EDR) capabilities to identify anomalous behaviors associated with multi-stage infection chains and lateral movement. 4) Conduct regular threat hunting focused on indicators of compromise related to XDSpy and XDigo malware, including monitoring for known TTPs such as credential dumping and unusual network communications. 5) Implement strict network segmentation and least privilege access controls to limit the spread and impact of potential intrusions. 6) Maintain up-to-date threat intelligence feeds and collaborate with national cybersecurity agencies to share information on emerging variants and infrastructure changes. 7) Educate users on the risks of opening unknown shortcut files and implement email filtering to reduce spear-phishing attempts. 8) Regularly audit and update security policies related to removable media and external device usage. These measures, combined with continuous monitoring and incident response preparedness, will help reduce the risk and impact of SadFuture campaigns.
Affected Countries
Belarus, Ukraine, Poland, Romania, Hungary, Bulgaria, Slovakia, Czech Republic, Lithuania, Latvia, Estonia
Indicators of Compromise
- hash: 00ba7711404c657cc2eb4a23578dc191
- hash: 129399b838d6526751faf16ecea92942
- hash: 17d9277bac3f58ab11d7e7a9c73bb8d3
- hash: 1b24b16d33ba5b7dcc3ebd146a4e60de
- hash: 227c96ada9cb46a2a437070bd354bc3e
- hash: 2bdd91c8b815db57708c288d0b5b0934
- hash: 2c944a50f4a94731613452f6477cbed3
- hash: 362d38490003907aba860fa003dd1b3f
- hash: 38d77107a537b7c56d3246fc57c83c36
- hash: 3d529f6f077eae5c7c2830729f20689f
- hash: 40e14abd06af70230849704760272cea
- hash: 4ba5235782c270c7df22f6382210fefe
- hash: 5d44ea30c918bbdcb9c18c8ae3a85a12
- hash: 5daf7a4f8ec97c0cd5013378712f816d
- hash: 717d1d614e06230bdf4c5dd121706a2d
- hash: 987822015413905afe5a95797fdbdd1d
- hash: 99de8bf76c4a148cc0508aba9636de2e
- hash: 9fc714dfe11a84e013ee18d44405852b
- hash: a53115a21b25872d828a288b786fed6f
- hash: c402f9d8ae02450613e871584047ba2c
- hash: cb36db26550d804add58f92fe636d120
- hash: d0907aae24c3721d56e29a5e178cfcc4
- hash: d5b1c03f2f09579f7cdcdde8db779671
- hash: d8c1609d82a74843dc795128121c190c
- hash: e1fc82da9949afccf65308512ccc1a94
- hash: fae06cd491519b67a08739365bd40ff2
- hash: fb127a60b29af914eebdf87121320224
- hash: 057a4807cf66bfa95bd227846823b546ed94ee2a
- hash: 1ad071c3a13c2bceabf0f35c5528854c5c87d0e0
- hash: 2b649070fdec0d9847dc4565872dc84c7e18a8bf
- hash: 2c9a829ded6f1bad3ab87520792bc60206224375
- hash: 39e66bbb5a31314d4ffabfccbf98f6b68987e3d1
- hash: 3c1d516b2057240ed83166b46b34d7c85b74b581
- hash: 40f68fe13718b2e81dbba41743ea3c90a9ffe4f8
- hash: 41a38be150a92327316ad862f1df9eabd15b0952
- hash: 43f3e62b8659ec02c44f831ac30cbbadb59329ac
- hash: 468c6dce270310045cf70c57c6cddd82d3bffa38
- hash: 4e2eaf83c7d75f76c95ca091cab98a09bae1a310
- hash: 68528fca41ba3b0ae91a511e4d44d1d57e7ba30f
- hash: 6ca7244a254e6ee28f93c5722aa7615fcc32e1b0
- hash: 7317270f9b18018cb1ea33cfae2e5aacefbd58a7
- hash: 740fc5bd3acddc1ebe607d9507cc63e77ca882bf
- hash: 76cc7b3c94e8cc83999e361cafeea060bff115ba
- hash: 89a6f448ea62b4508cc211b91a38f53f034d92b1
- hash: 8d096d48875be6c9d46259a853891b9b12c4432a
- hash: 8ede1e751f799612d2c383e59cb5ae0cfb4ea9e4
- hash: 92335b522bf02dc047e5a38faf3a85bf6f0ac204
- hash: a072e5f086eecb523453d094c10c193dcc660b24
- hash: a2a005cfc39f7202dc0b17ae0a31e282fd79d1c5
- hash: b81440538672f011351e0c2bdb346ebc4d86c3e1
- hash: cbf4671ea72268a9bd618ab3f753442c2fc38a2a
- hash: dc0625ec8ef237b3797ce2d2b4f000c743d9f7b1
- hash: e1df750645beb81e4e0dc50bdd2f893f5063e7ee
- hash: e5e06c7e6ee2f2bbd86bbb011c0e0d0f0284704c
- hash: 021d13de99e996fbf03e57b78ce67630c19d33242eee8480383d7b065edebb51
- hash: 031e05d15afabef6010179d2acd09925395167fd442b64b6aa8ffd81bd5e268e
- hash: 056cd36bf4bc6efc119a64f2ffedd76f3dcb75daa95c22c59d91664dfcaa6fd5
- hash: 07e2376d2c4318b0f9c472d01342d67e23a2e8edc182533a291336dfeaff4e60
- hash: 0993b0bb897402954eb9057bc84ea98e2c12ff1185a87ac3c3a15a241560bb1a
- hash: 0a626f1837da9043e65ccf9e23192aef36d58402a1fd56577952c7bb426f2ec5
- hash: 0b705938e0063e73e03645e0c7a00f7c8d8533f1912eab5bf9ad7bc44d2cf9c3
- hash: 0d983f5fb403b500ec48f13a951548d5a10572fde207cf3f976b9daefb660f7e
- hash: 12fd8d45a181adfd6725ea9806d72ed61b3af1e31d80fa7ddd32e1932a8dfd75
- hash: 15277bfc6b784c373d535fbda9396bd16c15d990943423167602fb81b26d0f07
- hash: 155b94be1c3dca48314f6f2ee0c89c09553851ecc9ceefc436e16ebb7fca5f1a
- hash: 1793dae4d05cc7be9575f14ae7a73ffe3b8279a811c0db40f56f0e2c1ee8dd61
- hash: 2414dd462e3ca05ecd37aa56dc8841f5ef9588663572e7bc36d07520af7864b1
- hash: 2dde92fc0936cb275be79d5864c98772d1270e4a54c01e61ebc4b856b5e048d5
- hash: 38489af1360af2cb7ba70f61e4c562fa63ce58e59576ba452db560f75ed1680a
- hash: 3adeda2a154dcf017ffed634fba593f80df496eb2be4bee0940767c8631be7c1
- hash: 40bc204062a1f936c246fbffbed1a6bb41107ad9e5ad25df8970e4090258e145
- hash: 40e3fcfcc09fd84b2745b75e0e5e7beae866f4300ec8f36e2e9ab3197f198dcd
- hash: 448245612a5388074e32251a0b44769170c586cc4c2ae06cd953c7a461ce34a6
- hash: 49714e2a0eb4d16882654fd60304e6fa8bfcf9dbd9cd272df4e003f68c865341
- hash: 4f1d5081adf8ceed3c3daaaa3804e5a4ac2e964ec90590e716bc8b34953083e8
- hash: 5248b0e4af1914762cc1c436a898d12d5f74980b816155f4191dc9692402668f
- hash: 52a98f2b2de46bc0835a11d2ba22b874a09788596507c13ac22b9b8877a8f3c6
- hash: 536cd589cd685806b4348b9efa06843a90decae9f4135d1b11d8e74c7911f37d
- hash: 5409eb70942a6b875d8343437bb04e368f56de1854953fa87890fc8ee8a8bc37
- hash: 564b2184a7f53d5f1680673ced354f5e956d897b7e1ea7d3f992cc38be6a9b20
- hash: 59b907430dde62fc7a0d1c33c38081b7dcf43777815d1abcf07e0c77f76f5894
- hash: 5be9aba659baa089bcd253905deaf3f084f2b8f03701e90f2a46b36781165925
- hash: 5e34d754b0a938de7e512614f8fc6d7cd6c704f76b05044e07c97bd44bd5d591
- hash: 65209053f042e428b64f79ea8f570528beaa537038aa3aa50a0db6846ba8d2ec
- hash: 666f4977abf17db6da2d05b385c5cf53f6500517226a3ac5bd0360eda9193d08
- hash: 678f79e78847a1274238740bb8cada62f9c41cab96df8537d87d38850502d0a2
- hash: 68347b0c6494a56dd0f6492c6c56158b46bcaf44878a8741f6e63ff2946cf30f
- hash: 747dfd7f0ca893034136fd286c737b55edc9276b5794a02c6dd3771da0342729
- hash: 77b2f2ef5bc3b7bb2d1b85491ece85b56da37685652526c6fa6e3562cd12e3b6
- hash: 792c5a2628ec1be86e38b0a73a44c1a9247572453555e7996bb9d0a58e37b62b
- hash: 7a2af22372a4fd3ba89d36fdee38967cb77f43e14255d0b5ad80da863b146625
- hash: 7c0597aa77031a100db0941921b60f08079bec7f710b6e736a15012db6465c39
- hash: 7d6eb47ff307bebf87022575edd19181ad34ee5a5db1f408a25d16cd27d8aa2f
- hash: 7e04c69685d8612f7fc3512ad9ad1802a28428f75874b8717c0f04e939a3324d
- hash: 81bb1cf3a805c1375bb3251eea9f1ad132ab1266295a75cda9ffe9278588ac7f
- hash: 83341b08425a1a247becd79e829064ddbd309636d7d62a369338ffd47af6e955
- hash: 904db68a915b4bbd0b4b2d665bb1e2c51fa1b71b9c44ce45ccd4b4664f2bfd8e
- hash: 95060ba948948eea9bfc801731960b97d3efceb300622630afcbccfe12c21ccd
- hash: 9c1acde0627da8b518b0522d6fed15cecf35b20ed8920628e9f580cfc3f450ed
- hash: 9f17ff59172a802bc6ce8490c1ea379a5bf75af839f8b59373fba8c51e878af0
- hash: a28ee84bfbad9107ad39802e25c24ae0eaa00a870eca09039076a0360dcbd869
- hash: a8d578d4b50ac4029db22b76563e927ab691075aacc87621795b16b388b7d48c
- hash: a9b9022aedd1b9afbd7ab1f11f60f236102e1f70b340658da8cb39c072a9af61
- hash: b03d9dd170cd82890ee1a5503529b81ce8064893e31a88b87081a8c72610d810
- hash: bbc5e80d3f068d8eff0cfa745ecba97903a83dfd9fe6f43cf05e803bbe9ce8b9
- hash: bc0b9075e3b8504c4e0c7097c6be8aa05f96032053ec43e502d297136aaf375e
- hash: bcb5df098a79e3bc1d8bcb3b1a354b6643afdb4ca40333e0548e5ed1a9470cac
- hash: be6a545180300554eea2ee6ece9f835a12996059d726df810fe13ba0044033cd
- hash: c8899a6e8d3dd11c75217253f8dd78f5029c01e886880cafce0388d5fd6aa54b
- hash: ccf56b6b727da47c89f7a1a47cc04ab3a41d225c1298a74f16c939a5622b03f2
- hash: cfd0d56ca3d6c9ca232252570522c4b904be2807c461276979b1f8c551ccd4aa
- hash: d5c0fd26ba1504bde3222202f7a257efa9cdbc6949718495a7c33cd6510fce2a
- hash: dd279ea6c2a660ff7e70788af4a6c98524836c1b63beed756a77942c83de06fa
- hash: e0ffc3442215b888c55d8dfd9d33c5cfff315a59089aeb42da4cf6869eed8f5d
- hash: e14fdb6c0b5b64e1ca318b7ad3ac9a4fd6dec60ef03089b87199306eba6e0ca6
- hash: e32f04362ec4db90e024bfb57adf6e5c02f1061cd17dbf81a5bbc0b588119b25
- hash: e62c3135fd708ee420cf767fa1654d8d66ff01f5160ddadf633e3cc5eaeaa926
- hash: e95f2982195399b5f9e453be6db02a346bb516320659a3ade2c385bcb7fc27da
- hash: ef34c433c818774b466ba4e6f677b1c6cf51bb9213a60fd779fd7df39011e97b
- hash: ef8fdec66751b6a17da45dd4d9c22cef8d3c78604e7a8bc6fc8e2b30342ff408
- hash: efd44bc4e0efcab72106ea065c8a89d51d499202732319b21324487e8d00eccf
- hash: f3f2c3c5836ce6e3cb92aa6dfc0f133e15a7fd169a3d1049b7d82e49d1577273
- hash: f7be89ae645831d519b7c781d69cf8e88e5762b824c9a6753eb16b25c4abef76
- hash: fb1df37336d79861b13d5f4ba875393c7e91b12cd73302cb414c1d084104a6a8
- hash: ffc538f2c6e91f07be067311ed143d28c5437a8af69974f751c043e2944d60b2
- yara: 76baaba5532eaa219e363af68863c21c38c5a0f3
- yara: 851064b7714941a5e4775c534869f56d7791a7bd
- yara: eaf978ddd190164d21ae1e91b382e36fc2cff439
- domain: aoc-upravleniye.com
- domain: bukhgalter-x5group.com
- domain: bystryvelosiped.com
- domain: cellporyad.com
- domain: chistyyvozdukh.com
- domain: coolpelear.com
- domain: doverennyye-fayly.com
- domain: downloading24.com
- domain: dversteklo.com
- domain: dwd765m.com
- domain: easy-download24.com
- domain: enjoyever.com
- domain: faylbox365.com
- domain: faylsklad.com
- domain: file-magazin.com
- domain: full-downloader.com
- domain: khitrayalisitsa.com
- domain: khoroshayamych.com
- domain: kletchatayarubashka.com
- domain: krasnayastena.com
- domain: laultrachunk.com
- domain: lunnayareka.com
- domain: magnitgroup.com
- domain: melodicprogress.com
- domain: moy-fayl.com
- domain: moy-pdf.com
- domain: nevynosimayapchela.com
- domain: nniir.com
- domain: obmen-faylami.com
- domain: otpravkafaylov.com
- domain: pdf-reyestr.com
- domain: pdf-sklad.com
- domain: pdfdepozit.com
- domain: pdfmagazin.com
- domain: pdfsklad.com
- domain: pechalnoyebudushcheye.com
- domain: portfolio-elena.com
- domain: promenimath.com
- domain: quan-miami.com
- domain: reyestr-faylov.com
- domain: ru-pochta365.com
- domain: ru-sistema.com
- domain: serayagrust.com
- domain: seychaspozzhe.com
- domain: skachivanie-failov.com
- domain: skachivanie-failov24.com
- domain: slomannyymonitor.com
- domain: sogrevayushchiynapitok.com
- domain: svobodnoepredlozheniye.com
- domain: tantsuyushchiykarlik.com
- domain: temnayamashina.com
- domain: tvoi-fayly.com
- domain: tvoy-disk.com
- domain: utrenneyesolntse.com
- domain: vash-disk.com
- domain: zagruzka-pdf.com
- domain: zagruzkadannykh.com
- domain: zagruzkafayla.com
- domain: zelenyysalat.com
- domain: zetta-strakhovaniye.com
- domain: zhestovyyliker.com
- domain: zimniyeravlecheniya.com
- domain: protej.org.nniir.com
SadFuture: Mapping XDSpy latest evolution
Description
This report examines recent activities attributed to the XDSpy threat actor, focusing on an ongoing campaign targeting Eastern European and Russian governmental entities using the XDigo malware since March 2025. The investigation stemmed from analyzing a vulnerability in LNK files, leading to the discovery of a multi-stage infection chain. The report provides analysis of the XDigo implant and its connections to previous XDSpy activities. It also details the exploitation of LNK parsing issues and infrastructure used across different campaigns. The research uncovered additional, more recent XDSpy activity employing an alternative infection chain. Targets include government entities in Eastern Europe, with a confirmed victim in Belarus.
AI-Powered Analysis
Technical Analysis
The threat known as SadFuture represents the latest evolution of the XDSpy threat actor's activities, focusing on a sophisticated multi-stage malware campaign targeting governmental entities primarily in Eastern Europe and Russia. The campaign has been active since at least March 2025 and centers around the deployment of the XDigo implant, a malware strain linked to previous XDSpy operations. The infection chain exploits a vulnerability in the parsing of LNK (Windows shortcut) files, enabling initial compromise without requiring user authentication but potentially involving user interaction to trigger the payload. This exploitation leverages Windows' handling of LNK files to execute malicious code, a technique that bypasses some traditional security controls. The campaign infrastructure and tactics have evolved, with recent activity showing an alternative infection chain, indicating adaptability and ongoing development by the threat actor. The attack techniques include a range of tactics and procedures such as etdownloader usage, living-off-the-land binaries (LOLBins) exploitation (e.g., T1218.011), credential dumping, data staging, and command and control communications, reflecting a comprehensive and persistent attack methodology. The confirmed targeting of government entities, including a victim in Belarus, underscores the geopolitical motivations behind the campaign. The threat actor's use of multiple techniques to maintain persistence, evade detection, and exfiltrate data highlights the advanced nature of this threat. No known public exploits are currently reported, but the exploitation of LNK parsing vulnerabilities remains a critical vector. The campaign's complexity and targeted nature suggest a well-resourced adversary with significant operational capabilities.
Potential Impact
For European organizations, particularly governmental and critical infrastructure entities in Eastern Europe, the SadFuture campaign poses a significant risk to confidentiality, integrity, and availability of sensitive information and systems. Successful exploitation could lead to unauthorized access to classified or sensitive governmental data, disruption of governmental operations, and potential espionage activities. The use of sophisticated multi-stage malware and living-off-the-land techniques complicates detection and response, increasing the likelihood of prolonged undetected presence within networks. The geopolitical targeting suggests that organizations in countries with strategic importance or ongoing regional tensions may face heightened risk. The compromise of governmental systems could have cascading effects on national security, public trust, and international relations. Additionally, the adaptability of the threat actor implies that mitigation efforts must be dynamic and continuously updated to address evolving tactics.
Mitigation Recommendations
To mitigate the SadFuture threat, European organizations should implement targeted defenses beyond generic best practices: 1) Harden LNK file handling by disabling or restricting the automatic parsing and execution of LNK files, especially from untrusted sources or removable media. 2) Employ application whitelisting and restrict execution of unknown or suspicious binaries, particularly those leveraging LOLBins or living-off-the-land techniques. 3) Enhance endpoint detection and response (EDR) capabilities to identify anomalous behaviors associated with multi-stage infection chains and lateral movement. 4) Conduct regular threat hunting focused on indicators of compromise related to XDSpy and XDigo malware, including monitoring for known TTPs such as credential dumping and unusual network communications. 5) Implement strict network segmentation and least privilege access controls to limit the spread and impact of potential intrusions. 6) Maintain up-to-date threat intelligence feeds and collaborate with national cybersecurity agencies to share information on emerging variants and infrastructure changes. 7) Educate users on the risks of opening unknown shortcut files and implement email filtering to reduce spear-phishing attempts. 8) Regularly audit and update security policies related to removable media and external device usage. These measures, combined with continuous monitoring and incident response preparedness, will help reduce the risk and impact of SadFuture campaigns.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://harfanglab.io/insidethelab/sadfuture-xdspy-latest-evolution/"]
- Adversary
- XDSpy
- Pulse Id
- 685dbaf793f1bd2d7f80f7f8
- Threat Score
- null
Indicators of Compromise
Hash
| Value | Description | Copy |
|---|---|---|
hash00ba7711404c657cc2eb4a23578dc191 | — | |
hash129399b838d6526751faf16ecea92942 | — | |
hash17d9277bac3f58ab11d7e7a9c73bb8d3 | — | |
hash1b24b16d33ba5b7dcc3ebd146a4e60de | — | |
hash227c96ada9cb46a2a437070bd354bc3e | — | |
hash2bdd91c8b815db57708c288d0b5b0934 | — | |
hash2c944a50f4a94731613452f6477cbed3 | — | |
hash362d38490003907aba860fa003dd1b3f | — | |
hash38d77107a537b7c56d3246fc57c83c36 | — | |
hash3d529f6f077eae5c7c2830729f20689f | — | |
hash40e14abd06af70230849704760272cea | — | |
hash4ba5235782c270c7df22f6382210fefe | — | |
hash5d44ea30c918bbdcb9c18c8ae3a85a12 | — | |
hash5daf7a4f8ec97c0cd5013378712f816d | — | |
hash717d1d614e06230bdf4c5dd121706a2d | — | |
hash987822015413905afe5a95797fdbdd1d | — | |
hash99de8bf76c4a148cc0508aba9636de2e | — | |
hash9fc714dfe11a84e013ee18d44405852b | — | |
hasha53115a21b25872d828a288b786fed6f | — | |
hashc402f9d8ae02450613e871584047ba2c | — | |
hashcb36db26550d804add58f92fe636d120 | — | |
hashd0907aae24c3721d56e29a5e178cfcc4 | — | |
hashd5b1c03f2f09579f7cdcdde8db779671 | — | |
hashd8c1609d82a74843dc795128121c190c | — | |
hashe1fc82da9949afccf65308512ccc1a94 | — | |
hashfae06cd491519b67a08739365bd40ff2 | — | |
hashfb127a60b29af914eebdf87121320224 | — | |
hash057a4807cf66bfa95bd227846823b546ed94ee2a | — | |
hash1ad071c3a13c2bceabf0f35c5528854c5c87d0e0 | — | |
hash2b649070fdec0d9847dc4565872dc84c7e18a8bf | — | |
hash2c9a829ded6f1bad3ab87520792bc60206224375 | — | |
hash39e66bbb5a31314d4ffabfccbf98f6b68987e3d1 | — | |
hash3c1d516b2057240ed83166b46b34d7c85b74b581 | — | |
hash40f68fe13718b2e81dbba41743ea3c90a9ffe4f8 | — | |
hash41a38be150a92327316ad862f1df9eabd15b0952 | — | |
hash43f3e62b8659ec02c44f831ac30cbbadb59329ac | — | |
hash468c6dce270310045cf70c57c6cddd82d3bffa38 | — | |
hash4e2eaf83c7d75f76c95ca091cab98a09bae1a310 | — | |
hash68528fca41ba3b0ae91a511e4d44d1d57e7ba30f | — | |
hash6ca7244a254e6ee28f93c5722aa7615fcc32e1b0 | — | |
hash7317270f9b18018cb1ea33cfae2e5aacefbd58a7 | — | |
hash740fc5bd3acddc1ebe607d9507cc63e77ca882bf | — | |
hash76cc7b3c94e8cc83999e361cafeea060bff115ba | — | |
hash89a6f448ea62b4508cc211b91a38f53f034d92b1 | — | |
hash8d096d48875be6c9d46259a853891b9b12c4432a | — | |
hash8ede1e751f799612d2c383e59cb5ae0cfb4ea9e4 | — | |
hash92335b522bf02dc047e5a38faf3a85bf6f0ac204 | — | |
hasha072e5f086eecb523453d094c10c193dcc660b24 | — | |
hasha2a005cfc39f7202dc0b17ae0a31e282fd79d1c5 | — | |
hashb81440538672f011351e0c2bdb346ebc4d86c3e1 | — | |
hashcbf4671ea72268a9bd618ab3f753442c2fc38a2a | — | |
hashdc0625ec8ef237b3797ce2d2b4f000c743d9f7b1 | — | |
hashe1df750645beb81e4e0dc50bdd2f893f5063e7ee | — | |
hashe5e06c7e6ee2f2bbd86bbb011c0e0d0f0284704c | — | |
hash021d13de99e996fbf03e57b78ce67630c19d33242eee8480383d7b065edebb51 | — | |
hash031e05d15afabef6010179d2acd09925395167fd442b64b6aa8ffd81bd5e268e | — | |
hash056cd36bf4bc6efc119a64f2ffedd76f3dcb75daa95c22c59d91664dfcaa6fd5 | — | |
hash07e2376d2c4318b0f9c472d01342d67e23a2e8edc182533a291336dfeaff4e60 | — | |
hash0993b0bb897402954eb9057bc84ea98e2c12ff1185a87ac3c3a15a241560bb1a | — | |
hash0a626f1837da9043e65ccf9e23192aef36d58402a1fd56577952c7bb426f2ec5 | — | |
hash0b705938e0063e73e03645e0c7a00f7c8d8533f1912eab5bf9ad7bc44d2cf9c3 | — | |
hash0d983f5fb403b500ec48f13a951548d5a10572fde207cf3f976b9daefb660f7e | — | |
hash12fd8d45a181adfd6725ea9806d72ed61b3af1e31d80fa7ddd32e1932a8dfd75 | — | |
hash15277bfc6b784c373d535fbda9396bd16c15d990943423167602fb81b26d0f07 | — | |
hash155b94be1c3dca48314f6f2ee0c89c09553851ecc9ceefc436e16ebb7fca5f1a | — | |
hash1793dae4d05cc7be9575f14ae7a73ffe3b8279a811c0db40f56f0e2c1ee8dd61 | — | |
hash2414dd462e3ca05ecd37aa56dc8841f5ef9588663572e7bc36d07520af7864b1 | — | |
hash2dde92fc0936cb275be79d5864c98772d1270e4a54c01e61ebc4b856b5e048d5 | — | |
hash38489af1360af2cb7ba70f61e4c562fa63ce58e59576ba452db560f75ed1680a | — | |
hash3adeda2a154dcf017ffed634fba593f80df496eb2be4bee0940767c8631be7c1 | — | |
hash40bc204062a1f936c246fbffbed1a6bb41107ad9e5ad25df8970e4090258e145 | — | |
hash40e3fcfcc09fd84b2745b75e0e5e7beae866f4300ec8f36e2e9ab3197f198dcd | — | |
hash448245612a5388074e32251a0b44769170c586cc4c2ae06cd953c7a461ce34a6 | — | |
hash49714e2a0eb4d16882654fd60304e6fa8bfcf9dbd9cd272df4e003f68c865341 | — | |
hash4f1d5081adf8ceed3c3daaaa3804e5a4ac2e964ec90590e716bc8b34953083e8 | — | |
hash5248b0e4af1914762cc1c436a898d12d5f74980b816155f4191dc9692402668f | — | |
hash52a98f2b2de46bc0835a11d2ba22b874a09788596507c13ac22b9b8877a8f3c6 | — | |
hash536cd589cd685806b4348b9efa06843a90decae9f4135d1b11d8e74c7911f37d | — | |
hash5409eb70942a6b875d8343437bb04e368f56de1854953fa87890fc8ee8a8bc37 | — | |
hash564b2184a7f53d5f1680673ced354f5e956d897b7e1ea7d3f992cc38be6a9b20 | — | |
hash59b907430dde62fc7a0d1c33c38081b7dcf43777815d1abcf07e0c77f76f5894 | — | |
hash5be9aba659baa089bcd253905deaf3f084f2b8f03701e90f2a46b36781165925 | — | |
hash5e34d754b0a938de7e512614f8fc6d7cd6c704f76b05044e07c97bd44bd5d591 | — | |
hash65209053f042e428b64f79ea8f570528beaa537038aa3aa50a0db6846ba8d2ec | — | |
hash666f4977abf17db6da2d05b385c5cf53f6500517226a3ac5bd0360eda9193d08 | — | |
hash678f79e78847a1274238740bb8cada62f9c41cab96df8537d87d38850502d0a2 | — | |
hash68347b0c6494a56dd0f6492c6c56158b46bcaf44878a8741f6e63ff2946cf30f | — | |
hash747dfd7f0ca893034136fd286c737b55edc9276b5794a02c6dd3771da0342729 | — | |
hash77b2f2ef5bc3b7bb2d1b85491ece85b56da37685652526c6fa6e3562cd12e3b6 | — | |
hash792c5a2628ec1be86e38b0a73a44c1a9247572453555e7996bb9d0a58e37b62b | — | |
hash7a2af22372a4fd3ba89d36fdee38967cb77f43e14255d0b5ad80da863b146625 | — | |
hash7c0597aa77031a100db0941921b60f08079bec7f710b6e736a15012db6465c39 | — | |
hash7d6eb47ff307bebf87022575edd19181ad34ee5a5db1f408a25d16cd27d8aa2f | — | |
hash7e04c69685d8612f7fc3512ad9ad1802a28428f75874b8717c0f04e939a3324d | — | |
hash81bb1cf3a805c1375bb3251eea9f1ad132ab1266295a75cda9ffe9278588ac7f | — | |
hash83341b08425a1a247becd79e829064ddbd309636d7d62a369338ffd47af6e955 | — | |
hash904db68a915b4bbd0b4b2d665bb1e2c51fa1b71b9c44ce45ccd4b4664f2bfd8e | — | |
hash95060ba948948eea9bfc801731960b97d3efceb300622630afcbccfe12c21ccd | — | |
hash9c1acde0627da8b518b0522d6fed15cecf35b20ed8920628e9f580cfc3f450ed | — | |
hash9f17ff59172a802bc6ce8490c1ea379a5bf75af839f8b59373fba8c51e878af0 | — | |
hasha28ee84bfbad9107ad39802e25c24ae0eaa00a870eca09039076a0360dcbd869 | — | |
hasha8d578d4b50ac4029db22b76563e927ab691075aacc87621795b16b388b7d48c | — | |
hasha9b9022aedd1b9afbd7ab1f11f60f236102e1f70b340658da8cb39c072a9af61 | — | |
hashb03d9dd170cd82890ee1a5503529b81ce8064893e31a88b87081a8c72610d810 | — | |
hashbbc5e80d3f068d8eff0cfa745ecba97903a83dfd9fe6f43cf05e803bbe9ce8b9 | — | |
hashbc0b9075e3b8504c4e0c7097c6be8aa05f96032053ec43e502d297136aaf375e | — | |
hashbcb5df098a79e3bc1d8bcb3b1a354b6643afdb4ca40333e0548e5ed1a9470cac | — | |
hashbe6a545180300554eea2ee6ece9f835a12996059d726df810fe13ba0044033cd | — | |
hashc8899a6e8d3dd11c75217253f8dd78f5029c01e886880cafce0388d5fd6aa54b | — | |
hashccf56b6b727da47c89f7a1a47cc04ab3a41d225c1298a74f16c939a5622b03f2 | — | |
hashcfd0d56ca3d6c9ca232252570522c4b904be2807c461276979b1f8c551ccd4aa | — | |
hashd5c0fd26ba1504bde3222202f7a257efa9cdbc6949718495a7c33cd6510fce2a | — | |
hashdd279ea6c2a660ff7e70788af4a6c98524836c1b63beed756a77942c83de06fa | — | |
hashe0ffc3442215b888c55d8dfd9d33c5cfff315a59089aeb42da4cf6869eed8f5d | — | |
hashe14fdb6c0b5b64e1ca318b7ad3ac9a4fd6dec60ef03089b87199306eba6e0ca6 | — | |
hashe32f04362ec4db90e024bfb57adf6e5c02f1061cd17dbf81a5bbc0b588119b25 | — | |
hashe62c3135fd708ee420cf767fa1654d8d66ff01f5160ddadf633e3cc5eaeaa926 | — | |
hashe95f2982195399b5f9e453be6db02a346bb516320659a3ade2c385bcb7fc27da | — | |
hashef34c433c818774b466ba4e6f677b1c6cf51bb9213a60fd779fd7df39011e97b | — | |
hashef8fdec66751b6a17da45dd4d9c22cef8d3c78604e7a8bc6fc8e2b30342ff408 | — | |
hashefd44bc4e0efcab72106ea065c8a89d51d499202732319b21324487e8d00eccf | — | |
hashf3f2c3c5836ce6e3cb92aa6dfc0f133e15a7fd169a3d1049b7d82e49d1577273 | — | |
hashf7be89ae645831d519b7c781d69cf8e88e5762b824c9a6753eb16b25c4abef76 | — | |
hashfb1df37336d79861b13d5f4ba875393c7e91b12cd73302cb414c1d084104a6a8 | — | |
hashffc538f2c6e91f07be067311ed143d28c5437a8af69974f751c043e2944d60b2 | — |
Yara
| Value | Description | Copy |
|---|---|---|
yara76baaba5532eaa219e363af68863c21c38c5a0f3 | — | |
yara851064b7714941a5e4775c534869f56d7791a7bd | — | |
yaraeaf978ddd190164d21ae1e91b382e36fc2cff439 | — |
Domain
| Value | Description | Copy |
|---|---|---|
domainaoc-upravleniye.com | — | |
domainbukhgalter-x5group.com | — | |
domainbystryvelosiped.com | — | |
domaincellporyad.com | — | |
domainchistyyvozdukh.com | — | |
domaincoolpelear.com | — | |
domaindoverennyye-fayly.com | — | |
domaindownloading24.com | — | |
domaindversteklo.com | — | |
domaindwd765m.com | — | |
domaineasy-download24.com | — | |
domainenjoyever.com | — | |
domainfaylbox365.com | — | |
domainfaylsklad.com | — | |
domainfile-magazin.com | — | |
domainfull-downloader.com | — | |
domainkhitrayalisitsa.com | — | |
domainkhoroshayamych.com | — | |
domainkletchatayarubashka.com | — | |
domainkrasnayastena.com | — | |
domainlaultrachunk.com | — | |
domainlunnayareka.com | — | |
domainmagnitgroup.com | — | |
domainmelodicprogress.com | — | |
domainmoy-fayl.com | — | |
domainmoy-pdf.com | — | |
domainnevynosimayapchela.com | — | |
domainnniir.com | — | |
domainobmen-faylami.com | — | |
domainotpravkafaylov.com | — | |
domainpdf-reyestr.com | — | |
domainpdf-sklad.com | — | |
domainpdfdepozit.com | — | |
domainpdfmagazin.com | — | |
domainpdfsklad.com | — | |
domainpechalnoyebudushcheye.com | — | |
domainportfolio-elena.com | — | |
domainpromenimath.com | — | |
domainquan-miami.com | — | |
domainreyestr-faylov.com | — | |
domainru-pochta365.com | — | |
domainru-sistema.com | — | |
domainserayagrust.com | — | |
domainseychaspozzhe.com | — | |
domainskachivanie-failov.com | — | |
domainskachivanie-failov24.com | — | |
domainslomannyymonitor.com | — | |
domainsogrevayushchiynapitok.com | — | |
domainsvobodnoepredlozheniye.com | — | |
domaintantsuyushchiykarlik.com | — | |
domaintemnayamashina.com | — | |
domaintvoi-fayly.com | — | |
domaintvoy-disk.com | — | |
domainutrenneyesolntse.com | — | |
domainvash-disk.com | — | |
domainzagruzka-pdf.com | — | |
domainzagruzkadannykh.com | — | |
domainzagruzkafayla.com | — | |
domainzelenyysalat.com | — | |
domainzetta-strakhovaniye.com | — | |
domainzhestovyyliker.com | — | |
domainzimniyeravlecheniya.com | — | |
domainprotej.org.nniir.com | — |
Threat ID: 685dbcffca1063fb874915dc
Added to database: 6/26/2025, 9:34:55 PM
Last enriched: 6/26/2025, 9:50:32 PM
Last updated: 9/27/2025, 12:36:03 PM
Views: 88
Related Threats
ThreatFox IOCs for 2025-09-26
MediumGoogle Ads Used to Spread Trojan Disguised as TradingView Premium
MediumIranian linked conglomerate MuddyWater comprised of regionally focused subgroups
MediumHTML File Attachments: Still A Threat
MediumBeyond Signatures: Detecting Lumma Stealer with an ML-Powered Sandbox
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.