Serverless InfoStealer delivered in Est European Countries
AI Analysis
Technical Summary
The threat identified as 'Serverless InfoStealer delivered in Est European Countries' is a malware campaign focused on information theft, specifically targeting entities within Eastern European countries. The term 'serverless' suggests that the malware operates without relying on traditional server infrastructure, potentially leveraging cloud functions or ephemeral execution environments to evade detection and persistence mechanisms. This approach complicates traditional network-based detection and mitigation strategies. The malware is categorized under OSINT (Open Source Intelligence), payload delivery, and network activity, indicating that it likely collects sensitive information and exfiltrates it over the network without requiring persistent installation on victim systems. The lack of affected versions and patch availability implies that this malware exploits either zero-day vulnerabilities or uses social engineering and other non-patchable attack vectors. The technical details are minimal, with a low threat level rating (1) and no known exploits in the wild, suggesting limited current exploitation or detection. However, the severity is marked as high, reflecting the potential impact of information theft. The campaign's delivery in Eastern European countries indicates a geographically targeted operation, possibly focusing on specific sectors or organizations. The absence of indicators and CWEs limits detailed technical attribution or signature-based detection. Overall, this malware represents a sophisticated, stealthy threat that leverages modern serverless computing paradigms to conduct information theft operations in a targeted regional context.
Potential Impact
For European organizations, particularly those in Eastern Europe, this malware poses significant risks to confidentiality due to its information-stealing capabilities. Compromised data could include sensitive corporate information, intellectual property, personal data, or credentials, leading to financial loss, reputational damage, and regulatory penalties under GDPR. The serverless nature of the malware complicates detection and response, increasing the likelihood of prolonged undetected presence within networks. This can facilitate further attacks such as lateral movement, espionage, or supply chain compromises. Additionally, organizations with cloud-native architectures or those leveraging serverless technologies may be more vulnerable, as attackers exploit these environments' ephemeral and distributed characteristics. The lack of patches or known exploits suggests that traditional vulnerability management may be insufficient, requiring enhanced monitoring and behavioral analysis. The targeted delivery in Eastern Europe also raises concerns about geopolitical motivations, potentially affecting critical infrastructure, government agencies, and key industries in the region.
Mitigation Recommendations
- Implement advanced network monitoring solutions capable of detecting anomalous outbound traffic patterns typical of data exfiltration, especially focusing on unusual use of cloud service APIs or serverless function invocations.
- Enhance endpoint detection and response (EDR) tools with behavioral analytics to identify suspicious processes that do not rely on traditional persistence mechanisms.
- Conduct regular threat hunting exercises targeting serverless environments and cloud-native applications to identify potential compromises early.
- Restrict and monitor the use of serverless functions and cloud APIs, applying the principle of least privilege and employing strong authentication and authorization controls.
- Educate employees on social engineering tactics that may be used to deliver such malware, emphasizing caution with unsolicited links or attachments.
- Deploy data loss prevention (DLP) solutions tailored to detect and block unauthorized data transfers, particularly from sensitive repositories.
- Collaborate with cloud service providers to gain visibility into serverless function usage and to implement security best practices specific to serverless architectures.
- Maintain up-to-date incident response plans that include scenarios involving serverless malware and information theft.
- Leverage threat intelligence sharing platforms to stay informed about emerging indicators and tactics related to this malware campaign.
Affected Countries
Estonia, Latvia, Lithuania, Poland, Czech Republic, Slovakia, Hungary, Romania, Bulgaria
Indicators of Compromise
- file: hulalalMCROSOFT.vbs
- url: http://crypters.coolpage.biz/rumps/Rumppp.txt
- url: https://bitbucket.org/!api/2.0/snippets/hogya/KpMMLg/a2975578cff84cf6c198f055b21a7a6e3f14cd15/files/rotyh12
- url: https://bitbucket.org/hogya/workspace/snippets/ (description: hogya - harsh singh)
- url: https://bitbucket.org/choasknight/workspace/snippets/ (description: choasknight)
- url: https://1230948%1230948%1230948%1230948%1230948%1230948@bitly.]com/dsasabshjkahsadnjksalhndjksa
- url: https://bitly.com/dghiaksgdbshagdh
- url: https://bitly.com/etwuiqdbshadbsgha
- url: https://bitly.com/etyqwuidgshaja
- url: https://bitly.com/etywuiqdbhsnadg
- url: https://bitly.com/etywuiqdhbsgjj
- url: https://bitly.com/etywuiqdhjkasdnbvh
- url: https://bitly.com/eyuiasdbnjkasdhkashd
- url: https://bitly.com/eyuiqwdbhasgdjsha
- url: https://bitly.com/eyuiqwdhjkasdbsadgb
- url: https://bitly.com/eyuiqwdhksbgjsha
- url: https://bitly.com/eyuiqwdhsgaddasvdj
- url: https://bitly.com/eyuiqwhdjkasdghj
- url: https://bitly.com/eywuiqdbnamsdgjh
- url: https://bitly.com/eywuiqdhjkasdbgmh
- url: https://bitly.com/eywuiqdhnjkasbdjsghah
- url: https://bitly.com/qywuiehasgdshaj
- url: https://bitly.com/twyiqgshagsja
- url: https://bitly.com/yeuioqwhdkjasgd
- url: https://bitly.com/yeuiwqhdbasnvgjha
- url: https://bitly.com/yqweikkajsbdjsgadhasdbg
- url: https://madarbloghogya.blogspot.com/p/longdickback1.]html
- url: https://madarbloghogya.blogspot.com/p/rothwellback.]html
- url: https://bitbucket.]org/!api/2.0/snippets/hogya/bxkkpz/4118f44550b85bec2ae65d3e55bf77b2101991c8/files/calib111
- url: https://bitbucket.]org/!api/2.0/snippets/hogya/dxkkpr/2a7b31d0309cf290a0a4c692077fd013669991b2/files/charles11
- url: https://bitbucket.]org/!api/2.0/snippets/hogya/7XkkMb/3cb71404b16fd36f48bb66d71c61d6055fe8fbd3/files/dark1
- url: https://bitbucket.]org/!api/2.0/snippets/hogya/qXkkMx/5b19e6bac2c7b95e36211bb737603c38bcc64885/files/ghul1
- url: https://bitbucket.]org/!api/2.0/snippets/hogya/Epgg7x/90823c7b15d8d3c9aa74b74766a264f2cdaff147/files/long11
- url: https://bitbucket.]org/!api/2.0/snippets/hogya/kxqqjX/1cf020a5bcfd0f3a613b1356558b4e5c67136435/files/mrk
- url: https://bitbucket.]org/!api/2.0/snippets/hogya/yXEEMa/2c4fbe9f83764ed4c53961886e563861399257d5/files/muti
- url: https://bitbucket.]org/!api/2.0/snippets/hogya/A9MM7b/b1f5d79e5438016d91d7a42680532aed1cff8657/files/qw2
- url: https://bitbucket.]org/!api/2.0/snippets/hogya/KpMMLg/a2975578cff84cf6c198f055b21a7a6e3f14cd15/files/rotyh12
- url: https://bitbucket.]org/!api/2.0/snippets/hogya/rXEEgk/81cf1a8c4f8ec324adf7e8729c8c19d6f3191d34/files/van1
- url: https://bitbucket.]org/!api/2.0/snippets/hogya/7Xkkdr/71b71d4e957ac56cd5bc6d1558b81f44210cd884/files/calib-1
- url: https://bitbucket.]org/!api/2.0/snippets/hogya/KpMMLe/b4e47bf432d722a20ecd7b8d532de88c5274468e/files/charles123
- url: https://bitbucket.]org/!api/2.0/snippets/hogya/rXEEgA/236882c179c87120ea611078d65f6af854a3da76/files/dark123
- url: https://bitbucket.]org/!api/2.0/snippets/hogya/nxkkbx/b985a138bfcc230075309d6393d9a77a013146d2/files/ghul123
- url: https://bitbucket.]org/!api/2.0/snippets/hogya/yXEEdx/fd5b2f66e22535e681f5d9b75f380f15645e8ea5/files/long132
- url: https://bitbucket.]org/!api/2.0/snippets/hogya/KpMMLk/30b96224276ce0482b9ca6a8e8d51b1a80af06dc/files/mrk123
- url: https://bitbucket.]org/!api/2.0/snippets/hogya/rXEEgg/947b59abdf17355aa212f65cc26ed3a0a694dd30/files/muti001
- url: https://bitbucket.]org/!api/2.0/snippets/hogya/nxkkbj/93313de40a32b1c85bf7c5ef52d103808e400c89/files/qwe22
- url: https://bitbucket.]org/!api/2.0/snippets/hogya/LpMMnx/78c83d16ba68da5bd2cdc3a25e26e367c7b10f05/files/roth123
- url: https://bitbucket.]org/!api/2.0/snippets/hogya/qXkkda/da9c321b635563490e760230601e6da016df6172/files/van123
- url: https://bitbucket.]org/!api/2.0/snippets/hogya/kxqqay/1b716492745a665eea93dd18261a7a3c9f8ac85f/files/reza
- url: https://bitbucket.]org/!api/2.0/snippets/hogya/exEE5y/c407ebf390895c289726d38e17ace212689e34f8/files/reza-111
- url: https://bitbucket.]org/!api/2.0/snippets/choasknight/6XEXAo/6602fb280c0f18337286988b9af658023a7cc994/files/test
- url: https://bitbucket.]org/!api/2.0/snippets/choasknight/kxqxxA/5864261b6610d863302b06c528fe1a85d4db7072/files/darkhorse
- url: https://bitbucket.]org/!api/2.0/snippets/choasknight/yXEXXn/2b8cdcdeaa63834b21dba9c15a50226a5629a888/files/darkhorsepart2
- hash: 014d5412e803d0abe1bdf1f29d02e389603ad5c30e449920f6995748e9310542
- hash: 19451a668953bd2a206283163714425ed75f822b8ac915f1e04b966671a1a23c
- hash: 27b7e68d5d728b339dc5d8fbc6a9f4194da0ba1ffc471d58c3cabf2a2ebd426d
- hash: 29a4107734ec549b59d5babd945ceb6c254375011165d34e70e86553c27581c8
- hash: 36f26fffbe92ea0a9fbd25908fd12af52f2dad967a1369c77ef97e76c1638ca3
- hash: 414f56a4bbedb067cfa571d107103f705d742d10e2fe7163c97d6925e62ea853
- hash: 468f28807ef4d3e8cbd812d808b9573fb87ba83a037503c9c14f032ca08deb2e
- hash: 54f8342dec4a0b60e369292eee00cb6b8676ec48973a3a345a217febb0f3488e
- hash: 5665e106ce98224e6f1d02a49c86e01778ed630ab53b55f5ed50126bd1666c06
- hash: 639f108d6fa7469827be4396f086b95158ee28a7eec6867cedaf2d4007a3784b
- hash: 6d492bbc2e972b9720bb9463733ed550236742341952e0d5a31c0f0220beffdd
- hash: 81698424c325e40c1cd537719a228cf99fcacd1b954e717f27c4ba32c5cd83fd
- hash: 89d2bfac1aa9427857b229ec9f1acae69a865bb33a88f33e7264e82bd4463b35
- hash: 8a17d0e4a4f310a8aeb27a2e30cfc463c2d5a2bfa2772b0a5d5700b4c1e1c3bd
- hash: 8ed21a5bfe917fcba312ed2b630deadba0a4d623f4bccf74dd80149b176d414e
- hash: 9c3ecaecc2339b973eacaa4da07dae33964c75c7766f36c862c988491d4ecbb0
- hash: 9f4a60a9f9c8ac29814bf0e94360ca1502973ad2530bb66f8c4e2b75977d7311
- hash: a3d8bc6d455eaeca2f0fbe462f6348c0f61242dc7bde1c48d27b33f1d8cf1d9d
- hash: a98f6606e576078f0735d504dfd4c4276fd91d918117a29334ff41107c3d269e
- hash: acd370830c92939272a8503ef834d5892108133de131407d10c7435e1514208b
- hash: bc1254a16b628102bb13c3501d2c52063f16c7857419455790863beec30f31e2
- hash: c4d3db664407cd7dde28b6490dc2cbaafad0b91740bf51b480b1f4c324834fd1
- hash: d0d36b28f2d009efd9ebf8006d5a937bdf61e408166d7d811ed01bc4a6cc61ab
- hash: d3b83d76e76c22b2881a3e5b86afbfd020b631584ed0a40f67d5820a572bc5f2
- hash: d4ee5546b462eb2cf6f88ca39fcc208904d02488782ab0285c06e1e35c1a754e
- hash: fe5811c318713cbdf188b2fae370dd8827715fd9e0e5a1ee367823343d0d5a0f
- hash: e2a2f3d6aae6a4ca060d5f761591f6edb9db80677bdd7bb9ba71f8c88b0dbf38
- hash: bb5bdc809fe22bdc88652c5ca93aba8c90798d55e62d7fc0cbc44740bf6bf1d6
- hash: 17f3f34d7814338c40153073fed0ed0414ecb4f76ca9d3d337b8b09da85f2a57
- hash: 94ac4b5dc33bd0374952731853642a4eca8bdb9be12b861297d7dd8f0e527c19
- url: http://69.174.99.181/webpanel-calib/
- url: http://69.174.99.181/webpanel-charles/
- url: http://69.174.99.181/webpanel-dark/
- url: http://69.174.99.181/webpanel-ghul/
- url: http://69.174.99.181/webpanel-greg/
- url: http://69.174.99.181/webpanel-long/
- url: http://69.174.99.181/webpanel-mrk/
- url: http://69.174.99.181/webpanel-muti/
- url: http://69.174.99.181/webpanel-reza/
- url: http://69.174.99.181/webpanel-roth/
- url: http://69.174.99.181/webpanel-trade/
- url: http://69.174.99.181/webpanel-van/
- url: http://69.174.99.181/webpanel-zoe/
- link: https://yoroi.company/research/serverless-infostealer-delivered-in-est-european-countries/
- text: Threat actors' consistency over time represents an indication of effectiveness and experience, resulting in an increasing risk for targeted companies. The Yoroi Malware ZLAB has been tracking the threat actor Aggah (TH-157) since 2019, along with PaloAlto UNIT42, HP and Juniper Networks, and the persistence of its malicious operation over time reveals a structured information-stealing infrastructure, a worldwide campaign capable of quickly varying its distribution technique. We discovered new data theft and reconnaissance operations targeting multiple victims worldwide, including Ukraine, Lithuania, and Italy. The whole campaign impacted hundreds of victims and lasted for two months. CERT Yoroi was able to track the malware distribution infrastructure, which was abusing the Bitbucket code repository infrastructure to evade detection mechanisms and URL and domain reputation security checks. The following article describes how TH-157 conducted this new wave of attacks along with all the indicators needed by security teams to hunt down active intrusions.
- text: Report
- hash: 17f3f34d7814338c40153073fed0ed0414ecb4f76ca9d3d337b8b09da85f2a57
- ssdeep: 384:IKyo59LwWOIZlIjlaRKPPYglCLMvu61aUr/clFo39D:J59UWOI3mbkLhHmcjo
- file: xxx1.txt
- text: %PUBLIC%\xxx1.txt
Technical Details
- Threat Level: 1
- Analysis: 0
- Uuid: b0135754-b115-47c4-811c-e6840fe03f50
- Original Timestamp: 1687347426
Threat ID: 682c7ad2e3e6de8ceb7733f0
Added to database: 5/20/2025, 12:51:30 PM
Last enriched: 6/19/2025, 2:03:55 PM
Last updated: 8/16/2025, 12:01:43 AM