The 'Bear' attacks: what we learned about the phishing campaign targeting Russian organizations
The 'Bear' attacks are a phishing campaign by the NetMedved group targeting Russian organizations since October 2025. The attackers use malicious LNK files disguised as business documents to deliver the NetSupport RAT. They employ PowerShell scripts, the finger protocol, and anti-analysis techniques to evade detection. The campaign infrastructure overlaps with previous 2024 campaigns, indicating an evolution of tactics rather than a new actor. The group relies on social engineering, custom obfuscation, and abuse of legitimate tools to maintain persistence. Although the campaign primarily targets Russian entities, the techniques and malware used could pose risks to organizations with similar profiles. No known exploits in the wild have been reported, and the campaign is assessed as medium severity. Defenders should focus on detecting malicious LNK files, monitoring PowerShell activity, and blocking suspicious domains. The threat is relevant mainly to Russian organizations but could indirectly impact European entities with ties to Russia or similar environments.
AI Analysis
Technical Summary
The 'Bear' attacks represent a targeted phishing campaign conducted by the threat actor NetMedved since October 2025, focusing on Russian organizations. The attackers distribute malicious LNK shortcut files masquerading as legitimate business documents which, when opened, execute payloads that deploy the NetSupport Remote Access Trojan (RAT). This RAT gives the operator remote control and espionage capabilities. The campaign leverages PowerShell scripts for execution and persistence, uses the finger protocol for communication or reconnaissance, and incorporates anti-analysis checks to evade sandboxing and forensic investigation. The attackers use multiple domains for payload delivery and command and control (C2) infrastructure, complicating detection and takedown efforts. The infrastructure and tactics show continuity with campaigns from 2024, suggesting a refinement of methods rather than the emergence of a new actor. Social engineering is heavily employed to trick victims into opening malicious files, while custom obfuscation techniques and abuse of legitimate system tools help maintain stealth and persistence. Indicators of compromise include suspicious LNK files, unusual PowerShell activity, and network connections to known malicious domains. Despite the absence of known exploits in the wild, the campaign's sophistication and persistence mechanisms pose a credible threat to targeted organizations.
Potential Impact
For European organizations, the direct impact of this campaign is currently limited as the primary targets are Russian entities. However, European companies with business ties to Russia, subsidiaries, or shared infrastructure could be at risk of collateral compromise or secondary targeting. The use of NetSupport RAT allows attackers to gain remote access, potentially leading to data exfiltration, espionage, or lateral movement within networks. The campaign's use of social engineering and legitimate tools complicates detection, increasing the risk of prolonged undetected access. If the campaign expands or similar tactics are adopted against European targets, the impact could include loss of confidentiality, integrity, and availability of critical systems. Additionally, the reuse of infrastructure and evolving tactics indicate a persistent threat actor capable of adapting to defensive measures, which could challenge incident response efforts in Europe.
Mitigation Recommendations
European organizations should implement targeted detection and prevention strategies beyond generic advice. Specifically, they should:
1) Enforce strict email filtering and attachment sandboxing to detect and block malicious LNK files;
2) Monitor and restrict PowerShell usage, enabling logging and applying constrained language mode where feasible;
3) Implement network segmentation and monitor for unusual finger protocol traffic and connections to suspicious domains;
4) Employ threat intelligence feeds to identify and block known NetMedved infrastructure;
5) Conduct user awareness training focused on recognizing social engineering tactics and suspicious file types;
6) Use endpoint detection and response (EDR) solutions capable of detecting obfuscated scripts and abnormal process behaviors;
7) Regularly audit and harden systems against abuse of legitimate tools;
8) Establish incident response plans that include rapid containment and forensic analysis of suspected infections;
9) Collaborate with national cybersecurity centers to share intelligence on emerging threats;
10) Apply strict application whitelisting policies to prevent execution of unauthorized LNK files and scripts.
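To make recommendations 2 and 3 concrete, the following is an added example, not code from the original page, from AlienVault, or from the source article. It scores Sysmon-style process-creation and network-connection events for the behaviours the analysis describes: PowerShell spawned by explorer.exe with hidden, encoded or policy-bypass switches (how a double-clicked LNK lure typically surfaces in endpoint telemetry), execution of the finger.exe client, and outbound connections to TCP/79, the finger service port. The event schema, the PowerShell flag patterns, the host paths and every sample event are my own assumptions and constructed fixtures; the page does not publish the campaign's actual command lines, so the patterns are a generic hunting baseline rather than a signature for this actor.

```python
import re
from dataclasses import dataclass

FINGER_PORT = 79  # the finger protocol (RFC 1288) runs over TCP/79

# PowerShell switches commonly seen when a shortcut launches a hidden, encoded or
# policy-bypassing command. Assumption: the page does not give the real command
# line, so this is a generic baseline, not a campaign-specific signature.
SUSPICIOUS_PS_FLAGS = re.compile(
    r"(-w(?:indowstyle)?\s+hidden"
    r"|-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"
    r"|-nop(?:rofile)?\b"
    r"|-e(?:p|xecutionpolicy)\s+bypass)",
    re.IGNORECASE,
)


@dataclass
class Event:
    """Minimal Sysmon-like event (constructed schema, not Sysmon's real XML)."""
    kind: str            # "process" (EID 1-like) or "network" (EID 3-like)
    image: str           # full path of the process image
    parent: str = ""     # parent image path, process events only
    cmdline: str = ""    # command line, process events only
    dest_ip: str = ""    # network events only
    dest_port: int = 0   # network events only


def _basename(path):
    """Lower-cased file name of a Windows path, so comparisons ignore the directory."""
    return path.lower().rsplit("\\", 1)[-1]


def process_alerts(ev):
    """Return alert strings for one process-creation event."""
    alerts = []
    image, parent = _basename(ev.image), _basename(ev.parent)
    if image == "finger.exe":
        alerts.append("finger.exe executed (the finger client is rarely used legitimately on workstations)")
    if image in ("powershell.exe", "pwsh.exe"):
        if parent == "explorer.exe" and SUSPICIOUS_PS_FLAGS.search(ev.cmdline):
            alerts.append("PowerShell spawned by explorer.exe with hidden/encoded/bypass flags "
                          "(how a double-clicked LNK lure typically appears in telemetry)")
        if re.search(r"\bfinger\b", ev.cmdline, re.IGNORECASE):
            alerts.append("PowerShell command line references finger")
    return alerts


def network_alerts(ev):
    """Return alert strings for one network-connection event."""
    if ev.dest_port == FINGER_PORT:
        return [f"outbound finger (TCP/{FINGER_PORT}) to {ev.dest_ip}"]
    return []


def detect(events):
    """Run both detectors over a list of events; return (event_index, alert) pairs."""
    found = []
    for i, ev in enumerate(events):
        msgs = process_alerts(ev) if ev.kind == "process" else network_alerts(ev)
        found.extend((i, m) for m in msgs)
    return found


# Constructed sample telemetry. 185.158.249.64 is taken from the page's IoC list;
# 203.0.113.10 is a documentation address standing in for benign traffic.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\explorer.exe",
          cmdline=r"powershell.exe -File C:\Scripts\backup.ps1"),          # benign admin script
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\explorer.exe",
          cmdline='powershell.exe -w hidden -ep bypass -c "finger user@185.158.249.64"'),
    Event("process", r"C:\Windows\System32\finger.exe",
          parent=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline="finger user@185.158.249.64"),
    Event("network", r"C:\Windows\System32\finger.exe", dest_ip="185.158.249.64", dest_port=79),
    Event("network", r"C:\Program Files\Mozilla Firefox\firefox.exe", dest_ip="203.0.113.10", dest_port=443),
]

if __name__ == "__main__":
    for idx, msg in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {msg}")
```

Run stand-alone, the script reports nothing for the benign backup script or the HTTPS connection and raises four alerts across the three suspicious events. In a real deployment the flag list would be tuned against the organisation's own baseline of explorer-launched PowerShell, and the TCP/79 rule is cheap to keep on permanently because legitimate finger traffic is close to nonexistent on modern networks.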
Affected Countries
Russia, Germany, United Kingdom, France, Poland, Italy
Indicators of Compromise
- ip: 185.158.249.64
- hash: 002bca1bb5ccc22049aa918aafc174a7
- hash: 01264394800dd0ded80b873d339aaebf
- hash: 01a43d17f909792addcc004bdd513963
- hash: 0b314bd55b9a3e318e3c207e597f3e5f
- hash: 192c0538c375d9c5064a39f07e5b3744
- hash: 1b8fef7767370b985214470cf4e56a24
- hash: 20ddd51ca6febc3ddf10a93230aa569f
- hash: 219a47f8a1820d131fa90f0e15230197
- hash: 25f5b04a7cb54ae588235cf7cf3a89f4
- hash: 31c60c6eca6b9d7349a85ceb0cba3d8b
- hash: 3ffdae649a03c010e8d2297311634ac3
- hash: 410879d8562a64d5cd7034bbff462655
- hash: 435e3d7ab7f4939a00332f823a923c8f
- hash: 63a769becb77120637e242b5a3e41649
- hash: 7c747a3bae1b6093273fb59be92947c8
- hash: 7cb00849d03ffa13ab9e5b077e161608
- hash: 7cec93c66b8fce48eb393c176936d146
- hash: 7dbb2d7f7fb06c12739b719d9653c57b
- hash: 807cf9936885bbc4ee06e4ece0392cd1
- hash: 8136af34863b2eba580aa022bf0ca912
- hash: 81e4ee273f7d4eaaba6ec1c31088d59f
- hash: 84677cb94f1772c22d9d82114a4a4038
- hash: 8944560ed965974f843fc984e417457e
- hash: 8c021c5d85f635286c0c4878ae3dfacc
- hash: 8ca3640f4dedf5caa352efb72a19914a
- hash: 8d4ac3cb056d331ca382d1b1b6dae3a4
- hash: a3f88b1b992f9c4a56e07fd59dd394af
- hash: aefa1b33765e08e264b5d2d15f3f260e
- hash: b43fc607fabdee781ca6877a04a97f2d
- hash: b45f2ae24457d9a3cc44f4c6c183211c
- hash: ba454a50b727cd724066ce2cfd575b9d
- hash: d0f7cdde46cd23cb01d70c88b92e7080
- hash: e1649ded8b6f6b591ec903387a9de93e
- hash: f2547fd021e9af337f22537cfffa8b12
- hash: f9b64f0da33c475658ea206a484d236f
- hash: fc53d4925a9e5f0a2d84bb7185da1874
- hash: 111c9272b9d0ca9836fcef79fc7a502117764308
- hash: 1c7bf6e246b211e42f22d6d9e74d3f33dc83d835
- hash: 1e842b5aa270657aedeced10e105432508997532
- hash: 251a012f8489db93e280c46c59bd341b76b58136
- hash: 277a95d0095bb39ab7ea4d8c9b3077010d2ee511
- hash: 2d07e5f0c97a5150f80130e3d05deb3dd2440c2e
- hash: 3aff248f75a54b6e8f14b07c35cc4e5d19b43fb3
- hash: 4c70f17b2e9a7e223b30b5c00d5512a157738b7d
- hash: 4ca145a304aa5b2706da90e4d2ed493e986e28d3
- hash: 4de3b3a50ee9169f8826f98167c0c3697538bfa8
- hash: 5363f611e91e2a1433cb9502365ae47708adec29
- hash: 586edeac5a77f604016b6921369c8816bed3659e
- hash: 5a401eefb9c3234841f2f9060745ebac61eade33
- hash: 681ae1f5dcbafd30167b8b158b0c937a2a3f6023
- hash: 6c51276cc02b6e10f0c18f2459f121e44f8cea3f
- hash: 72a65f4684fd413858b8791a697fad6051fb6ec2
- hash: 7cc19bef3359350561896c08a021757f7df3d6f1
- hash: 890766ecce25a487864f71a71c519a9c4fc68dbb
- hash: 8a27e37499c26e1e465375ecd1bfb3f0ae9bf8db
- hash: 8fb720d4eabe22820b2affd76a56495feb297422
- hash: 9bfcad0f12ee36fa7a15de5e52b5fe416c7f9db6
- hash: a09a56aa6285884082a3eaca89a93ca438f19468
- hash: a34a796d8d342f2d54d5db601522dbe4b96a81ec
- hash: a3f420516b31e3ab5a49ebcc7026f6f47fcaa44e
- hash: b19532b2b8d684d3adb7204046a60ab58b64b993
- hash: bd1de96110ee8770df1ebfd4420ddb8ed5869e33
- hash: c157e587545ba74980026bd082301e23cc2c002f
- hash: c30516b6a3894821d6a472f9ec18ae526857c260
- hash: cc404afb2d49861bfacfa25b8aa07c68c69d4ff6
- hash: d1d41e0701fa58d3c4113634260f93f7e7c46836
- hash: d2f5d23bd424fd552b96432f097c94a8388b94ea
- hash: d3b726039aead4cac409a9e4257027036469f8e3
- hash: e148be1c9148c0542475237b78d40face8252ee2
- hash: e44b913a1694a61705344ce406f77301defd8ec5
- hash: f1d4d04186a3262d455c40e2d8377d6646a03dee
- hash: fec85d048c284db87859ade0d68734683fe1352b
- hash: 007ec4eadad16fed2361486bbd79ce8491db3aeae615fef9069e274609233e2f
- hash: 05464b16c6ea40cd93d39b7c0a20c136be2b7921818aa5041b7b98a7cbbf270f
- hash: 0c166f4c7475ec6d15ac00b9b7bc9cf0d7bb53eb504e14f153af08dfe05c40e2
- hash: 0c61883da958fb23e03eac577b169d5e7535910b5a12916fe6d2a94f6b40a89e
- hash: 0f430f2772119b62d32b7812b44726f7d1f3ffc9f9f9ca86b7a0a0c8b314215d
- hash: 1027cd7578146cafe39eacf1ed6d2048aa12fc6936d2594d49eb093c56b2d840
- hash: 23eb791345d1a125c2c5988fb7a8001824a328a248f0c7588973b045b50bea69
- hash: 25a7dc3f0f16a6f1e69db6e80143f2a8788c5542246966c081a06bf9767264fe
- hash: 2e851fcc4eb8e60f350ce68b686cc1ce3c4a0370c28a230a0f3468358907c075
- hash: 2fdabce92c1915556f2e4d5cfdf34f18147d1e09c454c3758a4dcf31431e1e62
- hash: 340f085668d115b4f0ae586b26ecc3cc5a977449989221e02a13b09decbf9bb9
- hash: 3983a383b532c32dfbab8958ad1b35fc8cb3fc3141b5016dd01fcfbfd3c0cd3b
- hash: 44e29f1e03d3ff663058338363f144326b1e83a63a43caea86e313c3b8bf98a6
- hash: 4546d8fa49836ae06af4df56fca03905afd4d7df60d171cc2c959be03d1d94b2
- hash: 4fed61b2f93f4ef51777ac2f381a89e564c8ddf941ecef9f3f7f1e9c370ff0a3
- hash: 51012e5e9ee205efe5025e0a83cce90dca5719268229c91b6777060c1b4578d0
- hash: 59f3acf7a2099899807685c631d8a64af0e784a046a48f45ba2cc40d2e785444
- hash: 5b83e99dfeeb8c30dc72059d369bff0109c40cb5d9aea63245d90a1ca4a36232
- hash: 7573e2a6a6a4a5c21bc3f81a53262e3ade3871fd00ab06b9cf9f9a28c45926f2
- hash: 76d3a58f3fb14e1d8435eabaac21c84f9d256bcd241da3da44b70c4a606134fd
- hash: 7ffc177f931c6df8542cc87c9da95d3f3a51b587c237253b6091e83451d7c3a2
- hash: 8de51b085e9ae644099bebe8e95ec1d5dbe2b854b4d20d8f33c9160458f6c413
- hash: 98a693f412da7b5e5fa790ab54e1c4737ce628ddaedda6cb2359214ec17c11a8
- hash: a4cf4c55312222dfa5c9e08034377a2efaae3b94213c1283c3e2145d2677c3d3
- hash: a55733d4055fe83817b865638b71690fe8f32de77eec04498171fd7e1cb3eb67
- hash: a68b10d3a36423d44d36274dc995a5f11bfb1dd5bba6de81071e9ced8dc780f3
- hash: aa666ff1e5276677b9995f86399743aaad38a6b70b53a124062aa69c798760b6
- hash: b302c16d60f055ec37833e45b091f20b6eae3248be74f389094e69d20f496a7b
- hash: b69c5134a453d19ddf94967c49dd9ecb825ae2461d491f67d09fb5bda5dd27be
- hash: bf0df57d9dac2aafd89f30d818749d3ce15afe488dcdad912e8996bfd3d0b3c1
- hash: cb2c2f492fd44afa9279ee8d4a8a6e8ca11ab65a9224a18da9ba8b0d8f6bec14
- hash: cc6219c710d5bd0ee986b479723ab4f42027da0f28a49fad66d9f3280774e654
- hash: d3aea6e94151bcbb8ac451c50a3a6a5693162521b7d61c53e57c91e4c91c1eb4
- hash: dddfc3c5ca754144b430df11a78a048609106f9d12db4b1fec309bb9805743ec
- hash: e34552a5338872919b3e0f15efc9c27641479750ca2a43ac7cc5c9b15f15ad20
- hash: ea3d66b8e53cf2475ef89c94d917529360325f3464727a54a3be2aa2ffde0e2b
- ip: 185.158.249.54
- domain: bspaco.com
- domain: cdn-reserved.com
- domain: metrics-strange.com
- domain: nbmovies.net
- domain: nicevn.net
- domain: pauldv.com
- domain: real-fishburger.com
- domain: skillswar.com
- domain: tvfilia.com
- domain: x-projectlys.com
- domain: api.metrics-strange.com
- domain: sara.x-projectlys.com
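Recommendations 3 and 4 above depend on turning the indicator list into something a SIEM or log pipeline can match. The following is an added example, not part of the original page or the AlienVault pulse: it classifies a subset of the published indicators by type (IPv4, MD5/SHA-1/SHA-256 distinguished by hex length, domain), then scans key=value log lines for DNS, connection and file-hash hits. The log format, the host names and every log line are my own constructions; hashes are compared case-insensitively, and domain matching walks up the label hierarchy so a lookup of any host under a listed domain still fires.

```python
import re
from collections import defaultdict

# Subset of the indicators published on this page, copied verbatim from the IoC list.
RAW_IOCS = [
    "185.158.249.64",
    "185.158.249.54",
    "002bca1bb5ccc22049aa918aafc174a7",
    "111c9272b9d0ca9836fcef79fc7a502117764308",
    "007ec4eadad16fed2361486bbd79ce8491db3aeae615fef9069e274609233e2f",
    "metrics-strange.com",
    "x-projectlys.com",
    "api.metrics-strange.com",
]

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
HEX = re.compile(r"^[0-9a-f]+$")
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")
KV = re.compile(r"(\w+)=(\S+)")  # key=value tokens in the constructed log format


def classify(value):
    """Return (type, normalised_value) for one raw indicator string."""
    v = value.strip().lower()
    if IPV4.match(v):
        return "ip", v
    if HEX.match(v) and len(v) in HASH_TYPES:
        return HASH_TYPES[len(v)], v
    if DOMAIN.match(v):
        return "domain", v
    return "unknown", v


def build_index(raw):
    """Group indicators into sets keyed by type, ready for O(1) lookups."""
    idx = defaultdict(set)
    for r in raw:
        t, v = classify(r)
        idx[t].add(v)
    return idx


def domain_hit(name, domains):
    """Return the most specific listed domain that `name` equals or sits under.
    Walks the label hierarchy (host.api.example.com -> api.example.com ->
    example.com) but never matches a bare TLD."""
    parts = name.lower().rstrip(".").split(".")
    for i in range(len(parts) - 1):
        candidate = ".".join(parts[i:])
        if candidate in domains:
            return candidate
    return None


def scan(lines, idx):
    """Scan log lines; return (line_number, indicator_type, matched_value) tuples."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = dict(KV.findall(line))
        if "qname" in fields:
            m = domain_hit(fields["qname"], idx["domain"])
            if m:
                hits.append((n, "domain", m))
        if "dst" in fields:
            ip = fields["dst"].rsplit(":", 1)[0]
            if ip in idx["ip"]:
                hits.append((n, "ip", ip))
        for algo in ("md5", "sha1", "sha256"):
            if algo in fields and fields[algo].lower() in idx[algo]:
                hits.append((n, algo, fields[algo].lower()))
    return hits


# Constructed sample log: DNS queries, outbound connections and file-hash records
# from two fictional workstations. 203.0.113.10 is a documentation address.
SAMPLE_LOG = [
    "2025-11-26T09:57:19Z dns host=WS-042 qname=cdn.api.metrics-strange.com qtype=A",
    "2025-11-26T09:58:03Z dns host=WS-042 qname=updates.example.com qtype=A",
    "2025-11-26T10:01:02Z conn host=WS-042 dst=185.158.249.64:79 proto=tcp",
    r"2025-11-26T10:02:00Z file host=WS-042 path=C:\Users\u\Downloads\invoice.lnk "
    "sha256=007ec4eadad16fed2361486bbd79ce8491db3aeae615fef9069e274609233e2f",
    r"2025-11-26T10:02:05Z file host=WS-043 path=C:\Users\v\Downloads\report.lnk "
    "md5=002BCA1BB5CCC22049AA918AAFC174A7",
    "2025-11-26T10:03:11Z conn host=WS-043 dst=203.0.113.10:443 proto=tcp",
]

if __name__ == "__main__":
    index = build_index(RAW_IOCS)
    for line_no, kind, value in scan(SAMPLE_LOG, index):
        print(f"line {line_no}: {kind} match on {value}")
```

Two details matter in practice. Classifying hashes by length rather than by a per-indicator label lets a mixed feed such as the one above be ingested without hand-sorting, and the hierarchical domain match is what catches `api.metrics-strange.com` and `sara.x-projectlys.com` even when only the registrable domain is in the block list; the reverse (a look-alike such as `evil-metrics-strange.com`) correctly does not match, because the walk compares whole labels, not substrings.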
Technical Details
- Author: AlienVault
- TLP: white
- References: https://habr.com/ru/companies/pt/articles/968572/
- Adversary: NetMedved
- Pulse Id: 6926cae8043aabe58197d11e
- Threat Score: null
Threat ID: 6926ceff91609981b6f87aaa
Added to database: 11/26/2025, 9:57:19 AM
Last enriched: 11/26/2025, 10:09:01 AM
Last updated: 12/4/2025, 3:11:40 PM