The 'Bear' attacks: what we learned about the phishing campaign targeting Russian organizations
A hacking group named NetMedved has been conducting phishing attacks against Russian organizations since October 2025. The campaign uses malicious LNK files disguised as business documents to deliver NetSupport RAT malware. The attackers employ various techniques including PowerShell scripts, finger protocol, and anti-analysis checks. They utilize multiple domains for payload delivery and command and control. The group's infrastructure overlaps with previous campaigns from 2024, suggesting an evolution of tactics rather than a new actor. NetMedved's operations involve social engineering, custom obfuscation, and abuse of legitimate tools to evade detection and maintain persistence on compromised systems.
AI Analysis
Technical Summary
The 'Bear' attacks represent a targeted phishing campaign conducted by the threat actor NetMedved since October 2025, focusing on Russian organizations. The attackers distribute malicious LNK shortcut files masquerading as legitimate business documents which, when opened, execute payloads that deploy the NetSupport Remote Access Trojan (RAT). This RAT gives the operators remote control of the host and espionage capabilities. The campaign leverages PowerShell scripts for execution and persistence, uses the finger protocol for communication or reconnaissance, and incorporates anti-analysis checks to evade sandboxing and forensic investigation. The attackers utilize multiple domains for payload delivery and command and control (C2) infrastructure, complicating detection and takedown efforts. The infrastructure and tactics show continuity with campaigns from 2024, suggesting a refinement of methods rather than the emergence of a new actor. Social engineering is heavily employed to trick victims into opening malicious files, while custom obfuscation techniques and abuse of legitimate system tools help maintain stealth and persistence. Indicators of compromise include suspicious LNK files, unusual PowerShell activity, and network connections to known malicious domains. Despite the absence of known exploits in the wild, the campaign's sophistication and persistence mechanisms pose a credible threat to targeted organizations.
Potential Impact
For European organizations, the direct impact of this campaign is currently limited as the primary targets are Russian entities. However, European companies with business ties to Russia, subsidiaries, or shared infrastructure could be at risk of collateral compromise or secondary targeting. The use of NetSupport RAT allows attackers to gain remote access, potentially leading to data exfiltration, espionage, or lateral movement within networks. The campaign's use of social engineering and legitimate tools complicates detection, increasing the risk of prolonged undetected access. If the campaign expands or similar tactics are adopted against European targets, the impact could include loss of confidentiality, integrity, and availability of critical systems. Additionally, the reuse of infrastructure and evolving tactics indicate a persistent threat actor capable of adapting to defensive measures, which could challenge incident response efforts in Europe.
Mitigation Recommendations
European organizations should implement targeted detection and prevention strategies beyond generic advice. Specifically, they should:
1. Enforce strict email filtering and attachment sandboxing to detect and block malicious LNK files.
2. Monitor and restrict PowerShell usage, enabling logging and applying constrained language mode where feasible.
3. Implement network segmentation and monitor for unusual finger protocol traffic and connections to suspicious domains.
4. Employ threat intelligence feeds to identify and block known NetMedved infrastructure.
5. Conduct user awareness training focused on recognizing social engineering tactics and suspicious file types.
6. Use endpoint detection and response (EDR) solutions capable of detecting obfuscated scripts and abnormal process behaviors.
7. Regularly audit and harden systems against abuse of legitimate tools.
8. Establish incident response plans that include rapid containment and forensic analysis of suspected infections.
9. Collaborate with national cybersecurity centers to share intelligence on emerging threats.
10. Apply strict application whitelisting policies to prevent execution of unauthorized LNK files and scripts.
Affected Countries
Russia, Germany, United Kingdom, France, Poland, Italy
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://habr.com/ru/companies/pt/articles/968572/
- Adversary: NetMedved
- Pulse Id: 6926cae8043aabe58197d11e
- Threat Score: null
Threat ID: 6926ceff91609981b6f87aaa
Added to database: 11/26/2025, 9:57:19 AM
Last enriched: 11/26/2025, 10:09:01 AM
Last updated: 1/18/2026, 5:24:17 PM