Reconnecting to live updates…

XCTDH Crypto Heist Part 3 - Yashraj Solanki

Severity: mediumType: unknown

AI Analysis

Technical Summary

The XCTDH Crypto Heist Part 3 appears to be a continuation of a series of cyber threat intelligence reports focusing on cryptocurrency-related theft activities attributed to North Korean threat actors. The report is sourced from CIRCL's OSINT feed and is tagged with a 50% certainty level, indicating moderate confidence in the attribution and threat validity. The technical details are minimal, with no specific vulnerabilities, exploits, or affected software versions identified. No patches or known exploits in the wild are reported, suggesting this is primarily an intelligence observation rather than a disclosed vulnerability or active exploit campaign. The involvement of DPRK (North Korea) aligns with historically observed state-sponsored cybercrime operations targeting cryptocurrency exchanges and wallets to circumvent sanctions and generate revenue. The medium severity rating reflects the potential financial impact of crypto theft but is tempered by the lack of concrete exploitation details. The threat is perpetual in nature, indicating ongoing monitoring is necessary. The absence of CWE identifiers and technical indicators limits the ability to perform detailed technical mitigation but highlights the importance of vigilance in crypto asset security.

Potential Impact

For European organizations, especially those operating cryptocurrency exchanges, blockchain infrastructure, or financial services dealing with digital assets, this threat could result in significant financial losses if successful thefts occur. The medium severity suggests that while the threat is credible, it may not currently be actively exploited or widespread. However, given the strategic importance of cryptocurrency in global finance and the known targeting of crypto assets by North Korean actors, European entities could face risks including theft of digital assets, disruption of services, and reputational damage. The impact extends to regulatory compliance challenges, as stolen crypto assets may be used in money laundering or sanctions evasion. The threat also underscores the need for enhanced cyber threat intelligence sharing and collaboration across European financial sectors to detect and respond to such activities promptly.

Mitigation Recommendations

European organizations should implement advanced monitoring of cryptocurrency transactions and wallet activities to detect anomalous behavior indicative of theft attempts. Employ multi-factor authentication and hardware security modules (HSMs) for managing private keys to reduce the risk of unauthorized access. Regularly update and audit blockchain-related infrastructure and smart contracts to identify potential security gaps. Engage in active threat intelligence sharing with national cybersecurity centers and industry groups to stay informed about emerging tactics used by DPRK threat actors. Conduct employee training focused on social engineering and phishing risks that could facilitate initial access. Implement network segmentation and strict access controls around crypto asset management systems. Consider deploying blockchain analytics tools to trace suspicious transactions and collaborate with law enforcement agencies for incident response. Given the lack of patches, focus on preventive controls and detection capabilities rather than remediation of specific vulnerabilities.

Affected Countries

Germany, United Kingdom, Netherlands, France, Switzerland

Indicators of Compromise

ip: 23.26.237.237
datetime: 2025-11-18T00:00:00+00:00
text: Rhadamanthys Stealer
ip: 23.26.237.117
datetime: 2025-10-18T00:00:00+00:00
text: Rhadamanthys Stealer
ip: 23.27.24.90
datetime: 2025-10-18T00:00:00+00:00
text: Sliver C2
ip: 23.27.168.222
datetime: 2025-10-18T00:00:00+00:00
text: Rhadamanthys Stealer
ip: 136.0.141.91
datetime: 2025-09-18T00:00:00+00:00
text: Rhadamanthys Stealer
ip: 136.0.141.245
datetime: 2025-09-18T00:00:00+00:00
text: Rhadamanthys Stealer
ip: 166.88.117.240
datetime: 2025-09-18T00:00:00+00:00
text: Remcos
ip: 23.27.124.91
datetime: 2025-09-18T00:00:00+00:00
text: Remcos
ip: 156.227.0.60
datetime: 2025-09-18T00:00:00+00:00
text: Rhadamanthys Stealer
ip: 96.126.191.167
datetime: 2025-09-18T00:00:00+00:00
text: Xworm
ip: 108.165.147.181
datetime: 2025-09-18T00:00:00+00:00
text: SuperShell C2
ip: 216.173.65.45
datetime: 2025-09-18T00:00:00+00:00
text: Remcos
ip: 166.88.194.123
datetime: 2025-08-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 0)
ip: 23.27.163.245
datetime: 2025-08-18T00:00:00+00:00
text: VenomRAT
ip: 23.27.169.64
datetime: 2025-08-18T00:00:00+00:00
text: DCRAT
ip: 23.27.24.227
datetime: 2025-08-18T00:00:00+00:00
text: GoPhish
ip: 166.88.132.69
datetime: 2025-08-18T00:00:00+00:00
text: Remcos
ip: 166.0.132.184
datetime: 2025-08-18T00:00:00+00:00
text: Sliver C2
ip: 38.211.230.55
datetime: 2025-06-18T00:00:00+00:00
text: Remcos
ip: 23.27.201.30
datetime: 2025-06-18T00:00:00+00:00
text: Sliver C2
ip: 166.88.61.58
datetime: 2025-06-18T00:00:00+00:00
text: AdaptixC2
ip: 166.88.114.78
datetime: 2025-05-18T00:00:00+00:00
text: Sliver C2
ip: 166.88.100.85
datetime: 2025-05-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 391144938)
ip: 23.27.48.77
datetime: 2025-05-18T00:00:00+00:00
text: Remcos
ip: 166.88.95.137
datetime: 2025-05-18T00:00:00+00:00
text: Mythic C2
ip: 23.27.48.113
datetime: 2025-04-18T00:00:00+00:00
text: Red Guard (C2 Redirector)
ip: 166.88.14.137
datetime: 2025-04-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 391144938)
ip: 216.173.64.63
datetime: 2025-02-18T00:00:00+00:00
text: XWorm
ip: 166.88.90.22
datetime: 2025-02-18T00:00:00+00:00
text: AsyncRAT
ip: 23.27.169.4
datetime: 2025-02-18T00:00:00+00:00
text: Viper C2
ip: 166.88.98.221
datetime: 2025-02-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 0)
ip: 23.27.240.252
datetime: 2025-02-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 666666666)
ip: 23.27.48.179
datetime: 2025-02-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 666666666)
ip: 166.88.141.40
datetime: 2025-02-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 666666666)
ip: 23.27.48.4
datetime: 2025-01-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 987654321)
ip: 23.27.12.214
datetime: 2024-12-18T00:00:00+00:00
text: SuperShell C2
ip: 23.27.201.57
datetime: 2024-12-18T00:00:00+00:00
text: UNAM C2 Panel
ip: 156.235.89.227
datetime: 2024-12-18T00:00:00+00:00
text: Sliver C2
ip: 23.27.240.237
datetime: 2024-12-18T00:00:00+00:00
text: Cobalt Strike
ip: 45.194.27.99
datetime: 2024-10-18T00:00:00+00:00
text: Sliver C2
ip: 166.88.57.117
datetime: 2024-09-18T00:00:00+00:00
text: SuperShell C2
ip: 136.0.11.193
datetime: 2024-09-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 100000)
ip: 23.27.244.39
datetime: 2024-08-18T00:00:00+00:00
text: Remcos
ip: 172.121.5.230
datetime: 2024-04-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 100000)
ip: 166.88.132.139
datetime: 2024-02-18T00:00:00+00:00
text: QuasarRAT
ip: 166.88.97.138
datetime: 2025-08-18T00:00:00+00:00
text: PlugX
ip: 166.88.61.35
datetime: 2025-07-18T00:00:00+00:00
text: China Aligned Espionage - Cobalt Strike (Watermark: 100000)
ip: 166.88.96.120
datetime: 2025-06-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 100000)
ip: 166.88.4.2
datetime: 2025-06-18T00:00:00+00:00
text: NPM Supply Chain
ip: 166.88.2.90
datetime: 2025-08-18T00:00:00+00:00
text: Dark Peony (Operation Controlplug)
ip: 166.88.194.53
datetime: 2025-04-18T00:00:00+00:00
text: Earth Kurma
ip: 166.88.61.53
datetime: 2025-04-18T00:00:00+00:00
text: Russian Infra with DPRK
ip: 166.88.117.11
datetime: 2025-04-18T00:00:00+00:00
text: Dark Peony (Operation Controlplug)
ip: 166.88.35.203
datetime: 2025-03-18T00:00:00+00:00
text: Dark Peony (Operation Controlplug)
ip: 166.88.2.184
datetime: 2025-03-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 666666666)
ip: 166.88.14.52
datetime: 2024-12-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 987654321)
ip: 166.88.14.44
datetime: 2025-03-18T00:00:00+00:00
text: Xworm
ip: 166.88.101.20
datetime: 2025-02-18T00:00:00+00:00
text: DeimosC2
ip: 166.88.99.15
datetime: 2025-02-18T00:00:00+00:00
text: Cobalt Strike (Watermark: Unknown)
ip: 166.88.55.54
datetime: 2025-02-18T00:00:00+00:00
text: Cobalt Strike (Watermark: Unknown)
ip: 166.88.132.39
datetime: 2025-11-18T00:00:00+00:00
text: DPRK Lazarus - Contagious Interview
ip: 166.88.159.187
datetime: 2025-06-18T00:00:00+00:00
text: FIN7
ip: 166.88.159.37
datetime: 2024-10-18T00:00:00+00:00
text: FIN7
ip: 193.57.57.121
datetime: 2025-01-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 100000)
ip: 198.105.127.98
datetime: 2024-05-18T00:00:00+00:00
text: DPRK Lazarus (through domain resolution)
ip: 198.105.127.124
datetime: 2025-05-18T00:00:00+00:00
text: PoC Exploit for Critical Zero Day
ip: 223.165.6.30
datetime: 2024-07-18T00:00:00+00:00
text: VenomRAT
ip: 38.211.230.5
datetime: 2025-07-18T00:00:00+00:00
text: Dark Peony (Operation Controlplug)
ip: 38.246.73.120
datetime: 2025-06-18T00:00:00+00:00
text: Dark Peony (Operation Controlplug)
ip: 45.195.76.82
datetime: 2024-02-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 100000)
ip: 45.195.76.26
datetime: 2023-12-18T00:00:00+00:00
text: ShadowPad
ip: 50.114.5.82
datetime: 2024-09-18T00:00:00+00:00
text: Supershell
ip: 91.218.183.90
datetime: 2023-04-18T00:00:00+00:00
text: Cobalt Strike - Threat Actor: QUARTERRIG (APT29)
ip: 103.179.142.121
datetime: 2023-06-18T00:00:00+00:00
text: AveMaria
ip: 136.0.3.250
datetime: 2025-01-18T00:00:00+00:00
text: AsyncRAT
ip: 136.0.3.71
datetime: 2024-03-18T00:00:00+00:00
text: Bianlian
ip: 136.0.3.240
datetime: 2024-01-18T00:00:00+00:00
text: Bianlian
ip: 136.0.8.169
datetime: 2025-02-18T00:00:00+00:00
text: Danabot
ip: 136.0.9.8
datetime: 2025-06-18T00:00:00+00:00
text: NPM Supply Chain (Ports: 27017 and 3306)
ip: 142.111.77.196
datetime: 2024-07-18T00:00:00+00:00
text: DPRK Moonsleet NPM
ip: 154.81.220.233
datetime: 2025-02-18T00:00:00+00:00
text: Redline Stealer
ip: 155.254.60.160
datetime: 2025-05-18T00:00:00+00:00
text: ViciousTrap CVE exploitation
ip: 156.227.0.187
datetime: 2024-04-18T00:00:00+00:00
text: Agent Tesla Targeting Entities
ip: 156.236.76.90
datetime: 2025-06-18T00:00:00+00:00
text: PoC Exploit for Critical Zero Day
hash: 742016f01fa89be4d43916d5d2349c8d86dc89f096302501ec22b5c239685a20
file: Actor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_1_1Oct25
text: DPRK APT - Python Stealer
hash: a7d7075e866132b8e8eb87265f7b7fab0e9f6dd7f748445a18f37da2e989faa3
file: Actor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_1_1Oct25
text: DPRK APT - Python Stealer
hash: 236ff897dee7d21319482cd67815bd22391523e37e0452fa230813b30884a86f
file: Actor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_2_Oct25
text: DPRK APT - Python Stealer
hash: 742016f01fa89be4d43916d5d2349c8d86dc89f096302501ec22b5c239685a20
file: Actor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_2_Oct25
text: DPRK APT - Python Stealer
hash: a7d7075e866132b8e8eb87265f7b7fab0e9f6dd7f748445a18f37da2e989faa3
file: Actor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_2_Oct25
text: DPRK APT - Python Stealer
hash: 24cad593f02db847d1302ee7c486d0756708521d5ae69faa9d6600dff81fd924
file: Actor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_2_Oct25
text: DPRK APT - Python Stealer
hash: a51c2b2c5134d8079f11a22bd0621d29b10e16aefa4174b516e00fa40dafde69
file: Actor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_2_Oct25
text: DPRK APT - Python Stealer
hash: be21bf4ad94c394202e7b52a1b461ed868200f0f03b3c8544984e9765c23e1e0
file: Actor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25
text: DPRK APT - JavaScript Loader
hash: 87330f64f5cd4695f2385f87c9ffffee26d5ad2637665f1cd5d7fce217770a4d
file: Actor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25
text: DPRK APT - JavaScript Loader
hash: ba738d8fa5ecd4b996612dde6cd4516cbe7116305661521ffcfd62d37687875d
file: Actor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25
text: DPRK APT - JavaScript Loader
hash: 83a84588a941e463c981083555a2e7814887fa8816e7cca5af9cb7fd0b62cdac
file: Actor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25
text: DPRK APT - JavaScript Loader
hash: 6e48fe09117ead1ef2c10a3db614217184fc300ac70ee902f67510b8d0d0b0c8
file: Actor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25
text: DPRK APT - JavaScript Loader
hash: 897d040e5db47b806c01eb2a1a056ca49b10e0aa4985f84d2b808a121083570e
file: Actor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25
text: DPRK APT - JavaScript Loader
hash: eefe39fe88e75b37babb37c7379d1ec61b187a9677ee5d0c867d13ccb0e31e30
file: Actor_APT_DPRK_Unknown_MAL_Script_JS_RAT_Unknown_Strings_Oct25
text: DPRK APT - JavaScript RAT
hash: 43dc7a343649a7ce748e4c2f94bcb6064199507cfd9f064a2d462536bec1d57f
file: Actor_APT_DPRK_Unknown_MAL_Script_JS_RAT_Unknown_Strings_Oct25
text: DPRK APT - JavaScript RAT
hash: 908696f3ec522e846575061e90747ddf29fccab0e59364597493d72159986c60
file: Actor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25
text: DPRK APT - Malware Indicators
hash: 897d040e5db47b806c01eb2a1a056ca49b10e0aa4985f84d2b808a121083570e
file: Actor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25
text: DPRK APT - Malware Indicators
hash: be21bf4ad94c394202e7b52a1b461ed868200f0f03b3c8544984e9765c23e1e0
file: Actor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25
text: DPRK APT - Malware Indicators
hash: 6e48fe09117ead1ef2c10a3db614217184fc300ac70ee902f67510b8d0d0b0c8
file: Actor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25
text: DPRK APT - Malware Indicators
hash: 87330f64f5cd4695f2385f87c9ffffee26d5ad2637665f1cd5d7fce217770a4d
file: Actor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25
text: DPRK APT - Malware Indicators
hash: 83a84588a941e463c981083555a2e7814887fa8816e7cca5af9cb7fd0b62cdac
file: Actor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25
text: DPRK APT - Malware Indicators
hash: ba738d8fa5ecd4b996612dde6cd4516cbe7116305661521ffcfd62d37687875d
file: Actor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25
text: DPRK APT - Malware Indicators
hash: a2880c2d262b4a76e64fd29a813f2446ecbd640f378714aa575bf1064b7adc29
file: Actor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25
text: DPRK APT - Malware Indicators
hash: 973f777723d315e0bee0fb9e81e943bb3440be7d2de7bf582419ae47479bc15d
file: Actor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25
text: DPRK APT - Malware Indicators
hash: a7d7075e866132b8e8eb87265f7b7fab0e9f6dd7f748445a18f37da2e989faa3
file: Actor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25
text: DPRK APT - Malware Indicators
counter: 1
text: https://www.circl.lu/pdns/
text: A
text: 166.88.159.37
text: 756984.xyz
datetime: 2024-10-03T05:21:55+00:00
datetime: 2024-10-03T05:21:55+00:00
counter: 1
text: https://www.circl.lu/pdns/
text: A
text: 166.88.159.37
text: www.756984.xyz
datetime: 2024-10-03T05:59:28+00:00
datetime: 2024-10-03T05:59:28+00:00

XCTDH Crypto Heist Part 3 - Yashraj Solanki

Severity: medium

Type: unknown

XCTDH Crypto Heist Part 3 - Yashraj Solanki

Technical Summary

Potential Impact

Mitigation Recommendations

Affected Countries

Germany, United Kingdom, Netherlands, France, Switzerland

Indicators of Compromise

ip: 23.26.237.237
datetime: 2025-11-18T00:00:00+00:00
text: Rhadamanthys Stealer
ip: 23.26.237.117
datetime: 2025-10-18T00:00:00+00:00
text: Rhadamanthys Stealer
ip: 23.27.24.90
datetime: 2025-10-18T00:00:00+00:00
text: Sliver C2
ip: 23.27.168.222
datetime: 2025-10-18T00:00:00+00:00
text: Rhadamanthys Stealer
ip: 136.0.141.91
datetime: 2025-09-18T00:00:00+00:00
text: Rhadamanthys Stealer
ip: 136.0.141.245
datetime: 2025-09-18T00:00:00+00:00
text: Rhadamanthys Stealer
ip: 166.88.117.240
datetime: 2025-09-18T00:00:00+00:00
text: Remcos
ip: 23.27.124.91
datetime: 2025-09-18T00:00:00+00:00
text: Remcos
ip: 156.227.0.60
datetime: 2025-09-18T00:00:00+00:00
text: Rhadamanthys Stealer
ip: 96.126.191.167
datetime: 2025-09-18T00:00:00+00:00
text: Xworm
ip: 108.165.147.181
datetime: 2025-09-18T00:00:00+00:00
text: SuperShell C2
ip: 216.173.65.45
datetime: 2025-09-18T00:00:00+00:00
text: Remcos
ip: 166.88.194.123
datetime: 2025-08-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 0)
ip: 23.27.163.245
datetime: 2025-08-18T00:00:00+00:00
text: VenomRAT
ip: 23.27.169.64
datetime: 2025-08-18T00:00:00+00:00
text: DCRAT
ip: 23.27.24.227
datetime: 2025-08-18T00:00:00+00:00
text: GoPhish
ip: 166.88.132.69
datetime: 2025-08-18T00:00:00+00:00
text: Remcos
ip: 166.0.132.184
datetime: 2025-08-18T00:00:00+00:00
text: Sliver C2
ip: 38.211.230.55
datetime: 2025-06-18T00:00:00+00:00
text: Remcos
ip: 23.27.201.30
datetime: 2025-06-18T00:00:00+00:00
text: Sliver C2
ip: 166.88.61.58
datetime: 2025-06-18T00:00:00+00:00
text: AdaptixC2
ip: 166.88.114.78
datetime: 2025-05-18T00:00:00+00:00
text: Sliver C2
ip: 166.88.100.85
datetime: 2025-05-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 391144938)
ip: 23.27.48.77
datetime: 2025-05-18T00:00:00+00:00
text: Remcos
ip: 166.88.95.137
datetime: 2025-05-18T00:00:00+00:00
text: Mythic C2
ip: 23.27.48.113
datetime: 2025-04-18T00:00:00+00:00
text: Red Guard (C2 Redirector)
ip: 166.88.14.137
datetime: 2025-04-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 391144938)
ip: 216.173.64.63
datetime: 2025-02-18T00:00:00+00:00
text: XWorm
ip: 166.88.90.22
datetime: 2025-02-18T00:00:00+00:00
text: AsyncRAT
ip: 23.27.169.4
datetime: 2025-02-18T00:00:00+00:00
text: Viper C2
ip: 166.88.98.221
datetime: 2025-02-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 0)
ip: 23.27.240.252
datetime: 2025-02-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 666666666)
ip: 23.27.48.179
datetime: 2025-02-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 666666666)
ip: 166.88.141.40
datetime: 2025-02-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 666666666)
ip: 23.27.48.4
datetime: 2025-01-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 987654321)
ip: 23.27.12.214
datetime: 2024-12-18T00:00:00+00:00
text: SuperShell C2
ip: 23.27.201.57
datetime: 2024-12-18T00:00:00+00:00
text: UNAM C2 Panel
ip: 156.235.89.227
datetime: 2024-12-18T00:00:00+00:00
text: Sliver C2
ip: 23.27.240.237
datetime: 2024-12-18T00:00:00+00:00
text: Cobalt Strike
ip: 45.194.27.99
datetime: 2024-10-18T00:00:00+00:00
text: Sliver C2
ip: 166.88.57.117
datetime: 2024-09-18T00:00:00+00:00
text: SuperShell C2
ip: 136.0.11.193
datetime: 2024-09-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 100000)
ip: 23.27.244.39
datetime: 2024-08-18T00:00:00+00:00
text: Remcos
ip: 172.121.5.230
datetime: 2024-04-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 100000)
ip: 166.88.132.139
datetime: 2024-02-18T00:00:00+00:00
text: QuasarRAT
ip: 166.88.97.138
datetime: 2025-08-18T00:00:00+00:00
text: PlugX
ip: 166.88.61.35
datetime: 2025-07-18T00:00:00+00:00
text: China Aligned Espionage - Cobalt Strike (Watermark: 100000)
ip: 166.88.96.120
datetime: 2025-06-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 100000)
ip: 166.88.4.2
datetime: 2025-06-18T00:00:00+00:00
text: NPM Supply Chain
ip: 166.88.2.90
datetime: 2025-08-18T00:00:00+00:00
text: Dark Peony (Operation Controlplug)
ip: 166.88.194.53
datetime: 2025-04-18T00:00:00+00:00
text: Earth Kurma
ip: 166.88.61.53
datetime: 2025-04-18T00:00:00+00:00
text: Russian Infra with DPRK
ip: 166.88.117.11
datetime: 2025-04-18T00:00:00+00:00
text: Dark Peony (Operation Controlplug)
ip: 166.88.35.203
datetime: 2025-03-18T00:00:00+00:00
text: Dark Peony (Operation Controlplug)
ip: 166.88.2.184
datetime: 2025-03-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 666666666)
ip: 166.88.14.52
datetime: 2024-12-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 987654321)
ip: 166.88.14.44
datetime: 2025-03-18T00:00:00+00:00
text: Xworm
ip: 166.88.101.20
datetime: 2025-02-18T00:00:00+00:00
text: DeimosC2
ip: 166.88.99.15
datetime: 2025-02-18T00:00:00+00:00
text: Cobalt Strike (Watermark: Unknown)
ip: 166.88.55.54
datetime: 2025-02-18T00:00:00+00:00
text: Cobalt Strike (Watermark: Unknown)
ip: 166.88.132.39
datetime: 2025-11-18T00:00:00+00:00
text: DPRK Lazarus - Contagious Interview
ip: 166.88.159.187
datetime: 2025-06-18T00:00:00+00:00
text: FIN7
ip: 166.88.159.37
datetime: 2024-10-18T00:00:00+00:00
text: FIN7
ip: 193.57.57.121
datetime: 2025-01-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 100000)
ip: 198.105.127.98
datetime: 2024-05-18T00:00:00+00:00
text: DPRK Lazarus (through domain resolution)
ip: 198.105.127.124
datetime: 2025-05-18T00:00:00+00:00
text: PoC Exploit for Critical Zero Day
ip: 223.165.6.30
datetime: 2024-07-18T00:00:00+00:00
text: VenomRAT
ip: 38.211.230.5
datetime: 2025-07-18T00:00:00+00:00
text: Dark Peony (Operation Controlplug)
ip: 38.246.73.120
datetime: 2025-06-18T00:00:00+00:00
text: Dark Peony (Operation Controlplug)
ip: 45.195.76.82
datetime: 2024-02-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 100000)
ip: 45.195.76.26
datetime: 2023-12-18T00:00:00+00:00
text: ShadowPad
ip: 50.114.5.82
datetime: 2024-09-18T00:00:00+00:00
text: Supershell
ip: 91.218.183.90
datetime: 2023-04-18T00:00:00+00:00
text: Cobalt Strike - Threat Actor: QUARTERRIG (APT29)
ip: 103.179.142.121
datetime: 2023-06-18T00:00:00+00:00
text: AveMaria
ip: 136.0.3.250
datetime: 2025-01-18T00:00:00+00:00
text: AsyncRAT
ip: 136.0.3.71
datetime: 2024-03-18T00:00:00+00:00
text: Bianlian
ip: 136.0.3.240
datetime: 2024-01-18T00:00:00+00:00
text: Bianlian
ip: 136.0.8.169
datetime: 2025-02-18T00:00:00+00:00
text: Danabot
ip: 136.0.9.8
datetime: 2025-06-18T00:00:00+00:00
text: NPM Supply Chain (Ports: 27017 and 3306)
ip: 142.111.77.196
datetime: 2024-07-18T00:00:00+00:00
text: DPRK Moonsleet NPM
ip: 154.81.220.233
datetime: 2025-02-18T00:00:00+00:00
text: Redline Stealer
ip: 155.254.60.160
datetime: 2025-05-18T00:00:00+00:00
text: ViciousTrap CVE exploitation
ip: 156.227.0.187
datetime: 2024-04-18T00:00:00+00:00
text: Agent Tesla Targeting Entities
ip: 156.236.76.90
datetime: 2025-06-18T00:00:00+00:00
text: PoC Exploit for Critical Zero Day
hash: 742016f01fa89be4d43916d5d2349c8d86dc89f096302501ec22b5c239685a20
file: Actor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_1_1Oct25
text: DPRK APT - Python Stealer
hash: a7d7075e866132b8e8eb87265f7b7fab0e9f6dd7f748445a18f37da2e989faa3
file: Actor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_1_1Oct25
text: DPRK APT - Python Stealer
hash: 236ff897dee7d21319482cd67815bd22391523e37e0452fa230813b30884a86f
file: Actor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_2_Oct25
text: DPRK APT - Python Stealer
hash: 742016f01fa89be4d43916d5d2349c8d86dc89f096302501ec22b5c239685a20
file: Actor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_2_Oct25
text: DPRK APT - Python Stealer
hash: a7d7075e866132b8e8eb87265f7b7fab0e9f6dd7f748445a18f37da2e989faa3
file: Actor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_2_Oct25
text: DPRK APT - Python Stealer
hash: 24cad593f02db847d1302ee7c486d0756708521d5ae69faa9d6600dff81fd924
file: Actor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_2_Oct25
text: DPRK APT - Python Stealer
hash: a51c2b2c5134d8079f11a22bd0621d29b10e16aefa4174b516e00fa40dafde69
file: Actor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_2_Oct25
text: DPRK APT - Python Stealer
hash: be21bf4ad94c394202e7b52a1b461ed868200f0f03b3c8544984e9765c23e1e0
file: Actor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25
text: DPRK APT - JavaScript Loader
hash: 87330f64f5cd4695f2385f87c9ffffee26d5ad2637665f1cd5d7fce217770a4d
file: Actor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25
text: DPRK APT - JavaScript Loader
hash: ba738d8fa5ecd4b996612dde6cd4516cbe7116305661521ffcfd62d37687875d
file: Actor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25
text: DPRK APT - JavaScript Loader
hash: 83a84588a941e463c981083555a2e7814887fa8816e7cca5af9cb7fd0b62cdac
file: Actor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25
text: DPRK APT - JavaScript Loader
hash: 6e48fe09117ead1ef2c10a3db614217184fc300ac70ee902f67510b8d0d0b0c8
file: Actor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25
text: DPRK APT - JavaScript Loader
hash: 897d040e5db47b806c01eb2a1a056ca49b10e0aa4985f84d2b808a121083570e
file: Actor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25
text: DPRK APT - JavaScript Loader
hash: eefe39fe88e75b37babb37c7379d1ec61b187a9677ee5d0c867d13ccb0e31e30
file: Actor_APT_DPRK_Unknown_MAL_Script_JS_RAT_Unknown_Strings_Oct25
text: DPRK APT - JavaScript RAT
hash: 43dc7a343649a7ce748e4c2f94bcb6064199507cfd9f064a2d462536bec1d57f
file: Actor_APT_DPRK_Unknown_MAL_Script_JS_RAT_Unknown_Strings_Oct25
text: DPRK APT - JavaScript RAT
hash: 908696f3ec522e846575061e90747ddf29fccab0e59364597493d72159986c60
file: Actor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25
text: DPRK APT - Malware Indicators
hash: 897d040e5db47b806c01eb2a1a056ca49b10e0aa4985f84d2b808a121083570e
file: Actor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25
text: DPRK APT - Malware Indicators
hash: be21bf4ad94c394202e7b52a1b461ed868200f0f03b3c8544984e9765c23e1e0
file: Actor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25
text: DPRK APT - Malware Indicators
hash: 6e48fe09117ead1ef2c10a3db614217184fc300ac70ee902f67510b8d0d0b0c8
file: Actor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25
text: DPRK APT - Malware Indicators
hash: 87330f64f5cd4695f2385f87c9ffffee26d5ad2637665f1cd5d7fce217770a4d
file: Actor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25
text: DPRK APT - Malware Indicators
hash: 83a84588a941e463c981083555a2e7814887fa8816e7cca5af9cb7fd0b62cdac
file: Actor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25
text: DPRK APT - Malware Indicators
hash: ba738d8fa5ecd4b996612dde6cd4516cbe7116305661521ffcfd62d37687875d
file: Actor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25
text: DPRK APT - Malware Indicators
hash: a2880c2d262b4a76e64fd29a813f2446ecbd640f378714aa575bf1064b7adc29
file: Actor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25
text: DPRK APT - Malware Indicators
hash: 973f777723d315e0bee0fb9e81e943bb3440be7d2de7bf582419ae47479bc15d
file: Actor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25
text: DPRK APT - Malware Indicators
hash: a7d7075e866132b8e8eb87265f7b7fab0e9f6dd7f748445a18f37da2e989faa3
file: Actor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25
text: DPRK APT - Malware Indicators
counter: 1
text: https://www.circl.lu/pdns/
text: A
text: 166.88.159.37
text: 756984.xyz
datetime: 2024-10-03T05:21:55+00:00
datetime: 2024-10-03T05:21:55+00:00
counter: 1
text: https://www.circl.lu/pdns/
text: A
text: 166.88.159.37
text: www.756984.xyz
datetime: 2024-10-03T05:59:28+00:00
datetime: 2024-10-03T05:59:28+00:00

Source: CIRCL OSINT Feed

Published: Tue Nov 18 2025

XCTDH Crypto Heist Part 3 - Yashraj Solanki

Medium

Unknowntype:osint dprk misp-galaxy:country="north korea"osint:lifetime="perpetual"osint:certainty="50"tlp:white tlp:clear

Published: Tue Nov 18 2025 (11/18/2025, 00:00:00 UTC)

Source: CIRCL OSINT Feed

Vendor/Project: type

Product: osint

Description

XCTDH Crypto Heist Part 3 - Yashraj Solanki

AI-Powered Analysis

AILast updated: 12/23/2025, 23:19:11 UTC

Technical Analysis

Potential Impact

Mitigation Recommendations

Affected Countries

Need more detailed analysis?Upgrade to Pro Console

Technical Details

Uuid: fbf8c6e8-5e74-493f-9699-ec352bcc179c
Original Timestamp: 1763467869

Indicators of Compromise

Ip

Value	Description	Copy
ip23.26.237.237	—
ip23.26.237.117	—
ip23.27.24.90	—
ip23.27.168.222	—
ip136.0.141.91	—
ip136.0.141.245	—
ip166.88.117.240	—
ip23.27.124.91	—
ip156.227.0.60	—
ip96.126.191.167	—
ip108.165.147.181	—
ip216.173.65.45	—
ip166.88.194.123	—
ip23.27.163.245	—
ip23.27.169.64	—
ip23.27.24.227	—
ip166.88.132.69	—
ip166.0.132.184	—
ip38.211.230.55	—
ip23.27.201.30	—
ip166.88.61.58	—
ip166.88.114.78	—
ip166.88.100.85	—
ip23.27.48.77	—
ip166.88.95.137	—
ip23.27.48.113	—
ip166.88.14.137	—
ip216.173.64.63	—
ip166.88.90.22	—
ip23.27.169.4	—
ip166.88.98.221	—
ip23.27.240.252	—
ip23.27.48.179	—
ip166.88.141.40	—
ip23.27.48.4	—
ip23.27.12.214	—
ip23.27.201.57	—
ip156.235.89.227	—
ip23.27.240.237	—
ip45.194.27.99	—
ip166.88.57.117	—
ip136.0.11.193	—
ip23.27.244.39	—
ip172.121.5.230	—
ip166.88.132.139	—
ip166.88.97.138	—
ip166.88.61.35	—
ip166.88.96.120	—
ip166.88.4.2	—
ip166.88.2.90	—
ip166.88.194.53	—
ip166.88.61.53	—
ip166.88.117.11	—
ip166.88.35.203	—
ip166.88.2.184	—
ip166.88.14.52	—
ip166.88.14.44	—
ip166.88.101.20	—
ip166.88.99.15	—
ip166.88.55.54	—
ip166.88.132.39	—
ip166.88.159.187	—
ip166.88.159.37	—
ip193.57.57.121	—
ip198.105.127.98	—
ip198.105.127.124	—
ip223.165.6.30	—
ip38.211.230.5	—
ip38.246.73.120	—
ip45.195.76.82	—
ip45.195.76.26	—
ip50.114.5.82	—
ip91.218.183.90	—
ip103.179.142.121	—
ip136.0.3.250	—
ip136.0.3.71	—
ip136.0.3.240	—
ip136.0.8.169	—
ip136.0.9.8	—
ip142.111.77.196	—
ip154.81.220.233	—
ip155.254.60.160	—
ip156.227.0.187	—
ip156.236.76.90	—

Datetime

Value	Description	Copy
datetime2025-11-18T00:00:00+00:00	—
datetime2025-10-18T00:00:00+00:00	—
datetime2025-10-18T00:00:00+00:00	—
datetime2025-10-18T00:00:00+00:00	—
datetime2025-09-18T00:00:00+00:00	—
datetime2025-09-18T00:00:00+00:00	—
datetime2025-09-18T00:00:00+00:00	—
datetime2025-09-18T00:00:00+00:00	—
datetime2025-09-18T00:00:00+00:00	—
datetime2025-09-18T00:00:00+00:00	—
datetime2025-09-18T00:00:00+00:00	—
datetime2025-09-18T00:00:00+00:00	—
datetime2025-08-18T00:00:00+00:00	—
datetime2025-08-18T00:00:00+00:00	—
datetime2025-08-18T00:00:00+00:00	—
datetime2025-08-18T00:00:00+00:00	—
datetime2025-08-18T00:00:00+00:00	—
datetime2025-08-18T00:00:00+00:00	—
datetime2025-06-18T00:00:00+00:00	—
datetime2025-06-18T00:00:00+00:00	—
datetime2025-06-18T00:00:00+00:00	—
datetime2025-05-18T00:00:00+00:00	—
datetime2025-05-18T00:00:00+00:00	—
datetime2025-05-18T00:00:00+00:00	—
datetime2025-05-18T00:00:00+00:00	—
datetime2025-04-18T00:00:00+00:00	—
datetime2025-04-18T00:00:00+00:00	—
datetime2025-02-18T00:00:00+00:00	—
datetime2025-02-18T00:00:00+00:00	—
datetime2025-02-18T00:00:00+00:00	—
datetime2025-02-18T00:00:00+00:00	—
datetime2025-02-18T00:00:00+00:00	—
datetime2025-02-18T00:00:00+00:00	—
datetime2025-02-18T00:00:00+00:00	—
datetime2025-01-18T00:00:00+00:00	—
datetime2024-12-18T00:00:00+00:00	—
datetime2024-12-18T00:00:00+00:00	—
datetime2024-12-18T00:00:00+00:00	—
datetime2024-12-18T00:00:00+00:00	—
datetime2024-10-18T00:00:00+00:00	—
datetime2024-09-18T00:00:00+00:00	—
datetime2024-09-18T00:00:00+00:00	—
datetime2024-08-18T00:00:00+00:00	—
datetime2024-04-18T00:00:00+00:00	—
datetime2024-02-18T00:00:00+00:00	—
datetime2025-08-18T00:00:00+00:00	—
datetime2025-07-18T00:00:00+00:00	—
datetime2025-06-18T00:00:00+00:00	—
datetime2025-06-18T00:00:00+00:00	—
datetime2025-08-18T00:00:00+00:00	—
datetime2025-04-18T00:00:00+00:00	—
datetime2025-04-18T00:00:00+00:00	—
datetime2025-04-18T00:00:00+00:00	—
datetime2025-03-18T00:00:00+00:00	—
datetime2025-03-18T00:00:00+00:00	—
datetime2024-12-18T00:00:00+00:00	—
datetime2025-03-18T00:00:00+00:00	—
datetime2025-02-18T00:00:00+00:00	—
datetime2025-02-18T00:00:00+00:00	—
datetime2025-02-18T00:00:00+00:00	—
datetime2025-11-18T00:00:00+00:00	—
datetime2025-06-18T00:00:00+00:00	—
datetime2024-10-18T00:00:00+00:00	—
datetime2025-01-18T00:00:00+00:00	—
datetime2024-05-18T00:00:00+00:00	—
datetime2025-05-18T00:00:00+00:00	—
datetime2024-07-18T00:00:00+00:00	—
datetime2025-07-18T00:00:00+00:00	—
datetime2025-06-18T00:00:00+00:00	—
datetime2024-02-18T00:00:00+00:00	—
datetime2023-12-18T00:00:00+00:00	—
datetime2024-09-18T00:00:00+00:00	—
datetime2023-04-18T00:00:00+00:00	—
datetime2023-06-18T00:00:00+00:00	—
datetime2025-01-18T00:00:00+00:00	—
datetime2024-03-18T00:00:00+00:00	—
datetime2024-01-18T00:00:00+00:00	—
datetime2025-02-18T00:00:00+00:00	—
datetime2025-06-18T00:00:00+00:00	—
datetime2024-07-18T00:00:00+00:00	—
datetime2025-02-18T00:00:00+00:00	—
datetime2025-05-18T00:00:00+00:00	—
datetime2024-04-18T00:00:00+00:00	—
datetime2025-06-18T00:00:00+00:00	—
datetime2024-10-03T05:21:55+00:00	—
datetime2024-10-03T05:21:55+00:00	—
datetime2024-10-03T05:59:28+00:00	—
datetime2024-10-03T05:59:28+00:00	—

Text

Value	Description	Copy
textRhadamanthys Stealer	—
textRhadamanthys Stealer	—
textSliver C2	—
textRhadamanthys Stealer	—
textRhadamanthys Stealer	—
textRhadamanthys Stealer	—
textRemcos	—
textRemcos	—
textRhadamanthys Stealer	—
textXworm	—
textSuperShell C2	—
textRemcos	—
textCobalt Strike (Watermark: 0)	—
textVenomRAT	—
textDCRAT	—
textGoPhish	—
textRemcos	—
textSliver C2	—
textRemcos	—
textSliver C2	—
textAdaptixC2	—
textSliver C2	—
textCobalt Strike (Watermark: 391144938)	—
textRemcos	—
textMythic C2	—
textRed Guard (C2 Redirector)	—
textCobalt Strike (Watermark: 391144938)	—
textXWorm	—
textAsyncRAT	—
textViper C2	—
textCobalt Strike (Watermark: 0)	—
textCobalt Strike (Watermark: 666666666)	—
textCobalt Strike (Watermark: 666666666)	—
textCobalt Strike (Watermark: 666666666)	—
textCobalt Strike (Watermark: 987654321)	—
textSuperShell C2	—
textUNAM C2 Panel	—
textSliver C2	—
textCobalt Strike	—
textSliver C2	—
textSuperShell C2	—
textCobalt Strike (Watermark: 100000)	—
textRemcos	—
textCobalt Strike (Watermark: 100000)	—
textQuasarRAT	—
textPlugX	—
textChina Aligned Espionage - Cobalt Strike (Watermark: 100000)	—
textCobalt Strike (Watermark: 100000)	—
textNPM Supply Chain	—
textDark Peony (Operation Controlplug)	—
textEarth Kurma	—
textRussian Infra with DPRK	—
textDark Peony (Operation Controlplug)	—
textDark Peony (Operation Controlplug)	—
textCobalt Strike (Watermark: 666666666)	—
textCobalt Strike (Watermark: 987654321)	—
textXworm	—
textDeimosC2	—
textCobalt Strike (Watermark: Unknown)	—
textCobalt Strike (Watermark: Unknown)	—
textDPRK Lazarus - Contagious Interview	—
textFIN7	—
textFIN7	—
textCobalt Strike (Watermark: 100000)	—
textDPRK Lazarus (through domain resolution)	—
textPoC Exploit for Critical Zero Day	—
textVenomRAT	—
textDark Peony (Operation Controlplug)	—
textDark Peony (Operation Controlplug)	—
textCobalt Strike (Watermark: 100000)	—
textShadowPad	—
textSupershell	—
textCobalt Strike - Threat Actor: QUARTERRIG (APT29)	—
textAveMaria	—
textAsyncRAT	—
textBianlian	—
textBianlian	—
textDanabot	—
textNPM Supply Chain (Ports: 27017 and 3306)	—
textDPRK Moonsleet NPM	—
textRedline Stealer	—
textViciousTrap CVE exploitation	—
textAgent Tesla Targeting Entities	—
textPoC Exploit for Critical Zero Day	—
textDPRK APT - Python Stealer	—
textDPRK APT - Python Stealer	—
textDPRK APT - Python Stealer	—
textDPRK APT - Python Stealer	—
textDPRK APT - Python Stealer	—
textDPRK APT - Python Stealer	—
textDPRK APT - Python Stealer	—
textDPRK APT - JavaScript Loader	—
textDPRK APT - JavaScript Loader	—
textDPRK APT - JavaScript Loader	—
textDPRK APT - JavaScript Loader	—
textDPRK APT - JavaScript Loader	—
textDPRK APT - JavaScript Loader	—
textDPRK APT - JavaScript RAT	—
textDPRK APT - JavaScript RAT	—
textDPRK APT - Malware Indicators	—
textDPRK APT - Malware Indicators	—
textDPRK APT - Malware Indicators	—
textDPRK APT - Malware Indicators	—
textDPRK APT - Malware Indicators	—
textDPRK APT - Malware Indicators	—
textDPRK APT - Malware Indicators	—
textDPRK APT - Malware Indicators	—
textDPRK APT - Malware Indicators	—
textDPRK APT - Malware Indicators	—
texthttps://www.circl.lu/pdns/	—
textA	—
text166.88.159.37	—
text756984.xyz	—
texthttps://www.circl.lu/pdns/	—
textA	—
text166.88.159.37	—
textwww.756984.xyz	—

Hash

Value	Description	Copy
hash742016f01fa89be4d43916d5d2349c8d86dc89f096302501ec22b5c239685a20	—
hasha7d7075e866132b8e8eb87265f7b7fab0e9f6dd7f748445a18f37da2e989faa3	—
hash236ff897dee7d21319482cd67815bd22391523e37e0452fa230813b30884a86f	—
hash742016f01fa89be4d43916d5d2349c8d86dc89f096302501ec22b5c239685a20	—
hasha7d7075e866132b8e8eb87265f7b7fab0e9f6dd7f748445a18f37da2e989faa3	—
hash24cad593f02db847d1302ee7c486d0756708521d5ae69faa9d6600dff81fd924	—
hasha51c2b2c5134d8079f11a22bd0621d29b10e16aefa4174b516e00fa40dafde69	—
hashbe21bf4ad94c394202e7b52a1b461ed868200f0f03b3c8544984e9765c23e1e0	—
hash87330f64f5cd4695f2385f87c9ffffee26d5ad2637665f1cd5d7fce217770a4d	—
hashba738d8fa5ecd4b996612dde6cd4516cbe7116305661521ffcfd62d37687875d	—
hash83a84588a941e463c981083555a2e7814887fa8816e7cca5af9cb7fd0b62cdac	—
hash6e48fe09117ead1ef2c10a3db614217184fc300ac70ee902f67510b8d0d0b0c8	—
hash897d040e5db47b806c01eb2a1a056ca49b10e0aa4985f84d2b808a121083570e	—
hasheefe39fe88e75b37babb37c7379d1ec61b187a9677ee5d0c867d13ccb0e31e30	—
hash43dc7a343649a7ce748e4c2f94bcb6064199507cfd9f064a2d462536bec1d57f	—
hash908696f3ec522e846575061e90747ddf29fccab0e59364597493d72159986c60	—
hash897d040e5db47b806c01eb2a1a056ca49b10e0aa4985f84d2b808a121083570e	—
hashbe21bf4ad94c394202e7b52a1b461ed868200f0f03b3c8544984e9765c23e1e0	—
hash6e48fe09117ead1ef2c10a3db614217184fc300ac70ee902f67510b8d0d0b0c8	—
hash87330f64f5cd4695f2385f87c9ffffee26d5ad2637665f1cd5d7fce217770a4d	—
hash83a84588a941e463c981083555a2e7814887fa8816e7cca5af9cb7fd0b62cdac	—
hashba738d8fa5ecd4b996612dde6cd4516cbe7116305661521ffcfd62d37687875d	—
hasha2880c2d262b4a76e64fd29a813f2446ecbd640f378714aa575bf1064b7adc29	—
hash973f777723d315e0bee0fb9e81e943bb3440be7d2de7bf582419ae47479bc15d	—
hasha7d7075e866132b8e8eb87265f7b7fab0e9f6dd7f748445a18f37da2e989faa3	—

File

Value	Description	Copy
fileActor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_1_1Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_1_1Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_2_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_2_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_2_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_2_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_2_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Script_JS_RAT_Unknown_Strings_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Script_JS_RAT_Unknown_Strings_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25	—

Counter

Value	Description	Copy
counter1	—
counter1	—

Threat ID: 691c8529b718280d689345ee

Added to database: 11/18/2025, 2:39:37 PM

Last enriched: 12/23/2025, 11:19:11 PM

Last updated: 1/7/2026, 8:32:02 AM

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by

Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Related Threats

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Search on Google

Need more coverage?

Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

XCTDH Crypto Heist Part 3 - Yashraj Solanki

AI Analysis

Technical Summary

Potential Impact

Mitigation Recommendations

Affected Countries

Indicators of Compromise

XCTDH Crypto Heist Part 3 - Yashraj Solanki

Description

AI-Powered Analysis

Technical Analysis

Potential Impact

Mitigation Recommendations

Affected Countries

Technical Details

Indicators of Compromise

Ip

Datetime

Text

Hash

File

Counter

Community Reviews

Related Threats

ThreatFox IOCs for 2026-01-06

ThreatFox IOCs for 2026-01-05

ThreatFox IOCs for 2026-01-04

ThreatFox IOCs for 2026-01-03

ThreatFox IOCs for 2026-01-02

Actions

External Links

Need more coverage?

Latest Threats

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility