Reconnecting to live updates…

XCTDH Crypto Heist Part 3 - Yashraj Solanki

Severity: mediumType: unknown

AI Analysis

Technical Summary

The XCTDH Crypto Heist Part 3 report appears to be part of a series of intelligence findings related to North Korean cyber operations targeting cryptocurrency assets. The source is the CIRCL OSINT Feed, indicating that the information is derived from open-source intelligence rather than confirmed technical exploits or vulnerabilities. The report lacks detailed technical indicators, affected software versions, or specific attack vectors, which limits the ability to perform a deep technical analysis. The medium severity rating suggests a moderate risk level, likely due to the association with North Korean threat actors known for sophisticated cybercrime and state-sponsored operations. The absence of patches or known exploits in the wild indicates that this is more of an intelligence alert than an active vulnerability or exploit campaign. The mention of DPRK (North Korea) and the crypto heist context aligns with historical patterns where North Korean groups have targeted cryptocurrency exchanges and wallets to circumvent sanctions and generate revenue. The uncertainty (50% certainty) and lack of detailed indicators imply that organizations should treat this as a potential emerging threat rather than an immediate crisis. The report's perpetual lifetime tag suggests ongoing monitoring is advised. Overall, this intelligence highlights the continued interest of North Korean actors in cryptocurrency theft, emphasizing the need for vigilance in crypto-related sectors.

Potential Impact

For European organizations, the primary impact of this threat lies in the potential financial losses and reputational damage resulting from cryptocurrency theft. Entities such as cryptocurrency exchanges, wallet providers, blockchain infrastructure companies, and financial institutions facilitating crypto transactions are at heightened risk. A successful heist could lead to significant monetary loss, disruption of services, and erosion of customer trust. Additionally, regulatory repercussions could arise if organizations fail to adequately protect assets or report incidents. Given Europe's increasing adoption of cryptocurrencies and the presence of major crypto hubs in countries like Germany, the Netherlands, and the UK, the threat could affect critical financial infrastructure. The medium severity reflects that while the threat is credible, the lack of active exploits or detailed attack methods reduces immediate risk. However, the persistent nature of North Korean cybercrime campaigns means that organizations should remain alert to evolving tactics that could impact confidentiality, integrity, and availability of crypto assets.

Mitigation Recommendations

European organizations should implement targeted measures to mitigate risks associated with North Korean crypto theft campaigns. These include: 1) Enhancing monitoring and anomaly detection for cryptocurrency transactions to identify suspicious activities early. 2) Employing multi-factor authentication and hardware security modules (HSMs) for wallet and key management to prevent unauthorized access. 3) Conducting regular threat intelligence sharing with industry groups and national cybersecurity centers to stay informed about emerging tactics linked to DPRK actors. 4) Implementing strict access controls and network segmentation for systems handling crypto assets to limit lateral movement. 5) Performing continuous security assessments and penetration testing focused on crypto infrastructure. 6) Training staff on social engineering and phishing risks, as these are common initial attack vectors. 7) Establishing incident response plans specifically for crypto-related breaches, including coordination with law enforcement and regulatory bodies. 8) Considering the use of blockchain analytics tools to trace and block illicit transactions linked to known North Korean wallets. These steps go beyond generic advice by focusing on the unique challenges posed by state-sponsored crypto theft operations.

Affected Countries

Germany, United Kingdom, Netherlands, France, Switzerland

Indicators of Compromise

ip: 23.26.237.237
datetime: 2025-11-18T00:00:00+00:00
text: Rhadamanthys Stealer
ip: 23.26.237.117
datetime: 2025-10-18T00:00:00+00:00
text: Rhadamanthys Stealer
ip: 23.27.24.90
datetime: 2025-10-18T00:00:00+00:00
text: Sliver C2
ip: 23.27.168.222
datetime: 2025-10-18T00:00:00+00:00
text: Rhadamanthys Stealer
ip: 136.0.141.91
datetime: 2025-09-18T00:00:00+00:00
text: Rhadamanthys Stealer
ip: 136.0.141.245
datetime: 2025-09-18T00:00:00+00:00
text: Rhadamanthys Stealer
ip: 166.88.117.240
datetime: 2025-09-18T00:00:00+00:00
text: Remcos
ip: 23.27.124.91
datetime: 2025-09-18T00:00:00+00:00
text: Remcos
ip: 156.227.0.60
datetime: 2025-09-18T00:00:00+00:00
text: Rhadamanthys Stealer
ip: 96.126.191.167
datetime: 2025-09-18T00:00:00+00:00
text: Xworm
ip: 108.165.147.181
datetime: 2025-09-18T00:00:00+00:00
text: SuperShell C2
ip: 216.173.65.45
datetime: 2025-09-18T00:00:00+00:00
text: Remcos
ip: 166.88.194.123
datetime: 2025-08-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 0)
ip: 23.27.163.245
datetime: 2025-08-18T00:00:00+00:00
text: VenomRAT
ip: 23.27.169.64
datetime: 2025-08-18T00:00:00+00:00
text: DCRAT
ip: 23.27.24.227
datetime: 2025-08-18T00:00:00+00:00
text: GoPhish
ip: 166.88.132.69
datetime: 2025-08-18T00:00:00+00:00
text: Remcos
ip: 166.0.132.184
datetime: 2025-08-18T00:00:00+00:00
text: Sliver C2
ip: 38.211.230.55
datetime: 2025-06-18T00:00:00+00:00
text: Remcos
ip: 23.27.201.30
datetime: 2025-06-18T00:00:00+00:00
text: Sliver C2
ip: 166.88.61.58
datetime: 2025-06-18T00:00:00+00:00
text: AdaptixC2
ip: 166.88.114.78
datetime: 2025-05-18T00:00:00+00:00
text: Sliver C2
ip: 166.88.100.85
datetime: 2025-05-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 391144938)
ip: 23.27.48.77
datetime: 2025-05-18T00:00:00+00:00
text: Remcos
ip: 166.88.95.137
datetime: 2025-05-18T00:00:00+00:00
text: Mythic C2
ip: 23.27.48.113
datetime: 2025-04-18T00:00:00+00:00
text: Red Guard (C2 Redirector)
ip: 166.88.14.137
datetime: 2025-04-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 391144938)
ip: 216.173.64.63
datetime: 2025-02-18T00:00:00+00:00
text: XWorm
ip: 166.88.90.22
datetime: 2025-02-18T00:00:00+00:00
text: AsyncRAT
ip: 23.27.169.4
datetime: 2025-02-18T00:00:00+00:00
text: Viper C2
ip: 166.88.98.221
datetime: 2025-02-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 0)
ip: 23.27.240.252
datetime: 2025-02-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 666666666)
ip: 23.27.48.179
datetime: 2025-02-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 666666666)
ip: 166.88.141.40
datetime: 2025-02-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 666666666)
ip: 23.27.48.4
datetime: 2025-01-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 987654321)
ip: 23.27.12.214
datetime: 2024-12-18T00:00:00+00:00
text: SuperShell C2
ip: 23.27.201.57
datetime: 2024-12-18T00:00:00+00:00
text: UNAM C2 Panel
ip: 156.235.89.227
datetime: 2024-12-18T00:00:00+00:00
text: Sliver C2
ip: 23.27.240.237
datetime: 2024-12-18T00:00:00+00:00
text: Cobalt Strike
ip: 45.194.27.99
datetime: 2024-10-18T00:00:00+00:00
text: Sliver C2
ip: 166.88.57.117
datetime: 2024-09-18T00:00:00+00:00
text: SuperShell C2
ip: 136.0.11.193
datetime: 2024-09-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 100000)
ip: 23.27.244.39
datetime: 2024-08-18T00:00:00+00:00
text: Remcos
ip: 172.121.5.230
datetime: 2024-04-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 100000)
ip: 166.88.132.139
datetime: 2024-02-18T00:00:00+00:00
text: QuasarRAT
ip: 166.88.97.138
datetime: 2025-08-18T00:00:00+00:00
text: PlugX
ip: 166.88.61.35
datetime: 2025-07-18T00:00:00+00:00
text: China Aligned Espionage - Cobalt Strike (Watermark: 100000)
ip: 166.88.96.120
datetime: 2025-06-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 100000)
ip: 166.88.4.2
datetime: 2025-06-18T00:00:00+00:00
text: NPM Supply Chain
ip: 166.88.2.90
datetime: 2025-08-18T00:00:00+00:00
text: Dark Peony (Operation Controlplug)
ip: 166.88.194.53
datetime: 2025-04-18T00:00:00+00:00
text: Earth Kurma
ip: 166.88.61.53
datetime: 2025-04-18T00:00:00+00:00
text: Russian Infra with DPRK
ip: 166.88.117.11
datetime: 2025-04-18T00:00:00+00:00
text: Dark Peony (Operation Controlplug)
ip: 166.88.35.203
datetime: 2025-03-18T00:00:00+00:00
text: Dark Peony (Operation Controlplug)
ip: 166.88.2.184
datetime: 2025-03-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 666666666)
ip: 166.88.14.52
datetime: 2024-12-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 987654321)
ip: 166.88.14.44
datetime: 2025-03-18T00:00:00+00:00
text: Xworm
ip: 166.88.101.20
datetime: 2025-02-18T00:00:00+00:00
text: DeimosC2
ip: 166.88.99.15
datetime: 2025-02-18T00:00:00+00:00
text: Cobalt Strike (Watermark: Unknown)
ip: 166.88.55.54
datetime: 2025-02-18T00:00:00+00:00
text: Cobalt Strike (Watermark: Unknown)
ip: 166.88.132.39
datetime: 2025-11-18T00:00:00+00:00
text: DPRK Lazarus - Contagious Interview
ip: 166.88.159.187
datetime: 2025-06-18T00:00:00+00:00
text: FIN7
ip: 166.88.159.37
datetime: 2024-10-18T00:00:00+00:00
text: FIN7
ip: 193.57.57.121
datetime: 2025-01-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 100000)
ip: 198.105.127.98
datetime: 2024-05-18T00:00:00+00:00
text: DPRK Lazarus (through domain resolution)
ip: 198.105.127.124
datetime: 2025-05-18T00:00:00+00:00
text: PoC Exploit for Critical Zero Day
ip: 223.165.6.30
datetime: 2024-07-18T00:00:00+00:00
text: VenomRAT
ip: 38.211.230.5
datetime: 2025-07-18T00:00:00+00:00
text: Dark Peony (Operation Controlplug)
ip: 38.246.73.120
datetime: 2025-06-18T00:00:00+00:00
text: Dark Peony (Operation Controlplug)
ip: 45.195.76.82
datetime: 2024-02-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 100000)
ip: 45.195.76.26
datetime: 2023-12-18T00:00:00+00:00
text: ShadowPad
ip: 50.114.5.82
datetime: 2024-09-18T00:00:00+00:00
text: Supershell
ip: 91.218.183.90
datetime: 2023-04-18T00:00:00+00:00
text: Cobalt Strike - Threat Actor: QUARTERRIG (APT29)
ip: 103.179.142.121
datetime: 2023-06-18T00:00:00+00:00
text: AveMaria
ip: 136.0.3.250
datetime: 2025-01-18T00:00:00+00:00
text: AsyncRAT
ip: 136.0.3.71
datetime: 2024-03-18T00:00:00+00:00
text: Bianlian
ip: 136.0.3.240
datetime: 2024-01-18T00:00:00+00:00
text: Bianlian
ip: 136.0.8.169
datetime: 2025-02-18T00:00:00+00:00
text: Danabot
ip: 136.0.9.8
datetime: 2025-06-18T00:00:00+00:00
text: NPM Supply Chain (Ports: 27017 and 3306)
ip: 142.111.77.196
datetime: 2024-07-18T00:00:00+00:00
text: DPRK Moonsleet NPM
ip: 154.81.220.233
datetime: 2025-02-18T00:00:00+00:00
text: Redline Stealer
ip: 155.254.60.160
datetime: 2025-05-18T00:00:00+00:00
text: ViciousTrap CVE exploitation
ip: 156.227.0.187
datetime: 2024-04-18T00:00:00+00:00
text: Agent Tesla Targeting Entities
ip: 156.236.76.90
datetime: 2025-06-18T00:00:00+00:00
text: PoC Exploit for Critical Zero Day
hash: 742016f01fa89be4d43916d5d2349c8d86dc89f096302501ec22b5c239685a20
file: Actor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_1_1Oct25
text: DPRK APT - Python Stealer
hash: a7d7075e866132b8e8eb87265f7b7fab0e9f6dd7f748445a18f37da2e989faa3
file: Actor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_1_1Oct25
text: DPRK APT - Python Stealer
hash: 236ff897dee7d21319482cd67815bd22391523e37e0452fa230813b30884a86f
file: Actor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_2_Oct25
text: DPRK APT - Python Stealer
hash: 742016f01fa89be4d43916d5d2349c8d86dc89f096302501ec22b5c239685a20
file: Actor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_2_Oct25
text: DPRK APT - Python Stealer
hash: a7d7075e866132b8e8eb87265f7b7fab0e9f6dd7f748445a18f37da2e989faa3
file: Actor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_2_Oct25
text: DPRK APT - Python Stealer
hash: 24cad593f02db847d1302ee7c486d0756708521d5ae69faa9d6600dff81fd924
file: Actor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_2_Oct25
text: DPRK APT - Python Stealer
hash: a51c2b2c5134d8079f11a22bd0621d29b10e16aefa4174b516e00fa40dafde69
file: Actor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_2_Oct25
text: DPRK APT - Python Stealer
hash: be21bf4ad94c394202e7b52a1b461ed868200f0f03b3c8544984e9765c23e1e0
file: Actor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25
text: DPRK APT - JavaScript Loader
hash: 87330f64f5cd4695f2385f87c9ffffee26d5ad2637665f1cd5d7fce217770a4d
file: Actor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25
text: DPRK APT - JavaScript Loader
hash: ba738d8fa5ecd4b996612dde6cd4516cbe7116305661521ffcfd62d37687875d
file: Actor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25
text: DPRK APT - JavaScript Loader
hash: 83a84588a941e463c981083555a2e7814887fa8816e7cca5af9cb7fd0b62cdac
file: Actor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25
text: DPRK APT - JavaScript Loader
hash: 6e48fe09117ead1ef2c10a3db614217184fc300ac70ee902f67510b8d0d0b0c8
file: Actor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25
text: DPRK APT - JavaScript Loader
hash: 897d040e5db47b806c01eb2a1a056ca49b10e0aa4985f84d2b808a121083570e
file: Actor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25
text: DPRK APT - JavaScript Loader
hash: eefe39fe88e75b37babb37c7379d1ec61b187a9677ee5d0c867d13ccb0e31e30
file: Actor_APT_DPRK_Unknown_MAL_Script_JS_RAT_Unknown_Strings_Oct25
text: DPRK APT - JavaScript RAT
hash: 43dc7a343649a7ce748e4c2f94bcb6064199507cfd9f064a2d462536bec1d57f
file: Actor_APT_DPRK_Unknown_MAL_Script_JS_RAT_Unknown_Strings_Oct25
text: DPRK APT - JavaScript RAT
hash: 908696f3ec522e846575061e90747ddf29fccab0e59364597493d72159986c60
file: Actor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25
text: DPRK APT - Malware Indicators
hash: 897d040e5db47b806c01eb2a1a056ca49b10e0aa4985f84d2b808a121083570e
file: Actor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25
text: DPRK APT - Malware Indicators
hash: be21bf4ad94c394202e7b52a1b461ed868200f0f03b3c8544984e9765c23e1e0
file: Actor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25
text: DPRK APT - Malware Indicators
hash: 6e48fe09117ead1ef2c10a3db614217184fc300ac70ee902f67510b8d0d0b0c8
file: Actor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25
text: DPRK APT - Malware Indicators
hash: 87330f64f5cd4695f2385f87c9ffffee26d5ad2637665f1cd5d7fce217770a4d
file: Actor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25
text: DPRK APT - Malware Indicators
hash: 83a84588a941e463c981083555a2e7814887fa8816e7cca5af9cb7fd0b62cdac
file: Actor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25
text: DPRK APT - Malware Indicators
hash: ba738d8fa5ecd4b996612dde6cd4516cbe7116305661521ffcfd62d37687875d
file: Actor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25
text: DPRK APT - Malware Indicators
hash: a2880c2d262b4a76e64fd29a813f2446ecbd640f378714aa575bf1064b7adc29
file: Actor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25
text: DPRK APT - Malware Indicators
hash: 973f777723d315e0bee0fb9e81e943bb3440be7d2de7bf582419ae47479bc15d
file: Actor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25
text: DPRK APT - Malware Indicators
hash: a7d7075e866132b8e8eb87265f7b7fab0e9f6dd7f748445a18f37da2e989faa3
file: Actor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25
text: DPRK APT - Malware Indicators
counter: 1
text: https://www.circl.lu/pdns/
text: A
text: 166.88.159.37
text: 756984.xyz
datetime: 2024-10-03T05:21:55+00:00
datetime: 2024-10-03T05:21:55+00:00
counter: 1
text: https://www.circl.lu/pdns/
text: A
text: 166.88.159.37
text: www.756984.xyz
datetime: 2024-10-03T05:59:28+00:00
datetime: 2024-10-03T05:59:28+00:00

XCTDH Crypto Heist Part 3 - Yashraj Solanki

Severity: medium

Type: unknown

XCTDH Crypto Heist Part 3 - Yashraj Solanki

Technical Summary

Potential Impact

Mitigation Recommendations

Affected Countries

Germany, United Kingdom, Netherlands, France, Switzerland

Indicators of Compromise

ip: 23.26.237.237
datetime: 2025-11-18T00:00:00+00:00
text: Rhadamanthys Stealer
ip: 23.26.237.117
datetime: 2025-10-18T00:00:00+00:00
text: Rhadamanthys Stealer
ip: 23.27.24.90
datetime: 2025-10-18T00:00:00+00:00
text: Sliver C2
ip: 23.27.168.222
datetime: 2025-10-18T00:00:00+00:00
text: Rhadamanthys Stealer
ip: 136.0.141.91
datetime: 2025-09-18T00:00:00+00:00
text: Rhadamanthys Stealer
ip: 136.0.141.245
datetime: 2025-09-18T00:00:00+00:00
text: Rhadamanthys Stealer
ip: 166.88.117.240
datetime: 2025-09-18T00:00:00+00:00
text: Remcos
ip: 23.27.124.91
datetime: 2025-09-18T00:00:00+00:00
text: Remcos
ip: 156.227.0.60
datetime: 2025-09-18T00:00:00+00:00
text: Rhadamanthys Stealer
ip: 96.126.191.167
datetime: 2025-09-18T00:00:00+00:00
text: Xworm
ip: 108.165.147.181
datetime: 2025-09-18T00:00:00+00:00
text: SuperShell C2
ip: 216.173.65.45
datetime: 2025-09-18T00:00:00+00:00
text: Remcos
ip: 166.88.194.123
datetime: 2025-08-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 0)
ip: 23.27.163.245
datetime: 2025-08-18T00:00:00+00:00
text: VenomRAT
ip: 23.27.169.64
datetime: 2025-08-18T00:00:00+00:00
text: DCRAT
ip: 23.27.24.227
datetime: 2025-08-18T00:00:00+00:00
text: GoPhish
ip: 166.88.132.69
datetime: 2025-08-18T00:00:00+00:00
text: Remcos
ip: 166.0.132.184
datetime: 2025-08-18T00:00:00+00:00
text: Sliver C2
ip: 38.211.230.55
datetime: 2025-06-18T00:00:00+00:00
text: Remcos
ip: 23.27.201.30
datetime: 2025-06-18T00:00:00+00:00
text: Sliver C2
ip: 166.88.61.58
datetime: 2025-06-18T00:00:00+00:00
text: AdaptixC2
ip: 166.88.114.78
datetime: 2025-05-18T00:00:00+00:00
text: Sliver C2
ip: 166.88.100.85
datetime: 2025-05-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 391144938)
ip: 23.27.48.77
datetime: 2025-05-18T00:00:00+00:00
text: Remcos
ip: 166.88.95.137
datetime: 2025-05-18T00:00:00+00:00
text: Mythic C2
ip: 23.27.48.113
datetime: 2025-04-18T00:00:00+00:00
text: Red Guard (C2 Redirector)
ip: 166.88.14.137
datetime: 2025-04-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 391144938)
ip: 216.173.64.63
datetime: 2025-02-18T00:00:00+00:00
text: XWorm
ip: 166.88.90.22
datetime: 2025-02-18T00:00:00+00:00
text: AsyncRAT
ip: 23.27.169.4
datetime: 2025-02-18T00:00:00+00:00
text: Viper C2
ip: 166.88.98.221
datetime: 2025-02-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 0)
ip: 23.27.240.252
datetime: 2025-02-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 666666666)
ip: 23.27.48.179
datetime: 2025-02-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 666666666)
ip: 166.88.141.40
datetime: 2025-02-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 666666666)
ip: 23.27.48.4
datetime: 2025-01-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 987654321)
ip: 23.27.12.214
datetime: 2024-12-18T00:00:00+00:00
text: SuperShell C2
ip: 23.27.201.57
datetime: 2024-12-18T00:00:00+00:00
text: UNAM C2 Panel
ip: 156.235.89.227
datetime: 2024-12-18T00:00:00+00:00
text: Sliver C2
ip: 23.27.240.237
datetime: 2024-12-18T00:00:00+00:00
text: Cobalt Strike
ip: 45.194.27.99
datetime: 2024-10-18T00:00:00+00:00
text: Sliver C2
ip: 166.88.57.117
datetime: 2024-09-18T00:00:00+00:00
text: SuperShell C2
ip: 136.0.11.193
datetime: 2024-09-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 100000)
ip: 23.27.244.39
datetime: 2024-08-18T00:00:00+00:00
text: Remcos
ip: 172.121.5.230
datetime: 2024-04-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 100000)
ip: 166.88.132.139
datetime: 2024-02-18T00:00:00+00:00
text: QuasarRAT
ip: 166.88.97.138
datetime: 2025-08-18T00:00:00+00:00
text: PlugX
ip: 166.88.61.35
datetime: 2025-07-18T00:00:00+00:00
text: China Aligned Espionage - Cobalt Strike (Watermark: 100000)
ip: 166.88.96.120
datetime: 2025-06-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 100000)
ip: 166.88.4.2
datetime: 2025-06-18T00:00:00+00:00
text: NPM Supply Chain
ip: 166.88.2.90
datetime: 2025-08-18T00:00:00+00:00
text: Dark Peony (Operation Controlplug)
ip: 166.88.194.53
datetime: 2025-04-18T00:00:00+00:00
text: Earth Kurma
ip: 166.88.61.53
datetime: 2025-04-18T00:00:00+00:00
text: Russian Infra with DPRK
ip: 166.88.117.11
datetime: 2025-04-18T00:00:00+00:00
text: Dark Peony (Operation Controlplug)
ip: 166.88.35.203
datetime: 2025-03-18T00:00:00+00:00
text: Dark Peony (Operation Controlplug)
ip: 166.88.2.184
datetime: 2025-03-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 666666666)
ip: 166.88.14.52
datetime: 2024-12-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 987654321)
ip: 166.88.14.44
datetime: 2025-03-18T00:00:00+00:00
text: Xworm
ip: 166.88.101.20
datetime: 2025-02-18T00:00:00+00:00
text: DeimosC2
ip: 166.88.99.15
datetime: 2025-02-18T00:00:00+00:00
text: Cobalt Strike (Watermark: Unknown)
ip: 166.88.55.54
datetime: 2025-02-18T00:00:00+00:00
text: Cobalt Strike (Watermark: Unknown)
ip: 166.88.132.39
datetime: 2025-11-18T00:00:00+00:00
text: DPRK Lazarus - Contagious Interview
ip: 166.88.159.187
datetime: 2025-06-18T00:00:00+00:00
text: FIN7
ip: 166.88.159.37
datetime: 2024-10-18T00:00:00+00:00
text: FIN7
ip: 193.57.57.121
datetime: 2025-01-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 100000)
ip: 198.105.127.98
datetime: 2024-05-18T00:00:00+00:00
text: DPRK Lazarus (through domain resolution)
ip: 198.105.127.124
datetime: 2025-05-18T00:00:00+00:00
text: PoC Exploit for Critical Zero Day
ip: 223.165.6.30
datetime: 2024-07-18T00:00:00+00:00
text: VenomRAT
ip: 38.211.230.5
datetime: 2025-07-18T00:00:00+00:00
text: Dark Peony (Operation Controlplug)
ip: 38.246.73.120
datetime: 2025-06-18T00:00:00+00:00
text: Dark Peony (Operation Controlplug)
ip: 45.195.76.82
datetime: 2024-02-18T00:00:00+00:00
text: Cobalt Strike (Watermark: 100000)
ip: 45.195.76.26
datetime: 2023-12-18T00:00:00+00:00
text: ShadowPad
ip: 50.114.5.82
datetime: 2024-09-18T00:00:00+00:00
text: Supershell
ip: 91.218.183.90
datetime: 2023-04-18T00:00:00+00:00
text: Cobalt Strike - Threat Actor: QUARTERRIG (APT29)
ip: 103.179.142.121
datetime: 2023-06-18T00:00:00+00:00
text: AveMaria
ip: 136.0.3.250
datetime: 2025-01-18T00:00:00+00:00
text: AsyncRAT
ip: 136.0.3.71
datetime: 2024-03-18T00:00:00+00:00
text: Bianlian
ip: 136.0.3.240
datetime: 2024-01-18T00:00:00+00:00
text: Bianlian
ip: 136.0.8.169
datetime: 2025-02-18T00:00:00+00:00
text: Danabot
ip: 136.0.9.8
datetime: 2025-06-18T00:00:00+00:00
text: NPM Supply Chain (Ports: 27017 and 3306)
ip: 142.111.77.196
datetime: 2024-07-18T00:00:00+00:00
text: DPRK Moonsleet NPM
ip: 154.81.220.233
datetime: 2025-02-18T00:00:00+00:00
text: Redline Stealer
ip: 155.254.60.160
datetime: 2025-05-18T00:00:00+00:00
text: ViciousTrap CVE exploitation
ip: 156.227.0.187
datetime: 2024-04-18T00:00:00+00:00
text: Agent Tesla Targeting Entities
ip: 156.236.76.90
datetime: 2025-06-18T00:00:00+00:00
text: PoC Exploit for Critical Zero Day
hash: 742016f01fa89be4d43916d5d2349c8d86dc89f096302501ec22b5c239685a20
file: Actor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_1_1Oct25
text: DPRK APT - Python Stealer
hash: a7d7075e866132b8e8eb87265f7b7fab0e9f6dd7f748445a18f37da2e989faa3
file: Actor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_1_1Oct25
text: DPRK APT - Python Stealer
hash: 236ff897dee7d21319482cd67815bd22391523e37e0452fa230813b30884a86f
file: Actor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_2_Oct25
text: DPRK APT - Python Stealer
hash: 742016f01fa89be4d43916d5d2349c8d86dc89f096302501ec22b5c239685a20
file: Actor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_2_Oct25
text: DPRK APT - Python Stealer
hash: a7d7075e866132b8e8eb87265f7b7fab0e9f6dd7f748445a18f37da2e989faa3
file: Actor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_2_Oct25
text: DPRK APT - Python Stealer
hash: 24cad593f02db847d1302ee7c486d0756708521d5ae69faa9d6600dff81fd924
file: Actor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_2_Oct25
text: DPRK APT - Python Stealer
hash: a51c2b2c5134d8079f11a22bd0621d29b10e16aefa4174b516e00fa40dafde69
file: Actor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_2_Oct25
text: DPRK APT - Python Stealer
hash: be21bf4ad94c394202e7b52a1b461ed868200f0f03b3c8544984e9765c23e1e0
file: Actor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25
text: DPRK APT - JavaScript Loader
hash: 87330f64f5cd4695f2385f87c9ffffee26d5ad2637665f1cd5d7fce217770a4d
file: Actor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25
text: DPRK APT - JavaScript Loader
hash: ba738d8fa5ecd4b996612dde6cd4516cbe7116305661521ffcfd62d37687875d
file: Actor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25
text: DPRK APT - JavaScript Loader
hash: 83a84588a941e463c981083555a2e7814887fa8816e7cca5af9cb7fd0b62cdac
file: Actor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25
text: DPRK APT - JavaScript Loader
hash: 6e48fe09117ead1ef2c10a3db614217184fc300ac70ee902f67510b8d0d0b0c8
file: Actor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25
text: DPRK APT - JavaScript Loader
hash: 897d040e5db47b806c01eb2a1a056ca49b10e0aa4985f84d2b808a121083570e
file: Actor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25
text: DPRK APT - JavaScript Loader
hash: eefe39fe88e75b37babb37c7379d1ec61b187a9677ee5d0c867d13ccb0e31e30
file: Actor_APT_DPRK_Unknown_MAL_Script_JS_RAT_Unknown_Strings_Oct25
text: DPRK APT - JavaScript RAT
hash: 43dc7a343649a7ce748e4c2f94bcb6064199507cfd9f064a2d462536bec1d57f
file: Actor_APT_DPRK_Unknown_MAL_Script_JS_RAT_Unknown_Strings_Oct25
text: DPRK APT - JavaScript RAT
hash: 908696f3ec522e846575061e90747ddf29fccab0e59364597493d72159986c60
file: Actor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25
text: DPRK APT - Malware Indicators
hash: 897d040e5db47b806c01eb2a1a056ca49b10e0aa4985f84d2b808a121083570e
file: Actor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25
text: DPRK APT - Malware Indicators
hash: be21bf4ad94c394202e7b52a1b461ed868200f0f03b3c8544984e9765c23e1e0
file: Actor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25
text: DPRK APT - Malware Indicators
hash: 6e48fe09117ead1ef2c10a3db614217184fc300ac70ee902f67510b8d0d0b0c8
file: Actor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25
text: DPRK APT - Malware Indicators
hash: 87330f64f5cd4695f2385f87c9ffffee26d5ad2637665f1cd5d7fce217770a4d
file: Actor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25
text: DPRK APT - Malware Indicators
hash: 83a84588a941e463c981083555a2e7814887fa8816e7cca5af9cb7fd0b62cdac
file: Actor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25
text: DPRK APT - Malware Indicators
hash: ba738d8fa5ecd4b996612dde6cd4516cbe7116305661521ffcfd62d37687875d
file: Actor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25
text: DPRK APT - Malware Indicators
hash: a2880c2d262b4a76e64fd29a813f2446ecbd640f378714aa575bf1064b7adc29
file: Actor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25
text: DPRK APT - Malware Indicators
hash: 973f777723d315e0bee0fb9e81e943bb3440be7d2de7bf582419ae47479bc15d
file: Actor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25
text: DPRK APT - Malware Indicators
hash: a7d7075e866132b8e8eb87265f7b7fab0e9f6dd7f748445a18f37da2e989faa3
file: Actor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25
text: DPRK APT - Malware Indicators
counter: 1
text: https://www.circl.lu/pdns/
text: A
text: 166.88.159.37
text: 756984.xyz
datetime: 2024-10-03T05:21:55+00:00
datetime: 2024-10-03T05:21:55+00:00
counter: 1
text: https://www.circl.lu/pdns/
text: A
text: 166.88.159.37
text: www.756984.xyz
datetime: 2024-10-03T05:59:28+00:00
datetime: 2024-10-03T05:59:28+00:00

Source: CIRCL OSINT Feed

Published: Tue Nov 18 2025

XCTDH Crypto Heist Part 3 - Yashraj Solanki

Medium

Unknowntype:osint dprk misp-galaxy:country="north korea"osint:lifetime="perpetual"osint:certainty="50"tlp:white tlp:clear

Published: Tue Nov 18 2025 (11/18/2025, 00:00:00 UTC)

Source: CIRCL OSINT Feed

Vendor/Project: type

Product: osint

Description

XCTDH Crypto Heist Part 3 - Yashraj Solanki

AI-Powered Analysis

AILast updated: 11/18/2025, 14:40:09 UTC

Technical Analysis

Potential Impact

Mitigation Recommendations

Affected Countries

Need more detailed analysis?Get Pro

Pro Feature

For access to advanced analysis and higher rate limits, contact root@offseq.com

Technical Details

Uuid: fbf8c6e8-5e74-493f-9699-ec352bcc179c
Original Timestamp: 1763467869

Indicators of Compromise

Ip

Value	Description	Copy
ip23.26.237.237	—
ip23.26.237.117	—
ip23.27.24.90	—
ip23.27.168.222	—
ip136.0.141.91	—
ip136.0.141.245	—
ip166.88.117.240	—
ip23.27.124.91	—
ip156.227.0.60	—
ip96.126.191.167	—
ip108.165.147.181	—
ip216.173.65.45	—
ip166.88.194.123	—
ip23.27.163.245	—
ip23.27.169.64	—
ip23.27.24.227	—
ip166.88.132.69	—
ip166.0.132.184	—
ip38.211.230.55	—
ip23.27.201.30	—
ip166.88.61.58	—
ip166.88.114.78	—
ip166.88.100.85	—
ip23.27.48.77	—
ip166.88.95.137	—
ip23.27.48.113	—
ip166.88.14.137	—
ip216.173.64.63	—
ip166.88.90.22	—
ip23.27.169.4	—
ip166.88.98.221	—
ip23.27.240.252	—
ip23.27.48.179	—
ip166.88.141.40	—
ip23.27.48.4	—
ip23.27.12.214	—
ip23.27.201.57	—
ip156.235.89.227	—
ip23.27.240.237	—
ip45.194.27.99	—
ip166.88.57.117	—
ip136.0.11.193	—
ip23.27.244.39	—
ip172.121.5.230	—
ip166.88.132.139	—
ip166.88.97.138	—
ip166.88.61.35	—
ip166.88.96.120	—
ip166.88.4.2	—
ip166.88.2.90	—
ip166.88.194.53	—
ip166.88.61.53	—
ip166.88.117.11	—
ip166.88.35.203	—
ip166.88.2.184	—
ip166.88.14.52	—
ip166.88.14.44	—
ip166.88.101.20	—
ip166.88.99.15	—
ip166.88.55.54	—
ip166.88.132.39	—
ip166.88.159.187	—
ip166.88.159.37	—
ip193.57.57.121	—
ip198.105.127.98	—
ip198.105.127.124	—
ip223.165.6.30	—
ip38.211.230.5	—
ip38.246.73.120	—
ip45.195.76.82	—
ip45.195.76.26	—
ip50.114.5.82	—
ip91.218.183.90	—
ip103.179.142.121	—
ip136.0.3.250	—
ip136.0.3.71	—
ip136.0.3.240	—
ip136.0.8.169	—
ip136.0.9.8	—
ip142.111.77.196	—
ip154.81.220.233	—
ip155.254.60.160	—
ip156.227.0.187	—
ip156.236.76.90	—

Datetime

Value	Description	Copy
datetime2025-11-18T00:00:00+00:00	—
datetime2025-10-18T00:00:00+00:00	—
datetime2025-10-18T00:00:00+00:00	—
datetime2025-10-18T00:00:00+00:00	—
datetime2025-09-18T00:00:00+00:00	—
datetime2025-09-18T00:00:00+00:00	—
datetime2025-09-18T00:00:00+00:00	—
datetime2025-09-18T00:00:00+00:00	—
datetime2025-09-18T00:00:00+00:00	—
datetime2025-09-18T00:00:00+00:00	—
datetime2025-09-18T00:00:00+00:00	—
datetime2025-09-18T00:00:00+00:00	—
datetime2025-08-18T00:00:00+00:00	—
datetime2025-08-18T00:00:00+00:00	—
datetime2025-08-18T00:00:00+00:00	—
datetime2025-08-18T00:00:00+00:00	—
datetime2025-08-18T00:00:00+00:00	—
datetime2025-08-18T00:00:00+00:00	—
datetime2025-06-18T00:00:00+00:00	—
datetime2025-06-18T00:00:00+00:00	—
datetime2025-06-18T00:00:00+00:00	—
datetime2025-05-18T00:00:00+00:00	—
datetime2025-05-18T00:00:00+00:00	—
datetime2025-05-18T00:00:00+00:00	—
datetime2025-05-18T00:00:00+00:00	—
datetime2025-04-18T00:00:00+00:00	—
datetime2025-04-18T00:00:00+00:00	—
datetime2025-02-18T00:00:00+00:00	—
datetime2025-02-18T00:00:00+00:00	—
datetime2025-02-18T00:00:00+00:00	—
datetime2025-02-18T00:00:00+00:00	—
datetime2025-02-18T00:00:00+00:00	—
datetime2025-02-18T00:00:00+00:00	—
datetime2025-02-18T00:00:00+00:00	—
datetime2025-01-18T00:00:00+00:00	—
datetime2024-12-18T00:00:00+00:00	—
datetime2024-12-18T00:00:00+00:00	—
datetime2024-12-18T00:00:00+00:00	—
datetime2024-12-18T00:00:00+00:00	—
datetime2024-10-18T00:00:00+00:00	—
datetime2024-09-18T00:00:00+00:00	—
datetime2024-09-18T00:00:00+00:00	—
datetime2024-08-18T00:00:00+00:00	—
datetime2024-04-18T00:00:00+00:00	—
datetime2024-02-18T00:00:00+00:00	—
datetime2025-08-18T00:00:00+00:00	—
datetime2025-07-18T00:00:00+00:00	—
datetime2025-06-18T00:00:00+00:00	—
datetime2025-06-18T00:00:00+00:00	—
datetime2025-08-18T00:00:00+00:00	—
datetime2025-04-18T00:00:00+00:00	—
datetime2025-04-18T00:00:00+00:00	—
datetime2025-04-18T00:00:00+00:00	—
datetime2025-03-18T00:00:00+00:00	—
datetime2025-03-18T00:00:00+00:00	—
datetime2024-12-18T00:00:00+00:00	—
datetime2025-03-18T00:00:00+00:00	—
datetime2025-02-18T00:00:00+00:00	—
datetime2025-02-18T00:00:00+00:00	—
datetime2025-02-18T00:00:00+00:00	—
datetime2025-11-18T00:00:00+00:00	—
datetime2025-06-18T00:00:00+00:00	—
datetime2024-10-18T00:00:00+00:00	—
datetime2025-01-18T00:00:00+00:00	—
datetime2024-05-18T00:00:00+00:00	—
datetime2025-05-18T00:00:00+00:00	—
datetime2024-07-18T00:00:00+00:00	—
datetime2025-07-18T00:00:00+00:00	—
datetime2025-06-18T00:00:00+00:00	—
datetime2024-02-18T00:00:00+00:00	—
datetime2023-12-18T00:00:00+00:00	—
datetime2024-09-18T00:00:00+00:00	—
datetime2023-04-18T00:00:00+00:00	—
datetime2023-06-18T00:00:00+00:00	—
datetime2025-01-18T00:00:00+00:00	—
datetime2024-03-18T00:00:00+00:00	—
datetime2024-01-18T00:00:00+00:00	—
datetime2025-02-18T00:00:00+00:00	—
datetime2025-06-18T00:00:00+00:00	—
datetime2024-07-18T00:00:00+00:00	—
datetime2025-02-18T00:00:00+00:00	—
datetime2025-05-18T00:00:00+00:00	—
datetime2024-04-18T00:00:00+00:00	—
datetime2025-06-18T00:00:00+00:00	—
datetime2024-10-03T05:21:55+00:00	—
datetime2024-10-03T05:21:55+00:00	—
datetime2024-10-03T05:59:28+00:00	—
datetime2024-10-03T05:59:28+00:00	—

Text

Value	Description	Copy
textRhadamanthys Stealer	—
textRhadamanthys Stealer	—
textSliver C2	—
textRhadamanthys Stealer	—
textRhadamanthys Stealer	—
textRhadamanthys Stealer	—
textRemcos	—
textRemcos	—
textRhadamanthys Stealer	—
textXworm	—
textSuperShell C2	—
textRemcos	—
textCobalt Strike (Watermark: 0)	—
textVenomRAT	—
textDCRAT	—
textGoPhish	—
textRemcos	—
textSliver C2	—
textRemcos	—
textSliver C2	—
textAdaptixC2	—
textSliver C2	—
textCobalt Strike (Watermark: 391144938)	—
textRemcos	—
textMythic C2	—
textRed Guard (C2 Redirector)	—
textCobalt Strike (Watermark: 391144938)	—
textXWorm	—
textAsyncRAT	—
textViper C2	—
textCobalt Strike (Watermark: 0)	—
textCobalt Strike (Watermark: 666666666)	—
textCobalt Strike (Watermark: 666666666)	—
textCobalt Strike (Watermark: 666666666)	—
textCobalt Strike (Watermark: 987654321)	—
textSuperShell C2	—
textUNAM C2 Panel	—
textSliver C2	—
textCobalt Strike	—
textSliver C2	—
textSuperShell C2	—
textCobalt Strike (Watermark: 100000)	—
textRemcos	—
textCobalt Strike (Watermark: 100000)	—
textQuasarRAT	—
textPlugX	—
textChina Aligned Espionage - Cobalt Strike (Watermark: 100000)	—
textCobalt Strike (Watermark: 100000)	—
textNPM Supply Chain	—
textDark Peony (Operation Controlplug)	—
textEarth Kurma	—
textRussian Infra with DPRK	—
textDark Peony (Operation Controlplug)	—
textDark Peony (Operation Controlplug)	—
textCobalt Strike (Watermark: 666666666)	—
textCobalt Strike (Watermark: 987654321)	—
textXworm	—
textDeimosC2	—
textCobalt Strike (Watermark: Unknown)	—
textCobalt Strike (Watermark: Unknown)	—
textDPRK Lazarus - Contagious Interview	—
textFIN7	—
textFIN7	—
textCobalt Strike (Watermark: 100000)	—
textDPRK Lazarus (through domain resolution)	—
textPoC Exploit for Critical Zero Day	—
textVenomRAT	—
textDark Peony (Operation Controlplug)	—
textDark Peony (Operation Controlplug)	—
textCobalt Strike (Watermark: 100000)	—
textShadowPad	—
textSupershell	—
textCobalt Strike - Threat Actor: QUARTERRIG (APT29)	—
textAveMaria	—
textAsyncRAT	—
textBianlian	—
textBianlian	—
textDanabot	—
textNPM Supply Chain (Ports: 27017 and 3306)	—
textDPRK Moonsleet NPM	—
textRedline Stealer	—
textViciousTrap CVE exploitation	—
textAgent Tesla Targeting Entities	—
textPoC Exploit for Critical Zero Day	—
textDPRK APT - Python Stealer	—
textDPRK APT - Python Stealer	—
textDPRK APT - Python Stealer	—
textDPRK APT - Python Stealer	—
textDPRK APT - Python Stealer	—
textDPRK APT - Python Stealer	—
textDPRK APT - Python Stealer	—
textDPRK APT - JavaScript Loader	—
textDPRK APT - JavaScript Loader	—
textDPRK APT - JavaScript Loader	—
textDPRK APT - JavaScript Loader	—
textDPRK APT - JavaScript Loader	—
textDPRK APT - JavaScript Loader	—
textDPRK APT - JavaScript RAT	—
textDPRK APT - JavaScript RAT	—
textDPRK APT - Malware Indicators	—
textDPRK APT - Malware Indicators	—
textDPRK APT - Malware Indicators	—
textDPRK APT - Malware Indicators	—
textDPRK APT - Malware Indicators	—
textDPRK APT - Malware Indicators	—
textDPRK APT - Malware Indicators	—
textDPRK APT - Malware Indicators	—
textDPRK APT - Malware Indicators	—
textDPRK APT - Malware Indicators	—
texthttps://www.circl.lu/pdns/	—
textA	—
text166.88.159.37	—
text756984.xyz	—
texthttps://www.circl.lu/pdns/	—
textA	—
text166.88.159.37	—
textwww.756984.xyz	—

Hash

Value	Description	Copy
hash742016f01fa89be4d43916d5d2349c8d86dc89f096302501ec22b5c239685a20	—
hasha7d7075e866132b8e8eb87265f7b7fab0e9f6dd7f748445a18f37da2e989faa3	—
hash236ff897dee7d21319482cd67815bd22391523e37e0452fa230813b30884a86f	—
hash742016f01fa89be4d43916d5d2349c8d86dc89f096302501ec22b5c239685a20	—
hasha7d7075e866132b8e8eb87265f7b7fab0e9f6dd7f748445a18f37da2e989faa3	—
hash24cad593f02db847d1302ee7c486d0756708521d5ae69faa9d6600dff81fd924	—
hasha51c2b2c5134d8079f11a22bd0621d29b10e16aefa4174b516e00fa40dafde69	—
hashbe21bf4ad94c394202e7b52a1b461ed868200f0f03b3c8544984e9765c23e1e0	—
hash87330f64f5cd4695f2385f87c9ffffee26d5ad2637665f1cd5d7fce217770a4d	—
hashba738d8fa5ecd4b996612dde6cd4516cbe7116305661521ffcfd62d37687875d	—
hash83a84588a941e463c981083555a2e7814887fa8816e7cca5af9cb7fd0b62cdac	—
hash6e48fe09117ead1ef2c10a3db614217184fc300ac70ee902f67510b8d0d0b0c8	—
hash897d040e5db47b806c01eb2a1a056ca49b10e0aa4985f84d2b808a121083570e	—
hasheefe39fe88e75b37babb37c7379d1ec61b187a9677ee5d0c867d13ccb0e31e30	—
hash43dc7a343649a7ce748e4c2f94bcb6064199507cfd9f064a2d462536bec1d57f	—
hash908696f3ec522e846575061e90747ddf29fccab0e59364597493d72159986c60	—
hash897d040e5db47b806c01eb2a1a056ca49b10e0aa4985f84d2b808a121083570e	—
hashbe21bf4ad94c394202e7b52a1b461ed868200f0f03b3c8544984e9765c23e1e0	—
hash6e48fe09117ead1ef2c10a3db614217184fc300ac70ee902f67510b8d0d0b0c8	—
hash87330f64f5cd4695f2385f87c9ffffee26d5ad2637665f1cd5d7fce217770a4d	—
hash83a84588a941e463c981083555a2e7814887fa8816e7cca5af9cb7fd0b62cdac	—
hashba738d8fa5ecd4b996612dde6cd4516cbe7116305661521ffcfd62d37687875d	—
hasha2880c2d262b4a76e64fd29a813f2446ecbd640f378714aa575bf1064b7adc29	—
hash973f777723d315e0bee0fb9e81e943bb3440be7d2de7bf582419ae47479bc15d	—
hasha7d7075e866132b8e8eb87265f7b7fab0e9f6dd7f748445a18f37da2e989faa3	—

File

Value	Description	Copy
fileActor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_1_1Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_1_1Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_2_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_2_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_2_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_2_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_2_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Script_JS_RAT_Unknown_Strings_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Script_JS_RAT_Unknown_Strings_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25	—
fileActor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25	—

Counter

Value	Description	Copy
counter1	—
counter1	—

Threat ID: 691c8529b718280d689345ee

Added to database: 11/18/2025, 2:39:37 PM

Last enriched: 11/18/2025, 2:40:09 PM

Last updated: 11/19/2025, 3:55:47 AM

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by

Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Related Threats

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Search on Google

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

XCTDH Crypto Heist Part 3 - Yashraj Solanki

AI Analysis

Technical Summary

Potential Impact

Mitigation Recommendations

Affected Countries

Indicators of Compromise

XCTDH Crypto Heist Part 3 - Yashraj Solanki

Description

AI-Powered Analysis

Technical Analysis

Potential Impact

Mitigation Recommendations

Affected Countries

Technical Details

Indicators of Compromise

Ip

Datetime

Text

Hash

File

Counter

Community Reviews

Related Threats

ThreatFox IOCs for 2025-11-18

ThreatFox IOCs for 2025-11-17

ThreatFox IOCs for 2025-11-16

ThreatFox IOCs for 2025-11-15

ThreatFox IOCs for 2025-11-14

Actions

External Links

Need enhanced features?

Latest Threats

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility