{
	"id": "f63e8c5f-02bc-4f74-90ff-19efb5de89dd",
	"created_at": "2026-04-06T00:12:17.982513Z",
	"updated_at": "2026-04-10T03:30:33.537454Z",
	"deleted_at": null,
	"sha1_hash": "00e98c5e4aba4d027fcbdd7d1244f8f1c9a6556e",
	"title": "Combing Through Brushaloader Amid Massive Detection Uptick",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1181200,
	"plain_text": "Combing Through Brushaloader Amid Massive Detection Uptick\r\nBy Edmund Brumaghin\r\nPublished: 2019-02-20 · Archived: 2026-04-05 18:52:46 UTC\r\nNick Biasini and Edmund Brumaghin authored this blog post with contributions from Matthew Molyett.\r\nExecutive Summary\r\nOver the past several months, Cisco Talos has been monitoring various malware\r\ndistribution campaigns leveraging the malware loader Brushaloader to deliver\r\nmalware payloads to systems. Brushaloader is currently characterized by the use\r\nof various scripting elements, such as PowerShell, to minimize the number of\r\nartifacts left on infected systems. Brushaloader also leverages a combination of\r\nVBScript and PowerShell to create a Remote Access Trojan (RAT) that allows\r\npersistent command execution on infected systems.\r\nBrushaloader is an evolving threat that is being actively developed and refined over time as attackers identify\r\nareas of improvement and add additional functionality. We have identified multiple iterations of this threat since\r\nmid-2018. Most of the malware distribution activity that we observe associated with Brushaloader leverages\r\nmalicious email campaigns targeting specific geographic regions to distribute various malware payloads, primarily\r\nDanabot. Danabot has already been described in detail here and here, so this post will focus on the analysis of\r\nBrushaloader itself. Talos has recently identified a marked increase in the quantity of malware distribution activity\r\nassociated with Brushaloader, as well as the implementation of various techniques and evasive functionality that\r\nhave resulted in significantly lower detection rates and sandbox evasion.\r\nThe advanced command-line auditing and reporting available within ThreatGrid make analyzing threats such as\r\nBrushaloader much more efficient. 
Threats such as Brushaloader demonstrate the importance of ensuring that\r\nPowerShell logging is enabled and configured on endpoints in most corporate environments.\r\nHistory of Brushaloader\r\nThe first Brushaloader campaign that caught our attention was back in August\r\n2018. It was initially notable because it was only using Polish language emails\r\ntargeting Polish victims. Although it is common to see threats target users in\r\nmultiple languages, attackers typically don't target a single European country.\r\nBelow is a sample of one of the emails from that initial campaign, which shows the\r\ncharacteristics that we would come to expect from Brushaloader: a RAR\r\nhttps://blog.talosintelligence.com/2019/02/combing-through-brushaloader.html\r\nPage 1 of 23\n\nattachment containing a Visual Basic script that results in a Brushaloader\r\ninfection ending in the eventual download and execution of Danabot.\r\nThere is one other characteristic of this email that will remain a thread throughout all Brushaloader campaigns:\r\n\"Faktura,\" the Polish word for invoices. There will be a few variations of this over the next several months, but\r\nregardless of language, invoices and billing will always play a vital role in these spam campaigns.\r\nAs for the attachment itself, it typically consists of a RAR file with a filename that contains the word \"faktura.\"\r\nThe RAR files typically contain a VBScript that reaches out for additional payloads. The script itself already had\r\nsome interesting techniques associated with sandbox or network simulation evasion, which we will discuss later in\r\nthe blog. This script wasn't heavily obfuscated, and efficiently established command and control (C2)\r\ncommunication with a hard-coded IP address via HTTP using wscript. 
The specific URL being queried in this\r\nparticular campaign was:\r\n   http://162[.]251[.]166[.]72/about.php?faxid=446708802\u0026opt=.\r\nOver time, a pattern started to emerge: The campaigns would run for a week or two and then go quiet for a couple\r\nof weeks before restarting. The modus operandi for the actor was largely the same throughout: Polish language\r\nspam campaigns related to invoices or \"Faktura\" that contained a RAR file with malicious VBScript inside. One\r\nthing of note about these campaigns is that, during the downtime, changes and improvements were being made to the way\r\nthe VBScript tries to evade detection and analysis, or to how the C2 communication was established. Let's walk\r\nthrough some examples.\r\nNetwork simulation evasion, multi-path C2 implemented\r\nThe second major campaign we analyzed had already added some functionality. Initially, the\r\nthreat was trying to connect to a non-existent domain to check for things like network simulation.\r\nThis second campaign implemented an \"infinite\" recursive loop that continues to repeat itself if\r\nthat GET request resulted in an HTTP/200 indicating a successful request. Here is a quick\r\nscreenshot showing that new functionality.\r\nThis simple snippet of code includes the GET request to a non-existent domain (www[.]dencedence[.]denceasdq)\r\n(1), the steps taken if an HTTP/200 is provided in response to that request (2), and finally enters an \"infinite\"\r\nrecursive loop when an HTTP/200 is found (3). This is an elegant, simple way to determine if network simulation\r\nis occurring and delaying malicious execution. These simple techniques can be incredibly effective at avoiding\r\nsome types of detection and analysis.\r\nA campaign that launched just a few days later had already gone through some additional revisions. Early versions\r\nof the script only communicated via hard-coded IP address. 
This campaign implemented a random choice between\r\na domain and a hard-coded IP. Below is an example of this type of evolution.\r\nThe function at the top of the capture shows the initial C2 request. You can see that request includes some new\r\nvariables and functionality (1) which randomly choose one of the two options listed further down in the\r\nDaLoweRsxMinsa function (2). It is here you can see both the hard-coded IP address (192[.]3[.]204[.]226) and a\r\ndomain (emailerservo[.]science) hosted on a different server that responds to the same path. This particular\r\nfunctionality would remain for the next couple of months with some subtle changes as time progressed.\r\nLegitimate URLs added to obfuscate\r\nOver the next couple of campaigns throughout the rest of September and early October, there\r\nwere subtle changes around the non-existent domains being used, and the ways they tried to\r\nobfuscate the C2 communication, but no significant changes. In early October, the actors added a\r\nthird legitimate domain to the round robin, which can be seen below:\r\nHere, the actors have added google[.]com to the potential sources of C2 communication. Over the next several\r\nmonths, the legitimate site changed to include such sites as www[.]ti[.]com and www[.]bbc[.]com, among others.\r\nThis was yet another simplistic approach to sandbox evasion where, periodically, the VBScript would do nothing\r\nmore than send a request to a legitimate domain.\r\nStreamlined version emerges\r\nThere were more significant changes taking place during October 2018, including the removal of\r\nthe non-existent domain check and instead implementing what appears to be a registry check in\r\nwscript to try to read a value from the registry. It appears to be using this for some permissions\r\ncheck, but all users of all privilege levels would be able to query the key\r\nHKEY_CURRENT_USER. 
Below is a screen capture of this check as it was implemented.\r\nThis check and functionality were relatively short-lived, since in the last couple days of October, the actors moved\r\naway from WScript entirely and shifted the majority of the functionality to Internet Explorer directly. In addition\r\nto switching to Internet Explorer for web communications, the VBScript was streamlined considerably and went\r\nfrom being a 4KB text file to being less than 1KB. Below is a screen capture of the entire VBScript. A majority of\r\nthe checking and evasion techniques were removed, except some extended sleep commands to time out some\r\nsandbox technologies.\r\nNote the highlighted section shows the creation of an invisible IE instance for the script to use to communicate\r\nwith the C2 server. Additionally, the actors stopped using domains altogether and returned to hosting everything\r\nusing hard-coded IP addresses.\r\nNew campaign, new languages targeted\r\nIt was also around this time that Cisco Talos started to observe the spam campaign beginning to\r\ntarget languages besides Polish. The first campaign involving multiple languages launched around\r\nthis same time; an example of the German campaign is shown below.\r\nThe subject of this particular campaign appears to focus on income tax returns. However, the body of the email is\r\nmaking references to an attachment of unpaid bills and threatens the recipient with legal action if payment is not\r\nremitted. 
The actors also took advantage of the fact that \"Faktura\" translates to billing in German, as opposed to\r\ninvoices in Polish.\r\nAfter a couple more weeks, around mid-November, the actors began to re-implement some of the non-existent\r\ndomain checking, an example of which is shown below.\r\nIn this particular instance, the actors would craft an HTTP request to http://someserver/folder/file[.]pdf and\r\nimplement a loop if an HTTP/200 is found. A few days later, the actors shifted again and moved from using hard-coded IP addresses to leveraging domains for the initial C2 communication.\r\nEnd of November overhaul\r\nThe campaign at the end of November brought a full re-work of the VBScript implementing\r\nseveral improvements. The first change is that the VBScript begins by creating a file system\r\nobject, which allows the actors to start reading and writing files to disk.\r\nThe script initiates the function below, which immediately makes use of the file system objects.\r\nThe WriteFile and readFile functions are shown below and allow a file to be written to the system and read back\r\nby the script. Note there are a few seconds of sleep between these calls.\r\nThe WriteFile function specifically creates a file in the temporary folder and then writes the ASCII text \"test\" to\r\nthe file with reference to vbCrLf; this is a remnant of the early days of VBScripting and will return the value \"\\r\\n\",\r\neffectively creating a new line. The readFile function then reads the line containing \"test\" and stores it in a\r\nvariable strLine for usage later.\r\nThe actors then referenced what is effectively a sleep function and then called the function HttpsSend. This is\r\nwhere some of the significant changes occurred in the C2 communication. 
Below is that HttpsSend function.\r\nThere are a couple of critical changes here to note. First, the adversaries have moved to HTTPS traffic and are\r\nutilizing a domain instead of a hard-coded IP. Additionally, the type of request has changed from a GET to a\r\nPOST. After the request is made, the response is stored and eventually makes its way into an array. At this point,\r\nanother quick sleep of 10 seconds is implemented before another function, Emulator, is called, which is shown\r\nbelow.\r\nThe Emulator function is checking to ensure that the file that was created and written earlier in the script worked\r\nand the stored line that was read from the file has a value of \"test.\" If the file has the expected contents, then the\r\nscript will execute whatever command was sent by the C2 server queried above and stored into the array\r\n\"ArrAddMyArray.\" Going back to the primary function, you can see this is done in a while loop that would allow\r\nfor repeated requests and execution, providing a simple framework for some level of additional infection.\r\nAll of the various campaigns that have been described in this section were of moderate volume and ceased toward\r\nthe end of November. The actor and loader would remain quiet for all of December and most of January. However,\r\nin late January and early February that changed.\r\nCurrent Campaigns\r\nA new spam campaign kicked off in late January delivering malicious RAR files\r\ncontaining a Visual Basic script (.vbs). At the time, the majority of the spam\r\nmessages were in Polish and appeared to be targeting Polish users. All of the\r\nfilenames and subjects were centered on invoices, commonly using \"Faktura\" or\r\nsome similar term. 
This campaign began with primarily Polish-based emails, as is\r\ntypical for this loader, an example of which is shown below.\r\nThis follows the standard template we've come to expect from Brushaloader campaigns, themed around \"Faktura,\"\r\nin Polish, and with an attached RAR file containing the malicious VBScript file. One other interesting aspect of\r\nthis campaign was the presence of multiple other languages in the campaign. Most notably, we identified\r\nadditional Italian language spam messages as well, an example of which can be found below.\r\nThere are a couple of subtle differences in the Italian language version. Specifically, they use \"Fattura\" instead of\r\n\"Faktura,\" largely because \"Fattura\" is the word for \"invoices\" in Italian. The basic template is the same and\r\ncontains an invoice-themed RAR file containing a malicious VBS file.\r\nAs far as the attachments are concerned, there have been a couple of additional improvements from the previous\r\nversion in late November, but the overall functionality is primarily the same.\r\nOne of the most significant changes in this campaign was the move toward PowerShell and away from wscript,\r\nwhich was previously used to execute commands, gather system information, and provide additional payloads.\r\nAdditionally, this campaign was on a scale we previously hadn't seen from Brushaloader and could be an indicator\r\nthat the loader may be ready for more widespread distribution, with the potential to reach outside of just Europe.\r\nThe full detail of the new functionality will be covered in a later section of the blog, providing a deeper dive into\r\nthe HTTPS C2 communications that occurred.\r\nThis campaign ended the first week of February and the activity has been mostly dark since then. 
Over the last\r\nhalf year, Brushaloader has gone from a new VBScript-based loader with some basic evasion techniques to an\r\nincreasingly advanced and increasingly distributed threat. The timeline below illustrates how aggressive the\r\ndevelopment of Brushaloader has been. If the past is any indication, Brushaloader will be an interesting threat to\r\nfollow going forward.\r\nEvasion/anti-analysis techniques\r\nIn many corporate networks, files that are introduced into the environment are\r\nautomatically submitted to automated analysis platforms, such as sandboxes, that\r\nwill execute the file and observe system activity to determine if the file is malicious\r\nor benign before allowing the file to be transmitted to the system for which it was\r\ninitially destined. Threat actors are aware of these security controls and often\r\nemploy creative mechanisms for bypassing them. In most cases, these mechanisms\r\nare designed to minimize the amount of malicious file activity so that automated\r\nanalysis platforms do not detect the file as malicious and allow it to be transmitted\r\nfurther into the network environment.\r\nSome techniques include the use of sleep() timers that will cause the malware to wait for a predefined period\r\nbefore resuming malicious execution. In other cases, malware distributors might leverage password-protected\r\nemail attachments that require the user to input information prior to opening the attachment. These techniques are\r\noften successful, as many automated detection and analysis platforms are not designed to interact with sample\r\nsubmissions in these ways and as a result are not able to properly initiate the infection process. 
Brushaloader is no\r\ndifferent, and we have recently observed multiple techniques being leveraged to maximize the success rate of\r\nBrushaloader infections.\r\nUser interaction\r\nOne of the changes we have observed over the past couple of months of Brushaloader campaigns\r\nis the use of malware downloaders that require user interaction before the execution of malicious\r\nbehavior on infected systems. Attackers will often make use of infection processes that require\r\nuser interaction as a way to bypass automated analysis platforms such as sandboxes.\r\nIn the case of Brushaloader, the malicious emails contain RAR archives. The RAR archives typically contain a\r\nVBScript (VBS) that is responsible for making an HTTP request to an attacker-controlled distribution server to\r\ndownload a malicious PE32 executable. The VBScript calls a dialog box that prints various characters of the\r\nFibonacci sequence:\r\nBy default, when the VBS is executed, the following dialog box is presented on the system.\r\nThe downloader functionality present within the VBS file does not activate until the OK button is selected. This\r\nrequirement for user interaction could cause issues in many automated analysis platforms that are not configured\r\nto handle this sort of requirement properly. This approach often results in significantly lower detection rates\r\ncompared to the downloaders used by most commodity malware distributors.\r\nFake domains\r\nThe downloader scripts leveraged in various Brushaloader campaigns have also made use of\r\ninvalid domains as a way to determine whether or not the downloader is executed in an analysis\r\nenvironment where network simulation is occurring. In many malware analysis environments,\r\nnetwork simulation is used to allow analysts to interact with malware samples even when\r\nresources that the malware requests are not available. 
This is especially helpful when C2\r\ninfrastructure is no longer available, or when analysis is occurring in an environment that lacks\r\ninternet connectivity. There are several utilities available that provide this functionality — two of\r\nthe most commonly used are inetsim and FakeNet-NG.\r\nIn the case of Brushaloader, they even went so far as to use non-existent TLDs like\r\nwww[.]weryoseruisasds[.]oedsdenlinsedrwersa, or just bare hostnames like someserver, instead of legitimate domains.\r\nObviously, neither of these should resolve, and it makes for a simple test to determine if this network\r\nsimulation is in use. In some ways, this technique could also be used to aid in the detection of potentially\r\ncompromised hosts and provides another reason why logging DNS resolutions can be an invaluable tool for\r\nanalysts and security teams.\r\nLoader functionality\r\nOnce the initial infection process starts, the previously described multi-stage VBS\r\nexecution begins. The infected system makes an HTTP POST request to the C2\r\ninfrastructure. The scripting engine then executes the response to the HTTP POST\r\nrequest. This loop is delayed by the server sending WScript.Sleep commands.\r\nThe first stage VBS is responsible for the execution of the following encoded PowerShell command:\r\nThis encoded PowerShell is executed three times and decodes to:\r\nThis results in an HTTP request to the C2 infrastructure and an additional set of PowerShell commands to be\r\nretrieved and executed.\r\nThis PowerShell, once decoded, looks like this:\r\nThis code is responsible for establishing a remote, interactive session with the infected system that is then used to\r\nexecute commands on the infected system and retrieve the command output. 
At this point, the script loops, waiting for\r\nany additional command execution sent from the C2 infrastructure. This communications channel is also used to\r\nfacilitate the retrieval and execution of various PowerShell commands that are responsible for gathering and\r\ntransmitting information about the system.\r\nThe above PowerShell is passed to IEX and executed, with the results transmitted back to the C2 server:\r\nAs can be seen in the screenshot above, the loader attempts to enumerate the following information about systems\r\nbeing infected:\r\nProcessorId\r\nWindows operating system version\r\nCurrently logged in Username\r\nInstalled Antivirus Products\r\nSystem Make/Manufacturer\r\nPowerShell version\r\nIP address information\r\nAvailable memory\r\nCurrent Working Directory\r\nSystem Installation Date/Time\r\nDisplay Adapter Information\r\nAll of this information can then be used to determine whether to infect the\r\nsystem with additional malware payloads, or what modules should be delivered to the system in the case of\r\na modular malware framework, such as Danabot. 
In the infections that we observed, this was the final\r\npayload delivered to infected systems.\r\nThe PowerShell process running on the infected system also achieves persistence by creating a Windows shortcut\r\n(LNK) which is added to the Startup directory on the system:\r\nThe LNK shortcut contains PowerShell, which is responsible for querying the contents of a registry key for\r\nadditional commands to execute each time the system is rebooted.\r\nThis registry location contains the following PowerShell:\r\nThe above Base64-encoded PowerShell decodes to:\r\nThis causes the malware to reach out to the C2 server via HTTPS, likely to retrieve any available commands that\r\nthe C2 sends to execute in the future.\r\nCampaign distribution over time\r\nCisco Talos has been monitoring malware distribution campaigns associated with\r\nBrushaloader since mid-2018. Historically, these campaigns have been relatively\r\nlow volume compared to other commodity malware distribution campaign activity,\r\nsuch as Emotet. In most of the cases we analyzed, the majority of the distribution\r\nactivity occurred towards the end of each month. This recently changed — we\r\nhave observed a significant increase in the volume and duration of the malspam\r\ncampaigns.\r\nBelow is a graph showing current distribution activity when compared to the volume seen in campaigns observed\r\nthroughout most of 2018.\r\nIn addition to changes in the volume with which distribution activity is occurring, we have also observed changes\r\nin the demographic data associated with the intended recipients of malicious emails. 
Initially, these campaigns\r\nappear to have used relatively narrow targeting, with the majority of the emails tailored toward recipients in\r\nPoland; we have observed newer campaigns branching out to target recipients in Germany, Italy, and other\r\ncountries as well.\r\nConclusion\r\nThe threat landscape is ever changing — this is true for both the malware and the\r\nmechanisms to deliver the malware, like Brushaloader. This blog outlines yet\r\nanother key example of how these loaders are changing and evolving constantly.\r\nThe things that make Brushaloader stand out are how quickly threat actors\r\nevolved the loader, indicating it is actively in development. Additionally, it's\r\ninteresting to note that after the long break over December and most of January,\r\nthe loader has exploded onto the scene, going from small-scale campaigns\r\ntargeting exclusively Polish users to branching out in both scale and the countries\r\nbeing targeted. It's not common to see region-specific usage of loaders, as\r\nBrushaloader does.\r\nThis is also a key example of the levels of obfuscation and sophistication these loaders can possess. This simple\r\nVBS-based campaign implemented several clever evasion and obfuscation techniques in a minimal amount of\r\ncode, showing that adversaries will continue to think outside the box and develop novel ways to deliver threats to\r\nusers. This is why users need organizations with visibility around the world, since it's just a matter of time until\r\nthis successful loader starts being sought out by other attackers looking to deliver threats. 
We will continue to\r\nmonitor this threat and the payloads it provides and will continue to be vigilant in protecting our customers from\r\nany evolutions that will inevitably occur.\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed\r\nbelow.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious\r\nwebsites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention\r\nSystem (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nIndicators of Compromise\r\nThe following Indicators of Compromise (IOCs) have been observed as being\r\nassociated with various campaigns leveraging Brushaloader to install malware on\r\nsystems.\r\n(Thank you to Kafeine for sharing additional sample data.)\r\nMalicious Attachments\r\nThe following IOCs are associated with the malicious attachments observed as part of malicious\r\nspam campaigns.\r\nRAR Files\r\nA list of hashes associated with the malicious RAR archives can be found here.\r\nVBS Files\r\nA list of hashes associated with malicious VBS files can be found 
here.\r\nDomains\r\nIP Addresses\r\nFake Domains (Sandbox Evasion)\r\nSource: https://blog.talosintelligence.com/2019/02/combing-through-brushaloader.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2019/02/combing-through-brushaloader.html"
	],
	"report_names": [
		"combing-through-brushaloader.html"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434337,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/00e98c5e4aba4d027fcbdd7d1244f8f1c9a6556e.pdf",
		"text": "https://archive.orkl.eu/00e98c5e4aba4d027fcbdd7d1244f8f1c9a6556e.txt",
		"img": "https://archive.orkl.eu/00e98c5e4aba4d027fcbdd7d1244f8f1c9a6556e.jpg"
	}
}