{
	"id": "21ac9d7a-ddf4-4cde-b7b1-b3db0e3abdb1",
	"created_at": "2026-04-06T01:30:08.331053Z",
	"updated_at": "2026-04-10T13:11:51.272356Z",
	"deleted_at": null,
	"sha1_hash": "2c84786d03a17afeb8e76ba55449ad285045ba8c",
	"title": "Ongoing Social Engineering Campaign Refreshes Payloads",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2048658,
	"plain_text": "Ongoing Social Engineering Campaign Refreshes Payloads\r\nBy Tyler McGraw\r\nPublished: 2024-08-12 · Archived: 2026-04-06 01:25:53 UTC\r\nExecutive Summary\r\nOn June 20, 2024, Rapid7 identified multiple intrusion attempts by threat actors utilizing techniques, tactics, and procedures\r\n(TTPs) that are consistent with an ongoing social engineering campaign being tracked by Rapid7. Rapid7 observed a\r\nmeaningful shift in the tools used by the threat actors during the investigations of these recent incidents. For more\r\ninformation about the social engineering strategies and tools that have been used, please refer to the previous blog.\r\nOverview\r\nThe initial lure being utilized by the threat actors remains the same: an email bomb followed by an attempt to call impacted\r\nusers and offer a fake solution. In the recent cases handled by Rapid7, external calls were typically made to the impacted\r\nusers via Microsoft Teams. Once on the phone, the threat actor would convince the user to download and install AnyDesk, a\r\npopular remote access tool that allows the threat actor to take control of the user’s computer. Threat actors typically use this\r\nconnection to upload and execute payloads on the user’s system as well as to exfiltrate stolen data, during the initial stages\r\nof the attack. 
Rapid7 did not observe attempts to use Microsoft’s Quick Assist in recent cases, a feature that previously\r\nfacilitated numerous intrusions in cases handled by Rapid7.\r\nWhere threat actors previously ran a credential harvesting batch script, which typically utilized several native Windows\r\nbinaries, Rapid7 has now observed the usage of the 32-bit .NET executable AntiSpam.exe.\r\nDuring execution, AntiSpam.exe will pretend to download email spam filters and then prompt the user to enter their\r\ncredentials into a pop-up window.\r\nhttps://www.rapid7.com/blog/post/2024/08/12/ongoing-social-engineering-campaign-refreshes-payloads/\r\nPage 1 of 17\n\nThe executable is presented as a spam filter updater for consistency with the initial social engineering lure, where the threat\r\nactor has already spammed the user with benign emails. The credentials entered into the prompt are saved to disk after\r\nvalidation along with system enumeration information. If incorrect credentials are entered by the user, they are also logged to\r\ndisk, but the user will be prompted to try again until they are successful.\r\nFollowing the execution of the credential harvester, threat actors also executed a series of binaries and PowerShell scripts to\r\nattempt to establish a connection with the threat actor’s command and control (C2) servers. 
Rapid7 has observed follow-on\r\npayloads with the following names, which all stay consistent with the social engineering lure to avoid suspicion:\r\nPayload name\r\nupdate1.exe\r\nupdate4.exe\r\nupdate6.exe\r\nupdate7.exe\r\nupdate8.exe\r\nupdate2.dll\r\nupdate5.dll\r\nupdate7.ps1\r\nThese payloads include: SystemBC malware, which acts as a dropper and socks proxy; Golang HTTP beacons, which seem\r\nto serve as a C2 framework; socks proxy beacons, which can route connections; and a Beacon Object File (BOF) that was\r\nconverted from a Cobalt Strike module to a standalone executable.\r\nOf special note, once executed, the payload update6.exe will attempt to exploit CVE-2022-26923 to add a machine account\r\n(functionality that is publicly available as a BOF), which can then be used by a threat actor for Kerberoasting. This\r\ntechnique was observed in multiple cases handled by Rapid7, where it was used as a means of privilege escalation if there\r\nwere vulnerable domain controllers within the impacted environment.\r\nIn addition to these secondary payloads, Rapid7 has observed usage of reverse SSH tunnels and the Level Remote\r\nMonitoring and Management (RMM) tool to facilitate lateral movement and retain access within compromised\r\nenvironments.\r\nTechnical analysis\r\nTo gain a better understanding of the actions performed by the secondary payloads, we will analyze several of the payloads\r\nin more depth. Rapid7 determined that many of the compiled payloads recently observed have been signed with the same\r\ncertificate, which is associated with the thumbprint B55DAD8DA97FA6AF0272102ED0E55E76E753FD04.\r\nA second signature was identified that corresponds to a second batch of similar payloads (~8 files), though subsequent\r\nanalysis will be limited to those signed with the thumbprint previously mentioned (~11 files). 
More information on these\r\nsignatures is available in the Indicators of Compromise section.\r\nAntiSpam.exe\r\nAlthough the credential harvester has been re-written as a .NET application, AntiSpam.exe, originally named update3.exe,\r\nstill allocates a console window via AllocConsole to display messages to the user. The “filter updates” that the program\r\npretends to download are the result of a simple loop that prints the same message 1023 times to the console window, with\r\nonly the iteration number changing.\r\nOnce the fake loop is completed, the program initializes a window that prompts the user to enter their credentials to\r\ncomplete the update. The username field in the window is automatically populated with the current user’s domain and\r\nusername. When the user enters their password, their credentials are validated using the ValidateCredentials method.\r\nThe first time the user enters their credentials, AntiSpam.exe will spawn three enumeration commands via cmd.exe:\r\nsysteminfo, route print, and ipconfig /all. The output of these commands is saved to a file at %TEMP%\\qwertyuio.txt, a\r\nfilename that results from simply running your finger across the top alphabetical row on a QWERTY keyboard.\r\nAs seen above, there are several versions of AntiSpam.exe that contain functionality to write a list of usernames to\r\n%TEMP%\\qwertyuio.txt, though a complete implementation was only observed in the most recent version (other versions\r\nonly write a single new-line as the array is empty). The full implementation uses a WMI query for Win32_UserAccount to\r\npopulate a username list. The changes across versions of the malware also indicate that development of the tool was actively\r\nin progress at the time of distribution. 
In what appears to be the most complete version, the username of the current user is\r\nalso displayed without their domain, a format that is likely more familiar to targets of the social engineering (and thus, less\r\nsuspicious).\r\nIf the user enters the wrong password, the oldest version of AntiSpam.exe will still log their credentials to the file at\r\n%TEMP%\\qwertyuio.txt, and present the prompt again for the user to retry until they are successful. This approach was\r\nlikely used as a fail-safe method to at least inform some future password guesses by the threat actor if the user grows\r\nsuspicious or gives up before successfully validating their password. Newer versions have had this functionality removed.\r\nOnce valid credentials are entered, all versions will display a success message for the fake update in a pop-up window and\r\nexit after appending the credentials to the end of %TEMP%\\qwertyuio.txt.\r\nupdatex.exe\r\nThe typical next step for threat actors after collecting environment information and the user’s credentials is to run a series of\r\nexecutables, where each filename typically begins with update and ends with a number. Like AntiSpam.exe, all of these\r\nexecutables have been signed by the same certificate, although they each have different functions. Many of the malware\r\npayloads also appear to be inserted into the original contents of the legitimate program they are pretending to be, which can\r\nbe identified based on the included metadata of the executable.\r\nupdate1.exe\r\nThe file update1.exe presents itself as an installer for Yandex Disk, a cloud storage and file sharing service created by\r\nYandex. Instead, the payload will load, decrypt (XOR key: 58 4C 4B 61 58 55 71 4F 58 4A 45 36 4A 34 75 57 66 65 2A 35 45 24 3F 75 55 4C 00), and execute a second executable from an embedded resource, via local PE injection. 
Local PE\r\ninjection is the process by which a portable executable (PE) file can be executed in the virtual memory of a process without\r\nusing the Windows loader to read it from disk, though the process must then perform the functions of the Windows loader\r\ninstead.\r\nThe second stage executable appears to be a beacon, where the implant will reach out to a C2 server using a Golang HTTP\r\nclient request with the following format:\r\nhxxp://xx.xx.xx[.]xx:xxxxxx/api/helper-first-register?buildVersion=\u003cbuild_version\u003e\u0026md5=\u003cmd5_hash\u003e\u0026proxyPassword=\u003cproxy_password\u003e\u0026proxyUsername=\u003cproxy_username\u003e\u0026userId=\u003cuser_id\u003e\r\nStrings embedded within the executable suggest that the server contacted likely functions as a socks proxy:\r\nGolang Payload Interesting Strings\r\nmain.(*S_gCuh3yYV).ConnectForSocks\r\nmain.(*HtinANA).GetAvailableRelayServer\r\nOther observed executable payloads that have similar functionality include update2.dll, which is a fake AMD DirectX\r\ndriver library that also loads a second stage executable payload, via local PE injection. The second stage payload, once\r\nexecuted, will also reach out to several C2 addresses using a Golang HTTP library. 
The file update2.dll was compiled using\r\nan obfuscation framework that hinders analysis by obfuscating the control flow of the program, for example, by replacing\r\nassembly instructions with unnecessarily complex substitutes and inserting a large number of jumps between instructions.\r\nUnlike several of the other payloads, update2.dll uses a custom decryption loop and a custom decompression loop to extract\r\nthe second stage payload before execution.\r\nThe custom decryption loop uses two hard-coded single-byte values as keys for decryption. The first byte is used for byte\r\noperations within the loop (stored in register bl) and the second is used as an operand within the final rotate left instruction.\r\nOtherwise, the decryption/decompression algorithms are the same as those seen within two other analyzed payloads:\r\nupdate7.exe and lu2.exe.\r\nupdate4.exe\r\nThe metadata for update4.exe presents the file as a copy of APEX Scan, an anti-virus scanner created by Trend Micro. The\r\nlegitimate functionality of the original program has not been removed. Instead, the threat actor has added malicious code\r\nahead of the legitimate entry point.\r\nWhen update4.exe is executed, it will ultimately load, decrypt, and execute shellcode. The shellcode will then reach out to\r\nthe C2 IPv4 address 91.196.70[.]160:443 and serve as a socks proxy between 91.196.70[.]160 and other IPv4 addresses that\r\ncan be specified by the threat actor.\r\nAs seen above, the malware uses Windows Native API calls (NTAPI) to ZwAllocateVirtualMemory and NtVirtualProtect to\r\nfacilitate execution of the shellcode. 
Malware developers use lower-level calls to the NTAPI (for which official\r\nMicrosoft documentation is limited) for multiple reasons, including the evasion of security solutions whose detections are based on\r\nhigh-level API calls.\r\nIn this case, the virtual memory permissions are set to PAGE_EXECUTE_READWRITE due to the call to NtVirtualProtect\r\npassing 0x40 for the new protection value. Most virtual memory pages do not typically possess all three permissions at the\r\nsame time, so this is a very obvious indicator that the executable is performing suspicious actions, one that is present in\r\nseveral of the other payloads as well. If errors are encountered during the setup process, a function call is made to an invalid\r\naddress, causing the process to crash due to an access violation exception rather than exiting gracefully.\r\nBefore being executed, the shellcode is decrypted with a simple XOR loop and the key \u003ci1GiPEQ?V56^uh!m\u003ciUZF!yW?.\r\nHowever, this password is only 26 characters long and we can see that the XOR loop uses a key with 27 characters. As a\r\nresult, the full XOR key includes the string-terminating null byte as part of the key. Is this intentional, or is it an off-by-one\r\nerror? Based on analysis across other payloads, this type of loop has been implemented multiple times, so it could be an\r\nattempt to impede recovery of the XOR key, even if only briefly.\r\nAfter being executed, the shellcode will dynamically resolve key WINAPI libraries and functions using plaintext stack\r\nstrings, which stands in contrast to how the shellcode itself is loaded - with NTAPI calls. 
The functions that are dynamically\r\nresolved by the shellcode are as follows:\r\nWINAPI Functions Resolved By Shellcode\r\nws2_32.dll\r\n---------------\r\nWSAStartup\r\nsocket\r\nconnect\r\nsend\r\nrecv\r\nWSAGetLastError\r\nWSAEventSelect\r\nclosesocket\r\nshutdown\r\nhtons\r\nntohs\r\ninet_addr\r\n--------------\r\nkernel32.dll\r\n----------------\r\nLoadLibraryA\r\nGetProcAddress\r\nCreateEventA\r\nVirtualAlloc\r\nVirtualFree\r\nCreateThread\r\nWaitForMultipleObjects\r\nGetComputerNameExA\r\nSleep\r\nAfter resolving the necessary functions, the shellcode will send two sequences of null bytes (16 null bytes then 4, after\r\nconnecting) to 91.196.70[.]160 and then wait in an infinite loop, without pausing, for a response.\r\nFor each 16-byte response received by the shellcode from the socks server, it will create a new thread that establishes a\r\nconnection between the socks server, 91.196.70[.]160, and another destination specified by the socks server, by exchanging\r\ndata sent between two sockets.\r\nThe destination to route data to can be specified by the socks server as either an IPv4 address or domain, as the destination is\r\nparsed as a SOCKS5 address structure. 
So, in effect, the payload update4.exe serves as a socks proxy during execution.\r\nThe same functionality (i.e., a socks proxy) is also present in the PowerShell script update7.ps1 with very similar logic and\r\nimplementation, and is also hard-coded to reach out to the socks server 91.196.70[.]160.\r\nA nearly identical process is also used within the executable update5.dll, which the metadata presents as “BitDefender\r\nLoger”, although the export LogSetMode has been patched to jump to a malicious function when called.\r\nThe XOR key used to decrypt the shellcode is instead the 18-byte string 69 3C 4C 39 48 24 36 61 28 78 3E 45 55 44 69 48 26 00. The hard-coded socks server embedded within the shellcode is still 91.196.70[.]160, and the functionality of the\r\nshellcode in update5.dll is essentially the same as update4.exe (socks proxy).\r\nupdate6.exe\r\nWhen executed, update6.exe will attempt to exploit CVE-2022-26923 to add a machine account if the domain controller\r\nused within the environment is vulnerable. The debugging symbols database path has been left intact and indicates this:\r\nC:\\Users\\lfkmf\\source\\repos\\AddMachineAccount\\x64\\Release\\AddMachineAccount.pdb. The original source code was\r\nlikely copied from the publicly available Cobalt Strike module created by Outflank.\r\nHowever, the original code was intended to function as a BOF: a payload that could be downloaded directly into memory\r\nand executed. For this sample it has instead been compiled into an unsigned standalone executable. 
While the functionality\r\nof the public repository and update6.exe is nearly identical, instead of randomly generating a machine account\r\nusername and password at runtime, the payload has hard-coded credentials of username SRVVSSKL and password\r\nGCmtHzw8uI$JnJB.\r\nupdate7.exe\r\nThe samples update7.exe and update8.exe both contain SystemBC malware. SystemBC was first documented back in 2019\r\nby Proofpoint and primarily functions as a socks proxy and dropper for other payloads. The configuration for both malware\r\npayloads, initially encrypted, has been extracted below.\r\nupdate7.exe\r\nOriginal filename: KLDW.exe\r\nSystemBC config: HOST1:halagifts[.]com,HOST2:217.15.175[.]191,PORT1:443\r\nThe control flow of update7.exe has been obfuscated to hinder analysis, in a way similar to update2.dll. During execution,\r\nupdate7.exe also utilizes the same custom decryption/decompression loops (with different keys) to decrypt/decompress an\r\nembedded SystemBC payload, which is then executed via local PE injection.\r\nupdate8.exe\r\nOriginal filename: YandexDiskSetup.exe\r\nStage 2 XOR key (encrypted resource): 75 62 31 3c 49 6f 3f 73 79 2b 66 6f 6f 38 21 67 24 6f 70 5a 34 00\r\nSystemBC config: HOST1:halagifts[.]com,HOST2:217.15.175[.]191,PORT1:443\r\nThe SystemBC payload within update8.exe is retrieved from an encrypted resource at runtime and injected into a child\r\nprocess with the same name. 
As the original SystemBC PE file has been stored encrypted only with an XOR key, the\r\nXOR key is leaked within the encrypted data as a result of encrypting the null bytes that serve as padding between PE\r\nsections.\r\nMitigation guidance\r\nRapid7 recommends baselining your environment for all installed remote monitoring and management solutions and\r\nutilizing application allowlisting solutions, such as AppLocker or Microsoft Defender Application Control, to block all\r\nunapproved RMM solutions from executing within the environment. For example, the Quick Assist tool, quickassist.exe, can\r\nbe blocked from execution via AppLocker. As an additional precaution, Rapid7 recommends blocking domains associated\r\nwith all unapproved RMM solutions. A public GitHub repo containing a catalog of RMM solutions, their binary names, and\r\nassociated domains can be found here.\r\nRapid7 recommends ensuring users are aware of established IT channels and communication methods to identify and\r\nprevent common social engineering attacks. We also recommend ensuring users are empowered to report suspicious phone\r\ncalls and texts purporting to be from internal IT staff.\r\nRapid7 recommends regularly updating software used within the organization to prevent the exploitation of known software\r\nvulnerabilities. A patch was released for CVE-2022-26923 in May of 2022 that can prevent vulnerable domain controllers\r\nfrom being exploited for privilege escalation.\r\nMany of the C2 addresses identified within the malware payloads from this threat actor can be attributed to low-cost server\r\nhosting providers (e.g., VDSINA, ASNs: AS48282, AS216071). 
If access to low-cost VPN/VPS/VDS services is not\r\nnecessary for business purposes within the environment, then they should be blocked to limit risk.\r\nRapid7 Customers\r\nInsightIDR, Managed Detection and Response, and Managed Threat Complete customers have existing detection coverage\r\nthrough Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight agent on all applicable hosts\r\nto ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that\r\nare deployed and will alert on behavior related to this activity:\r\nDetections\r\nAttacker Technique - Enumerating Domain Or Enterprise Admins With Net Command\r\nAttacker Technique - NTDS File Access\r\nSuspicious Process - Diskshadow (Windows Server) Delete Shadow Copies\r\nCredential Access - Steal or Forge Kerberos tickets\r\nAttacker Technique - Gathering System Information with SystemInfo, Route and Ipconfig Commands\r\nAttacker Technique - Renamed Kaspersky Dump Writer\r\nRansomware - Possible Black Basta Related Binary Execution\r\nNon-Approved Application - Remote Management and Monitoring (RMM) Tools\r\nMITRE ATT\u0026CK Techniques\r\nTactic | Technique | Procedure\r\nResource Development | T1587.001: Develop Capabilities: Malware | The threat actor is actively developing new malware to distribute.\r\nImpact | T1498: Network Denial of Service | The threat actor overwhelms email protection solutions with spam.\r\nInitial Access | T1566.004: Phishing: Spearphishing Voice | The threat actor calls impacted users and pretends to be a member of their organization’s IT team to gain remote access.\r\nExecution | T1059.001: Command and Scripting Interpreter: PowerShell | The threat actor executes a socks proxy PowerShell script.\r\nDefense Evasion | T1140: Deobfuscate/Decode Files or Information | The threat actor encrypts zip archive payloads with a password.\r\nDefense Evasion | T1055.002: Process Injection: Portable Executable Injection | Multiple payloads executed by the threat actor utilize local PE injection.\r\nDefense Evasion | T1620: Reflective Code Loading | Multiple payloads executed by the threat actor load and execute shellcode.\r\nDefense Evasion | Subvert Trust Controls: Code Signing | The threat actor has signed many of their payloads to make them appear legitimate.\r\nPrivilege Escalation | T1068: Exploitation for Privilege Escalation | The threat actor attempts to exploit CVE-2022-26923 to create a machine account.\r\nCredential Access | T1056.001: Input Capture: Keylogging | The threat actor runs an executable that harvests the user’s credentials.\r\nCredential Access | T1558.003: Steal or Forge Kerberos Tickets: Kerberoasting | The threat actor requests a large volume of Kerberos service tickets once privileges have been escalated.\r\nDiscovery | T1033: System Owner/User Discovery | The threat actor enumerates users within the environment.\r\nLateral Movement | T1570: Lateral Tool Transfer | Anydesk was used to move payloads onto compromised systems.\r\nCommand and Control | T1572: Protocol Tunneling | SSH reverse tunnels were used to provide the threat actor with remote access.\r\nCommand and Control | T1219: Remote Access Software | The threat actor has used Anydesk to gain initial access and Level to move laterally.\r\nIndicators of Compromise\r\nNetwork Based Indicators (NBIs)\r\nDomain/IPv4 Address | Notes\r\nspamicrosoft[.]com | Used to make external Microsoft Teams calls after email bombing users.\r\n37.221.126[.]202 | C2 address used by the threat actor to connect via Anydesk.\r\n91.196.70[.]160 | Socks proxy 
server.\r\nhalagifts[.]com | SystemBC C2 domain\r\n217.15.175[.]191 | SystemBC C2 IP address\r\npreservedmoment[.]com | Cobalt Strike domain\r\n45.155.249[.]97 | Cobalt Strike C2 IP address\r\n77.238.224[.]56 | C2 address.\r\n77.238.229[.]63 | C2 address.\r\n77.238.250[.]123 | C2 address.\r\n77.238.245[.]233 | C2 address.\r\n91.142.74[.]28 | C2 address.\r\n191.142.74[.]28 | C2 address.\r\n195.2.70[.]38 | C2 address.\r\nfalseaudiencekd[.]shop | Lumma C2 domain\r\nfeighminoritsjda[.]shop | Lumma C2 domain\r\njustifycanddidatewd[.]shop | Lumma C2 domain\r\nmarathonbeedksow[.]shop | Lumma C2 domain\r\npleasurenarrowsdla[.]shop | Lumma C2 domain\r\nraiseboltskdlwpow[.]shop | Lumma C2 domain\r\nrichardflorespoew[.]shop | Lumma C2 domain\r\nstrwawrunnygjwu[.]shop | Lumma C2 domain\r\nHost Based Indicators (HBIs)\r\nFile | SHA256 | Notes\r\nAntiSpam.exe | ed062c189419bca7d8c816bcdb1a150c7ca7dd1ad6e30e1f46fae0c10ab062ef | Credential harvester version 1.\r\nAntiSpam.exe | d512bf205fb9d1c429a7f11f3b720c74680ea88b62dda83372be8f0de1073a08 | Credential harvester version 2.\r\nAntiSpam.exe | dc5c9310a2e6297caa4304002cdfb6fbf7d6384ddbd58574f77a411f936fab0b | Credential harvester version 3.\r\nupdate1.exe | 24b6ddd3028c28d0a13da0354333d19cbc8fd12d4351f083c8cb3a93ec3ae793 | Original filename: YandexDiskSetup.exe\r\nupdate4.exe | 9c1e0c8c5b9b9fe9d0aa533fb7d9d1b57db98fd70c4f66a26a3ed9e06ac132a7 | Original filename: APEXScan.exe. Socks proxy.\r\nupdate6.exe | ac22ab152ed2e4e7b4cd1fc3025b58cbcd8d3d3ae3dbc447223dd4eabb17c45c | Used to attempt exploitation of CVE-2022-26923 for privilege escalation\r\nupdate7.exe | ab1f101f6cd7c0cffc65df720b92bc8272f82a1e13f207dff21caaff7675029f | Original filename: KLDW.exe. SystemBC malware\r\nupdate8.exe | 9ED2B4D88B263F5078003EF35654ED5C205AC2F2C0E9225D4CDB4C24A5EA9AF2 | Original filename: YandexDiskSetup.exe. SystemBC malware\r\nupdate2.dll | ab3daec39332ddeeba64a2f1916e6336a36ffcc751554954511121bd699b0caa | Original filename: atiumdag.dll\r\nupdate5.dll | 7d96ec8b72015515c4e0b5a1ae6c799801cf7b86861ade0298a372c7ced5fd93 | Original filename: Log.dll. Socks proxy.\r\nupdate7.ps1 | 9dc809b2e5fbf38fa01530609ca7b608e2e61bd713145f84cf22c68809aec372 | Socks proxy script.\r\nAntiSpam.exe | fb4fa180a0eee68c06c85e1e755f423a64aa92a3ec6cf76912606ac253973506 | Not analyzed in this blog, likely cred harvester.\r\nAntiSpam.exe | fcf59559731574c845e42cd414359067e73fca108878af3ace99df779d48cbc3 | Not analyzed in this blog, likely cred harvester.\r\nupdate5.dll | 949faad2c2401eb854b9c32a6bb6e514ad075e5cbe96154c172f5f6628af43ed | Not analyzed in this blog, likely socks proxy.\r\nupdate2.dll | b92cf617a952f0dd2c011d30d8532d895c0cfbfd9556f7595f5b220e99d14d64 | Not analyzed in this blog, likely Golang HTTP beacon.\r\nAPEXScan.exe | cff5c6694d8925a12ce13a85e969bd468e28313af2fb46797bdcf77092012732 | Not analyzed in this blog, likely socks proxy.\r\nunnamed | cb03b206d63be966ddffa7a2115ea99f9fec50d351dce03dff1240bb073b5b50 | Not analyzed in this blog, likely the same BOF contained within update6.exe.\r\nupdate1.exe | ccaa8c8b39cb4a4de4944200936bcd4796367c16421a89e6a7d5476ae2da78cd | Not analyzed in this blog, likely Golang HTTP beacon.\r\nupdate4.exe | 1ade6a15ebcbe8cb9bda1e232d7e4111b808fd4128e0d5db15bfafafc3ec7b8e | Not analyzed in this blog, likely socks proxy.\r\nlu2.exe | ce1f44a677d9b7d1d62373175f5583d9e8c04e16ebd94656e21aa296e00e93d7 | Original filename: swi_config.exe. Packed copy of Lumma Stealer.\r\nSignatures\r\nRapid7 has observed multiple batches of payloads used by threat actors during incidents, with each payload in a batch all\r\ncontaining the same signature. The usage of signatures on payloads increases the likelihood of evasion by faking legitimacy.\r\nSigner Name | Issuer | Thumbprint | Serial Number | Date Signed\r\nGuizhou Qi'ang Kangyuan Rosa Roxburghii Development Co., Ltd. | SSL.com EV Code Signing Intermediate CA RSA R3 | B55DAD8DA97FA6AF0272102ED0E55E76E753FD04 | 23 D2 CA AE 31 B7 54 60 AC DB D1 B4 2D 6E 77 43 | 2024-06-19 18:37:00 UTC\r\nSTERLING LIMITED | GlobalSign GCC R45 EV CodeSigning CA 2020 | DCB42EF087633803CD17C0CD6C491D522B8A2A2A | 64 82 EA 28 C1 28 78 B4 BC 3A A2 2D | 2024-06-18 15:48:00 UTC\r\nSource: https://www.rapid7.com/blog/post/2024/08/12/ongoing-social-engineering-campaign-refreshes-payloads/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.rapid7.com/blog/post/2024/08/12/ongoing-social-engineering-campaign-refreshes-payloads/"
	],
	"report_names": [
		"ongoing-social-engineering-campaign-refreshes-payloads"
	],
	"threat_actors": [
		{
			"id": "81dde5cc-c29f-430d-8c6e-e5e92d5015e7",
			"created_at": "2022-10-25T16:07:23.704358Z",
			"updated_at": "2026-04-10T02:00:04.718034Z",
			"deleted_at": null,
			"main_name": "Harvester",
			"aliases": [],
			"source_name": "ETDA:Harvester",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Graphon",
				"Metasploit",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439008,
	"ts_updated_at": 1775826711,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2c84786d03a17afeb8e76ba55449ad285045ba8c.pdf",
		"text": "https://archive.orkl.eu/2c84786d03a17afeb8e76ba55449ad285045ba8c.txt",
		"img": "https://archive.orkl.eu/2c84786d03a17afeb8e76ba55449ad285045ba8c.jpg"
	}
}