{
	"id": "eb4f8549-3a6f-4851-b4f2-29e706f67cb9",
	"created_at": "2026-04-06T00:18:22.191955Z",
	"updated_at": "2026-04-10T03:21:45.481773Z",
	"deleted_at": null,
	"sha1_hash": "305c441f2b5b345f574a6d6f2a1c28525216356f",
	"title": "Spectre (SPC) v9 Campaigns and Updates",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 914188,
	"plain_text": "Spectre (SPC) v9 Campaigns and Updates\r\nBy Jason Reaves\r\nPublished: 2024-06-19 · Archived: 2026-04-05 16:11:19 UTC\r\nBy Jason Reaves and Joshua Platt\r\nSpectre RAT was previously discussed a few years ago[1] in an excellent overview by Yoroi, but it has recently\r\nresurfaced in campaigns distributed from livechat-files[.]com[3] using code signing certificates.\r\nOne noteworthy trend with their code signing certificates was their ability to stay undetected for far longer than\r\nin some of the traditional mass spam campaigns, where the certs and AV detections were generally corrected by the\r\nnext day.\r\nThe advert for Spectre RAT v9 confirms that it is primarily designed for targeted attacks:\r\nhttps://medium.com/walmartglobaltech/spectre-spc-v9-campaigns-and-updates-546c2e65e247\r\nPage 1 of 11\n\nCampaign\r\nFirst Submission: 2024-05-29 18:05:16 UTC\r\nCompilation TimeStamp: 2024-05-27 14:30:30 UTC\r\nSHA-256: f90d1716de7244f368a81d2b9d247c2b6213447aee6da606267edceef0cc1377\r\nCode Signing Certificate\r\nName: Xi'an Jiashi Xinnuo Information Technology Co., Ltd.\r\nIssuer: Certum Extended Validation Code Signing 2021 CA\r\nValid From: 2024-05-10 05:35:18\r\nValid To: 2025-05-10 05:35:17\r\nValid Usage: Code Signing\r\nAlgorithm: sha256RSA\r\nThumbprint: C2016ABA9447FCB75B03F158B31EAC7D76262377\r\nThumbprint: MD5 ACD454260943CF6CD1357DF75DB109D0\r\nThumbprint: SHA256 0777CE1ACD929ED7A1DF146BEA6126DAADA3EE564A4D57CAF924B4BEADFC8FB3\r\nSerial Number: 34 1D FC 31 CA 4B DB B1 82 4E 25 4B CD 5B 59 E0\r\nIP: 91.92.240[.]40\r\nDomain: serowakrasolaristic[.]xyz\r\nThe following files were also signed with the same code signing certificate:\r\nFirst Submission: 2024-06-03 16:16:36 UTC\r\nCompilation TimeStamp: 2024-05-27 14:51:43 UTC\r\nSHA-256: 
84499164a4848a100a22361f38d36ddaea66d01d2e68580271692f9a6fc2a570\r\nIP: 91.92.240[.]40\r\nFirst Submission: 2024-06-04 00:28:31 UTC\r\nCompilation TimeStamp: 2024-05-01 16:54:39 UTC\r\nSHA-256: aed440f54dc3f39d5eff26ff4eee34f991750bff7b2b7031260cd2cdd43339dd\r\nUsing the cloud file hosting domain cdn.livechat-files[.]com as a pivot point, we were quickly able to track back\r\nan initial launch date of May 15 2024, with the initial redirect domain being cdn-namecheap[.]com. The file\r\ndetails associated with the first sighting of this campaign are listed below:\r\nFirst Submission: 2024-05-11 03:22:14 UTC\r\nCompilation TimeStamp: 2024-05-01 16:58:45 UTC\r\nSHA-256: 37c495acbd56aa54755e1a69c5f0bd4edfe758c1b627ca8185196378f3314f45\r\nCode Signing Certificate\r\nName: JauiInderte Agiletron Information Technology Co., Ltd.\r\nIssuer: GlobalSign GCC R45 EV CodeSigning CA 2020\r\nValid From: 2024-01-31 01:42:53\r\nValid To: 2025-01-31 01:42:53\r\nValid Usage: Code Signing\r\nAlgorithm: sha256RSA\r\nThumbprint: D0C7D82E733D076804E5DFF6FB93069D2F9CB192\r\nThumbprint: MD5 0BD0D08DAEABFD4B060DD4486EE7A068\r\nThumbprint: SHA256 0846ECB892A26A8804A58C9122FFB7BEA31A47387A2452765B50058890F88ABA\r\nSerial Number: 0C 6D 55 B6 A1 9A C5 AD 30 52 EF 24\r\nThe following files were also signed with the same code signing certificate:\r\nFirst Submission: 2024-05-19 17:24:50 UTC\r\nCompilation TimeStamp: 2024-05-02 18:22:05 UTC\r\nSHA-256: 94827a4ab543972eacee8e610ec94d8469de43fe8dc0302015f1c587b158025d\r\nIP: 91.92.240[.]40\r\nDomain: serowakrasolaristic[.]xyz\r\nFirst Submission: 2024-05-23 17:19:24 UTC\r\nCompilation TimeStamp: 2024-05-14 10:33:22 UTC\r\nSHA-256: 8ce3bc41fb200cf7ba41f6b0d9dc976126dc3a4271a1e3b5725c80f3bd031738\r\nIP: 91.92.255[.]73\r\nDomain: holosymmetryspecscollunbeatable[.]xyz\r\nFirst Submission: 2024-02-03 07:50:41 UTC\r\nCompilation TimeStamp: 1992-06-19 22:22:17 
UTC\r\nSHA-256: 500670f00b1e99426a3f5a49634475b69e3bca76442f7ad6db3b082fd094aecb\r\nIP: 80.79.4[.]144\r\nFirst Submission: 2024-02-05 19:51:53 UTC\r\nCompilation TimeStamp: 1992-06-19 22:22:17 UTC\r\nSHA-256: b79199586df6a084fe73ec610858f2965b835c06a0761f44e771b6f8c247067e\r\nIP: 80.79.4[.]144\r\nAfter observing the two-month gap between signed files, we noted a similar but slightly different hosting\r\nmechanism used to deliver the file from early February. While the hosting platform was the same, the distribution\r\ndomain instead utilized cdn-staging.livechat-files[.]com. This led to another signed SpectreRAT sample, which\r\naligned with the previously uncovered campaigns and pushed the timeline back to early January 2024. The code\r\nsigning certificate also appeared to follow the same sequence as the previous samples.\r\nFirst Submission: 2024-01-10 05:56:57 UTC\r\nCompilation TimeStamp: 2024-01-03 12:38:59 UTC\r\nSHA-256: 9bee19ac1946bc15dd7de3027d0b9ede2e92beaa246fb21d65e6faf817682106\r\nCode Signing Certificate\r\nName: Mutiix QuansumKeep Information Technologies Co., Ltd.\r\nIssuer: GlobalSign GCC R45 EV CodeSigning CA 2020\r\nValid From: 2024-01-03 08:19:05\r\nValid To: 2025-01-03 08:19:05\r\nValid Usage: Code Signing\r\nAlgorithm: sha256RSA\r\nThumbprint: 8282D32D753A4E0BBA8057D7D6835F103B8D6530\r\nThumbprint: MD5 4D85FD3EEC6CCF4C907113E62DB0E4F2\r\nThumbprint: SHA256 4E3A1FB1BE71D954173003EDB79A06CD17F9AC8319BA3115BE277CDAB0A3BF92\r\nSerial Number: 4A 6C E4 49 DE 5C 97 48 35 DE 71 64\r\nIP: 91.92.241[.]187\r\nDomain: dystopianoverbiassperple[.]com\r\nSpectre\r\nThe crypter leverages timing checks, mixing GetTickCount and Sleep wrapped around a block of function\r\ncalls. The idea is that in virtual machines some functionality takes drastically less time to complete than it\r\ndoes on a real machine. 
In this case the actions being leveraged are allocating memory on the heap and then\r\nfreeing it. To make it look more innocuous, they also get the foreground window name and copy it into\r\nnewly allocated heap memory while converting it to ASCII.\r\nSetup:\r\nEnd of the loop after the heap manipulation:\r\nThis isn’t a new technique; it was previously leveraged by a crypter used by Locky[2].\r\nThe crypter also leverages TIMEOUT calls which are packaged into the unpacking routines:\r\nThe crypter will also move itself if it is not running as a hardcoded filename before restarting:\r\n\"C:\\Windows\\System32\\cmd.exe\" /c ping localhost -n 6 \u003e nul \u0026 del \"C:\\Users\\user\\Desktop\\mal.exe\" \u0026 \"C\r\nOnce unpacked, the Spectre sample has a basic string encoding setup as a simple single-byte XOR. However, they\r\nalso rebuild the data before decoding it, making it slightly harder to properly signature on and decode all the\r\nrelevant strings. 
One needs to rebuild them first based on the way they are loaded during the rebuild process.\r\nRelevant decoded strings:\r\nOzEsMTIsMDYwLDYy\r\ncWVwZ3djaXBhcW1uaXJrcXRrYSx4e3I=\r\nYWF7ZmFwZmFlcGN2Z2R3cWVxYWNzYWlgZWxzLHhxeg==\r\n04-29\r\nlyqi.dll\r\nwlmxz\r\nF44BE522-0833-28F5-5508\r\neygkp\r\nwsbic\r\nchgj.php\r\njtez.php\r\npefb.zip\r\npefb_nonir.zip\r\nroed.zip\r\nroed_x64.zip\r\nxofq.exe\r\neyrd=\r\n\u0026tucy=\r\n\u0026pvwz=\r\n\u0026ykam=\r\n\u0026byul=\r\n\u0026dcfl=\r\n\u0026oghd=\r\n\u0026vhup\r\n\u0026pthq=\r\n\u0026yhtz=\r\n\u0026dybj=\r\n\u0026klne=\r\n\u0026jlgo=\r\n\u0026aicj=\r\n\u0026qube=\r\n\u0026wjba=\r\n\u0026wrja=\r\n?myqg=\r\nehmn\r\naej\r\n9\r\n/v\r\ndown/\r\n\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\\r\nnircmdc.exe\r\nzip.exe\r\n/c ping localhost -n 6 \u003e nul \u0026\r\n/c ping localhost -n 10 \u003e nul \u0026\r\ncout\r\nhttp://\r\ntrue\r\nfalse\r\nvoid\r\n.asd\r\n\u0026\r\n@\r\n[@]\r\n|\r\n~\r\n[|]\r\n[*]\r\n.png\r\n.exe\r\n.lnk\r\n.vbs\r\n.txt\r\n.7z\r\n.bak\r\n*\r\n --headless=old --disable-gpu --remote-debugging -port=0\r\n MyTasks\\\\\r\nOnyxGraphicsKit\r\nMost of the main functionality resides in function tables which are called in sequence. Dummy or placeholder\r\nfunctions can be found in many of the tables:\r\nThe only component that gets additional encoding is the C2 addresses, which are hardcoded in the binary. C2\r\ndecoding uses a hardcoded string as the key, as follows:\r\nA demonstration of this decoding using Python is provided below (the decoded output is shown defanged):\r\n\u003e\u003e\u003e import base64\r\n\u003e\u003e\u003e def decode(c2):\r\n...     # base64-decode the hardcoded C2 blob, then XOR each byte with a masked key byte\r\n...     a = bytearray(base64.b64decode(c2))\r\n...     # hardcoded 32-byte key string taken from the sample\r\n...     key = bytearray(b'61C8EB3FE72795B6DBF7A787D5020913')\r\n...     for i in range(len(a)):\r\n...         temp = key[i]\r\n...         # only bits 1 and 3 of each key byte are used (mask 0x0a), as in the sample\r\n...         temp = (temp \u0026 0xa)\r\n...         a[i] ^= temp\r\n...     return a\r\n...\r\n\u003e\u003e\u003e\r\n\u003e\u003e\u003e decode('cWVwZ3djaXBhcW1uaXJrcXRrYSx4e3I=')\r\nbytearray(b'serowakrasolaristic[.xyz')\r\n\u003e\u003e\u003e decode('YWF7ZmFwZmFlcGN2Z2R3cWVxYWNzYWlgZWxzLHhxeg==')\r\nbytearray(b'caynardceratodusescascabels[.xyz')\r\n\u003e\u003e\u003e decode('OzEsMTIsMDYwLDYy')\r\nbytearray(b'91.92.240[.40')\r\nDebug string:\r\nC:\\DEV\\SPC\\DEV\\v9\\\r\nIOCs\r\nIPs:\r\n179.43.142[.]145\r\n179.43.142[.]190\r\n193.233.185[.]133\r\n193.233.191[.]162\r\n209.182.227[.]122\r\n213.139.205[.]131\r\n185.225.74[.]131\r\n91.92.255[.]73\r\n91.92.247[.]196\r\n94.156.69[.]212\r\n94.156.64[.]35\r\n91.92.250[.]157\r\n91.92.240[.]40\r\n91.92.244[.]110\r\n91.92.243[.]158\r\n91.92.255[.]84\r\n94.156.65[.]162\r\n91.92.241[.]187\r\nDomains:\r\nholosymmetryspecscollunbeatable[.]xyz\r\ngonorhynchidaeanalgesidaefascinatedly[.]xyz\r\ncyanoauricharesstealthful[.]xyz\r\nexpansivenessburnishesitel[.]xyz\r\nserowakrasolaristic[.]xyz\r\nsymphoniesreinflatablexerodermatic[.]com\r\npandemoniumpleurolysishummus[.]xyz\r\nelectivesprotagonmillenary[.]xyz\r\nchairermisassayssebate[.]xyz\r\nimpersuasiblyredeliveranceunspleened[.]com\r\nponticcyclersrecubate[.]com\r\nsappedisomorphousnonappreciativeness[.]com\r\nevanescingunsatanicallychrysal[.]com\r\npharyngologicalpseudoanginaperpetrable[.]com\r\ndystopianoverbiassperple[.]com\r\ncdn.livechat-files[.]com\r\ncdn-staging.livechat-files[.]com\r\nReferences\r\n1: https://yoroi.company/en/research/spectre-v4-0-the-speed-of-malware-threats-after-the-pandemics/\r\n2: https://github.com/sysopfb/VM_Timing_Detect\r\n3: 
https://urlscan.io/search/#filename%3A%22.scr%22%20AND%20domain%3Alivechat-files.com\r\n4: https://x.com/DailyDarkWeb/status/1740825011932573712\r\nSource: https://medium.com/walmartglobaltech/spectre-spc-v9-campaigns-and-updates-546c2e65e247",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/walmartglobaltech/spectre-spc-v9-campaigns-and-updates-546c2e65e247"
	],
	"report_names": [
		"spectre-spc-v9-campaigns-and-updates-546c2e65e247"
	],
	"threat_actors": [],
	"ts_created_at": 1775434702,
	"ts_updated_at": 1775791305,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/305c441f2b5b345f574a6d6f2a1c28525216356f.pdf",
		"text": "https://archive.orkl.eu/305c441f2b5b345f574a6d6f2a1c28525216356f.txt",
		"img": "https://archive.orkl.eu/305c441f2b5b345f574a6d6f2a1c28525216356f.jpg"
	}
}