{
	"id": "30017db9-a8a1-4f71-b520-b33ba5bb19c9",
	"created_at": "2026-04-06T00:07:32.450232Z",
	"updated_at": "2026-04-10T03:35:20.391565Z",
	"deleted_at": null,
	"sha1_hash": "3f5daa005e4404241450ec8e4d4d908d3e148927",
	"title": "New pastebin-like service used in multiple malware campaigns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1375916,
	"plain_text": "New pastebin-like service used in multiple malware campaigns\r\nBy Paul Kimayong\r\nPublished: 2020-10-05 · Archived: 2026-04-05 13:53:09 UTC\r\nJuniper Threat Labs identified several malware campaigns that rely on a pastebin-like service for its infection\r\nchain. The domain in question is paste.nrecom.net. The attacks usually start as a phishing email and, when a user\r\nis tricked into executing the malware, it downloads the succeeding stage of the malware from paste.nrecom.net\r\nand loads it into the memory without writing to disk. Using a legitimate web-service for the malware\r\ninfrastructure is not new, as we have seen APT group FIN6 using pastebin to host parts of the infection chain and\r\nRocke using it for command and control. Although using legitimate web services is not novel, this is the first time\r\nthat we have seen threat actors use paste.nrecom.net. Among the malware we have identified are AgentTesla,\r\nLimeRAT, Ransomware and Redline Stealer.\r\nWhat is paste.nrecom.net?\r\nhttps://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns\r\nPage 1 of 20\n\nPaste.nrecom has been in service since May 2014. If you are not familiar with pastebin, it is a service where you\r\ncan post your code or text data with the intent of sharing it with others. Paste.nrecom does the same thing and it\r\nalso offers an API that allows scripting. This is advantageous to threat actors as they can easily insert and update\r\ndata programmatically. This service is powered by Stikked, which is an open-source PHP based pastebin.\r\nHow do threat actors use it for malicious purposes?\r\nBecause it is a text-only service, one would think that it cannot host an executable file (binary data) into it.\r\nHowever, binary data can be represented as a text file by simply encoding it. The common encoding method is\r\nusing base64. 
That is exactly what the threat actors did in this case.\r\nMalicious paste encoded in base64\r\nTo add another layer of obfuscation, they encrypt the binary data with a XOR key. The following file, for example,\r\nis encrypted with the XOR key 0x02.\r\nAfter base64 decoding, the file is still encrypted with the XOR algorithm.\r\nAfter all the necessary decoding and decryption, you will then see the executable file, as shown\r\nabove.\r\nFrom September 21, 2020, we have seen several malware families taking advantage of this service, and usage quickly\r\nramped up.\r\nMalware Campaigns\r\nThe attack usually starts with a phishing email that includes an attachment, such as a document, archive or an\r\nexecutable. When a user is tricked into installing the malicious attachment (first stage), it downloads the next\r\nstages from paste.nrecom.net. We have also seen malware hosting their configuration data on the same service.\r\nAgent Tesla\r\nAgent Tesla is spyware that is capable of stealing personal data from web browsers, mail clients and FTP\r\nservers. It can also collect screenshots and videos and capture clipboard data. Recent versions of this malware are also\r\ncapable of stealing personal data from VPN clients. It is being sold on the underground markets for as low as $15\r\nand could go up to $70 depending on the additional features.\r\nAgent Tesla is among the most active malware using this pastebin-like service. Campaigns usually start with a\r\nphishing email with a malicious attachment. Based on the samples we found, these campaigns target multiple\r\nindustries related to shipping, supply chain and banks. 
In some cases, the attachments are archives, such as .iso,\r\n.rar or .uue like below:\r\nAttachment Sha256: 9c38ab9d806417e89e3c035740421977f92a15c12f9fa776ac9665a1879e5f67\r\nInfection Chain for 9c38ab9d806417e89e3c035740421977f92a15c12f9fa776ac9665a1879e5f67\r\nAs you can see from the chain, there are two requests to paste.nrecom because it divides the Agent Tesla payload\r\ninto two. The first request is the first half of the file and the second request is the second half. This technique\r\nmakes it harder for security solutions to analyze the payload.\r\nAnother sample phishing email has the attachment with Sha256:\r\n199a98adf78de6725b49ec1202ce5713eb97b00ae66669a6d42f8e4805a0fab9\r\nBelow are email attachments and files inside some email attachments that we have found to install Agent Tesla\r\nusing paste.nrecom.\r\nFile Name | Sha256\r\nEmirate bank TT copy 2020-09-20 at 07.30.55.uue | f8c02c3f6d22978b3c478d0fb7ad4845609b8ad4a38e0ed2a75721156a6a8e44\r\nInv C-22464 PO 3871.exe | 27f8e739b62c685c4115f49ae146bb75271d0b8fad021436939735bf7492186b\r\nPO#150367285 SECONDO VERGANI SPA Ref#BK043383.exe | 3101003430beae11fe082a07878ac2f643a64e3abd82b7b2a787a0e1fde27307\r\nPayment Notification.uue | b7cf6fb7557f435bab1b815a38b1771aea9d118192f6d184111754615e8881af\r\nbank payment copy.exe | 136991b95c503e13d7ed77305a305f6f568c9d93273584d19a33014202a6ebbb\r\nPayment docs63878288882788.docx.rar | 44221603cb9e19a630e35bd12a9c8bd97a9d2743a6fc5528e81db0718fc3e1b3\r\nAttachment JOIN LEADERS PO332,pdf.exe | 167139073c586fd0d7de374611f899e170fd0316463be6c65170496636b3e42d\r\nAPROBACION DE TRANSFERENCIA INUSUAL REALIZADA EXITOSAMENTE.tar | 0e044c8570122a280c963cac80e0140da78ee0d378cd17cab4ea6f146ce35d15\r\nIn some cases, the attached files are Office documents that download the Agent Tesla loader.\r\nInfection chain for c66e6c6018d3e51e8b39146c6021fb51f59750b93778a063f7d591f24068c880\r\nW3Cryptolocker Ransomware\r\nW3Cryptolocker is a relatively new ransomware. Based on our telemetry, this ransomware surfaced in July 2020.\r\nWe will call this malware W3Cryptolocker, based on a string found in its code.\r\nStrings found in the binary code of this ransomware.\r\nThe loader was hosted on a potentially hacked site, italake.com.\r\nInfection Chain of Ede98ae4e8afea093eae316388825527658807489e5559bff6dbf5bc5b554a2c\r\nIt encrypts all files on all drives except files with the “.xls” extension and folders containing the following\r\nstrings:\r\nWindows\r\nProgramData\r\n$Recycle.bin\r\nSystem Volume Information\r\nIt adds the extension .xls to encrypted files. 
After it is done encrypting each folder, it creates a “Read_Me.txt” file\r\nin each folder with the following message.\r\nVisiting https://yip[.]su/2QstD5 leads you to a Freshdesk support site, bit7.freshdesk.com.\r\nRedline Stealer\r\nRedline Stealer is malware that surfaced around March 2020 and was reported to have targeted healthcare and\r\nmanufacturing industries in the United States. This malware has been found advertised on forums with several\r\npricing options, starting from a $100/month subscription. It has the following functionality:\r\nBrowser Data Stealer\r\nLogin and Passwords\r\nCookies\r\nAutocomplete Fields\r\nCredit Cards\r\nRemote Task Functions\r\nExecute Commands\r\nDownload Files\r\nDownload Files and Execute\r\nRunPE (Process Injection for fileless infection)\r\nOpenLink\r\nFTP and IM client stealer\r\nFile-grabber\r\nCollects information about the victim’s system\r\nThe sample we found poses as a Bitcoin miner archived into a RAR file. 
The archive contains an executable,\r\nMinerBitcoin.exe, that downloads the Redline Stealer payload from paste.nrecom.net.\r\nInfection Chain of Redline Stealer: Sha256:\r\na719affc96b41b63f78d03dc3bc6b7340287d25d876e58fd1ab307169a1751dc\r\nRedline Stealer malicious functions\r\nLimeRAT\r\nLimeRAT is an open-source remote administration trojan coded in .NET. The APT-C-36 group used it to target\r\nColombian government institutions. Among its many capabilities, it can be used as:\r\nRansomware\r\nRemote Desktop\r\nCrypto Mining\r\nCryptoStealer\r\nDDOS\r\nKeylogger\r\nPassword Stealer\r\nInfection Chain of 20ad344d20337f8a782135e59bc1f6e1a7999bcddc50fc1dc3b8b6645abcb91e\r\nAnother sample we found is aae2e0d0792e22164b3c81d0051c5f94a293bae69e7aac5cc4ad035860dbf802. At the\r\ntime of this analysis, this sample still has zero VT detections. It downloads LimeRAT from\r\nhttps://paste[.]nrecom[.]net/view/raw/93a7cd20.\r\naae2e0d0792e22164b3c81d0051c5f94a293bae69e7aac5cc4ad035860dbf802 with no VT hits\r\nConclusion\r\nUsing legitimate web services like pastebin or paste.nrecom for malware infrastructure gives cybercriminals an\r\nadvantage, as these services cannot be easily taken down due to their legitimate use. We recommend that security\r\noperations teams add paste.nrecom to their list of web services potentially being abused for malicious purposes. It is\r\nrecommended to monitor web services like this one for suspicious content, particularly binary data encoded in\r\nbase64. 
Juniper’s Encrypted Traffic Insights capability on the SRX NGFW detects the TLS\r\nconnections to paste.nrecom.net as malicious using machine learning, as seen in the screenshot below for the\r\nW3Cryptolocker loader.\r\nJuniper Advanced Threat Protection (ATP) detects these threats.\r\nDetection of AgentTesla Loader (Project 68234.iso)\r\nDetection of AgentTesla Loader (VESSL’ITENERARY.xlsm)\r\nDetection of W3Cryptolocker Loader (0022.exe)\r\nDetection of malicious connection to paste.nrecom using Juniper Encrypted Traffic Insights\r\nIndicators of Compromise (IOC)\r\nDomain\r\nPaste.nrecom.net\r\n192.12.66.108\r\nlol.thezone.vip\r\nSource: https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns"
	],
	"report_names": [
		"new-pastebin-like-service-used-in-multiple-malware-campaigns"
	],
	"threat_actors": [
		{
			"id": "98b22fd7-bf1b-41a6-b51c-0e33a0ffd813",
			"created_at": "2022-10-25T15:50:23.688973Z",
			"updated_at": "2026-04-10T02:00:05.390055Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"APT-C-36",
				"Blind Eagle"
			],
			"source_name": "MITRE:APT-C-36",
			"tools": [
				"Imminent Monitor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7c053836-8f50-4d40-bc5c-7088967e1b57",
			"created_at": "2022-10-25T16:07:24.549525Z",
			"updated_at": "2026-04-10T02:00:05.03048Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra",
				"G0106",
				"Iron Group",
				"Rocke"
			],
			"source_name": "ETDA:Rocke",
			"tools": [
				"Godlua",
				"Kerberods",
				"LSD",
				"Pro-Ocean",
				"Xbash"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "905eabd9-2b7f-483d-86bd-0c72f96b4162",
			"created_at": "2023-01-06T13:46:39.02749Z",
			"updated_at": "2026-04-10T02:00:03.185957Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra"
			],
			"source_name": "MISPGALAXY:Rocke",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0b02af5f-2027-42b7-a6f2-51e2fd49ba7f",
			"created_at": "2022-10-25T15:50:23.360509Z",
			"updated_at": "2026-04-10T02:00:05.337702Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Rocke"
			],
			"source_name": "MITRE:Rocke",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "be597b07-0cde-47bc-80c3-790a8df34af4",
			"created_at": "2022-10-25T16:07:23.407484Z",
			"updated_at": "2026-04-10T02:00:04.58656Z",
			"deleted_at": null,
			"main_name": "Blind Eagle",
			"aliases": [
				"APT-C-36",
				"APT-Q-98",
				"AguilaCiega",
				"G0099"
			],
			"source_name": "ETDA:Blind Eagle",
			"tools": [
				"AsyncRAT",
				"BitRAT",
				"Bladabindi",
				"BlotchyQuasar",
				"Imminent Monitor",
				"Imminent Monitor RAT",
				"Jorik",
				"LimeRAT",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"Warzone",
				"Warzone RAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bd43391b-b835-4cb3-839a-d830aa1a3410",
			"created_at": "2023-01-06T13:46:38.925525Z",
			"updated_at": "2026-04-10T02:00:03.147197Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"Blind Eagle"
			],
			"source_name": "MISPGALAXY:APT-C-36",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434052,
	"ts_updated_at": 1775792120,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3f5daa005e4404241450ec8e4d4d908d3e148927.pdf",
		"text": "https://archive.orkl.eu/3f5daa005e4404241450ec8e4d4d908d3e148927.txt",
		"img": "https://archive.orkl.eu/3f5daa005e4404241450ec8e4d4d908d3e148927.jpg"
	}
}