{
	"id": "d20ba6b2-68a6-41da-9758-3f22f7e64037",
	"created_at": "2026-04-06T00:21:35.904951Z",
	"updated_at": "2026-04-10T13:11:29.476039Z",
	"deleted_at": null,
	"sha1_hash": "6c9b0c947ea03fc5e3ed6438477945c6b510e41d",
	"title": "Freezer Paper around Free Meat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 860582,
	"plain_text": "Freezer Paper around Free Meat\r\nBy GReAT\r\nPublished: 2016-04-27 · Archived: 2026-04-05 12:46:00 UTC\r\nBeEF Wrapped Up and Delivered in 2016\r\nIn late February 2016, a university website in Iran stood out for thoroughly vetting its current and potential students and staff. The university’s website served repackaged content from the Browser Exploitation Framework (BeEF): embedded JavaScript capable of hooking visitors’ web browsers, identifying visited websites and domains, probing for vulnerabilities (we did not observe any auto-pwning), and tracking visitors through evercookies. Even a partial list of visited sites is sensitive and valuable information, and this sort of “sites visited” data gathering via other techniques, such as screen grabbing and keylogging, was observed in past APT incidents like the Madi campaigns. For now, it is advisable to avoid the site.\r\nThe embedded BeEF content appears not to be fully configured and only partially implemented. Perhaps a limited data set was of interest to this attacker, or this was an early attempt at deploying BeEF.\r\nThis incident is interesting because at the same time, and somewhat earlier, another group was relying heavily on repackaged open source offensive security products in its toolset, deploying both BeEF and Metasploit-produced components across a select set of strategic web compromises. This particular APT has years of low-tech but elaborate social engineering schemes and repurposed open source tooling under its belt.\r\nWhile we call them the NewsBeef APT, they were reported in 2014 as Charming Kitten or Newscaster, social engineering their way into sensitive circles of trust with spoofed LinkedIn profiles and phony news media organizations.\r\nThey continue to be highly active, but this time they are using a slightly more technical toolset. 
On one hand, they have developed skills or discovered tools to compromise select web applications and sites, supporting their watering hole campaigns. On the other hand, they have repackaged leaked bot source code and open source Metasploit and PowerSploit components to produce and administer backdoors and downloaders.\r\nNewsBeef/Newscaster will find a way to compromise a website; usually the vulnerability appears to be CMS related: an outdated WordPress plugin, Joomla version, or Drupal version. Attackers then usually do one of two things, and NewsBeef has been doing the first:\r\ninject a src or iframe link into web pages or CSS sheets\r\ninject the content of an entire BeEF web page into one of the internally linked JavaScript helpers\r\nThe injected link redirects visitors’ browsers to a BeEF server. Usually, the attackers deliver some of the tracking, system/browser identification and evercookie capabilities. Sometimes they appear to deliver the Metasploit integration to exploit browsers and drop backdoors (we have not yet identified that exploitation activity in our KSN data for this group). Sometimes it is used to pop up spoofed login forms to steal social networking site credentials. We have not detected that in KSN either, but some partners have privately reported it in various incidents. What we have identified is that the attackers redirect specific targets to laced Adobe Flash and other installers hosted on websites that they operate.\r\nSo the watering hole activity usually is not delivering backdoors. Most of the time, the watering hole injections are used to identify and track visitors or steal their browser history. 
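As an added example (not code from the original post or from the BeEF project), the following Node.js script shows how a site owner could check a compromised CMS for the two injection patterns just described: an off-site script, iframe or stylesheet reference, and BeEF hook code pasted into a first-party JavaScript helper. The hostnames (university.example, cdn.example-beef.test, tracker.example.test), the sample HTML, CSS and helper files, and the triage() and scanForInjectedReferences() names are all constructed for the example; the marker strings are the public BeEF defaults (hook.js served on port 3000, the BEEFHOOK cookie, the beef.* namespace), which a repackaged copy may rename, so a marker hit is a triage hint rather than proof.

```javascript
// Added example for this page; it is not code from the Securelist post or from
// the BeEF project. It scans a site's HTML, CSS and first-party JavaScript
// helpers offline for the two injection patterns described above: an off-site
// script/iframe/stylesheet reference, and BeEF hook code pasted into a helper.
// All hostnames and sample files below are constructed for the example.

// Quote characters are built from char codes so the snippet itself stays free of
// quote characters (it is embedded in a JSON text field).
const DQ = String.fromCharCode(34); // double quote
const SQ = String.fromCharCode(39); // single quote

// Default names from the public BeEF project: hook.js served on port 3000, the
// BEEFHOOK session cookie and the global beef.* namespace. A repackaged copy may
// rename all of these, so a hit is a triage hint, not proof (assumption).
const BEEF_MARKERS = ['hook.js', 'BEEFHOOK', 'beef.net', 'beef.browser', ':3000/'];

// Strip one surrounding pair of quotes (either style) from an attribute value.
function unquote(v) {
  const first = v.charAt(0);
  const last = v.charAt(v.length - 1);
  if (v.length >= 2 && first === last && (first === DQ || first === SQ)) {
    return v.slice(1, -1);
  }
  return v;
}

function hasMarker(text) {
  return BEEF_MARKERS.some(marker => text.indexOf(marker) !== -1);
}

// Pattern 1: collect <script src>, <iframe src>, <link href>, CSS @import and
// url() references, and classify each as first- or third-party relative to
// siteOrigin (the site's own origin, e.g. 'https://university.example').
function scanForInjectedReferences(html, css, siteOrigin) {
  const refs = [];
  const tagRe = /<(script|iframe|link)[ \t][^>]*?(src|href)=([^ \t>]+)/gi;
  const cssRe = /(@import[ \t]+(?:url[(])?|url[(])([^ \t;)]+)/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    refs.push({ where: m[1].toLowerCase(), ref: unquote(m[3]) });
  }
  while ((m = cssRe.exec(css)) !== null) {
    refs.push({ where: 'css', ref: unquote(m[2]) });
  }
  const siteHost = new URL(siteOrigin).host;
  return refs.map(r => {
    let host = null;
    try { host = new URL(r.ref, siteOrigin).host; } catch (e) { host = null; }
    // Unresolvable references are treated as third-party: they need a look anyway.
    const thirdParty = host === null || host !== siteHost;
    return { where: r.where, ref: r.ref, host: host, thirdParty: thirdParty, beefHint: hasMarker(r.ref) };
  });
}

// Pattern 2: first-party helper scripts that now carry BeEF hook code.
// helpers maps a path to the file contents read from the webroot.
function findHookedHelpers(helpers) {
  return Object.keys(helpers).filter(path => hasMarker(helpers[path]));
}

function triage(html, css, helpers, siteOrigin) {
  const allRefs = scanForInjectedReferences(html, css, siteOrigin);
  return {
    allRefs: allRefs,
    offsiteRefs: allRefs.filter(r => r.thirdParty),
    hookedHelpers: findHookedHelpers(helpers),
  };
}

// Constructed sample input: a WordPress-style page with one injected hook
// script, one hidden tracking iframe and one injected stylesheet import.
const SAMPLE_HTML = [
  '<html><head>',
  '<link rel=stylesheet href=/assets/site.css>',
  '<script src=/wp-content/plugins/foo/helper.js></script>',
  '<script src=' + DQ + '//cdn.example-beef.test:3000/hook.js' + DQ + '></script>',
  '</head><body>',
  '<iframe src=' + SQ + 'http://tracker.example.test/t.html' + SQ + ' width=0 height=0></iframe>',
  '</body></html>',
].join(' ');
const SAMPLE_CSS = '@import url(//tracker.example.test/inject.css); body { background: url(/img/bg.png); }';
const SAMPLE_HELPERS = {
  '/wp-content/plugins/foo/helper.js': 'function foo() { return document.title; }',
  '/wp-includes/js/jquery-migrate.min.js': '/* jquery-migrate */ var beef = beef || {}; beef.net = { port: 3000 };',
};

const result = triage(SAMPLE_HTML, SAMPLE_CSS, SAMPLE_HELPERS, 'https://university.example');
result.offsiteRefs.forEach(r => console.log((r.beefHint ? 'BEEF? ' : 'offsite ') + r.where + ' -> ' + r.ref));
result.hookedHelpers.forEach(p => console.log('hooked helper ' + p));
```

Run it with node against the constructed input, or replace the samples with a crawl of the site’s own pages and assets. A hostname check alone is not enough, because the second pattern appends the hook to a helper that already loads from the first-party origin; the helper scan catches that case on the default names, and a diff against a clean copy of the plugin from its vendor is the stronger check when the names have been changed.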
Then, they deliver the backdoors to the right targets.\r\nIn addition to the university site and the NewsBeef APT, in the past couple of months we identified a variety of compromised sites around the world serving BeEF. Most have been cleaned up. Deployments to interesting and strategic websites, and their true reach on a global scale, appear to be on the increase:\r\nMiddle Eastern embassy in the Russian Federation\r\nIndian military technology school\r\nHigh-conflict regional presidency\r\nUkrainian ICS scanner mirror\r\nEuropean Union education diversification support agency\r\nRussian foreign trade management organization\r\nProgressive Kazakh news and politics media\r\nTurkish news organization\r\nSpecialized German music school\r\nJapanese textile manufacturing inspection corporate division\r\nMiddle Eastern social responsibility and philanthropy\r\nSurprisingly popular British “lifestyle” blog\r\nAlgerian university’s online course platform\r\nChinese construction group\r\nRussian overseas business development and holding company\r\nRussian gaming developer forum\r\nRomanian Steam gaming developer\r\nChinese online gaming virtual gold seller\r\nBrazilian music instrument retailer\r\nBeEF Capabilities\r\nKey to these incidents are the development, distribution, and ease of use of toolkits like BeEF.\r\nBeEF itself is an open source collection of tools and tricks, some of them years old, that combined can effectively hook a visiting web browser for evaluation and full exploitation. 
Because of its capabilities, we have seen increased adoption of the framework over the past year or so.\r\nBrowser enumeration and reporting\r\nPlugin enumeration and reporting\r\nRetrieval of visited domains (based on an old browser cache fetch timing trick)\r\nSocial engineering via live sessions and phishing within the browser\r\nNetwork exploration, discovery, and exfiltration tunneling\r\nMetasploit exploit integration and autopwning\r\nEvercookie deployment for persistent tracking across multiple platforms\r\nXSS evaluation and exploitation\r\nAt the same time, many of the techniques implemented are very old and public. The kit is extensible and customizable, and integrates with Metasploit for autopwnage. Some of the techniques were discussed during Jeremiah Grossman’s 2006 Black Hat conference presentation. The delay in deployment of techniques of this type indicates that some teams are dependent on open source tool packaging and ease of use. We have seen this sort of reliance on both open source offensive toolkits and legitimate software in the past from APTs like Crouching Yeti and TeamSpy, and now from NewsBeef.\r\nFighting the use of browser hooking frameworks for identification, tracking, live session social engineering, and precision and auto-exploitation effectively requires a mix of technologies. When these JavaScript-based frameworks are used maliciously, a combination of network- and host-based detection is required to fully handle the more serious incidents.\r\nUnfortunately, these incidents are on the increase. You can disable JavaScript in your own browser with NoScript, but that is much like moving to Lynx or another text-based browser: people do not want that because it kills functionality in the browser that they do want. A Chrome plugin that detects the BeEF cookie is easily evaded by serious players. 
And preventing the tracking methods altogether is another whole ball of wax, because much of the same functionality is tied into legitimate web pages by third-party marketers and retailers.\r\nPreventing the social engineering sessions for credential theft and the Metasploit exploit integration makes immediate sense and can be done at the network level and, more effectively, at the host level. Anti-APT technology can help wipe out most of an operation on the network at scale, but these measures can be evaded as well. In other words, dealing with a determined attacker using tools like this one is difficult.\r\nReferences\r\nNEWSCASTER – An Iranian Threat Inside Social Media\r\nThe Browser Exploitation Framework Project\r\nMetasploit: Penetration Testing Software\r\nSource: https://securelist.com/blog/software/74503/freezer-paper-around-free-meat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/blog/software/74503/freezer-paper-around-free-meat/"
	],
	"report_names": [
		"freezer-paper-around-free-meat"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "dfee8b2e-d6b9-4143-a0d9-ca39396dd3bf",
			"created_at": "2022-10-25T16:07:24.467088Z",
			"updated_at": "2026-04-10T02:00:05.000485Z",
			"deleted_at": null,
			"main_name": "Circles",
			"aliases": [],
			"source_name": "ETDA:Circles",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "322a0ef1-136b-400e-89d0-0d62ee2bd319",
			"created_at": "2023-01-06T13:46:38.662109Z",
			"updated_at": "2026-04-10T02:00:03.05924Z",
			"deleted_at": null,
			"main_name": "Madi",
			"aliases": [],
			"source_name": "MISPGALAXY:Madi",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "649b5b3e-b16e-44db-91bc-ae80b825050e",
			"created_at": "2022-10-25T15:50:23.290412Z",
			"updated_at": "2026-04-10T02:00:05.257022Z",
			"deleted_at": null,
			"main_name": "Dragonfly",
			"aliases": [
				"TEMP.Isotope",
				"DYMALLOY",
				"Berserk Bear",
				"TG-4192",
				"Crouching Yeti",
				"IRON LIBERTY",
				"Energetic Bear",
				"Ghost Blizzard"
			],
			"source_name": "MITRE:Dragonfly",
			"tools": [
				"MCMD",
				"Impacket",
				"CrackMapExec",
				"Backdoor.Oldrea",
				"Mimikatz",
				"PsExec",
				"Trojan.Karagany",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1d8dd2ca-5592-482e-b89d-6a7e1a49f4f6",
			"created_at": "2023-01-06T13:46:38.408359Z",
			"updated_at": "2026-04-10T02:00:02.962242Z",
			"deleted_at": null,
			"main_name": "TeamSpy Crew",
			"aliases": [
				"TeamSpy",
				"Team Bear",
				"Anger Bear",
				"IRON LYRIC"
			],
			"source_name": "MISPGALAXY:TeamSpy Crew",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28",
			"created_at": "2023-01-06T13:46:38.39927Z",
			"updated_at": "2026-04-10T02:00:02.958273Z",
			"deleted_at": null,
			"main_name": "ENERGETIC BEAR",
			"aliases": [
				"BERSERK BEAR",
				"ALLANITE",
				"Group 24",
				"Koala Team",
				"G0035",
				"ATK6",
				"ITG15",
				"DYMALLOY",
				"TG-4192",
				"Crouching Yeti",
				"Havex",
				"IRON LIBERTY",
				"Blue Kraken",
				"Ghost Blizzard"
			],
			"source_name": "MISPGALAXY:ENERGETIC BEAR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b07fec96-80cd-4d92-aa52-a26a0b25b7c2",
			"created_at": "2022-10-25T16:07:23.826594Z",
			"updated_at": "2026-04-10T02:00:04.760416Z",
			"deleted_at": null,
			"main_name": "Madi",
			"aliases": [
				"Mahdi"
			],
			"source_name": "ETDA:Madi",
			"tools": [
				"Madi"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e034b94b-9655-42c4-a72e-a58807dce299",
			"created_at": "2022-10-25T16:07:24.133537Z",
			"updated_at": "2026-04-10T02:00:04.876832Z",
			"deleted_at": null,
			"main_name": "Rocket Kitten",
			"aliases": [
				"Group 83",
				"NewsBeef",
				"Newscaster",
				"Operation Newscaster",
				"Operation Woolen-GoldFish",
				"Parastoo",
				"Rocket Kitten"
			],
			"source_name": "ETDA:Rocket Kitten",
			"tools": [
				"CoreImpact (Modified)",
				"FireMalv",
				"Ghole",
				"Gholee"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434895,
	"ts_updated_at": 1775826689,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6c9b0c947ea03fc5e3ed6438477945c6b510e41d.pdf",
		"text": "https://archive.orkl.eu/6c9b0c947ea03fc5e3ed6438477945c6b510e41d.txt",
		"img": "https://archive.orkl.eu/6c9b0c947ea03fc5e3ed6438477945c6b510e41d.jpg"
	}
}