{
	"id": "72448a5c-0eb2-43e9-9f5d-35cb31e68a92",
	"created_at": "2026-04-06T00:06:13.312069Z",
	"updated_at": "2026-04-10T03:28:33.587311Z",
	"deleted_at": null,
	"sha1_hash": "7dbdd354a73cd3d71f9d7bf66c84ec5fb37f01e4",
	"title": "Intelligence Insights: January 2022",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 96030,
	"plain_text": "Intelligence Insights: January 2022\r\nBy susannah.matt@redcanary.com\r\nArchived: 2026-04-05 19:38:10 UTC\r\n⬆ = trending up from previous month\r\n⬇= trending down from previous month\r\n➡ = no change in rank from previous month\r\n*Denotes a tie\r\nObservations on trending threats\r\nFor the fourth consecutive month, we have a new threat at the top of our prevalence rankings. This time\r\nSocGholish made the ascent. The emergence of BLISTER malware as a follow-on payload (more on that below)\r\nmay be related to this rise, and the 1.8% of customers affected is SocGholish’s high water mark for the year.\r\nCobalt Strike, a mainstay of the top five spots every month this year, curiously dropped all the way down to\r\nthe twelfth spot. Only ~0.5% of customers saw Cobalt Strike detections in December, after 11 straight months of\r\nover 1% seeing Cobalt Strike, with a peak of 3.2% of customers back in June. It remains to be seen if this\r\nrepresents a shift in tooling or TTPs by adversaries, or if this was merely a holiday lull for both red teamers and\r\npost-exploitation adversaries. In any case, Red Canary detection engineers are maintaining a vigilant watch on\r\nthese and other threats.\r\nNew Conficker detection analytic identifies old persistence. Speaking of expanded detection coverage, you\r\nmay have noticed Conficker, that years-old nuisance, creeping into the bottom of our rankings. This is not a re-emergence of a new threat, but an artifact of deploying a new detection analytic to shine a light on an old\r\npersistence technique hidden in a dark, and often overlooked, corner. In most instances, the malicious DLL\r\npayload of these Conficker cases was likely removed by antivirus long ago. However, the lingering persistence\r\nmechanism attempting to launch those randomly named libraries tends to languish in the labyrinth of the registry\r\nlong after antivirus declares the threat removed. 
Expanding detection coverage does not just uncover new and\r\nnovel threats; it also adds layers of defenses to ensure more complete and thorough clean-up of the closed out\r\ncases of the past.\r\nAccordingly, we can add Conficker to the compendium of older threats with worming capabilities that are still\r\nfinding their way into places they don’t belong. If you’re seeing Conficker detections, one way to harden your\r\nattack surface is to ensure you’re running an up-to-date OS. You may also want to consider disabling AutoRun and\r\nchecking over those firewall rules one last time, just to make sure you aren’t haunted by any residual Conficker\r\ninfections wandering about come the next holiday season.\r\nhttps://redcanary.com/blog/intelligence-insights-january-2022/\r\nPage 1 of 4\r\nDetection opportunity: Rundll32 executing with command lines consistent with Conficker\r\nprocess_name == rundll32.exe\r\n\u0026\u0026\r\ncommand_line_contains == rundll32\\.exe [a-z]{5,8}\\.[a-z]{1,3},[a-z]{5,8}\r\nNote: If you are having trouble getting this detection opportunity to work in your environment, you may find\r\nadditional success by focusing only on processes where taskeng.exe or svchost.exe are the parents of\r\nrundll32.\r\nAdversaries find a juicy Log4j target in VMware Horizon\r\nSince public disclosures of the Log4j vulnerabilities began on December 9, we’ve been tracking threats that have\r\nexploited them. 
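As an added example that is not part of the Red Canary report, the following Python script applies the Conficker rundll32 detection opportunity above to a few constructed process events, including the parent-process restriction suggested in the note. The flat event schema (process_name, parent_name, command_line), the sample events and the helper names are assumptions for illustration, not real telemetry or product field names. The escaped dot in the report's pattern is written as [.] here, which matches the same thing.

```python
import re

# Pattern from the detection opportunity above. [.] matches a literal dot,
# the same as the escaped dot in the report's pattern, and keeps the rule
# free of backslashes. Matching is case-sensitive, as on the page.
CONFICKER_CMDLINE = re.compile(
    r'rundll32[.]exe [a-z]{5,8}[.][a-z]{1,3},[a-z]{5,8}'
)

# Parents named in the report's tuning note for a stricter variant.
SUSPECT_PARENTS = {'taskeng.exe', 'svchost.exe'}


def matches_conficker(event, require_parent=False):
    # event is a dict with process_name, parent_name and command_line;
    # this flat schema is an assumption, not a product's real field names.
    if event.get('process_name', '').lower() != 'rundll32.exe':
        return False
    if not CONFICKER_CMDLINE.search(event.get('command_line', '')):
        return False
    if require_parent:
        return event.get('parent_name', '').lower() in SUSPECT_PARENTS
    return True


def triage(events, require_parent=False):
    # Return the ids of the events the analytic would alert on, in order.
    return [e['id'] for e in events if matches_conficker(e, require_parent)]


# Constructed sample telemetry for illustration; the library and export
# names are random letters shaped like Conficker's, not real samples.
SAMPLE_EVENTS = [
    # Conficker-style launch from a service host: matches both variants.
    {'id': 1, 'process_name': 'rundll32.exe', 'parent_name': 'svchost.exe',
     'command_line': 'rundll32.exe hdkwpqzr.dll,mxtqwla'},
    # Same command-line shape from a user shell: loose rule only.
    {'id': 2, 'process_name': 'rundll32.exe', 'parent_name': 'explorer.exe',
     'command_line': 'rundll32.exe zmkqpwx.dll,pltmvnq'},
    # Ordinary rundll32 use: digits in the name and a long export, no match.
    {'id': 3, 'process_name': 'rundll32.exe', 'parent_name': 'explorer.exe',
     'command_line': 'rundll32.exe shell32.dll,Control_RunDLL desk.cpl'},
    # Right command line, wrong process: the process_name clause excludes it.
    {'id': 4, 'process_name': 'cmd.exe', 'parent_name': 'svchost.exe',
     'command_line': 'rundll32.exe abcdef.dll,ghijkl'},
]

if __name__ == '__main__':
    print('loose rule alerts on:', triage(SAMPLE_EVENTS))
    print('parent-restricted rule alerts on:', triage(SAMPLE_EVENTS, True))
```

Run it directly to see which event ids each variant of the rule alerts on. The parent restriction drops the explorer-launched event, which is the trade-off behind the tuning note: fewer noisy matches at the cost of missing the same persistence when it is launched from a different parent.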
We realized the attack surface using Log4j was huge, but in the first several weeks, the activity we\r\nobserved consisted mostly of scanning, testing, and coinminers.\r\nDetection opportunity: PowerShell listing VMBlastSG service names\r\nThis analytic identifies PowerShell executing a command to return a list of service names containing VMBlastSG.\r\nThis may assist in identifying post-exploitation activity like that described in this excellent NHS alert, where a\r\ncommand similar to the following invokes Get-WMIObject on win32_service to return service names:\r\npowershell -c \"$path=gwmi win32_service|?{$_.Name -like \"\"\"VMBlastSG\"\"\"}|%{$_.PathName -replace '\"\"\"','' -replace \"\"\"nssm.exe\"\"\",\"\"\"lib\\absg-worker.js\"\"\"}\"\r\nprocess_name == powershell.exe\r\n\u0026\u0026\r\ncommand_line_contains == VMBlastSG\r\nThe nature of recently disclosed Log4j vulnerabilities may have contributed to the volume and delayed\r\ntiming of activity observed in the wild. One of the reasons we did not observe a large volume of exploitation in\r\nthe first few days may be that these vulnerabilities are highly application-specific, depending on how Log4j is\r\nimplemented in them. This means an adversary could not have crafted a single exploit that would have had a\r\nbroad impact on many types of applications at once.\r\nToward late December and early January, however, we observed an uptick in adversaries exploiting\r\ninternet-facing VMware Horizon servers running versions affected by the Log4j vulnerabilities. While we\r\ncouldn’t attribute all activity to named adversaries, we observed likely PROPHET SPIDER activity in one\r\nenvironment, and patterns suggesting a potentially different adversary in other environments. Others in the\r\ncommunity, including the UK NHS and Microsoft, observed the same pattern of adversaries targeting VMware\r\nHorizon. 
This supplements earlier reporting about Conti ransomware operators exploiting VMware vCenter during\r\nlateral movement in an environment. When viewed together, this reporting and our direct visibility suggest\r\nVMware Horizon is a top choice for adversaries to narrow their Log4j targeting, likely because it is widely used\r\nand often internet-facing. We recommend everyone using VMware Horizon immediately apply updates and\r\nevaluate whether it needs to be internet-facing.\r\nSocGholish causing BLISTERs?\r\nIn December, Elastic Security published research exposing BLISTER, a newly discovered loader that may contain\r\nCobalt Strike beacons or other remote access tools. This threat evades static signatures by splicing malicious code\r\ninto a legitimate Windows executable while preserving most of the original executable’s structure and content.\r\nElastic observed BLISTER arriving via malicious installers; we observed a slightly different pattern. In at least one\r\ninstance in December, SocGholish deployed BLISTER, which in turn deployed a Cobalt Strike beacon.\r\nThis development shows that adversaries are actively using multiple methods to distribute BLISTER and its\r\nsubsequent payloads. BLISTER itself is evasive, hindering static analysis and detection rules.\r\nManaging the increase in ManageEngine vulnerabilities\r\nIn December 2021, Red Canary observed activity associated with the likely exploitation of vulnerabilities in two\r\nZoho ManageEngine products: ADSelfService Plus and ServiceDesk Plus. The FBI also reported in-the-wild\r\nexploitation of a vulnerability in a third ManageEngine product, Desktop Central. 
Given the frequency with which\r\nvulnerabilities in ManageEngine have been recently disclosed and the speed at which adversaries can exploit these\r\nnewly reported weaknesses, Red Canary focuses on identifying and detecting post-exploitation behavior, and we\r\nrecommend others do the same to identify malicious activity, regardless of how adversaries accessed the\r\nenvironment.\r\nDetection opportunity: Java.exe writing msiexec.exe to disk\r\nprocess_name == java.exe\r\n\u0026\u0026\r\nfile_modification == msiexec.exe\r\nADSelfService Plus (CVE-2021-40539)\r\nAs noted previously in our December Intelligence Insights, we’ve consistently observed operators dropping web\r\nshells and using keytool.exe, a Java utility, after exploiting what appears to be CVE-2021-40539. Separately, in\r\none incident response engagement, our partner observed a ransomware attack after operators gained initial access\r\nvia exploitation of CVE-2021-40539.\r\nServiceDesk Plus (CVE-2021-44077)\r\nWe’ve also observed CVE-2021-44077, a vulnerability in ManageEngine ServiceDesk Plus, likely exploited to\r\nupload a malicious executable and conduct post-exploitation reconnaissance. Behavior exploiting this\r\nvulnerability—in concert with a binary masquerading as msiexec.exe—appears to overlap with the\r\nTiltedTemple campaign recently reported by researchers at Palo Alto Unit 42.\r\nDesktop Central (CVE-2021-44515)\r\nThe FBI released a FLASH notification detailing APT exploitation of a third ManageEngine vulnerability, this\r\ntime in a Desktop Central MSP server, part of ManageEngine’s Desktop Central product. 
Following successful\r\nexploitation of this vulnerability, the FBI reported that adversaries drop a web shell, conduct reconnaissance, and\r\nuse BITSAdmin to download additional tools.\r\nThough Red Canary has not observed successful exploitation of this vulnerability first-hand, credible reporting\r\nfrom CISA and the FBI highlights the risks associated with the follow-on activity successful exploitation can\r\nenable. Tracking public reporting on vulnerabilities such as CVE-2021-44515 allows us to add context to threats\r\nassociated with common software and tailor our detection coverage to cover tradecraft highlighted by other\r\nsources in the community.\r\nManageEngine products are widely used among IT departments, presenting a large attack surface for\r\nadversaries. Organizations using ManageEngine products in their environment should update accordingly.\r\nPatches for all of the vulnerabilities listed here have been released and are available via ManageEngine.\r\nAs always, the assessments in this report represent our best thinking based on our current visibility. To this end,\r\nwe welcome the receipt of conflicting or contradictory information on these threats and acknowledge that our\r\nassessments are subject to change over time as we incorporate new information. To submit additional information\r\nfor consideration, please contact intel@redcanary.com.\r\nSource: https://redcanary.com/blog/intelligence-insights-january-2022/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://redcanary.com/blog/intelligence-insights-january-2022/"
	],
	"report_names": [
		"intelligence-insights-january-2022"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "056826cb-6e17-4954-a9b4-2cc8c6ae3cb8",
			"created_at": "2023-03-04T02:01:54.115678Z",
			"updated_at": "2026-04-10T02:00:03.360898Z",
			"deleted_at": null,
			"main_name": "Prophet Spider",
			"aliases": [
				"GOLD MELODY",
				"UNC961"
			],
			"source_name": "MISPGALAXY:Prophet Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0a80df4d-5ab7-4ca3-809d-8ef7b5a54f1f",
			"created_at": "2023-11-21T02:00:07.386886Z",
			"updated_at": "2026-04-10T02:00:03.474764Z",
			"deleted_at": null,
			"main_name": "TiltedTemple",
			"aliases": [
				"Circle Typhoon",
				"DEV-0322"
			],
			"source_name": "MISPGALAXY:TiltedTemple",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "47b52642-e5b8-4502-b714-b625002d86aa",
			"created_at": "2024-06-19T02:03:08.086579Z",
			"updated_at": "2026-04-10T02:00:03.812509Z",
			"deleted_at": null,
			"main_name": "GOLD MELODY",
			"aliases": [
				"PROPHET SPIDER",
				"UNC961"
			],
			"source_name": "Secureworks:GOLD MELODY",
			"tools": [
				"7-Zip",
				"AUDITUNNEL",
				"BURP Suite",
				"GOTROJ",
				"JSP webshells",
				"Mimikatz",
				"Wget"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775433973,
	"ts_updated_at": 1775791713,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7dbdd354a73cd3d71f9d7bf66c84ec5fb37f01e4.pdf",
		"text": "https://archive.orkl.eu/7dbdd354a73cd3d71f9d7bf66c84ec5fb37f01e4.txt",
		"img": "https://archive.orkl.eu/7dbdd354a73cd3d71f9d7bf66c84ec5fb37f01e4.jpg"
	}
}