{
	"id": "546410dc-cab0-417b-96b1-d61d9afef601",
	"created_at": "2026-04-06T00:08:13.554737Z",
	"updated_at": "2026-04-10T03:37:23.969254Z",
	"deleted_at": null,
	"sha1_hash": "83249a05d1701c3293c5c1633fa466b8f9f4d668",
	"title": "PoisonSeed Campaign Targets CRM and Bulk Email Providers in Supply Chain Spam Operation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5049861,
	"plain_text": "PoisonSeed Campaign Targets CRM and Bulk Email Providers in\r\nSupply Chain Spam Operation\r\nBy Peggy Kelly\r\nPublished: 2025-04-03 · Archived: 2026-04-05 18:36:55 UTC\r\nKey Findings\r\nSilent Push Threat Analysts are sharing our discoveries related to a cryptocurrency and bulk email provider\r\nphishing campaign targeting enterprise organizations and VIP individuals outside the cryptocurrency\r\nindustry, along with a supply chain spam operation targeting individual crypto holders with a novel “crypto\r\nseed phrase” phishing effort. We are naming this new threat “PoisonSeed.”\r\nTargeted crypto companies include Coinbase and Ledger, and targeted CRM and bulk email\r\nproviders include: Mailchimp, SendGrid, Hubspot, Mailgun, and Zoho.\r\nWe are classifying PoisonSeed distinctly from two loosely aligned threat actors: Scattered Spider and\r\nCryptoChameleon, both of which are associated with “The Comm” (also spelled “The Com”).\r\nOur team has confirmed connections between two attacks that occurred in March 2025:\r\nA phishing attack targeting Troy Hunt to compromise his MailChimp account and a crypto phishing\r\ncampaign sent from a compromised Akamai SendGrid account.\r\nBleeping Computer reported the Akamai SendGrid account sent out crypto spam after it had been\r\ncompromised.\r\nSilent Push Threat Analysts are publicly revealing that the compromised Akamai SendGrid account sent\r\nout SendGrid phishing messages to at least one other enterprise organization, with a phishing email\r\npromoting the domain sso-account[.]com.\r\nTable of Contents\r\nKey Findings\r\nExecutive Summary\r\nSign Up for a Free Silent Push Community Edition Account\r\nBackground\r\nMarch 2025 Akamai SendGrid Compromise\r\nResearch Methodology\r\nInitial Research Lead\r\nWHOIS Pivots\r\nC2 Domains Exposed in Ledger Phishing Page Template\r\nCommon Directories Further Connect Bulk Email and Cryptocurrency Phishing Campaigns\r\nPoisonSeed Domain Patterns, Registrar \u0026 
WHOIS Keywords Align to CryptoChameleon, Explaining the\r\nScattered Spider Connection\r\nhttps://www.silentpush.com/blog/poisonseed/\r\nPage 1 of 17\n\nWHOIS Registration Connections\r\nLooking at the Behaviors Behind Poison Seed, Crypto Chameleon, and Scattered Spider\r\nKnown CryptoChameleon and Scattered Spider Phishing Kits Don’t Align with PoisonSeed\r\nContinuing to Track PoisonSeed\r\nPoisonSeed Mitigation\r\nRegister for Community Edition\r\nIndicators of Future Attack™ (IOFA™)\r\nExecutive Summary\r\nPoisonSeed threat actors are targeting enterprise organizations and individuals outside the cryptocurrency\r\nindustry. They have been phishing CRM and bulk email providers’ credentials to export email lists and send bulk\r\nspam from the accounts. Email providers appear to be targeted mainly to provide infrastructure for cryptocurrency\r\nspam operations.\r\nRecipients of the bulk spam are targeted with a cryptocurrency seed phrase poisoning attack. As part of the attack,\r\nPoisonSeed provides security seed phrases to get potential victims to copy and paste them into new\r\ncryptocurrency wallets for future compromising.\r\nWe detected similarities between PoisonSeed, Scattered Spider, and CryptoChameleon (the latter two being threat\r\ngroups spun from “The Comm,” a threat actor community comprised mostly of young, Western individuals). Our\r\nteam believes the ties to Scattered Spider are not definitive, which we will explain later in this report. 
It is\r\nimportant to note that while we see commonalities with CryptoChameleon, the PoisonSeed campaign is currently\r\nbeing classified separately due to multiple unique data points distinguishing the two and a general lack of code\r\ncommonalities between the groups.\r\nRegister now for our free Community Edition to use all of the tools and queries highlighted in this blog.\r\nBackground\r\nA few organizations and media outlets have individually covered the threat actors behind PoisonSeed without\r\nanyone connecting the dots to their true origin — until now.\r\nPoisonSeed is in fact the same campaign that recently targeted Troy Hunt, which he wrote about on March 25,\r\n2025, “A Sneaky Phish Just Grabbed my Mailchimp Mailing List”\r\nIt’s also the same campaign Lawrence Abrams wrote about for Bleeping Computer on March 14, 2025, “Coinbase\r\nphishing email tricks users with fake wallet migration”\r\nThe threat actor group has been setting up phishing pages for prominent CRM and bulk email companies,\r\nincluding: Mailchimp, SendGrid, Hubspot, Mailgun, Zoho, and likely others.\r\nThese phishing pages were essentially pixel-perfect matches for the real login pages:\r\nExample of a SendGrid phishing page on sso-account[.]com that is part of an ongoing campaign\r\nOnce the phishing pages were set up, phishing emails were sent to very specific email addresses. In Troy Hunt’s\r\nexample, his “mailchimp@redacted” email was used (and it was only used to log in to Mailchimp).\r\nThe phishing email used a “Sending Privileges Restricted” lure, and it appeared to have been sent by another\r\ncompromised business email account.\r\nScreenshot of the phishing email sent to Troy Hunt\r\nWhen credentials are successfully phished for an email provider, PoisonSeed appears to automate the process of\r\nbulk downloading the email lists. 
Troy Hunt shared the timeline to help confirm that the process of exporting the\r\nlists was extremely quick and likely automated.\r\nScreenshot of the Mailchimp list export email sent to Troy Hunt\r\nThe threat actors created a new API key so they could maintain persistence if only the password was reset. This\r\nwould likely have been used to send bulk emails:\r\nScreenshot of Mailchimp API Keys from Troy Hunt\r\nThe threat actors behind PoisonSeed were observed attempting to acquire email lists and also sending spam from\r\ncompromised accounts.\r\nMarch 2025 Akamai SendGrid Compromise\r\nAkamai had one of these bulk email account breaches earlier in March 2025, covered by Bleeping Computer. The\r\nbreach involved spam sent from the Akamai SendGrid account in a Coinbase cryptocurrency seed phrase\r\npoisoning attack.\r\nThe email headers for the cryptocurrency phishing effort included @akamai[.]com as the “From sender” (which\r\ncan be spoofed, but apparently wasn’t in this instance).\r\nEmail headers for the Coinbase phishing effort sent from Akamai\r\nSome of the post-CRM-compromise supply chain spam phishing attempts used a complex cryptocurrency seed\r\nphrase poisoning effort with an urgent notice claiming “Coinbase is transitioning to self-custodial wallets.”\r\nThe prompt told the targeted victim that they needed to set up a new Coinbase Wallet. 
The threat actor then\r\nintroduced the phishing aspect by providing seed phrases, hoping the victim would manually enter them into the\r\naccount creation flow so the threat actor could use the specific phrases to later “recover” the account and transfer\r\naway stolen funds.\r\nPhishing example directing victims to “update” their Coinbase Wallets\r\nSilent Push Threat Analysts privately received details from a research sharing partner about the Akamai SendGrid\r\ncompromise. At the same time that Akamai’s compromised SendGrid account was sending Coinbase phishing\r\nmessages, it also sent out phishing messages to at least one business (and likely many others) with a message that\r\ndirected users to a phishing page attempting to compromise their SendGrid account – likely to continue the scam\r\nwith even more bulk email accounts.\r\nScreenshot of sso-account[.]com, a domain that Akamai’s SendGrid was sending out, according to\r\none of our research sharing partners\r\nAkamai acknowledged the recent threat but hasn’t provided significant updates, telling Bleeping Computer on\r\nMarch 14, “Akamai is aware of reports regarding a potential phishing scam targeting Coinbase users that involves\r\nan Akamai email domain. We take information security very seriously and are actively investigating the matter.”\r\nIt’s unclear how many messages were sent out via Akamai, but many email accounts beyond Akamai appear to\r\nhave been compromised by the threat actors and used for phishing spam. After a few days (or sooner), the\r\naccounts appeared to be cleaned up, but by then, the threat actors had phished new email accounts for their\r\nspamming operations.\r\nResearch Methodology\r\nFor operational security reasons, we are unable to make all fingerprints used to track this campaign public. 
We are\r\nsharing what we can below, in the hopes that other organizations and researchers can benefit.\r\nInitial Research Lead\r\nAfter the March 14, 2025, Akamai-compromised phishing campaign, Silent Push analysts were given a related\r\ndomain that was sent to one of our research sharing partners: sso-account[.]com.\r\nWe captured a SendGrid phishing page on this domain and fingerprinted the kit so that we could find variations of\r\nit on other domains.\r\nLooking deeper, our team found 49 unique domains that featured references to the targeted email platforms and\r\nCoinbase. Two domains mentioning “firmware” (firmware-llive[.]com and firmware-server12[.]com) were both\r\nused for a Ledger Wallet phishing effort, which helped our team uncover some of PoisonSeed’s command and\r\ncontrol (C2) domains.\r\nWHOIS Pivots\r\nWhen checking this PoisonSeed grouping, most of the domains found via the phishing kit fingerprint pivot were\r\nunique within the WHOIS “State” field. 
Other threat analysts have mentioned this detail publicly, so we are\r\nmaking the following details available as well to support defenders in their efforts.\r\nWithin the domains we had tracked with our phishing kit fingerprint, there were groupings of domains found\r\nwhich included one of four strings in this WHOIS “State” field—two with obscene phrases—being reused over\r\nand over in that field: “headstompn⬛ggerfucke”, “creampie city”, “asdf” or “123123”*.\r\n*Note: For community users following along with the query below, please note that we have redacted the racist\r\nword above—the “i” has been replaced with a “⬛”.\r\nOur team then created a simple WHOIS “State” query with the two specific (obscene) words that are not likely to\r\nbe reused in that field by other registrants to identify part of the infrastructure:\r\nSilent Push WHOIS Scanner search:\r\ndatasource = “whois” AND state = [“headstompn⬛ggerfucke”, “creampie city”]\r\nWeb Scanner WHOIS and “State” search results\r\nOur team also created two additional WHOIS queries for the more generic “asdf” and “123123” WHOIS “State”\r\nfields. Combining those “state” names with other empty WHOIS fields and the registrar name helped to narrow\r\nthe search down to the single entity likely behind all of the recent domains:\r\nSilent Push WHOIS Scanner search:\r\ndatasource = “whois” AND state = “asdf” AND country = “AD” AND name = “None” AND city = “None”\r\nAND registrar = “NICENIC INTERNATIONAL GROUP CO., LIMITED”\r\nWeb Scanner WHOIS with “City,” “State,” “Country,” “Name,” and “Registrar” search results\r\nWe conducted the same search for the WHOIS State “123123” to pick up more recent domains. These types of\r\nqueries are often not safe enough to “leave running” because they could generate false positives in the future. 
As\r\nthey can occasionally provide further pivots for tracking a given campaign, they can be useful for investigation\r\npurposes. Such was the case here:\r\nSilent Push WHOIS Scanner search:\r\ndatasource = “whois” AND registrar = “NICENIC INTERNATIONAL GROUP CO., LIMITED” AND\r\nstate = “123123” AND country = “AE” AND zipcode = “None” AND address = “None”\r\nThe Web Scanner WHOIS plus “Registrar,” “State,” “Country,” “Zipcode,” and “Address” search\r\nyielded 41 results\r\nC2 Domains Exposed in Ledger Phishing Page Template\r\nWe discovered that the domain firmware-server12[.]com, found in the original phishing kit fingerprint pivot, was\r\nalso referenced within the SSL certificate “ssl.subject.common_name” field for two IP addresses:\r\nSilent Push Web Scanner search:\r\ndatasource = [“webscan”] AND ssl.subject.common_name = “firmware-server12.com”\r\nFrom these results, one IP address, 86.54.42[.]92, had no significant pivots, but the other IP address,\r\n212.224.88[.]188, was recently found to be hosting a Ledger Wallet “Upgrade Firmware” page, which appeared to\r\nbe another complex lure for stealing cryptocurrency.\r\nThis is what the page looked like at the time of our discovery in March 2025:\r\nLedger Wallet “Upgrade Firmware” phishing content found on 212.224.88[.]188/login/\r\nThis login page had C2 domains exposed in the JavaScript:\r\nJavaScript from an exposed Ledger phishing page on 212.224.88[.]188/login/\r\nC2s found in the JavaScript included:\r\nmysrver-chbackend[.]com\r\nnikafk244[.]com\r\niosjdfsmdkf[.]com\r\nbarefoots-api[.]com\r\nCommon Directories Further Connect Bulk Email and Cryptocurrency Phishing Campaigns\r\nWhen analyzing the JavaScript on hubservices-crm[.]com found through the original phishing kit fingerprint\r\nquery, we discovered two directories PoisonSeed had used for the CRM/bulk email phishing 
pages flow:\r\n/api\r\n/api/2fa/verify\r\nUnique paths retrieved from the JavaScript file\r\nWhen the Troy Hunt phishing campaign was made public, Silent Push Threat Analysts quickly grabbed the\r\nJavaScript from mailchimp-sso[.]com (Cloudflare NameServer records were removed on March 25, 2025, likely\r\ndue to a ban). Our team noted the specific JavaScript configuration on mailchimp-sso[.]com and matched the same\r\npaths that we saw on hubservices-crm[.]com:\r\nUnique path configuration retrieved from the JavaScript file\r\nThe identical directories between the bulk email phishing campaigns and the cryptocurrency seed phrase\r\npoisoning campaign, along with their WHOIS “State” connections, further confirmed what we had already known\r\ndue to the Akamai SendGrid compromise: Both campaigns are from the same actor.\r\nPoisonSeed Domain Patterns, Registrar \u0026 WHOIS Keywords Align to\r\nCryptoChameleon, Explaining the Scattered Spider Connection\r\nMany threat analysts and researchers have been trying to link the current PoisonSeed threat actors to Scattered\r\nSpider, but few have been connecting them to CryptoChameleon, even though both threat actor groups are\r\nassociated with The Comm.\r\nOur team believes it’s important to highlight and explain our thought processes behind classifying this as an\r\nindependent threat actor group as the technical details in this case, on close examination, reveal a closer alignment\r\nto CryptoChameleon over Scattered Spider.\r\nWHOIS Registration Connections\r\nAccording to Group IB research, the “mailchimp-sso [.] com” domain used in the recent Troy Hunt phishing effort\r\nwas first seen in attacks in 2022 and was used by Scattered Spider.\r\nNow, three years past the first attack, anyone could have re-registered the domain. 
Just because one specific threat\r\nactor previously controlled a domain doesn’t mean attribution of that domain to the same threat actor remains\r\nindefinitely, especially after it changes registration.\r\nThe mailchimp-sso[.]com domain was registered on Porkbun from the previous attack up until March 24, 2025,\r\nwhen it was re-registered on NiceNIC, a registrar of choice for both Scattered Spider and CryptoChameleon.\r\nSilent Push Total View Search:\r\nmailchimp-sso[.]com\r\nTotal View WHOIS search results for mailchimp-sso[.]com\r\nOur team believes it’s too early to classify mailchimp-sso[.]com as part of Scattered Spider merely because the\r\nthreat actor group previously controlled it, or because it was re-registered on a popular registrar they are using –\r\nespecially when the recent campaign had a cryptocurrency cash-out scheme, which would be a significant change\r\nfor them. It is important to note: None of the previously documented Scattered Spider attacks included\r\nallegations of trying to phish individual cryptocurrency wallets using complex email supply chain spam\r\noperations.\r\nIn the previous Scattered Spider attack on Mailchimp, the group was likely targeting the brand because any\r\nransomware on Mailchimp environments could potentially prevent clients from sending emails, and this would put\r\nenormous pressure on Mailchimp to pay a ransom. Early attacks from Scattered Spider followed similar targeting\r\nstrategies – they went after Western companies with a large number of customers who would be immediately\r\nimpacted if the attack was successful.\r\nAnother domain registration connection between the current PoisonSeed campaign and threat actors associated\r\nwith The Comm (both Scattered Spider and CryptoChameleon) is the racist and obscene language used in the\r\nWHOIS “State” field. 
Using such language within infrastructure is consistent with what has been seen with threat\r\nactors associated with The Comm, (including both Scattered Spider and CryptoChameleon). But this observation\r\nisn’t strong enough by itself to definitively say PoisonSeed is from either threat actor group associated with The\r\nComm.\r\nLooking at the Behaviors Behind Poison Seed, Crypto Chameleon, and Scattered Spider\r\nScattered Spider is a group of big game corporate hunters who are looking to collect massive ransoms from\r\nencrypting and disrupting major corporate operations. Scattered Spider uses social engineering, malware, and\r\nhands-on keyboard tactics to gain access to corporate environments. We have seen some light targeting of crypto\r\ncompanies by Scattered Spider since 2023, but there is no indication that these attacks were different from the\r\nother corporate attacks, many of which we know a considerable amount about.\r\nOur team believes the new campaign we’re classifying as PoisonSeed is not likely to be Scattered Spider because\r\nwe’ve seen Scattered Spider continue to conduct attacks in 2025 in ways strikingly similar to its legacy attacks. 
In\r\n2025, Scattered Spider has targeted brands including: Audemars Piguet, Chick-fil-A, Credit Karma, Forbes,\r\nInstacart, Louis Vuitton, Morningstar, New York Digital Investment Group, News Corporation, Nike, Paxos,\r\nTwitter/X, and Vodafone.\r\nNone of the 2025 brands targeted by Scattered Spider align with PoisonSeed’s efforts.\r\nThe recent cryptocurrency seed phrase poisoning attack utilizing a supply chain spam operation does not align\r\nwith Scattered Spider TTPs – doing so would be a significant change for them.\r\nThese tactics and the recent campaign do somewhat align with CryptoChameleon, however, which is a part of the\r\nsame threat actor group: “The Comm.”\r\nIn May 2024, we published a client-only report on CryptoChameleon and a public blog. Since then, we’ve\r\nengaged with several research sharing partners to further our understanding of these threat actors.\r\nCryptoChameleon has conducted VIP spear phishing targeted at high net worth crypto holders, cell phone SIM\r\nswaps, email hacks, and all types of voice and email phishing techniques to get access to accounts holding large\r\namounts of crypto. They likely buy access to lists of crypto holders and/or work with partners to find potential\r\ntargets. To date, Silent Push analysts have not observed CryptoChameleon conducting a cryptocurrency seed\r\nphrase poisoning effort – but this new campaign is a novel phishing effort, and that does align with their\r\ninnovative methodology.\r\nCryptoChameleon heavily targets Coinbase and Ledger (just like PoisonSeed), along with several other crypto\r\nbrands. Our team has never seen CryptoChameleon directly target email providers other than GMAIL and iCloud.\r\nCryptoChameleon attacks are performed quickly, with the cryptocurrency being moved immediately from a\r\nvictim’s wallet once the attack is successful. 
The PoisonSeed campaign has more of a delay with cash-out efforts,\r\nrequiring a victim to add the threat-actor-provided seed phrase to their account, and later the threat actor would\r\nbulk check accounts for the phrases, and then take over the accounts to cash out.\r\nCryptoChameleon also allegedly walks victims through their phishing pages, manually triggering the next page\r\nfrom their admin panel to prevent automatic scanners from working on their sites. We’ve seen nothing like this\r\nfrom the PoisonSeed campaign; in fact, more of an opposite strategy is being taken.\r\nWhenever our team finds two efforts (CryptoChameleon and PoisonSeed) that are heavily aligned on\r\ninfrastructure decisions and only partially aligned on victim targeting and tactical behavior but have no current on-page code overlap, we delay merging the two groups until definitive information is acquired.\r\nKnown CryptoChameleon and Scattered Spider Phishing Kits Don’t Align with PoisonSeed\r\nSilent Push analysts are tracking multiple phishing kits used by Scattered Spider, including their recent 2025\r\nvariations. 
For CryptoChameleon, we’re tracking several variations (some with subtle changes) and have analyzed\r\nmany details of how their kits work.\r\nNone of these kits aligns with what we’re seeing with PoisonSeed, leading us to the conclusion that it’s either a\r\ncompletely new phishing kit from CryptoChameleon or a separate threat actor who just happens to use similar\r\ntactics and infrastructure decisions.\r\nTherefore, until definitive information is discovered pairing the two, our team will continue to classify this threat\r\nseparately under the name: PoisonSeed.\r\nContinuing to Track PoisonSeed\r\nSilent Push will continue to report on our work tracking this cryptocurrency and CRM phishing threat actor,\r\nespecially if it continues to target enterprises outside the cryptocurrency industry.\r\nIf you or your organization have any leads related to this effort that you would like to share, particularly those\r\nbeing used by these threat actors, we would love to hear from you.\r\nPoisonSeed Mitigation\r\nSilent Push believes all domains related to PoisonSeed may offer some level of risk to enterprise organizations.\r\nWe provide client-only Indicators of Future Attack™ (IOFA™) feeds for tracking PoisonSeed domains and IPs.\r\nSilent Push IOFA™ Feeds are available as part of an Enterprise subscription. 
Enterprise users can ingest IOFA™\r\nFeed data into their security stack to inform their detection protocols or use it to pivot across attacker\r\ninfrastructure using the Silent Push Console and Feed Analytics screen.\r\nSilent Push Community Edition is a free threat-hunting and cyber defense platform featuring a range of\r\nadvanced offensive and defensive lookups, web content queries, and enriched data types, including Silent Push\r\nWeb Scanner and Live Scan.\r\nIndicators of Future Attack™ (IOFA™)\r\nSilent Push is sharing a sample IOFA™ list we have associated with the PoisonSeed phishing campaign to\r\nsupport ongoing efforts within the community. Our enterprise users have access to an IOFA™ feed currently\r\ncontaining many times this number, with more being added in real time as our investigation continues.\r\nSource: https://www.silentpush.com/blog/poisonseed/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.silentpush.com/blog/poisonseed/"
	],
	"report_names": [
		"poisonseed"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6355663f-1a27-4a08-879a-89bc3cf2cd63",
			"created_at": "2026-02-04T02:00:03.712015Z",
			"updated_at": "2026-04-10T02:00:03.953324Z",
			"deleted_at": null,
			"main_name": "CryptoChameleon",
			"aliases": [
				"UNC5356"
			],
			"source_name": "MISPGALAXY:CryptoChameleon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4e9127fc-a9d2-4d6c-9596-fb729d21c2c4",
			"created_at": "2026-01-22T02:00:03.67474Z",
			"updated_at": "2026-04-10T02:00:03.925728Z",
			"deleted_at": null,
			"main_name": "PoisonSeed",
			"aliases": [],
			"source_name": "MISPGALAXY:PoisonSeed",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434093,
	"ts_updated_at": 1775792243,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/83249a05d1701c3293c5c1633fa466b8f9f4d668.pdf",
		"text": "https://archive.orkl.eu/83249a05d1701c3293c5c1633fa466b8f9f4d668.txt",
		"img": "https://archive.orkl.eu/83249a05d1701c3293c5c1633fa466b8f9f4d668.jpg"
	}
}