{
	"id": "2135bc21-b585-4c3a-b3f3-7bfc5d7f3158",
	"created_at": "2026-04-06T00:09:00.540882Z",
	"updated_at": "2026-04-10T03:24:24.457265Z",
	"deleted_at": null,
	"sha1_hash": "869ab188815fe6d4962a2d2935809d2e790f09c2",
	"title": "MAR 10339794-1.v1 – Cobalt Strike Beacon | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 98583,
	"plain_text": "MAR 10339794-1.v1 – Cobalt Strike Beacon | CISA\r\nPublished: 2021-05-28 · Archived: 2026-04-05 23:16:31 UTC\r\nNotification\r\nThis report is provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not\r\nprovide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial\r\nproduct or service referenced in this bulletin or otherwise.\r\nThis document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries\r\nminimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to\r\nstandard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the\r\nTraffic Light Protocol (TLP), see http://www.cisa.gov/tlp.\r\nSummary\r\nDescription\r\nThis Malware Analysis Report (MAR) is the result of analytic efforts by the Cybersecurity and Infrastructure Security\r\nAgency (CISA) and the Federal Bureau of Investigation (FBI) to provide detailed analysis of three malicious ISO (optical\r\ndisc image) files submitted to CISA. These malicious files are associated with a spearphishing campaign targeting\r\ngovernment organizations, intergovernmental organizations, and non-governmental organizations using Constant Contact to\r\nspoof a U.S. Government organization and distribute links to malicious URLs.\r\nTwo of the ISO files submitted to CISA contain a dynamic-link library that is a custom Cobalt Strike Beacon loader, a\r\nPortable Document Format (PDF) file, which is displayed to the target as a decoy document, and a Microsoft shortcut that\r\nexecutes the Cobalt Strike beacon. The remaining file is corrupt and fails to extract PDF and LNK files. The two Cobalt\r\nStrike Beacon loaders contain the same encoded configuration data. 
The Cobalt Strike Beacon is a malicious implant on a\r\ncompromised system that calls back to the attacker and checks for additional commands to execute on the compromised\r\nsystem.\r\nCISA and FBI are distributing this MAR, which includes tactics, techniques, and procedures associated with this activity, to\r\nenable network defense and reduce exposure to this malicious activity. For more information, refer to the CISA Alert AA21-\r\n148A Sophisticated Actor Spearphishing Campaign Targets Government Organizations, IGOs, and NGOs.\r\nFor a downloadable copy of IOCs, see: MAR-10339794-1.v1.stix.\r\nSubmitted Files (7)\r\n2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252 (ICA-declass.iso)\r\n48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0 (Reports.lnk)\r\n7d34f25ad8099bd069c5a04799299f17d127a3866b77ee34ffb59cfd36e29673 (ICA-declass.pdf)\r\n94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916 (ICA-declass.iso)\r\nd035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142 (ICA-declass.iso)\r\nee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330 (Documents.dll)\r\nee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c (Documents.dll)\r\nDomains (2)\r\ntheyardservice.com\r\nworldhomeoutlet.com\r\nFindings\r\n2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\r\nTags\r\ndropper\r\nDetails\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-148a\r\nPage 1 of 16\n\nName ICA-declass.iso\r\nSize 22085632 bytes\r\nType UDF filesystem data (version 1.5) 'ICA_DECLASS'\r\nMD5 cbc1dc536cd6f4fb9648e229e5d23361\r\nSHA1 c1d5443f6f57f89bef76eb9e7c070f911954553b\r\nSHA256 2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\r\nSHA512 5141f30a24ebbf180a9707de6fad8e730a28fa3396d3f06c0bda60c93f73fea8ad867446065ed170c326f26e0b69034b2ac2fd272ec3c59b82727\r\nssdeep 393216:fkU+ZCNKp+nzmrrascT2vZw/ORavIZ8D8wd1gAqL5v078owIgPtW9+6KPz0wr0Q1:M4DnzsGGsvIZi8AZqLNSqj6cz0K7q0t\r\nEntropy 
7.701745\r\nAntivirus\r\nNo matches found.\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\n2523f94bd4... Contains ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\r\n2523f94bd4... Contains 7d34f25ad8099bd069c5a04799299f17d127a3866b77ee34ffb59cfd36e29673\r\n2523f94bd4... Contains 48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\r\nDescription\r\nThis is an ISO archive file that contains three files including a malicious DLL library named \"Documents.dll\"\r\n(ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c). This DLL has been identified as a custom\r\nCobalt Strike Beacon Version 4 implant. The second file is a malicious shortcut file named \"Reports.lnk\"\r\n(48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0) that executes the custom Cobalt Strike\r\nBeacon loader. The third file, \"ICA-declass.pdf\", is a benign decoy PDF\r\n(7d34f25ad8099bd069c5a04799299f17d127a3866b77ee34ffb59cfd36e29673).\r\n7d34f25ad8099bd069c5a04799299f17d127a3866b77ee34ffb59cfd36e29673\r\nDetails\r\nName ICA-declass.pdf\r\nSize 19782503 bytes\r\nType PDF document, version 1.4 (password protected)\r\nMD5 b40b30329489d342b2aa5ef8309ad388\r\nSHA1 738c20a2cc825ae51b2a2f786248f850c8bab6f5\r\nSHA256 7d34f25ad8099bd069c5a04799299f17d127a3866b77ee34ffb59cfd36e29673\r\nSHA512 99319a4af803d4f5f03822ba287f8f26f771d7caad3159df5b84bc8eec67e1b638ad84f04895259876f4e8360970fecafc1bd0c9e5607d13d91404\r\nssdeep 393216:IkU+ZCNKp+nzmrrascT2vZw/ORavIZ8D8wd1gAqL5v078owIgPtW9+6KPz0wr0QO:d4DnzsGGsvIZi8AZqLNSqj6cz0K7q0tM\r\nEntropy 7.998144\r\nAntivirus\r\nNo matches found.\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPDF Metadata\r\nTitle None\r\nSubject None\r\nAuthor None\r\nCreator Hewlett-Packard MFP\r\nProducer None\r\nCreation Date 2021-03-16 12:56:18-04:00\r\nMod Date 2021-03-16 
12:56:18-04:00\r\nPDF String Count\r\nHeader %PDF-1.4\r\nobj 52\r\nendobj 51\r\nstream 32\r\nendstream 32\r\nxref 2\r\ntrailer 2\r\nstartxref 2\r\n/Page 15\r\n/Encrypt 0\r\n/ObjStm 0\r\n/JS 1\r\n/JavaScript 0\r\n/AA 0\r\n/OpenAction 0\r\n/AcroForm 0\r\n/JBIG2Decode 3\r\n/RichMedia 0\r\n/Launch 0\r\n/EmbeddedFile 0\r\n/XFA 0\r\n/Colors \u003e 2^24 0\r\nRelationships\r\n7d34f25ad8... Contained_Within 2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\r\n7d34f25ad8... Contained_Within 94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\r\nDescription\r\nICA-declass.pdf is a benign PDF decoy file contained within the ISO archive. This appears to be a copy of the declassified\r\nversion of the Intelligence Community Assessment pursuant to Executive Order 13848 Section (1)(a), which is available at\r\nhttps://www.intelligence.gov/index.php/ic-on-the-record-database/results/1046-foreign-threats-to-the-2020-us-federal-elections-intelligence-community-assessment.\r\n48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\r\nDetails\r\nName Reports.lnk\r\nSize 1486 bytes\r\nType\r\nMS Windows shortcut, Item id list present, Has command line arguments, Icon number=4, ctime=Wed Dec 31 23:59:59 1969, mtime=Wed\r\n23:59:59 1969, atime=Wed Dec 31 23:59:59 1969, length=0, window=hide\r\nMD5 dcfd60883c73c3d92fceb6ac910d5b80\r\nSHA1 1cb1c2cd9f59d4e83eb3c950473a772406ec6f1a\r\nSHA256 48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\r\nSHA512 d725d0005d8a013c750598d3f2039737f6dfd33a579915e7a1723f386cf2e38b7c490b1ad85a493b02519263ff0a29ed8a40ea902667b40a2e4f\r\nssdeep 12:8hXnm/3BVSXzM3WlllbdDvPywMYTvPCDiN33Y98SWi88:8c/BCllhdDv6wdvKaHYWi\r\nEntropy 2.093090\r\nAntivirus\r\nNo matches found.\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\n48b5fb3fa3... 
Contained_Within 2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\r\n48b5fb3fa3... Contained_Within 94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\r\n48b5fb3fa3... Related_To ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\r\n48b5fb3fa3... Related_To ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\r\nDescription\r\nReports.lnk is a Microsoft shortcut (LNK) file. The file was contained within the ISO archive. The file \"Reports.lnk\" displays\r\na folder icon labeled \"Reports\" on the compromised system. The file contains the following data:\r\n--Begin malicious shortcut data--\r\nrunll32.exe Documents.dll,Open%windir%/system32/shell32.dll\r\n--End malicious shortcut data--\r\nWhen executed, the shortcut will stealthily launch the Cobalt Strike implant named \"Documents.dll\"\r\n(ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c or\r\nee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330).\r\nee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\r\nTags\r\ntrojan\r\nDetails\r\nName Documents.dll\r\nSize 1737728 bytes\r\nType PE32+ executable (DLL) (GUI) x86-64, for MS Windows\r\nMD5 7edf943ed251fa480c5ca5abb2446c75\r\nSHA1 1380d7c44efde64f471ae70563372efe18f43026\r\nSHA256 ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\r\nSHA512 9c84e4184798bdd06a4f6128242f2e7d2b8840cbf0639cd917c023bd22de3b7c2d98d072608106a94875a9655bcf1117fb3f1d0a2557cfda9b1b\r\nssdeep 6144:T22r1g93MFP1WWgs+oht05tnCCRem/V9FkkKdKb+/++9GIyRv9QTaq+D/aYndvKF:T2+g9KzkoEtVcKb+/+EzD+7aJ\r\nEntropy 2.144987\r\nAntivirus\r\nBitDefender Trojan.GenericKD.46360875\r\nESET a variant of Win64/Rozena.KA trojan\r\nEmsisoft Trojan.GenericKD.46360875 (B)\r\nIkarus Trojan.Win64.Rozena\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2019-04-27 14:27:02-04:00\r\nImport 
Hash 042c6b16f932b7d83d864033b4c9bf27\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n2737834f2ef34dc429a7ca5634454d08 header 1024 3.007590\r\n5d32cb386f61f62b4265c621e52b5870 .text 81408 6.449170\r\n023bcf34752191bd249f2abfac339cf6 .rdata 55808 5.044293\r\n2a7d1951ddc821aded735b43b63ddd51 .data 1592320 1.640778\r\n251fe4f11cc161fd4290e61e146e9d2f .pdata 4608 5.024657\r\nf34220b14577ddd51cd0bce45da457d8 .rsrc 512 4.711413\r\nb84914ab6f20a711de871aa00d835f5d .reloc 2048 4.894250\r\nRelationships\r\nee44c0692f... Contained_Within 2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\r\nee44c0692f... Contained_Within d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142\r\nee44c0692f... Related_To 48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\r\nee44c0692f... Connected_To theyardservice.com\r\nee44c0692f... Connected_To worldhomeoutlet.com\r\nDescription\r\nThis file is a 64-bit DLL file identified as a custom Cobalt Strike Beacon Version 4 implant. The DLL was contained within\r\nthe ISO archive file \"ICA-declass.iso\" (2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252). The\r\nencoded configuration data for the implant is illustrated in Figure 1. The configuration file contains the hard-coded C2s,\r\ncommunication protocol, and an implant watermark. The configuration file is encoded via an XOR with the key 0x2e and a\r\n16-bit byte swap. 
The parsed configuration file for the Cobalt Beacon implant is displayed below:\r\n--Begin configuration data--\r\nBeaconType                     - Not Found\r\nPort                             - 187\r\nSleepTime                        - Not Found\r\nMaxGetSize                     - Not Found\r\nJitter                         - Not Found\r\nMaxDNS                         - Not Found\r\nPublicKey_MD5                    - Not Found\r\nC2Server                         - dataplane.theyardservice[.]com,/jquery-3.3.1.min.woff2,cdn.theyardservice[.]com,/jquery-3.3.1.min.woff2,static.theyardservice[.]com,/jquery-3.3.1.min.woff2,worldhomeoutlet[.]com,/jquery-3.3.1.min.woff2\r\nUserAgent                        - Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\nHttpPostUri                     - /jquery-3.3.2.min.woff2\r\nMalleable_C2_Instructions        - Remove 1522 bytes from the end\r\n                                Remove 84 bytes from the beginning\r\n                                Remove 3931 bytes from the beginning\r\n                                Base64 URL-safe decode\r\n                                XOR mask w/ random key\r\nHttpGet_Metadata                 - Metadata\r\n                                      mask\r\n                                      base64url\r\n                                      prepend \"_cfuid=\"\r\n                                      header \"Cookie\"\r\nHttpPost_Metadata                - SessionId\r\n                                      mask\r\n                                      base64url\r\n                                      parameter \"_cfuid\"\r\n                                Output\r\n                                      mask\r\n                                      base64url\r\n                                      print\r\nPipeName                         - Not Found\r\nDNS_Idle                         - Not Found\r\nDNS_Sleep                        - Not Found\r\nSSH_Host                         
- Not Found\r\nSSH_Port                         - Not Found\r\nSSH_Username                     - Not Found\r\nSSH_Password_Plaintext         - Not Found\r\nSSH_Password_Pubkey             - Not Found\r\nSSH_Banner                     -\r\nHttpGet_Verb                     - GET\r\nHttpPost_Verb                    - POST\r\nHttpPostChunk                    - 0\r\nSpawnto_x86                     - %windir%\\syswow64\\dllhost.exe\r\nSpawnto_x64                     - %windir%\\sysnative\\dllhost.exe\r\nCryptoScheme                     - 0\r\nProxy_Config                     - Not Found\r\nProxy_User                     - Not Found\r\nProxy_Password                 - Not Found\r\nProxy_Behavior                 - Use IE settings\r\nWatermark                        - 1359593325\r\nbStageCleanup                    - True\r\nbCFGCaution                     - False\r\nKillDate                         - 0\r\nbProcInject_StartRWX             - False\r\nbProcInject_UseRWX             - False\r\nbProcInject_MinAllocSize         - 0\r\nProcInject_PrependAppend_x86     -\r\nb'\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90'\r\n                                Empty\r\nProcInject_PrependAppend_x64     -\r\nb'\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90'\r\n                                Empty\r\nProcInject_Execute             - ntdll:RtlUserThreadStart\r\n                                CreateThread\r\n                                NtQueueApcThread-s\r\n                                CreateRemoteThread\r\n                                RtlCreateUserThread\r\nProcInject_AllocationMethod     - NtMapViewOfSection\r\nbUsesCookies                     - True\r\nHostHeader                     -\r\nheadersToRemove               
  - Not Found\r\nDNS_Beaconing                    - Not Found\r\nDNS_get_TypeA                    - Not Found\r\nDNS_get_TypeAAAA                 - Not Found\r\nDNS_get_TypeTXT                 - Not Found\r\nDNS_put_metadata                 - Not Found\r\nDNS_put_output                 - Not Found\r\nDNS_resolver                     - Not Found\r\nDNS_strategy                     - Not Found\r\nDNS_strategy_rotate_seconds     - Not Found\r\nDNS_strategy_fail_x             - Not Found\r\nDNS_strategy_fail_seconds        - Not Found\r\n--End configuration data--\r\nThe hard-coded C2s include the following:\r\n--Begin C2s--\r\ndataplane.theyardservice[.]com/jquery-3.3.1.min.woff2\r\ncdn.theyardservice[.]com/jquery-3.3.1.min.woff2\r\nstatic.theyardservice[.]com/jquery-3.3.1.min.woff2\r\nworldhomeoutlet[.]com/jquery-3.3.1.min.woff2\r\n--End C2s--\r\nScreenshots\r\nFigure 1 - Encoded configuration data for the Cobalt Strike Beacon.\r\ntheyardservice.com\r\nTags\r\ncommand-and-control\r\nURLs\r\ncdn.theyardservice.com/jquery-3.3.1.min.woff2\r\ndataplane.theyardservice.com/jquery-3.3.1.min.woff2\r\nstatic.theyardservice.com/jquery-3.3.1.min.woff2\r\nHTTP Sessions\r\nGET /jquery-3.3.1.min.woff2 HTTP/1.1\r\nAccept: */*\r\nCookie: _cfuid=CyjkRTGjxcCHL55z9nLYj6lHHepbtmpw9qe0iAb1dHIDbpULhTse_mJUxk3c5-\r\nJpXlZu21ZsnBcxzblX_Ab6hesCQ13I5bwHN1f_IimQWV9ErSSRQ088efe2m_IykB8KQoilJAKqjx89lORFW8kHTRNLfEKqk8gOZKdAHkMLv\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\nHost: cdn.theyardservice[.]com\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nGET /jquery-3.3.1.min.woff2 HTTP/1.1\r\nAccept: */*\r\nCookie:\r\n_cfuid=MF5n5QrVRmC8WR3TzQRbL5IxnkpgwOnQzdE3KD2D99I4GBarvk2dXlkiRe3nkWHJZSDte20aH7cKuzr3x3B5JdB0wP3zkz-nDCF8ghLm2v9_26cxeDm_2czAGFIJ5pyqef4mhDncDL8G4mflYL-E7Sg9_-KR5UuuX9HDvnh9PqOGA4jx\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\nHost: 
static.theyardservice[.]com\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nGET /jquery-3.3.1.min.woff2 HTTP/1.1\r\nAccept: */*\r\nCookie: _cfuid=bvKtwVR5jETi9df3k6iRC8ydVG4-\r\nbCP0k339DGMvPfZmtNyP4OFXegeOj8m5PavtO4wnXzO21ZNUF_DTmdyzAY7YCtmtP_WDUo22pkxKENshd20VJpV1_ZJs0nZXSlaOJ1Lso\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\nHost: dataplane.theyardservice[.]com\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nWhois\r\nDomain name: theyardservice.com\r\nRegistry Domain ID: 1583241583_DOMAIN_COM-VRSN\r\nRegistrar WHOIS Server: whois.namecheap.com\r\nRegistrar URL: http://www.namecheap.com\r\nUpdated Date: 2021-03-31T13:16:35.65Z\r\nCreation Date: 2010-01-27T02:26:05.00Z\r\nRegistrar Registration Expiration Date: 2023-01-27T02:26:05.00Z\r\nRegistrar: NAMECHEAP INC\r\nRegistrar IANA ID: 1068\r\nRegistrar Abuse Contact Email: abuse@namecheap.com\r\nRegistrar Abuse Contact Phone: +1.6613102107\r\nReseller: NAMECHEAP INC\r\nDomain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\r\nRegistry Registrant ID:\r\nRegistrant Name: Withheld for Privacy Purposes\r\nRegistrant Organization: Privacy service provided by Withheld for Privacy ehf\r\nRegistrant Street: Kalkofnsvegur 2\r\nRegistrant City: Reykjavik\r\nRegistrant State/Province: Capital Region\r\nRegistrant Postal Code: 101\r\nRegistrant Country: IS\r\nRegistrant Phone: +354.4212434\r\nRegistrant Phone Ext:\r\nRegistrant Fax:\r\nRegistrant Fax Ext:\r\nRegistrant Email: 2c839fd1b7284a55b8204adbf86e09f6.protect@withheldforprivacy.com\r\nRegistry Admin ID:\r\nAdmin Name: Withheld for Privacy Purposes\r\nAdmin Organization: Privacy service provided by Withheld for Privacy ehf\r\nAdmin Street: Kalkofnsvegur 2\r\nAdmin City: Reykjavik\r\nAdmin State/Province: Capital Region\r\nAdmin Postal Code: 101\r\nAdmin Country: IS\r\nAdmin Phone: +354.4212434\r\nAdmin Phone Ext:\r\nAdmin Fax:\r\nAdmin Fax Ext:\r\nAdmin Email: 
2c839fd1b7284a55b8204adbf86e09f6.protect@withheldforprivacy.com\r\nRegistry Tech ID:\r\nTech Name: Withheld for Privacy Purposes\r\nTech Organization: Privacy service provided by Withheld for Privacy ehf\r\nTech Street: Kalkofnsvegur 2\r\nTech City: Reykjavik\r\nTech State/Province: Capital Region\r\nTech Postal Code: 101\r\nTech Country: IS\r\nTech Phone: +354.4212434\r\nTech Phone Ext:\r\nTech Fax:\r\nTech Fax Ext:\r\nTech Email: 2c839fd1b7284a55b8204adbf86e09f6.protect@withheldforprivacy.com\r\nName Server: dns1.registrar-servers.com\r\nName Server: dns2.registrar-servers.com\r\nDNSSEC: unsigned\r\nURL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/\r\nRelationships\r\ntheyardservice.com Connected_From ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\r\ntheyardservice.com Connected_From ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\r\nDescription\r\nCobalt Strike Beacon DLL files \"Documents.dll\"\r\n(ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c and\r\nee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330) attempt to connect to the domain.\r\nworldhomeoutlet.com\r\nTags\r\ncommand-and-control\r\nURLs\r\nworldhomeoutlet.com/jquery-3.3.1.min.woff2\r\nHTTP Sessions\r\nGET /jquery-3.3.1.min.woff2 HTTP/1.1\r\nAccept: */*\r\nCookie:\r\n_cfuid=QA9ir3qEQyrMCBiZvVVeZeJgmwAQkeyavYAyYk3S8phISRPhzhyYFClzQKeXwGSDFXHoMR1LGv166j-9tyF8b6AlxbeDwjrtfHB5yGK337UPiqJ7CGi6k7yRHRh5t5ngCa8jzkmNCfV2s2KvEO6Bp1hs-qjhtE7kL4DG9AgsO-n2Uo27\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\nHost: worldhomeoutlet[.]com\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nWhois\r\nDomain name: worldhomeoutlet.com\r\nRegistry Domain ID: 2502265423_DOMAIN_COM-VRSN\r\nRegistrar WHOIS Server: whois.namecheap.com\r\nRegistrar URL: http://www.namecheap.com\r\nUpdated Date: 
2021-02-17T11:58:31.52Z\r\nCreation Date: 2020-03-11T14:24:03.00Z\r\nRegistrar Registration Expiration Date: 2022-03-11T14:24:03.00Z\r\nRegistrar: NAMECHEAP INC\r\nRegistrar IANA ID: 1068\r\nRegistrar Abuse Contact Email: abuse@namecheap.com\r\nRegistrar Abuse Contact Phone: +1.6613102107\r\nReseller: NAMECHEAP INC\r\nDomain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\r\nRegistry Registrant ID:\r\nRegistrant Name: Withheld for Privacy Purposes\r\nRegistrant Organization: Privacy service provided by Withheld for Privacy ehf\r\nRegistrant Street: Kalkofnsvegur 2\r\nRegistrant City: Reykjavik\r\nRegistrant State/Province: Capital Region\r\nRegistrant Postal Code: 101\r\nRegistrant Country: IS\r\nRegistrant Phone: +354.4212434\r\nRegistrant Phone Ext:\r\nRegistrant Fax:\r\nRegistrant Fax Ext:\r\nRegistrant Email: 20cbb70538424016943819fe8eadaddc.protect@withheldforprivacy.com\r\nRegistry Admin ID:\r\nAdmin Name: Withheld for Privacy Purposes\r\nAdmin Organization: Privacy service provided by Withheld for Privacy ehf\r\nAdmin Street: Kalkofnsvegur 2\r\nAdmin City: Reykjavik\r\nAdmin State/Province: Capital Region\r\nAdmin Postal Code: 101\r\nAdmin Country: IS\r\nAdmin Phone: +354.4212434\r\nAdmin Phone Ext:\r\nAdmin Fax:\r\nAdmin Fax Ext:\r\nAdmin Email: 20cbb70538424016943819fe8eadaddc.protect@withheldforprivacy.com\r\nRegistry Tech ID:\r\nTech Name: Withheld for Privacy Purposes\r\nTech Organization: Privacy service provided by Withheld for Privacy ehf\r\nTech Street: Kalkofnsvegur 2\r\nTech City: Reykjavik\r\nTech State/Province: Capital Region\r\nTech Postal Code: 101\r\nTech Country: IS\r\nTech Phone: +354.4212434\r\nTech Phone Ext:\r\nTech Fax:\r\nTech Fax Ext:\r\nTech Email: 20cbb70538424016943819fe8eadaddc.protect@withheldforprivacy.com\r\nName Server: dns1.registrar-servers.com\r\nName Server: dns2.registrar-servers.com\r\nDNSSEC: unsigned\r\nURL of 
the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/\r\nRelationships\r\nworldhomeoutlet.com Connected_From ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\r\nworldhomeoutlet.com Connected_From ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\r\nDescription\r\nCobalt Strike Beacon DLL files \"Documents.dll\"\r\n(ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c and\r\nee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330) attempt to connect to the domain.\r\n94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\r\nTags\r\ndropper\r\nDetails\r\nName ICA-declass.iso\r\nSize 22085632 bytes\r\nType UDF filesystem data (version 1.5) 'ICA_DECLASS'\r\nMD5 29e2ef8ef5c6ff95e98bff095e63dc05\r\nSHA1 bf7b36c521e52093360a4df0dd131703b7b3d648\r\nSHA256 94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\r\nSHA512 99c90941405628ce989a4bb8683f052450d22b25c9f3aeda21b0086ba9f0b67d67a21536ae1b0a000eef006024e714f78b32b3626e99c3ad0c9a\r\nssdeep 393216:UkU+ZCNKp+nzmrrascT2vZw/ORavIZ8D8wd1gAqL5v078owIgPtW9+6KPz0wr0Q1:x4DnzsGGsvIZi8AZqLNSqj6cz0K7q0t\r\nEntropy 7.703418\r\nAntivirus\r\nNo matches found.\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\n94786066a6... Contains 7d34f25ad8099bd069c5a04799299f17d127a3866b77ee34ffb59cfd36e29673\r\n94786066a6... Contains 48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\r\n94786066a6... Contains ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\r\nDescription\r\nThis file is an ISO archive file containing three files including a malicious DLL library named \"Documents.dll\"\r\n(ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330). This DLL application has been identified as\r\na custom Cobalt Strike Beacon Version 4 implant. 
The second file is a malicious shortcut file named \"Reports.lnk\"\r\n(48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0). The shortcut executes the custom Cobalt\r\nStrike Beacon loader. The third file, \"ICA-declass.pdf\", is a benign decoy PDF\r\n(7d34f25ad8099bd069c5a04799299f17d127a3866b77ee34ffb59cfd36e29673).\r\nee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\r\nTags\r\ntrojan\r\nDetails\r\nName Documents.dll\r\nSize 1747968 bytes\r\nType PE32+ executable (DLL) (GUI) x86-64, for MS Windows\r\nMD5 1c3b8ae594cb4ce24c2680b47cebf808\r\nSHA1 1fb12e923bdb71a1f34e98576b780ab2840ba22e\r\nSHA256 ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\r\nSHA512 2917e5a1ecfa4343f0de204804487db368371b10b9ae3cc2ebc7e1da74c679c1ef198c2c183572f537fed7c1bc8c7183513fcadf6dcad3749bc40\r\nssdeep 6144:GBv2rCsfI34JBE8LCiohg05tnCCRem/V9FkkKdKb+/++9GIyRv9QTaq+D/aYndvj:GBurzfI2B9roDtVcKb+/+EzD+7aJ\r\nEntropy 2.177087\r\nAntivirus\r\nBitDefender Gen:Variant.Razy.872798\r\nCyren W64/Trojan2.QXAH\r\nESET a variant of Win64/Rozena.KA trojan\r\nEmsisoft Gen:Variant.Razy.872798 (B)\r\nIkarus Trojan.Win64.Rozena\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2019-04-27 14:24:28-04:00\r\nImport Hash 844c8136867966b00afa26206439e6ff\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n7d43d5e4810891d60b6c1cfe53c65bda header 1024 2.863431\r\n0ec5565defffef0494210cd746adb072 .text 91648 6.404547\r\nd5be4f214547e473abb5af81438017fa .rdata 55808 5.068392\r\n64f4595113032e066dfcf5791dc377da .data 1592320 1.640945\r\n32029ef6b1f438ceea676490a1afa4d8 .pdata 4608 5.070921\r\nb19c0e4b63d9d9892e1e291e7dcb7fd7 .rsrc 512 4.719348\r\n1819f7d3592f9bbf795bc7902ffa7fed .reloc 2048 4.886504\r\nRelationships\r\nee42ddacbd... Contained_Within 94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\r\nee42ddacbd... 
Related_To 48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\r\nee42ddacbd... Connected_To theyardservice.com\r\nee42ddacbd... Connected_To worldhomeoutlet.com\r\nDescription\r\nThis file is a 64-bit DLL file identified as a custom Cobalt Strike Beacon Version 4 implant. The DLL was contained within\r\nthe ISO file \"ICA-declass.iso\" (94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916). The encoded\r\nconfiguration data for the implant is illustrated in Figure 1. The configuration file contains the hard-coded C2s,\r\ncommunication protocol, and an implant watermark. The configuration file is encoded via an XOR with the key 0x2e and a\r\n16-bit byte swap. The parsed configuration file for the Cobalt Beacon implant is displayed below:\r\n--Begin configuration data--\r\nBeaconType                     - Not Found\r\nPort                             - 187\r\nSleepTime                        - Not Found\r\nMaxGetSize                     - Not Found\r\nJitter                         - Not Found\r\nMaxDNS                         - Not Found\r\nPublicKey_MD5                    - Not Found\r\nC2Server                         - dataplane.theyardservice.com,/jquery-3.3.1.min.woff2,cdn.theyardservice.com,/jquery-3.3.1.min.woff2,static.theyardservice.com,/jquery-3.3.1.min.woff2,worldhomeoutlet.com,/jquery-3.3.1.min.woff2\r\nUserAgent                        - Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\nHttpPostUri                     - /jquery-3.3.2.min.woff2\r\nMalleable_C2_Instructions        - Remove 1522 bytes from the end\r\n                                Remove 84 bytes from the beginning\r\n                                Remove 3931 bytes from the beginning\r\n                                Base64 URL-safe decode\r\n                                XOR mask w/ random key\r\nHttpGet_Metadata                 - Metadata\r\n                          
            mask\r\n                                      base64url\r\n                                      prepend \"_cfuid=\"\r\n                                      header \"Cookie\"\r\nHttpPost_Metadata                - SessionId\r\n                                      mask\r\n                                      base64url\r\n                                      parameter \"_cfuid\"\r\n                                Output\r\n                                      mask\r\n                                      base64url\r\n                                      print\r\nPipeName                         - Not Found\r\nDNS_Idle                         - Not Found\r\nDNS_Sleep                        - Not Found\r\nSSH_Host                         - Not Found\r\nSSH_Port                         - Not Found\r\nSSH_Username                     - Not Found\r\nSSH_Password_Plaintext         - Not Found\r\nSSH_Password_Pubkey             - Not Found\r\nSSH_Banner                     -\r\nHttpGet_Verb                     - GET\r\nHttpPost_Verb                    - POST\r\nHttpPostChunk                    - 0\r\nSpawnto_x86                     - %windir%\\syswow64\\dllhost.exe\r\nSpawnto_x64                     - %windir%\\sysnative\\dllhost.exe\r\nCryptoScheme                     - 0\r\nProxy_Config                     - Not Found\r\nProxy_User                     - Not Found\r\nProxy_Password                 - Not Found\r\nProxy_Behavior                 - Use IE settings\r\nWatermark                        - 1359593325\r\nbStageCleanup                    - True\r\nbCFGCaution                     - False\r\nKillDate                         - 0\r\nbProcInject_StartRWX             - False\r\nbProcInject_UseRWX             - False\r\nbProcInject_MinAllocSize         - 0\r\nProcInject_PrependAppend_x86     -\r\nb'\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90'\r\n       
                         Empty\r\nProcInject_PrependAppend_x64     -\r\nb'\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90'\r\n                                Empty\r\nProcInject_Execute             - ntdll:RtlUserThreadStart\r\n                                CreateThread\r\n                                NtQueueApcThread-s\r\n                                CreateRemoteThread\r\n                                RtlCreateUserThread\r\nProcInject_AllocationMethod     - NtMapViewOfSection\r\nbUsesCookies                     - True\r\nHostHeader                     -\r\nheadersToRemove                 - Not Found\r\nDNS_Beaconing                    - Not Found\r\nDNS_get_TypeA                    - Not Found\r\nDNS_get_TypeAAAA                 - Not Found\r\nDNS_get_TypeTXT                 - Not Found\r\nDNS_put_metadata                 - Not Found\r\nDNS_put_output                 - Not Found\r\nDNS_resolver                     - Not Found\r\nDNS_strategy                     - Not Found\r\nDNS_strategy_rotate_seconds     - Not Found\r\nDNS_strategy_fail_x             - Not Found\r\nDNS_strategy_fail_seconds        - Not Found\r\n--End configuration data--\r\nThe hard-coded C2s include the following:\r\n--Begin C2s--\r\ndataplane.theyardservice[.]com/jquery-3.3.1.min.woff2\r\ncdn.theyardservice[.]com/jquery-3.3.1.min.woff2\r\nstatic.theyardservice[.]com/jquery-3.3.1.min.woff2\r\nworldhomeoutlet[.]com/jquery-3.3.1.min.woff2\r\n--End C2s--\r\nd035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142\r\nTags\r\ndropper\r\nDetails\r\nName ICA-declass.iso\r\nSize 10485447 bytes\r\nType UDF filesystem data (version 1.5) 'ICA_DECLASS'\r\nMD5 ebe2f8df39b4a94fb408580a728d351f\r\nSHA1 251fa6cafd4f4d26fe97630834aa7d3f5543f886\r\nSHA256 
d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142\r\nSHA512 c18f88763383abd5bee0ad3804acfbfa3bfe11d4643190e63b97007adb2aa058c5cf316f8625680b8f68e7af865604eafe887b48f5889614f7edb1\r\nssdeep 196608:MMWitOVKn+ZCZQkpyjdYmsm+xRC+0Ezmr3ra3chWJWMeZv2SxQUWuO:fkU+ZCNKp+nzmrrascT2vZ4\r\nEntropy 7.187756\r\nAntivirus\r\nNo matches found.\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\nd035d394a8... Contains ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\r\nDescription\r\nThis file is an ISO archive file containing three files including a malicious DLL library named \"Documents.dll\"\r\n(ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330). This DLL application has been identified as\r\na custom Cobalt Strike Beacon Version 4 implant. This archive file is corrupt preventing the remaining files\r\n\"ICA_DECL.PDF\" and \"REPORT.LNK\" from being extracted.\r\nRelationship Summary\r\n2523f94bd4... Contains ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\r\n2523f94bd4... Contains 7d34f25ad8099bd069c5a04799299f17d127a3866b77ee34ffb59cfd36e29673\r\n2523f94bd4... Contains 48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\r\n7d34f25ad8... Contained_Within 2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\r\n7d34f25ad8... Contained_Within 94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\r\n48b5fb3fa3... Contained_Within 2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\r\n48b5fb3fa3... Contained_Within 94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\r\n48b5fb3fa3... Related_To ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\r\n48b5fb3fa3... Related_To ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\r\nee44c0692f... 
Contained_Within 2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\r\nee44c0692f... Contained_Within d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142\r\nee44c0692f... Related_To 48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\r\nee44c0692f... Connected_To theyardservice.com\r\nee44c0692f... Connected_To worldhomeoutlet.com\r\ntheyardservice.com Connected_From ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\r\ntheyardservice.com Connected_From ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\r\nworldhomeoutlet.com Connected_From ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\r\nworldhomeoutlet.com Connected_From ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\r\n94786066a6... Contains 7d34f25ad8099bd069c5a04799299f17d127a3866b77ee34ffb59cfd36e29673\r\n94786066a6... Contains 48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\r\n94786066a6... Contains ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\r\nee42ddacbd... Contained_Within 94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\r\nee42ddacbd... Related_To 48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\r\nee42ddacbd... Connected_To theyardservice.com\r\nee42ddacbd... Connected_To worldhomeoutlet.com\r\nd035d394a8... Contains ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\r\nRecommendations\r\nCISA recommends that users and administrators consider using the following best practices to strengthen the security\r\nposture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators\r\nprior to implementation to avoid unwanted impacts.\r\nMaintain up-to-date antivirus signatures and engines.\r\nKeep operating system patches up-to-date.\r\nDisable File and Printer sharing services. 
If these services are required, use strong passwords or Active Directory\r\nauthentication.\r\nRestrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local\r\nadministrators group unless required.\r\nEnforce a strong password policy and implement regular password changes.\r\nExercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be\r\nknown.\r\nEnable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nScan for and remove suspicious e-mail attachments; ensure the scanned attachment is its \"true file type\" (i.e., the\r\nextension matches the file header).\r\nMonitor users' web browsing habits; restrict access to sites with unfavorable content.\r\nExercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).\r\nScan all software downloaded from the Internet prior to executing.\r\nMaintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).\r\nAdditional information on malware incident prevention and handling can be found in National Institute of Standards and\r\nTechnology (NIST) Special Publication 800-83, \"Guide to Malware Incident Prevention \u0026 Handling for Desktops and\r\nLaptops\".\r\nContact Information\r\nDocument FAQ\r\nWhat is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in\r\na timely manner. In most instances this report will provide initial indicators for computer and network defense. To request\r\nadditional analysis, please contact CISA and provide information regarding the level of desired analysis.\r\nWhat is a MAR? 
A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware\r\nanalysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide\r\ninformation regarding the level of desired analysis.\r\nCan I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to\r\nthis document should be directed to the CISA at 1-888-282-0870 or CISA Central.\r\nCan I submit malware to CISA? Malware samples can be submitted via three methods:\r\nWeb: https://malware.us-cert.gov\r\nE-Mail: submit@malware.us-cert.gov\r\nFTP: ftp.malware.us-cert.gov (anonymous)\r\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software\r\nvulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.\r\nSource: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-148a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-148a"
	],
	"report_names": [
		"ar21-148a"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434140,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/869ab188815fe6d4962a2d2935809d2e790f09c2.pdf",
		"text": "https://archive.orkl.eu/869ab188815fe6d4962a2d2935809d2e790f09c2.txt",
		"img": "https://archive.orkl.eu/869ab188815fe6d4962a2d2935809d2e790f09c2.jpg"
	}
}